Application
OJS 3.3.0-13 (and earlier)
Describe the issue or problem
E-mail client (Outlook in Office 365) tries to verify the safety of the password reset confirmation link before sending the user to the reset confirmation link, causing it to expire by the time the user is able to visit the confirmation link. The user still receives the e-mail with username and temporary password but is rather confused, and several users have tried to reset their passwords multiple times before finally contacting our support about this issue.
By copying the url in the e-mail and pasting it directly in a new tab in the browser, I am able to bypass the safelink measure by the email client, and I will get the following message from OJS:
"A confirmation has been sent to your email address. Please follow the instructions in the email to reset your password. "
if I reload this page, I will get the expected message since the reset link should only be used once:
"Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again. "
Conclusion is that the e-mail client’s safelink feature causes the password reset confirmation link to be ‘expired’ before the user will see the confirmation page.
So how can we somewhat change this behaviour or message as not to confuse the users who are resetting their passwords?
Steps I took leading up to the issue
User initiates a password reset.
User clicks on password reset link in the e-mail
Email-solution wants to check if the link is safe before immediately sending the user to the password reset link.
The link generated by OJS:
https://journal.example.com/index.php/index/login/resetPassword/{username}?confirm={confirmation-hash}
The link the user will actually go to when clicking the email before quickly being redirected to the original URL which was generated by OJS:
https://outlook.office.com/mail/safelink.html?url=https://journal.example.com/index.php/index/login/resetPassword/{username}?confirm={confirmation-hash}
User gets the message “Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again.”
User is confused and thinks that something was wrong with the password reset link, and sometimes users continue to reset their password multiple times.
User receives the e-mail with username and temporary password, but maybe they didn’t check because they were just told by OJS that the password reset link did not work.
User sends me a support request complaining that the password reset link doesn’t work.
Note: the URL doesn’t actually contain curly braces, but I have anonymized the contents there …
Temporary fix
My suggestion for a temporary fix if your users are experiencing this issue is to change user.login.lostPassword.invalidHash in /lib/pkp/locale/en_US/user.po (and other languages you use) to something like:
msgstr “Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again. <br /><br />(Or it could be that your E-mail client’s safelink feature has already checked the URL causing it to expire). <br /><br />Check your inbox anyway to see if you just got an email with your username and a temporary password.”