magento2: Admin reset password link broken

Preconditions and environment

  • Magento 2.4.4
  • Multiple websites and stores

Steps to reproduce

  1. Enable the setting Add Store Code to Urls
  2. Create 2 new websites, each with 1 store view
  3. Create new admin user
  4. Click Forgot your password? link in the admin login page;
  5. Input your e-mail and submit;
  6. Click the link in the email.

Expected result

Form to reset the password

Actual result

404 not found

Additional information

Link is generated as http://magento.local/admin/admin_123456/admin/auth/resetpassword/key/xxxxxxxxxx/?id=1&token=yyyyyyyy, but it should be http://magento.local/admin_123456/admin/auth/resetpassword/key/xxxxxxxxxx/?id=1&token=yyyyyyyy (notice the extra admin/ right after the domain name).

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 3
  • Comments: 39 (14 by maintainers)
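
A regression check for the symptom reported above, as an added example that is not part of the original issue or of Magento's code: it parses a generated reset link and reports a store code placed ahead of the admin front name. Treating the extra admin/ segment as the admin store's code is an assumption, as are the function and parameter names.

```python
from urllib.parse import urlsplit, parse_qs

# Route that follows the admin front name in the reset link shown in the issue.
RESET_ROUTE = ["admin", "auth", "resetpassword"]


def check_reset_link(url, front_name, store_codes=("admin",)):
    """Return a list of problems found in an admin reset-password URL.

    front_name  -- admin front name, e.g. "admin_123456" (from the issue)
    store_codes -- store codes that must not prefix the admin path; the
                   admin store's code "admin" is an assumption here
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    problems = []

    # A store code in front of the front name is the reported 404 case.
    if segments and segments[0] != front_name and segments[0] in store_codes:
        problems.append(f"store code '{segments[0]}' precedes the admin front name")
        segments = segments[1:]

    if segments[: 1 + len(RESET_ROUTE)] != [front_name] + RESET_ROUTE:
        problems.append("path does not start with <front name>/admin/auth/resetpassword")

    # The link is unusable without both the user id and the reset token.
    query = parse_qs(parts.query)
    for name in ("id", "token"):
        if not query.get(name):
            problems.append(f"missing query parameter '{name}'")
    return problems


# The two URLs quoted in the issue (placeholders kept as written there).
BROKEN = "http://magento.local/admin/admin_123456/admin/auth/resetpassword/key/xxxxxxxxxx/?id=1&token=yyyyyyyy"
EXPECTED = "http://magento.local/admin_123456/admin/auth/resetpassword/key/xxxxxxxxxx/?id=1&token=yyyyyyyy"

if __name__ == "__main__":
    for label, url in (("broken", BROKEN), ("expected", EXPECTED)):
        print(label, check_reset_link(url, "admin_123456") or "ok")
```

Run it against the link extracted from a test reset email after applying any of the workarounds in the comments.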

Most upvoted comments

Based on @bruno-blackbird's workaround, I’ve created another patch to avoid touching any other area. Already tested on v2.4.6.

diff --git a/vendor/magento/module-user/Model/Notificator.php b/vendor/magento/module-user/Model/Notificator.php
index 3e36cd13..e452de3d 100644
--- a/vendor/magento/module-user/Model/Notificator.php
+++ b/vendor/magento/module-user/Model/Notificator.php
@@ -111,7 +111,7 @@ class Notificator implements NotificatorInterface
                     'user' => $user,
                     'store' => $this->storeManager->getStore(
                         Store::DEFAULT_STORE_ID
-                    )
+                    )->setData("disable_store_in_url", true)
                 ],
                 $user->getEmail(),
                 $user->getFirstName().' '.$user->getLastName()
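
Review bot: the added `->setData("disable_store_in_url", true)` mutates the store object returned by `getStore(Store::DEFAULT_STORE_ID)` instead of a copy, so if that instance is shared, every URL built from it later in the same request also loses the store code. Consider cloning the store before setting the flag, or resetting the flag after the notification is sent. The diff also targets a file under vendor/, so the change needs a comment or patch description referencing the issue, otherwise it will be lost or silently conflict on the next module update.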

The above patch only adds the flag to the specific function that triggers the email.

You can also fix this issue without any patches.

  • This is the way to create a patch of email templates.

Just modify one line in the vendor/magento/module-user/view/adminhtml/email/password_reset_confirmation.html email template:

From the store URL, remove admin from the store url="admin/auth/resetpassword

{{store url="admin/auth/resetpassword/" _query_id=$user.user_id _query_token=$user.rp_token _nosid=1}}

Replace line no. 23 with the given line:

{{store url="auth/resetpassword/" _query_id=$user.user_id _query_token=$user.rp_token _nosid=1}}

  • If you don’t need to create a patch,

Just create a new Forgot Admin Password template from the Backend: Marketing -> Communication -> Email Template. Create a new template by clicking on the Add New Template button.

Now load the default template from Magento_User -> Forgot Admin Password.

After loading, just modify the above line in the email template and save the new template.

Then assign this email template from Stores -> Configuration -> Advanced -> Admin -> Admin User Emails.

From the Forgot Password Email Template dropdown, choose the template and click Save Config.

Hi all, please find the official patch provided by support:

diff --git a/vendor/magento/module-user/view/adminhtml/email/password_reset_confirmation.html b/vendor/magento/module-user/view/adminhtml/email/password_reset_confirmation.html
index 374713cad91..dafab374011 100644
--- a/vendor/magento/module-user/view/adminhtml/email/password_reset_confirmation.html
+++ b/vendor/magento/module-user/view/adminhtml/email/password_reset_confirmation.html
@@ -20,7 +20,7 @@
 
 {{trans "If you requested this change, reset your password here:"}}
 
-{{store url="admin/auth/resetpassword/" _query_id=$user.user_id _query_token=$user.rp_token _nosid=1}}
+{{store url="admin/auth/resetpassword/" _type="web" _query_id=$user.user_id _query_token=$user.rp_token _nosid=1 }}
 
 {{trans "If you did not make this request, you can ignore this email and your password will remain the same."}}
 
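
Review bot: the added line leaves a stray space before the closing braces (`_nosid=1 }}`) that the removed line did not have; drop it so the directive matches the others in this template. The only functional change is `_type="web"`, and nothing in the template says why it is needed, so a short note tying it to the "Add Store Code to Urls" case would help the next person who edits this line.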

ACSD-48570_2.4.5.patch

We applied another workaround for this. It will solve all the cases where a store is passed directly to the url resolver.

diff --git a/Model/Url.php b/Model/Url.php
index 8948961..c1bf6f0 100644
--- a/Model/Url.php
+++ b/Model/Url.php
@@ -447,6 +447,13 @@ class Url extends \Magento\Framework\Url implements \Magento\Backend\Model\UrlIn
                     'data' => ['code' => 'admin', 'force_disable_rewrites' => false, 'disable_store_in_url' => true],
                 ]
             );
+        } else {
+            /**
+             * Patch admin password url incorrect with setting "web/url/use_store" = 1
+             * Force option to disable store in url from url.
+             * Issue : https://github.com/magento/magento2/issues/35667
+             */
+            $this->_scope->setData("disable_store_in_url", true);
         }
         return $this->_scope;
     }
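
Review bot: the new `else` branch sets `disable_store_in_url` on whatever `$this->_scope` already holds, with no check that the scope is the admin store, so any store passed into the backend URL model loses its store code, and the passed-in object itself is modified. Guard the call with a check on the scope (for example its code), or set the flag on a clone, and reword the comment line "Force option to disable store in url from url", which does not say which URLs are affected.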

We solved the same problem by creating a plugin for Magento\User\Model\Notificator with this workaround:

    /**
     * Workaround to disable store code in reset password link
     *
     * @param Notificator $subject
     * @param callable $proceed
     * @param UserInterface $user
     * @return bool
     */
    public function aroundSendForgotPassword(
        Notificator $subject,
        callable $proceed,
        UserInterface $user
    ) {
        // $proceed is not called, so the original sendForgotPassword()
        // is replaced rather than wrapped.
        $store = $this->storeManager->getStore(Store::DEFAULT_STORE_ID);
        $store->setDisableStoreInUrl(true);

        try {
            // sendNotification() is not shown in this snippet; it is assumed
            // to be a method defined on the plugin class itself.
            $this->sendNotification(
                'admin/emails/forgot_email_template',
                [
                    'username' => $user->getFirstName().' '.$user->getLastName(),
                    'user' => $user,
                    'store' => $store
                ],
                $user->getEmail(),
                $user->getFirstName().' '.$user->getLastName()
            );
        } catch (LocalizedException $exception) {
            throw new NotificatorException(
                __($exception->getMessage()),
                $exception
            );
        }

        return true;
    }

Hi @kassner

Thanks for your contribution and collaboration. I have tried to reproduce the issue, but in my case the link is not broken: I am successfully able to reset the password and log in using the new password. I also observed the extra admin/ in the reset link, as you did. Checked in Magento 2.4-develop and browsers: Chrome & Firefox.

Below are the screenshots for your reference: Screenshot from 2022-06-24 17-24-39, Screenshot from 2022-06-24 17-24-10, Screenshot from 2022-06-24 17-24-03, Screenshot from 2022-06-24 17-23-14

Please provide more information if anything got missed and can be tested further.

Looks like that patch mentioned above got included in Magento 2.4.7: https://github.com/magento/magento2/commit/face8387fe48034d981d07efd45612ab2950f460

So I guess we can close this issue now?