• We’re working on WPEngine and we had the site built on a dev environment with the membership plugin working great along with everything else. Since we have taken the dev environment live, some users cannot seem to reset their password.

    Users go here https://gnoea.com/login/lost-password/ and type in their email address. They then receive the email from the plugin that says “click here to reset your password”. About 50-75% are being taken back to the initial “please insert email or username to reset password here” screen instead of the screen with the password fields to actually reset and log in. So it’s just an endless loop. When this happens the URL shows as https://gnoea.com/login/lost-password/?updated=invalidkey

    Do you have any insight into why this would be happening? I am not sure why sometimes I do seem to be able to successfully reset a password and other times that error is happening. It is happening unreliably between different user roles as well.

    • This topic was modified 5 years, 11 months ago by fireflier10.


Viewing 6 replies - 1 through 6 (of 6 total)
  • I’ve found the problem. The hash generated by the key which gets generated with the function reset_url() in the file class-password.php from UM is different than the hash which is written into the DB.

    Also the WP function generates 4 hashes but only one is used so I think there must be a huge problem with the UM plugin according to the hash function from WP:

    [23-Dec-2018 15:57:41 UTC] 1545580661:$P$BiLzjLuPDHwVtUlnLmEQE19D4UpgJf0
    [23-Dec-2018 15:57:41 UTC] 1545580661:$P$BCAl/MTbiuCyqiix7310EOEn.eJlQz1
    [23-Dec-2018 15:57:41 UTC] 1545580661:$P$BH0W.btK4hYFNDidKh.DA46KZhp5Ay.
    [23-Dec-2018 15:57:41 UTC] Hash from mail: 1545580661:$P$BOzHQ9mIasqhbdYnkK0n.EXhGXBFyD0
    [23-Dec-2018 15:57:41 UTC] 1545580661:$P$BGRg8guQBbhuNKdMCIDSweNUDKLG1v/

    I don’t know how to fix this but I’ll try a bit and let u know when it works.

    I’ve done some debugging sessions and found out that a hash and a key get generated 4 times with the current UM version.

    The problem is that the key and hash pair generated by the {password_reset_link} action in the resetpw_email is pair number 3.

    But after this pair another pair is created which has also a key and a hash. The problem is now, that the hash number 4 is saved to the database but the key from hash number 3 is sent via email to the member.

    So the result is that all keys are invalid because the key from pair 3 doesn’t match the hash from pair 4 (which makes sense).

    To clarify whether this is the problem, I would love it if you could do the following steps and paste your result into this question. This is what you need to do:

    (Please don’t do this if you are new to programming!)

    1. Open your wp-config.php and add the following to the end of the file:

    define( 'WP_DEBUG', true );
    define( 'WP_DEBUG_LOG', true );

    (This will generate a debug.log directly in the wp-content folder of WordPress)

    2. Go into the wp-includes folder and open the file users.php. Search for this line of code:

    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );

    Add these 2 expressions directly after it:

    error_log( 'Key from user.php: ' . $key );
    error_log( 'Hash from user.php: ' . $hashed );

    Save the file now and open the email template resetpw_email.php from UM. Now remove the {password_reset_link} from the <a href="{password_reset_link}">.

    Now you need to add this here between the php tags at the top of the file:

    error_log('Reset link from email: ' . UM()->password()->reset_url() );

    So now we are good to go. Save all and upload it to your server. Now go to your UM reset password page and do just one reset. When you get the message that the email was sent successfully, open the debug.log file in your wp-content folder and paste the content here as an answer. We need to do this to check if it’s not just a problem on my side and a global one.

    Now undo everything we did to remove the debugging from your page (We don’t need this anymore I think).

    By the way I’m not a member from UM. I’m just a programmer and I’m very interested to solve this issue.

    This plugin is absolutely trash! I’ve found out how I can create a backtrace and UM calls the reset 4 times like I wrote above. The 3rd one is the one sent by the email and the last one is saved to the database:

    [30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, get_password_reset_key
    [30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$BJoSYtR913FSi..xNSAdZaC6RwqYVC1
    [30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$BJoSYtR913FSi..xNSAdZaC6RwqYVC1
    [30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, um\core\Mail->send, um_convert_tags, um_user, um\core\Password->reset_url, get_password_reset_key
    [30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$B6/0iQI1Ke5KODTKihHCctTROvUorc.
    [30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$B6/0iQI1Ke5KODTKihHCctTROvUorc.
    [30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, um\core\Mail->send, um\core\Mail->prepare_template, um\core\Mail->get_email_template, include('/themes/enwikuna/ultimate-member/email/resetpw_email.php'), um\core\Password->reset_url, get_password_reset_key
    [30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$BSQgzwcRgvKVaSbQ5U5uQ.YUHIHfoB.
    [30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$BSQgzwcRgvKVaSbQ5U5uQ.YUHIHfoB.
    [30-Dec-2018 14:04:52 UTC] Reset URL: https://www.enwikuna.de/passwort-zuruecksetzten/?act=reset_password&hash=6vjgRQfnvawpH5Ga6S8S&user_id=19
    [30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, um\core\Mail->send, um\core\Mail->prepare_template, um_convert_tags, um_user, um\core\Password->reset_url, get_password_reset_key
    [30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$Bw6cVAT69d34uzXkEf2uKAYf40Kwnm/
    [30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$Bw6cVAT69d34uzXkEf2uKAYf40Kwnm/

    I’ve fixed it now. There is an issue in a library I’m using to merge HTML and CSS together:

    //Apply CSS styles inline for picky email clients.
    try {
    	$emogrifier = new Emogrifier( $message, $css );
    	$message    = $emogrifier->emogrify();
    } catch ( Exception $e ) {
    	$logger = wc_get_logger();
    	$logger->error( $e->getMessage(), array( 'source' => 'emogrifier' ) );
    }
    // Temporary fix: turn the URL-encoded %7B and %7D that Emogrifier produced back into { and }
    $message = str_replace( array( '%7B', '%7D' ), array( '{', '}' ), $message );

    The problem was that the Emogrifier turned the placeholder openings and closings back to its ASCII code so the UM was not able to replace it.

    Because of this I first replaced it with the function itself, which is called from the placeholder. But the problem is that the placeholder is called anyway so the last hash was generated from the plugin trying to find the placeholder.

    My wish is to remove the whole placeholder thing and call the function directly to get the reset link so that this can be used in custom templates too.
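
The overwrite described in the replies above, as an added example that is not part of the original thread or of Ultimate Member's code: a stand-alone PHP 8 model showing why only the last issued key verifies and how issuing once per request keeps the mailed key valid. `ResetKeyStore` and `OncePerRequestIssuer` are hypothetical names, `password_hash()` stands in for WordPress's phpass hasher, and 19 is a sample user id.

```php
<?php
// Stand-alone PHP 8 model (constructed; no WordPress or Ultimate Member code).
// password_hash()/password_verify() stand in for WordPress's phpass hasher.

final class ResetKeyStore // hypothetical name
{
    /** @var array<int,string> user id => "timestamp:hash" (one slot per user) */
    private array $stored = [];

    // Models get_password_reset_key(): each call creates a NEW key and
    // overwrites the single hash stored for that user.
    public function issue(int $userId): string
    {
        $key = bin2hex(random_bytes(10));
        $this->stored[$userId] = time() . ':' . password_hash($key, PASSWORD_DEFAULT);
        return $key;
    }

    // Models the check performed when the user follows the mailed link.
    public function check(int $userId, string $key): bool
    {
        // An unknown user yields an empty hash, which never verifies.
        $hash = explode(':', $this->stored[$userId] ?? ':', 2)[1];
        return password_verify($key, $hash);
    }
}

final class OncePerRequestIssuer // hypothetical wrapper
{
    private array $issued = [];   // keys already issued during this request
    public function __construct(private ResetKeyStore $store) {}
    public function key(int $userId): string
    {
        return $this->issued[$userId] ??= $this->store->issue($userId);
    }
}

$store = new ResetKeyStore();
$keys  = [];
for ($i = 1; $i <= 4; $i++) {           // four issuing calls, as in the backtrace
    $keys[$i] = $store->issue(19);      // 19 = sample user id
}
var_dump($store->check(19, $keys[3]));  // key that went into the e-mail
var_dump($store->check(19, $keys[4]));  // key whose hash is actually stored

$issuer = new OncePerRequestIssuer($store);
$mailed = $issuer->key(19);             // first template pass issues the key
$issuer->key(19);                       // later passes reuse it, no overwrite
var_dump($store->check(19, $mailed));
```

Run from the command line with `php`: the first check fails because pair 4 overwrote pair 3, and the other two succeed.
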

    Thread Starter fireflier10

    (@fireflier10)

    I was able to fix my problem by excluding the UM pages from the various caching services employed on the site. This is not ideal, but was mentioned in another old thread as the solution and did, in fact, work. I don’t seem to be having the issue any longer.

  • The topic ‘Password Reset Invalid Key’ is closed to new replies.