Okta for Node & Express: /forgot password gives 404, while /login works?

Greetings…

We’ve used Stormpath earlier with custom /login /register and /forgot… Since everything now is ported / deprecated to Okta we struggle to get the routes working properly, except /login…

Especially crucial now is to get /forgot implemented, but I’m ending up with a 404 (not found) exception in the browser…

Here is the implementation (Vue):

tryResetPassword(resetEmail) {
    // Header values must not carry a leading space
    var config = {
        headers: {
            'Content-Type': 'application/json',
            'Accept': 'application/json'
        }
    };

    return axios.post('/forgot', resetEmail, config)
        .then(response => response.data)
},

Here is the configuration of Okta… (server.js)

const stormpath = require('express-stormpath');
const path = require('path');

function configureStormpath(app, site) {
  app.use(stormpath.init(app, {
    org: process.env.oktaURL || "https://myaddressxxx.oktapreview.com",
    debug: 'info',
    application: {
      id: process.env.oktaApplicationId || "mykeyxxxxx"
    },
    apiToken: process.env.oktaApiToken || "mytokenxxxx",
    web: {
      me: {
        expand: {
          customData: true
        }
      },
      forgot: {
        enabled: true
      },
      register: {
        enabled: true,
        form: {
          fields: {
            givenName: {
              required: false,
              enabled: true
            },
            surname: {
              required: false,
              enabled: true
            },
            CompanyName: {
              enabled: true,
              label: "Firmanavn",
              placeholder: "Stuff..",
              required: true,
              type: "text"
            },
            CompanyId: {
              enabled: true,
              label: "Firmakode",
              placeholder: "Stuff...",
              required: true,
              type: "text"
            }
          }
        }
      }
    },
  }));

  console.log('(Octa-wannabe-stormpath installed')
  console.log(stormpath)
}

module.exports = configureStormpath;

So my question is… what do I need to configure additionally to make it accept /forgot? And… why isn’t it working “out of the box” like /login does?

Hi @nygter, sorry you are running into problems here. Ex-Stormpather here. We needed to make some modifications to how forgot password worked; there is a lot of information in the changelog.

Primarily:

Forgot password flow has several changes:

This feature is no longer available on a per-directory basis, and you must configure it locally in your server configuration. This feature will now be disabled by default, unless you manually enable it with these options:

app.use(stormpath.init(app, {
  web: {
    changePassword: {
      enabled: true
    },
    forgotPassword: {
      enabled: true
    }
  }
}));

You will need to re-create the email template for the password reset email. You can copy the current template from the Stormpath Admin Console, then in the Okta console you can paste it into the template found at Settings > Email & SMS > Forgot Password. You’ll want to use the ${recoveryToken} variable to create a link that points the user to the verification endpoint on your application, for example: http://localhost:3000/change?sptoken=${recoveryToken}.

The expiration time for password reset tokens is now 59 minutes; this can be configured through the Okta Admin Console, see Security -> Policies -> Default Policy.

Password recovery confirmation emails will not be sent; this type of email template is currently not available. Please let us know if you need this feature and we can provide a hook in this library that will let you send this message manually.
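An added example, not from the thread or from express-stormpath: a small Node check to run on the options object before it is passed to stormpath.init(). It flags the question's `web.forgot` section, which the answer's configuration names `web.forgotPassword`, and a reset flow enabled without `changePassword`. The function name and the KNOWN_WEB_KEYS list (only the sections that appear in this thread) are assumptions.

```javascript
// Added example, not part of express-stormpath.
// Assumption: KNOWN_WEB_KEYS lists only the `web` sections that appear in this
// thread; extend it from the library's documentation before relying on it.
const KNOWN_WEB_KEYS = ['login', 'register', 'me', 'forgotPassword', 'changePassword'];

// Hypothetical helper: returns human-readable findings for an options object
// that is about to be passed to stormpath.init().
function lintStormpathWebConfig(options) {
  const findings = [];
  const web = (options && options.web) || {};

  for (const key of Object.keys(web)) {
    if (KNOWN_WEB_KEYS.includes(key)) continue;
    // Suggest a known section that starts with the unknown name
    // (forgot -> forgotPassword).
    const hint = KNOWN_WEB_KEYS.find(
      k => k.toLowerCase().startsWith(key.toLowerCase()));
    findings.push(`web.${key} is not a known section` +
      (hint ? `; did you mean web.${hint}?` : ''));
  }

  const enabled = name => Boolean(web[name] && web[name].enabled === true);
  if (!enabled('forgotPassword')) {
    findings.push('web.forgotPassword.enabled is not true: ' +
      'the forgot password flow is disabled by default');
  }
  if (enabled('forgotPassword') && !enabled('changePassword')) {
    findings.push('web.changePassword.enabled is not true: ' +
      'the answer enables it together with forgotPassword');
  }
  return findings;
}

// Constructed sample: the `web` block from the question, trimmed.
const fromQuestion = {
  web: {
    me: { expand: { customData: true } },
    forgot: { enabled: true },
    register: { enabled: true }
  }
};
// Constructed sample: the `web` block from the answer.
const fromAnswer = {
  web: { changePassword: { enabled: true }, forgotPassword: { enabled: true } }
};

console.log(lintStormpathWebConfig(fromQuestion));
console.log(lintStormpathWebConfig(fromAnswer));
```

Running the check at startup and refusing to boot on a non-empty result turns a misnamed section into a visible error instead of a 404 at request time.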

Thanks for your answer Tom :slight_smile:

Well… generally we have our own forgot.VUE component (custom, not using Okta’s UI) which basically just does an axios.post('/forgot', providedEmail).then…

So what you are saying is that if I define forgotPassword to enabled:true, I will be able to make a post to /forgot? (or… is it forgotPassword) API endpoint?

Really need the e-mail verification though, so the user gets a reset email link… That can be the Okta UI template though…

So basically… custom /forgot (forgotPassword) page --> email to user --> user clicks email link to Okta page --> resets email … Can that be done easily without too much tweaking from your side?

Have a nice weekend :slight_smile:
Terje.

Hi @nygter, I would take a look at this Angular sample project as a reference:

It has been updated for the 4.x version of express-stormpath. You will need to manually enable the forgot password and email verification features, as described in this section of the changelog:

Hope this helps!