Okta for Node & Express: /forgot password gives 404, while /login works?

nygter · October 19, 2017, 10:31am

Greetings…

We’ve used stormpath earlier with custom /login /register and /forgot… Since everything now is ported / depricated to Okta we struggle to get the routes working properly, except /login…

Especially crucial now, is to get /forgot implemented but i’m endring up with a 404 (not found) exception in the browser…

Here is the Implementation (VUE) :

tryResetPassword(resetEmail){
        var config = {
            headers: {
                'Content-Type': ' application/json',
                'Accept': ' application/json'
            }
        };

        return axios.post('/forgot', resetEmail, config)
            .then(response => response.data)
    },

Here is the configuration of okta… (server.js)

const stormpath = require('express-stormpath');
const path = require('path');
function configureStormpath(app, site){

 app.use(stormpath.init(app, {
   org: process.env.oktaURL || "https://myaddressxxx.oktapreview.com",
     debug: 'info',
     application: {
        id: process.env.oktaApplicationId || "mykeyxxxxx"
    },
    apiToken: process.env.oktaApiToken || "mytokenxxxx",
    web: {
      
      me: {
        expand: {
          customData: true
        }
      },
      forgot: {
        enabled: true
      },
      register: {
        enabled: true,
        form : {
          fields: {
            givenName: {
              required: false,
              enabled: true
            },
            surname: {
              required: false,
              enabled: true
            },
            CompanyName: {
              enabled: true,
              label:"Firmanavn",
              placeholder: "Stuff..",
              required: true,
              type: "text"
            },
            CompanyId: {
              enabled: true,
              label:"Firmakode",
              placeholder: "Stuff...",
              required: true,
              type: "text"
            }

          }
        } 
      }
    },
  }));

  console.log('(Octa-wannabe-stormpath installed')
  console.log(stormpath)

}

module.exports = configureStormpath;

So my question is… what do i need to configure additionally to make it accept /forgot ? And… why isn’t it working “out of the box” like /login does ?

tom · October 20, 2017, 3:54pm

Hi @nygter, sorry you are running into problems here. Ex-stormpather here, we needed to make some modifications to how forgot password worked, there is a lot of information in the changelog.

Primarily:

Forgot password flow has several changes:

This feature is no longer available on a per-directory basis, and you must configure it locally in your server configuration. This feature will now be disabled by default, unless you manually enable it with these options:

app.use(stormpath.init(app, {
  web: {
    changePassword: {
      enabled: true
    },
    forgotPassword: {
      enabled: true
    }
  }
}));

You will need to re-create the email template for the password reset email. You can copy the current template from the Stormpath Admin Console, then in the Okta console you can paste it into the template found at Settings > Email & SMS > Forgot Password. You’ll want to use the ${recoveryToken} variable to create a link that points the user to the verification endpoint on your application, for example: http://localhost:3000/change?sptoken=${recoveryToken}.

The expiration time for password reset tokens is now 59 minutes, this can be configured through the Okta Admin Console, see Security -> Policies -> Default Policy.

Password recovery confirmation emails will not be sent, this type of email template is currently not available. Please let us know if you need this feature and we can provide a hook in this library that will let you send this message manually.

nygter · October 20, 2017, 7:30pm

Thanks for your answer Tom

Well… generally we have our own forgot.VUE component (custom, not using oktas ui) which basically just does a axios.post(’/forgot’, providedEmail).then…

So what you are saying is that if i define forgotPassword to enabled:true, i will be able to make a post to /forgot ? (or… is it forgotPassword) API endpoint ?

Really need the e-mail verification though, so the user gets a reset email link… That can be the okta UI Template though…

So basically… custom /forgot (forgotPassword) page --> email to user --> user clicks email link to okta page --> resets email … Can that be done easily without too much tweaking from your side ?

Have a nice weekend
Terje.

robertjd · October 20, 2017, 11:40pm

Hi @nygter, I would take a look at this Angular sample project as a reference:

It has been updated for the 4.x version of express-stormpath. You will need to manually enable the forgot password and email verification features, as described in this section of the changelog:

github.com

stormpath/express-stormpath/blob/master/docs/changelog.rst#version-400-rc1

.. _changelog:


Change Log
==========

All library changes, in descending order.

Version 4.0.0
-----------------

**Released July 21, 2017**

This major version is meant to be used if:

 - You are a Stormpath customer that is migrating to Okta `(learn more) <https://stormpath.com/oktaplusstormpath>`_.
 - You have successfully exported your tenant data from Stormpath `(learn more) <https://stormpath.com/export>`_.
 - You plan to imported your data into Okta `(learn more) <https://developer.okta.com/documentation/stormpath-import>`_.

We suggest following the instructions in the `Express Stormpath Sample Project <https://github.com/stormpath/express-stormpath-sample-project/>`_

This file has been truncated. show original

Hope this helps!