ROPC passwords invalid - passwords

I just wanted to ask for assistance on the following. My client has enabled an ROPC flow and it works properly most of the time.
It is hard to record the error but we made it.
https://msit.microsoftstream.com/video/2340a1ff-0400-a521-2f90-f1eac84c3b02
Check from min 20 for the error.
There are invalid passwords like the following that don't work.
Ac#grra%42, Acgrra%42, Ac#gr%ra%42.
Passwords that worked properly were the following:
Vg#5k4VrMw, &wy6S"-s'&, Micro%s0ft.
Is there any password policy or anything that may cause this behavior?
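Before looking for a password policy, one check worth making on the client side is whether the password is form-url-encoded exactly once before it goes into the token request body. The following added example (Python, not the asker's client code; the endpoint, client id and scope are placeholders) round-trips the passwords listed above through a correctly encoded body and through a body built by plain string concatenation. In the concatenated case, the strings that change are the ones that happen to contain a valid percent-escape such as `%42`, whereas `%s0` is not a valid escape and passes through unchanged; whether that is what is happening in this tenant is something only the client code can confirm.

```python
# Added example (not the asker's client code): shows how a ROPC token-request body
# must be form-url-encoded exactly once, and what a server sees when it is not.
# The endpoint, client id and scope below are placeholders.
from urllib.parse import urlencode, parse_qs

TOKEN_ENDPOINT = "https://login.example.invalid/placeholder-tenant/oauth2/v2.0/token"  # placeholder


def build_ropc_body(username: str, password: str,
                    client_id: str = "00000000-0000-0000-0000-000000000000",  # placeholder
                    scope: str = "openid") -> str:
    """Encode the grant parameters the way an HTTP client library does (urlencode)."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    })


def naive_body(username: str, password: str) -> str:
    """Body assembled by string concatenation with no encoding step (the bug pattern)."""
    return f"grant_type=password&username={username}&password={password}"


def password_as_seen_by_server(body: str) -> str:
    """Decode the body once, as any form parser on the receiving side does."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("password", [""])[0]


def survives_round_trip(password: str, encode: bool = True) -> bool:
    """True if the server-side view of the password equals what the user typed."""
    if encode:
        body = build_ropc_body("user@example.invalid", password)
    else:
        body = naive_body("user@example.invalid", password)
    return password_as_seen_by_server(body) == password


if __name__ == "__main__":
    # The failing and working passwords quoted in the question
    for pw in ["Ac#grra%42", "Acgrra%42", "Ac#gr%ra%42", "Vg#5k4VrMw", "Micro%s0ft"]:
        print(f"{pw!r:16} encoded: {survives_round_trip(pw)}  "
              f"naive: {survives_round_trip(pw, encode=False)}")
```

`password_as_seen_by_server` decodes once because that is what every form parser does; a client that sends the raw string, or one that encodes twice, ends up with a different password on the server than the one the user typed, and the error surfaces as an ordinary invalid-credentials failure.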

Related

SQL error: login failed for user 'domain\user'

I have looked at many posts on this issue, but for me all the proposed solutions didn't work. I am trying to access a database with a remote user, so I am setting the connection credentials as needed. I get the error as shown in the subject of this post. I have checked all the permissions, things like that, Windows/SQL authentication, etc. Any quick ideas of another potential problem?
Presuming the user has the permission, and you have entered the password correctly as you say, then another thing to look at would be to ensure the user is authorized to access the database remotely.

Heroku: Login system - authentication loop failure

I am trying to login to my heroku account.
I keep getting an error message that says "There was a problem with your login". There are no details of what the problem is.
I tried changing my password through the forgot password action and I still get directed back around to the above error message.
I can't contact Heroku's support team because I can't login.
Has anyone found this problem and found a way around it - or even a way to contact Heroku?
I had the same problem, couldn't login even after resetting my password. I use the Last Pass chrome extension to fill in forms. When I entered the (same) credentials in manually I was able to login.
I started getting this error very recently. I believe it's linked to a recent email that I got regarding password requirement changes:
Heroku will start resetting user account passwords today, May 4, 2022, as mentioned in our previous notification. We recommend that you reset your user account password in advance here and follow the best practices below:
Minimum of 16 characters
Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol
Don't just add a letter or a 1 digit number to the existing password while changing
Passwords may not be duplicated across accounts
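The four rules quoted in that notice are easy to get wrong when a password manager generates the string (a generator set to letters and digits only never reaches three classes). The following added example (Python, not Heroku's code) checks a candidate against the length and complexity rules and flags the "just appended one character" pattern; the reading of that third rule as "old password plus or minus one character" is an assumption.

```python
# Added example (not Heroku's code): checks a candidate password against the
# rules quoted in the notice above. The interpretation of "don't just add a
# letter or a 1 digit number" as "differs from the old password by one
# appended/prepended character" is an assumption.
import string


def character_classes(pw: str) -> set:
    """Return which of the four classes (upper, lower, digit, symbol) the password uses."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def is_trivial_variant(old: str, new: str) -> bool:
    """True if new equals old or is old with one character appended or prepended."""
    if new == old:
        return True
    longer, shorter = (new, old) if len(new) >= len(old) else (old, new)
    return (len(longer) - len(shorter) == 1
            and (longer.startswith(shorter) or longer.endswith(shorter)))


def check_password(new: str, old: str = "") -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(new) < 16:
        problems.append("minimum 16 characters")
    if len(character_classes(new)) < 3:
        problems.append("need 3 of 4 classes: upper, lower, digit, symbol")
    if old and is_trivial_variant(old, new):
        problems.append("too close to previous password")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the one quoted in a later answer, and a 10-character one
    for candidate in ["51lxgpf2F52PgOBAPdAM#", "Vg#5k4VrMw"]:
        print(candidate, check_password(candidate) or "ok")
```

Run the same function on the generator's output before submitting it; the length rule is the one most generators default below.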
As mentioned elsewhere, resetting my password and ensuring LastPass included symbols resolved it.
I reset my password and it helped.
After some research I found that the LastPass auto-generated password was not strong enough per Heroku's password reset requirements.
I solved it by opening the password reset link in a different browser (in my case Safari) and entering a strong password (ex: 51lxgpf2F52PgOBAPdAM#).
I had this problem on "Opera", then I went to "Chrome" and still got the error, but in the end it worked on "Microsoft Edge". So try changing your browser to this one)

Account activation and password reset tokens

I've been working with VirtoCommerce 1.13 and I want registered users to get an email in order to confirm their account. To do so, I've activated the correct property and the email does get sent and everything, although the token part of the URL wasn't formatted properly.
I solved this by using HttpUtility.Encode and .Decode so I can both send the right token and decode it properly when a new user visits that link. So far everything works for new users, except that most of the time users trying to recover their password will get hit with "Password reset failed. Either invalid or expired token. Please try to reset password again".
The token is encoded/decoded in the same way as in the registry process. Sometimes it does work and I have no idea why or how to replicate it.
Any hints? Thank you.
EDIT: Upon further debugging, ResetPasswordWithTokenAsync returns false due to "Invalid token." error but the token itself doesn't show any signs of not being valid.
I have found the error: when using the decode function for the token upon the password reset, the token wound up getting decoded twice, which means it went from the URL-encoded format to text, and then to text again but with small changes, one of them being '+'s being converted into whitespace, which meant the tokens wouldn't match up.
EDIT: after changing this behaviour, the token wound up getting encoded twice and decoded only once, which means reverting the decode I put in there made it a bit worse.
To fix this: apparently the token for password recovery doesn't need to be encoded or decoded as in the registration process.
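The double-decode failure described in that answer is easy to reproduce outside the framework. The following added example (Python, not VirtoCommerce's code) encodes a constructed token once for the link, then decodes it once and twice; `unquote_plus` is used because, like `HttpUtility.UrlDecode`, it turns `+` into a space. A token that happens to contain no `+` survives the second decode, which is consistent with the intermittent behaviour the question describes.

```python
# Added example (Python, not VirtoCommerce's code): shows why decoding a URL-encoded
# token twice breaks comparison. unquote_plus mirrors HttpUtility.UrlDecode, which
# also turns '+' into a space. The token values are constructed for the demo.
from urllib.parse import quote_plus, unquote_plus
import hmac

ISSUED_TOKEN = "abc+def/ghi=="  # constructed; real tokens are base64 and often contain '+', '/' and '='
PLAIN_TOKEN = "abcdefghi"       # constructed; no characters that encoding touches


def encode_for_link(token: str) -> str:
    """Encode once when building the e-mail link."""
    return quote_plus(token)


def decode_from_link(value: str, times: int) -> str:
    """Decode the value received from the link `times` times (1 is correct; 2 is the bug)."""
    for _ in range(times):
        value = unquote_plus(value)
    return value


def token_matches(stored: str, received: str) -> bool:
    """Constant-time comparison of the stored token against the one from the link."""
    return hmac.compare_digest(stored.encode(), received.encode())


def reset_succeeds(token: str, decode_times: int) -> bool:
    """End-to-end: build the link value, decode it as the handler would, compare."""
    return token_matches(token, decode_from_link(encode_for_link(token), decode_times))


if __name__ == "__main__":
    link_value = encode_for_link(ISSUED_TOKEN)
    print("in link:      ", link_value)
    print("decoded once: ", decode_from_link(link_value, 1), reset_succeeds(ISSUED_TOKEN, 1))
    print("decoded twice:", decode_from_link(link_value, 2), reset_succeeds(ISSUED_TOKEN, 2))
    print("plain token, decoded twice:", reset_succeeds(PLAIN_TOKEN, 2))
```

The practical rule is that every layer that encodes must have exactly one matching decode, and the web framework's query-string parsing usually already supplies that one decode, which is why adding another in the handler breaks tokens containing `+` or `%`.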

Twitter API - Reasons for "invalid or expired token"

What are the possible reasons that can cause token to become expired (besides having the user un-authorising the app)?
My problem is that I have an app with several thousands of users, all API communication works perfectly but for some users I am getting the invalid or expired token error, my initial though was that they are users who canceled the authentication to the app but I've contacted some of them and they haven't revoked the access.
Any ideas what other issues can cause that error?
Check the integrity of an access token at any time by calling the GET account/verify_credentials while using that access token.
It's mentioned, and by research I came to know that:
Your access token will be invalid if a user explicitly rejects your
application from their settings or if a Twitter admin suspends your
application. If your application is suspended there will be a note on
your application page saying that it has been suspended.
Why is my twitter oauth access token invalid / expired ?
Check this post: invalid / expired access tokens.
There is one post in Google Groups that says:
You don't get a second chance, and this is by design. OAuth requests
have a unique signature; once a particular request is submitted, it
can't be submitted again.
If they enter the pin correctly, all is well, you get an access token.
If they enter the pin wrong, you get 401 Unauthorized - which is
expected.
But if they then try again to enter the pin, even the correct pin
shows as unauthorized.
Check this link for the above reference.
Some suggestions by twitter employee for the same problem:
I guess there are two things I would suggest at this point: 1.) Go to
your application settings and use the "Reset keys" tab to reset your
consumer key and secret, then update those values in the app and
verify that you still see the same behavior. 2.) Try passing
oauth_callback in your request_token call. Honestly I don't think this
will make a difference, but I want to try and be as rigorous as I can
here.
Also check this discussion saying:
You need to use the oauth_token and oauth_token_secret returned from
the oauth/access_token call instead of the one in your app's settings
in dev.twitter.com
I was getting the same error; then I changed (access_token) to (access_token_key) and it worked for me.
I hope it will help someone.
In addition to the comments everyone else has made, sometimes the Twitter API will return an "invalid token" error when the token isn't the problem. I've noticed it the most when I've built a request string that doesn't parse correctly. For example, once I was getting that error when I was passing in screen_names that had symbols that weren't URI-encodable. I also have gotten it when I passed in empty values like this (where the cursor is empty):
https://api.twitter.com/1/followers.json?cursor=&screen_name=whatevah
Could you give us the specifics of the calls that are returning this error?
Have you confirmed that the tokens worked at one time? In an OAuth system I worked on, there was an error in how tokens were securely stored and retrieved that caused a small percentage of them to become corrupted. If you can confirm that the tokens worked in the past, that's a good first step.
When you retrieve the tokens from storage, are they unchanged? Is it possible for them to get corrupted with the way you're managing them?
Put some logging in place to keep track of when tokens work and fail. Does a token ever start working again after it has failed once? If you fail to use a token for 30 days, does it expire? With a detailed log, you can start identifying the expired tokens and look for patterns in use to point to what might cause them to expire.
Be sure to explore other possibilities as well. How do users revoke tokens in Twitter? Is it easy to accidentally do that? For users with failed tokens, do they have other authorized apps that have stopped working as well?
First of all nice question Ran.
I want to ask whether you have gone through Twitter Developers.
Sometimes it becomes ambiguous which token to use, since Twitter provides two pairs of tokens and the library. One of them is a secret key.
You need to select the token which starts with your Twitter ID followed by a hyphen.
Now your question is that this error happens with some of your users. So here is the answer: the app itself finds it ambiguous to choose the token.
Though I might not be completely right, I recommend you try this solution at least once.
It might be possible these users have not revoked access. But in my experience an access token can also get expired after the user (in test cases: me) changed his/her password.
When the user does that, you can no longer use the REST API or Streaming API on that user's scope. Please adapt your application to handle that situation. Revoke the user's session, so when he comes back to your application, he/she can be redirected to Twitter again to start a new OAuth access token process. Or send him/her an e-mail to kindly ask to reconnect. Vimeo/Windows/... are some of the people handling expired tokens with e-mails.
Have fun!
My God's answer is correct but I will share my answer from another question explaining how it could be your computer's clock:
If your OAuth flow was working one day and failing the next, check your computer's clock. I was running a Vagrant box that somehow had its time set to the day before, which caused the Twitter API to return {"code":89,"message":"Invalid or expired token."}. This may also appear as 401 timestamp out of bounds. You can use this command to update your clock in Ubuntu:
sudo ntpdate time.nist.gov
Alternative method if ntpdate isn't available on your system:
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
If your Access Token = 738629462149844993-FcWHjfcucCLGEosyGGQ38qI******iC, then don't forget to mention the hyphen (-) followed by your USERID.
Maybe this will be helpful for you. I faced the same problem.
Please find the code snippet below:
    // Exchange the request token plus the user's verifier for an access token
    $code = $tmhOAuth->user_request(array(
        'method' => 'POST',
        'url'    => $tmhOAuth->url('oauth/access_token', ''),
        'params' => array(
            'oauth_verifier' => trim($params['oauth_verifier']),
        )
    ));
    if ($code == 200) {
        // The response body is a query string: oauth_token=...&oauth_token_secret=...
        $oauth_creds = $tmhOAuth->extract_params($tmhOAuth->response['response']);
        // echo '<pre>';print_r($oauth_creds);exit;
        // Switch the client from the request-token pair to the user's access-token pair
        $tmhOAuth->reconfigure(array_merge($tmhOAuth->config, array(
            'token'  => $oauth_creds['oauth_token'],
            'secret' => $oauth_creds['oauth_token_secret'],
        )));
        // Verify the new credentials actually work before storing them
        $code = $tmhOAuth->user_request(array(
            'url' => $tmhOAuth->url('1.1/account/verify_credentials')
        ));
    }
The error "invalid or expired token" can be linked with the fact that one is not paying.
Without paying one will only be able to create the dev environment (sandbox).
As I have answered here:
Counts is only available to paid premium accounts, and one needs to pay for premium access.
Use this link to Apply for access.
Try to regenerate the keys again and save them properly.
For me, it happened because after regenerating one of the keys I did not update the other keys. Therefore I removed and regenerated all 4 keys again (CONSUMER_KEY, CONSUMER_SECRET, ACCESS_KEY, ACCESS_SECRET), tried to execute it again, and it worked this time.

Login routine for password protected website

You are writing the login routine for a password protected website. Give examples of specific user input errors that you might want to catch, and how you might deal with them.
This is an interview question
I answered this as follows
We should add both client side errors and server side errors.
Client side error:
Check if the user put nothing in the username field. We can show a message using JavaScript that "username not entered".
Server side error:
We can check if the username does not exist in the database and throw an error message.
We can check if the password does not match the one in the database for the entered username.
Can anyone suggest? Are these the only errors we can catch?
I'd consider syntactically invalid usernames (empty; too short or too long; containing invalid characters like possibly spaces, quote marks or shell/SQL metacharacters; structurally invalid, i.e., starting with dot or number), and syntactically invalid passwords (too short or even empty, too "simple", or equal to username). All these cases you can validate client side with JS, recycling the same code for the "Creating new user, choose user and password" view.
Server side, you might have backend connection error (i.e. not being able to tell whether the user does exist -- not exactly an user error, but we might want to manage it here nonetheless), user not found, password mismatch, and possibly "login disabled" (this is quite common on auto-create-user website: the login exists but must be validated by clicking on a link sent through email. Then again, one might want to place these "not-yet-users" in a storage apart to avoid clogging/churning on the real user database). Of course you might also want to add a special disable state and message ("Your membership fee is overdue"). Other additional "errors" and "warnings" may be added here, e.g. "You're not logging from your usual IP block(s) [, would you mind answering this security question?]" or "password expired, choose another password".
IMO, the main issue (assuming SQL as the database for the users and password) is SQL Injection, that for example adds a specific user as an admin access.
Dealing with it can be done using libraries on the server side to handle all user input — rather than trying to do it on your own.
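The two answers above separate syntactic input errors from account-state errors and point at SQL injection as the main risk in the lookup. The following added example (Python with an in-memory SQLite table, not any poster's code) puts those pieces together in one login routine: input is validated before the database is touched, the lookup is a parameterized query so the username is bound as data rather than spliced into the SQL text, passwords are compared via a salted hash, and each failure gets an internal reason code. The username policy in `USERNAME_RE` and the sample users are constructed assumptions.

```python
# Added example (not the asker's answer): a login routine that separates
# syntactic input errors (checked before touching the database) from account
# errors, and looks the user up with a parameterized query so the username can
# never alter the SQL. The users and the username policy are constructed.
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed policy: starts with a letter, 3..32 chars, letters/digits/underscore/dot only
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.]{2,31}$")


def validate_input(username: str, password: str) -> list:
    """Syntactic checks (usable client-side in JS as well); returns the problems found."""
    problems = []
    if not username:
        problems.append("username not entered")
    elif not USERNAME_RE.match(username):
        problems.append("username has invalid length or characters")
    if not password:
        problems.append("password not entered")
    elif len(password) < 8:
        problems.append("password too short")
    elif password == username:
        problems.append("password equals username")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the table never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample user table: one active account, one disabled one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, disabled INTEGER)")
    for name, pw, disabled in [("alice", "correct horse battery", 0), ("bob", "hunter2hunter2", 1)]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, hash_password(pw, salt), disabled))
    return db


def login(db: sqlite3.Connection, username: str, password: str) -> tuple:
    """Return (success, reason). The reason is for logs; show the user one generic message."""
    problems = validate_input(username, password)
    if problems:
        return False, "input: " + "; ".join(problems)
    # Parameterized query: the username is bound as data, not spliced into the SQL text.
    row = db.execute("SELECT salt, pw_hash, disabled FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        return False, "user not found"
    salt, pw_hash, disabled = row
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return False, "password mismatch"
    if disabled:
        return False, "login disabled"
    return True, "ok"


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse battery"), ("alice", "wrong password!"),
                     ("bob", "hunter2hunter2"), ("carol", "whatever123"), ("", "x")]:
        print(repr(user), login(db, user, pw))
```

The distinct reason codes ("user not found" versus "password mismatch") belong in the server log, not in the response: the message shown to the user should be the same for both, otherwise the login form tells anyone which usernames exist.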