Users stuck in password reset loop

We are running Metabase 0.48.0 docker image (free version) on Linux Ubuntu Jammy 22.04.
Postgres is used as the configuration database.

Our problem: At least two users and possibly more are stuck in an endless password reset cycle:

  1. Get invitation email
  2. Create password and sign in for the first time
  3. Use Metabase and sign out
  4. Attempt to sign in again. Password invalid. This is the logger message (default logging options only):
  5. Choose password reset option.
  6. Follow link in password reset email. Reset password and sign in to Metabase.
  7. Repeat from 3.

This has been repeated enough times by competent individuals for it not to be a simple matter of not typing passwords correctly.

Other users are fine.

I have attempted to reset the users' passwords from the admin console, which didn't work.
I am at a loss as to how to resolve this problem. Does anyone have any pointers?

Below are more details about my setup. Note that password complexity is set to strong. Please let me know of other details required:

Compose yaml:

version: '3.9' 

services: 

  metabase: 
    image: metabase/metabase:latest 
    container_name: metabase 
    hostname: metabase 

    volumes: 
    - /dev/urandom:/dev/random:ro 

    ports: 
      - 3000:3000 

    environment: 
      MB_DB_TYPE: postgres 
      MB_DB_DBNAME: metabase 
      MB_DB_PORT: 5432 
      MB_DB_USER_FILE: /run/secrets/db_user 
      MB_DB_PASS_FILE: /run/secrets/db_password 
      MB_DB_HOST: postgres 

    env_file: 
      - metabase.env 

    healthcheck: 
      test: curl --fail -I http://localhost:3000/api/health || exit 1 
      interval: 15s 
      retries: 5 
      start_period: 10s 
      timeout: 5s 

    networks: 
      - metanet1 

    depends_on: 
      - postgres 

    secrets: 
      - db_password 
      - db_user 

  postgres: 
    image: postgres:latest 
    container_name: postgres 
    hostname: postgres 

    environment: 
      POSTGRES_USER_FILE: /run/secrets/db_user 
      POSTGRES_DB: metabase 
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password 

    healthcheck: 
      test: ['CMD', 'pg_isready', '-U', 'postgres'] 

    volumes: 
      - ./postgresql:/var/lib/postgresql/data 

    networks: 
      - metanet1 

    secrets: 
      - db_password 
      - db_user 

networks: 
  metanet1: 
    driver: bridge 

secrets: 
   db_password: 
     file: db_password.txt 
   db_user: 
     file: db_user.txt 

env file:

MB_SITE_URL=[censored] 
MB_SITE_NAME="MetabaseNew" 
MB_ADMIN_EMAIL=[censored]
MB_EMAIL_FROM_ADDRESS=[censored] 
MB_EMAIL_FROM_NAME=Metabase(new) 
MB_EMAIL_SMTP_HOST=192.168.[censored] 
MB_EMAIL_SMTP_PORT=25 
MB_EMAIL_SMTP_SECURITY=[censored]  

MB_ENCRYPTION_SECRET_KEY=[censored]  
MB_ANON_TRACKING_ENABLED=false 
MB_APPLICATION_NAME=Cottonsoft Metabase (New) 
MB_PASSWORD_COMPLEXITY=strong

Can you try the same flow but copying and pasting the password they enter when they reset it? I need the users to see the password they're typing.

I will try this and get back to you

Hi Luiggi, we have tried copying+pasting as you suggested, but it doesn't work. So there is something else going on.

Does anyone have any suggestions?

Your browser is inserting weird characters? Does this happen to all users or to a subset?

Just to a subset, and I don't think it's likely that strange characters are being inserted.

Is there a way to delete and re-add the user?

Would changing the password policy help?

Try changing the password policy first, although I don’t believe that will work.

To delete the user you can deactivate those from the user panel in the admin, although they won’t be deleted but just deactivated. Try adding those with new emails.

We are having the same issue, running Metabase on Cloudron. User resets password successfully, and new password does not work. Have tried copy and pasting into a text file to make sure it's not a typing issue. Simply put, they can reset their password, but the new password never works.

Note - we also recently enabled the strong password policy, which is one reason we're forcing resets on everyone.

Version info

"version": {
      "date": "2024-03-28",
      "tag": "v0.49.2",
      "hash": "4b83b88"
    },

Try checking if the password is sent to the backend via the network log in the browser
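
The network-log check suggested above can be done offline from a HAR export of the browser's network tab. The following is an added example, not part of the original thread and not Metabase code: it compares the password submitted at reset with the one submitted at login without printing either. The two endpoint paths are assumptions to confirm against your own log, and the sample HAR is constructed.

```python
import hashlib
import json
import unicodedata

# Assumed Metabase API paths; confirm them against your own network log.
RESET_PATH, LOGIN_PATH = "/api/session/reset_password", "/api/session"

# Constructed sample: the login request carries a trailing no-break space.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://metabase.example/api/session/reset_password",
                 "postData": {"text": json.dumps({"token": "PLACEHOLDER", "password": "Corr3ct!Horse"})}}},
    {"request": {"method": "GET", "url": "https://metabase.example/api/user/current"}},
    {"request": {"method": "POST", "url": "https://metabase.example/api/session",
                 "postData": {"text": json.dumps({"username": "user@example.com", "password": "Corr3ct!Horse\u00a0"})}}},
]}}


def submitted_passwords(har):
    """Collect the password field of reset and login POST bodies, in order."""
    found = {"reset": [], "login": []}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        path = req["url"].split("?", 1)[0].rstrip("/")
        kind = "reset" if path.endswith(RESET_PATH) else "login" if path.endswith(LOGIN_PATH) else None
        text = req.get("postData", {}).get("text")
        if req["method"] == "POST" and kind and text:
            body = json.loads(text)
            if isinstance(body, dict) and "password" in body:
                found[kind].append(body["password"])
    return found


def describe(pw):
    """Summarise a password without echoing it."""
    raw = pw.encode("utf-8")
    odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}" for c in pw if not 33 <= ord(c) <= 126]
    return {"chars": len(pw), "bytes": len(raw), "sha256_prefix": hashlib.sha256(raw).hexdigest()[:12],
            "nfc_stable": unicodedata.normalize("NFC", pw) == pw, "suspicious": odd}


def compare(har):
    """Compare the last password set via reset with the last one sent at login."""
    pws = submitted_passwords(har)
    if not pws["reset"] or not pws["login"]:
        raise ValueError("HAR must contain both a reset and a login request")
    reset, login = pws["reset"][-1], pws["login"][-1]
    return {"identical": reset == login, "reset": describe(reset), "login": describe(login)}


if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_HAR), indent=2))
```

A HAR export of these requests contains the passwords in clear text, so run the comparison locally and delete the file afterwards.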