#3005 - App unable to reset password after 16 hours
Issue reported by user to user support staff.
Have not confirmed the app version or whether they are an iOS user, but their email address is an iCloud account (larrymail55@icloud-com), I found their email address in the iOS section of the Firebase Realtime Database, and they created their app account after the 0.8.0 was (April 5th).
User report
April 6th:
Tried to reset password 3 times and got a message like “Only three bad requests are allowed. Additional attempts will be possible within 16 hours”
April 7th:
After waiting 16 hours he tried to reset password again and got the same error message. He then called us. Admin reset his password and he was able to log into the app. After logging into the app he tried to change his password and got the same error message.
I originally thought this was an app issue, but clarified it was a server-side issue.
Comments from the original Jira ticket below:
Milan: It feels to me this message and security feature comes from the server. I don’t think we have these timers in the mobile apps. Would you please ask Jan? Or we can discuss it at the meeting …
Zac: Sure, I’ll ask Jan. I also expected this to be implemented on the server side, but when I looked at the code base I didn’t see anything on the server side; I found this in the Android repo (I had trouble updating my iOS repo).
\app\src\main\res\values\strings.xml
<string name="change_password_wrong_password_limit">Only three bad requests are allowed. Additional attempts will be possible within 16 hours.</string>
Milan: Ok, then we will check the logic in the app.
Andrew Hanchak, is the same text in the iOS app? When is it shown?
Andrew: The password reset issue is not related to the app. The password resetting happens on the web site. The app just calls an API, which results in the server sending a link for a password reset to the user's email. The link redirects to the web site. No app interaction in this case.
Same for the change password, app only calls the API for changing the password. User inputs current (old) and new password.
According to Jan, the 16 hours behaviour is implemented on the server side.