Bug report: Netlify Identity password is unrecoverable if it fails the first time

I am starting this thread to discuss two issues I describe in the netlify-identity-widget GitHub repo. These two issues are not on the widget, but on the Netlify Identity service, and so are more appropriate here. Combined with the other widget issues described in the GitHub issue, they make Netlify Identity borderline unusable.

  1. A Netlify Identity cannot have recovery triggered from the Netlify UI more than once (e.g. to generate a new recovery token / link)
  2. The Netlify UI does not allow admins to set the passwords of the users manually

I consider this a high priority bug report due to the result:

=> the whole account is royally screwed and a new account must be created


Going back to 1.,

A Netlify Identity cannot have recovery triggered from the Netlify UI more than once

Why is this (is there a technical limitation)? Is it by design (terrible design imo)? As an aside, the button is not disabled after the first use, giving users the wrong impression (that it can be used again).

On 2.,

The Netlify UI does not allow admins to set the passwords of the users manually

I realize this is a feature request but since it contributes to this problem of making Netlify Identity accounts unrecoverable, I consider it a bug.

Are you sure that you cannot request a new reset once you have let some time pass? I think we won’t re-send any identity email to the same address quickly - I recommend you try waiting 30 minutes to see if you can send the reset email again.

Can you help me understand how often you need to do this, that this one missing feature makes the entire service “borderline unusable”? The other thousands of folks who use it successfully (me included) might disagree 🙂

Oh of course, I forgot to wait 30 minutes. I also restarted my computer because that was probably also a problem.

It does work if you wait - suggesting some kind of rate limiting. This makes more sense. There is no indication of a rate limit.

I was developing. There is no practical reason anyone should need to initiate recovery so often.

Yes, if it didn’t resend at all, which is the premise I created this issue on, accounts would be rendered unrecoverable, and that would make it borderline unusable in my opinion.