ArrayIndexOutOfBoundsException when trying to update/reset user password via API

Victor Butler, a year ago

Hi,

May I ask for advice on how to update/reset the user pass via API? Btw, there is no reference for password reset on the official API documentation so I was checking the network requests from the official app.

Similar to the official app, I am first running http post for /api/password/reset and I get the token string sent to the user email. So far so good.

Now, the issue is when I try to run the http post for /api/password/update, this is the error:

source index -80 out of bounds for byte[115] - ArrayIndexOutOfBoundsException (... < CryptoManager:73 < TokenManager:69 < PasswordResource:78 < ...).

I thought it's something related to the HTTP Request Headers so I copied what official traccar sends 1 on 1 but still the same error. This is the request that I am sending:

Example Request

The only guess left is that I am doing something wrong with the session cookie id - I currently get this by running /api/server just before the http update request and pass it from the /api/server response to the /api/password/update request.

Any help to identify the issue will be appreciated!

Anton Tananaev, a year ago

It seems to me that the token is invalid.

Victor Butler, a year ago

It's the very same token sent to the email, copy-pasted.
The only difference is that the official traccar is getting the token from the https://demo.traccar.org/reset-password?passwordReset=token and then calling the /api/password/update, while I am directly providing the token in the /api/password/update request.

Is there anything special about the https://demo.traccar.org/reset-password?passwordReset=token that I am missing? As far as I can see it serves only as getter for the token and the cookie id.

Anton Tananaev, a year ago

There should be no difference if your API request matches what the official Traccar app sends.

Victor Butler, a year ago

Looking at the update HTTP request there is no difference - headers are all the same. Is there any encoding applied to the token that I am missing?

Anton Tananaev, a year ago

No. You need to use it exactly as you get it.

Victor Butler, a year ago

In the meantime, I tried the same steps with the official traccar api and I get the same error. So something in my logic is not quite right. Here are the steps I did:

  1. On traccar demo, I request a password reset via modern API.
  2. Link is sent to the email account.
  3. I get the token from the email and I send a manual HTTP request via api: https://demo.traccar.org/api/password/update.
  4. I included all headers as in the screenshot above.
  5. Cookie is set manually to the same session cookie as in the password reset request.
  6. Token and password are hard coded.
  7. Content type, referer and origin are all set correctly.
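The two-step flow described in the steps above, written out as an added example (not code from the thread or from the Traccar project). It keeps one cookie jar across both requests and takes the token from the emailed reset link the same way the web page does, instead of copying it by hand; the form field names email, token and password, and the form-encoded request bodies, are assumptions not stated in the thread.

```python
# Added example, not from the thread or from Traccar.
# Assumed: the two endpoints take application/x-www-form-urlencoded bodies with
# fields "email" (reset) and "token" / "password" (update).
import http.cookiejar
import urllib.parse
import urllib.request

BASE_URL = "https://demo.traccar.org"  # server named in the thread


def token_from_reset_link(link: str) -> str:
    """Return the passwordReset query value exactly as the reset page reads it.

    parse_qs URL-decodes the value once, so a token that was percent-encoded
    in the emailed link (e.g. '+' as %2B, '=' as %3D) comes back intact.
    """
    query = urllib.parse.urlparse(link).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    values = params.get("passwordReset")
    if not values or not values[0]:
        raise ValueError("link carries no passwordReset parameter")
    return values[0]


def make_session() -> urllib.request.OpenerDirector:
    """Opener that keeps cookies across requests, like one browser session."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def post_form(opener: urllib.request.OpenerDirector, path: str, fields: dict) -> int:
    """POST form-encoded fields to BASE_URL + path and return the HTTP status."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        BASE_URL + path, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener.open(req) as resp:
        return resp.status


def request_reset(opener, email: str) -> int:
    """Step 1: ask the server to email a reset link for this account."""
    return post_form(opener, "/api/password/reset", {"email": email})


def complete_reset(opener, reset_link: str, new_password: str) -> int:
    """Step 3: submit the token from the emailed link with the new password."""
    token = token_from_reset_link(reset_link)
    return post_form(opener, "/api/password/update",
                     {"token": token, "password": new_password})
```

Run request_reset first, wait for the email, then pass the link it contains to complete_reset using the same opener so the session cookie carries over.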