Account Recovery

Hi team,

Who knows if the account recovery feature in DHIS2 actually works?

  1. I set up user accounts with their respective email addresses

  2. Also under ‘System Settings’ I enabled ‘user account recovery’

  3. For each user, under ‘User Settings’, I enabled ‘message email notifications’.

But when I attempt email recovery by clicking ‘Forgot Password’, and entering username, the page is not responsive and upon viewing the console log, I find this error:

I am currently on v2.39.2. Not sure if I’m missing out any step. Any help on this will be appreciated.

I’m not sure the CSP directive (content security policy) is something sent by default by dhis2. I would assume your administrator has put one at nginx level or another proxy (like cloudfront).

This policy directive needs to be “adjusted” so the page works.
Or some content has actually been injected, so I guess the best answer is for your admin/security officer to review the error message and the content violating the policy.

1 Like

Thanks @Quoda and @Stephan_Mestach!

@Quoda please see @Stephan_Mestach’s post.

Additionally, do you have any extensions in your browser that might be causing this issue? Could you try using your browser’s Guest mode (Browse Chrome as a guest - Computer - Google Chrome Help)? And if it still doesn’t work, would you try in a clean installation (maybe using How to spin up a DHIS2 local instance | DHIS2 Developer Portal to quickly have one up and running, but you’d still need to configure the SMTP to send/receive the email reset request)…

Hi @Stephan_Mestach
Thanks for the quick response.
I found the resource on ‘CSP Header Quick Reference’ really helpful.
I’m running the server myself and will have to implement this myself. From what I found, by default the browser is automatically blocking inline scripts because a Content-Security-Policy header is defined. Also, from the error message I shared above, it looks like the Content Security Policy is defined somewhere in my dhis2 setup but I cannot find it in my apache-dhis2.conf and dhis2.conf files (still searching).

@Gassim Thank you for the suggestions. I tested this in Guest mode but the ‘Recover’ button still does not work. At this point I believe the ‘Recover’ button is not working in my instance (probably blocked by the CSP) and so there are no requests made to the server when I click.

1 Like
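
The inline-script blocking discussed in this thread can be checked mechanically. The following is an added example, not part of any post above and not DHIS2 code: it evaluates whether a given Content-Security-Policy value lets inline scripts run, and which directive decides. The function names are hypothetical and the policy strings are constructed samples; paste in the header value your own server returns.

```javascript
// Added example. Policy strings used with these functions are constructed samples.

// Parse one CSP policy into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Verdict for inline <script> blocks under a single policy.
function inlineScriptVerdict(policy) {
  const csp = parseCsp(policy);
  // Fallback chain for script elements: script-src-elem -> script-src -> default-src.
  const directive = ["script-src-elem", "script-src", "default-src"].find((d) => csp.has(d));
  if (!directive) {
    return { allowed: true, directive: null, reason: "no directive governs scripts" };
  }
  const sources = csp.get(directive).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) {
    // When a nonce or hash is listed, browsers ignore 'unsafe-inline'.
    return { allowed: false, directive, reason: "only scripts matching the nonce/hash run" };
  }
  if (sources.includes("'unsafe-inline'")) {
    return { allowed: true, directive, reason: "'unsafe-inline' is present" };
  }
  return { allowed: false, directive, reason: "no 'unsafe-inline', nonce or hash" };
}

// Several policies can apply at once (for example one from the application and
// one from a proxy, or a comma-joined header). Every policy must allow the script.
function inlineScriptsRun(headerValues) {
  return headerValues
    .flatMap((h) => h.split(","))
    .every((p) => inlineScriptVerdict(p).allowed);
}
```

If two layers each send a policy, the stricter one decides, so comparing the header seen directly on the application port with the one seen through the proxy shows which layer to review.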