Ghost(Pro) lockout - multiple password reset attempts

Fill out the following bug report template with as much detail as possible!

Are you sure this is a bug? If you just need help, post in the developer help category. If it’s a feature request, head to the ideas category.

Issue Summary

• Explain roughly what’s wrong
  The site in question is tofugametips.ghost.io (which also has a .com domain attached to it though it’s currently having issues with cloudflare’s DNS ATM). I was running adblock but I’ve whitelisted this domain. Whenever I try to reset my password it appears that the attempt is successful, and it attempts to log me in after the reset is complete but can’t complete the request because of the lockout time due to too many attempted logins.
• What did you expect to happen?
  The password to reset, with me able to login after instead of waiting for the timeout due to too many login attempts.

Steps to Reproduce

1. Navigate to signin page.
2. Attempt login
3. Login fails - but says to reset password to bypass the request lockout. So I proceed to request a password reset.
4. Go to my email, open the link from and change my password.
5. Because nothing happens at this point, I return to Ghost Admin and attempt to sign in again.
6. Login fails due to too many attempted logins.

Setup information

Ghost Version
Share which version of Ghost you’re using.

Ghost Pro (web admin portal )

Provide details of your host & operating system
Include further details about your hosting and OS.

Database type
MySQL 5.7 / MySQL 8 / SQLite 3 / Other
N/A

Browser & OS version
Version 115.0.5790.99 (Official Build, ungoogled-chromium) (64-bit)

Relevant log / error output

json request when resetting password:

  "password_reset": [
    {
      "newPassword": "N0tR3alLyMyn3Wp@s$wOrD",
      "ne2Password": "N0tR3alLyMyn3Wp@s$wOrD",
      "token": "SuperLoooooooooooooooooooooo0o0o0o0o0ongToken"
    }
  ]
}

response:

{password_reset":[{"message":"Password changed successfully."}]}

The page then attempts to re-direct me to via {mysite}/api/admin/session but returns with the error:

{"errors":[{"message":"Too many login attempts. Please wait 30 minutes before trying again, or reset your password.","context":"Too many login attempts.","type":"TooManyRequestsError","details":null,"property":null,"help":"Too many login attempts.","code":null,"id":"78b0f3a0-3310-11ee-87fa-934735dc9535","ghostErrorCode":null}]}

That’s weird. If it tells you to reset your password, you’d think that’d work. It’s possible that functionality isn’t super well tested, because it’d be rare to hit the password lockout on the admin side… .

This seems like the sort of thing you might need to contact Ghost Pro support about if waiting out the half hour doesn’t fix it.

And welcome to the forum! There are some Ghost Pro folks who post here, but mostly it’s community support.

Thanks for the reply, I ended up just turning off my DNS over HTTPS in my browser. No clue what the disconnect was between the server and my DNS but it works for now.

Oh and thanks for having me on the forum! I recently setup one of my old laptops with Ubuntu Jellyfish Server that I’m using to host the comment engine on my page but I’ve definitely thought about self-hosting the site if possible using VuePress. The pro themes(and the free trial) are the only thing keeping me on the pro plan at the moment mostly because the CSS I often try creating makes people’s eyes bleed.

You still get all the free themes if you decide to self-host! :)

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.