Bug in password change form?

I’m trying to use anvil.users.change_password_with_form() to allow users to change their password when they’re logged into the site.

In the real app I use an if statement so that if a password hash already exists, they have to enter their current password, too. But if a password hash doesn’t already exist, they can just enter the new password. This is done using:

anvil.users.change_password_with_form(require_old_password=False)

Unfortunately it doesn’t work. It always says Invalid Password no matter what I enter for the new passwords.

Is this a bug? Something I’m doing wrong? Here’s a simple app that lets you log in to create a user, and then buttons for showing the two different password reset forms.

https://anvil.works/build#clone:V5OJSQCQMNW2WUFM=265JCMFD6FFSE7CY36UPCCT2

To recreate the issue, login with a Google account, and then click Change Password Without Current. That’ll pop up the password change form with only the new password and confirmation fields. Enter matching passwords in and click Reset.


Hi @jshaffstall,

Thanks for reporting this and adding a clone link. I have raised this as a bug to be fixed.

Thanks,
Ryan


Have there been any updates on this front?

I seem to be getting an error that my user table is not writable from the client side. Which makes sense to me.

I’m still getting my original error, so for me it isn’t even getting to the point of trying to write to the user table.

Any updates on this bug? I just tried the clone that shows the bug and the clone still has the original issue, where it always says Invalid Password.

Any updates on this? The issue is still around. :frowning:


I just tried this and I am getting an Invalid Password. Is there an update here?

As far as I know, this still does not work. However, the workaround is for people with Google/Facebook accounts to reset their password. That gives them a local Anvil login to use.

Has this been fixed, by any chance? I started looking into it and it all appears to be working just fine!

I just tried it with the test app I put in the original post, and it still fails to change the password when you don’t force the user to enter their current password.


Hi all,

An update here: This behaviour is mostly not a bug, but is there for security reasons – if the user doesn’t already have a password, then they should not be able to set one without reauthenticating (by receiving an email, i.e. the reset flow). Otherwise I could log into an app with Google, some random person could sit down at my unattended terminal, and set a password they could use to access my account forever, without my even being aware of it. Bad news.

So the correct behaviour is, if the user doesn’t have a password already set, the only way they can set one is by going through the reset flow. If they do have one set, they may change it.

If, despite the concerns raised above, you want to implement the behaviour where a user can set a password without having one, you will want to implement it yourself - an alert with a hidden-text textbox that then passes the password to a server function that changes the password, specifying require_old_password=False. (require_old_password=False will, of course, not be respected in client code – untrusted code can’t just ask to bypass a security constraint!)

We’ll be working to update our APIs to make this clearer: to throw useful errors, and for configure_account_with_form() to offer the reset option if the user doesn’t have a password already.

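The policy described in the post above (no password set means the reset flow is the only way to get one; the "skip the old password" flag is honoured only in trusted server code), shown as an added example. This is not Anvil's code: the in-memory `User` store, the PBKDF2 hashing (standing in for bcrypt), and the `client_change_password` / `begin_reset` / `complete_reset` functions are all constructed here to illustrate the design, not names from the `anvil.users` API.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the Users table (not Anvil's code). 'password_hash'
# is None for a user who has only ever logged in with Google. PBKDF2 from the
# standard library stands in for the real bcrypt hash.


@dataclass
class User:
    email: str
    password_hash: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    reset_token: Optional[str] = None  # in a real app this is emailed to the user


class AuthenticationError(Exception):
    pass


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _verify(user: User, password: str) -> bool:
    if user.password_hash is None:
        return False
    return hmac.compare_digest(user.password_hash, _hash(password, user.salt))


def change_password(user: User, new_password: str, old_password: Optional[str] = None,
                    require_old_password: bool = True) -> None:
    """Trusted, server-only primitive. Only server code chooses the flag."""
    if require_old_password:
        if user.password_hash is None:
            # A Google-only user has nothing to re-authenticate with here;
            # they must prove account ownership via the emailed reset flow.
            raise AuthenticationError("No password set; use the password reset flow")
        if old_password is None or not _verify(user, old_password):
            raise AuthenticationError("Invalid password")
    user.salt = os.urandom(16)
    user.password_hash = _hash(new_password, user.salt)


def client_change_password(session_user: User, old_password: str, new_password: str) -> str:
    """The function exposed to the browser. The flag is fixed rather than a
    parameter, so untrusted client code has no way to ask for it to be False."""
    change_password(session_user, new_password, old_password, require_old_password=True)
    return "password changed"


def begin_reset(user: User) -> str:
    """Server mints a token and (in a real app) emails it. Returned here only
    so the example can complete the flow offline."""
    user.reset_token = secrets.token_urlsafe(32)
    return user.reset_token


def complete_reset(user: User, token: str, new_password: str) -> str:
    """Possession of the emailed token is the re-authentication, so here the
    server may legitimately skip the old-password check."""
    if user.reset_token is None or not hmac.compare_digest(user.reset_token, token):
        raise AuthenticationError("Invalid or expired reset token")
    user.reset_token = None  # single use
    change_password(user, new_password, require_old_password=False)
    return "password set"


def demo() -> dict:
    """Walk through the thread's scenario; returns the outcomes for inspection."""
    results = {}
    alice = User(email="alice@example.com")  # logged in with Google, no password

    # 1. The situation in the original post: no password yet, so the
    #    client-facing change fails regardless of what is typed.
    try:
        client_change_password(alice, "", "NewPassw0rd!")
    except AuthenticationError as e:
        results["change_without_password"] = str(e)

    # 2. The supported path: prove ownership with the reset token, then set one.
    token = begin_reset(alice)
    results["reset"] = complete_reset(alice, token, "NewPassw0rd!")

    # 3. With a password set, changing it requires the current one.
    try:
        client_change_password(alice, "wrong-guess", "Another1!")
    except AuthenticationError as e:
        results["wrong_old"] = str(e)
    results["correct_old"] = client_change_password(alice, "NewPassw0rd!", "Another1!")
    results["final_login_ok"] = _verify(alice, "Another1!")
    return results
```

The point of the split is that `change_password` is never callable from the client directly; the browser only ever reaches `client_change_password`, whose signature does not even have a `require_old_password` argument, so the "Invalid Password" result in the original post is the server refusing to let a password-less account acquire a password without the emailed reset step.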

The workaround has been working fine for me.

You may want to remove the require_old_password argument from anvil.users.change_password_with_form(), since it’s designed to never work when set to False.
