We are setting up a new site for our CANUSB product shop (currently at https://canusb-shop.com) using OpenCart 3.x. While testing various functions, I found that when using the “forgotten password” feature, the system correctly sent a recovery email with a link, but clicking the link resulted in an error message:
Password reset code is invalid or was used previously!
Searching for the errors on the web did not result in promising fixes. There are some similar problems with OpenCart 2.x but the issues do not apply. Certainly, the fixes do not help.
Time to do some bug chasing myself then. To send a reset code, OC sends a randomly generated string as a validating code. Looking at the sent email carefully, I noticed something wonky:
Do you see it? The words “The IP” do not have a space in front, and “The” became part of the code, so when the link is clicked, the incorrect code is posted to the server and the server rejects it.
The fix is simple: edit the file catalog/controller/mail/forgotten.php in the OpenCart installation directory and change the following line:
$data['reset'] = str_replace('&amp;', '&', $this->url->link('account/reset', 'code=' . $args[1] . ' ' /* rfm add space to protect the code */, true));
Basically, add " . ' '" after "$args[1]" to add a space ('.' is the PHP string concatenation character).
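The failure described above can be reproduced outside OpenCart. The following is an added example, not code from OpenCart or from the original post: it approximates a mail client's plain-text auto-linking (a URL runs until the first whitespace) and compares the code that a click would submit with the code that was issued. The shop URL, the sentence after the link, the IP address and the function name clicked_code are constructed for illustration.

```php
<?php
// Constructed sample values; none are taken from the page or from OpenCart.
$issued = bin2hex(random_bytes(20));   // stand-in for the stored reset code
$link   = 'https://shop.example/index.php?route=account/reset&code=' . $issued;
$next   = 'The IP used to make this request was: 203.0.113.7';

// Approximates plain-text auto-linking in a mail client: the URL is
// everything from the scheme up to the first whitespace character.
function clicked_code(string $body): ?string
{
    if (!preg_match('~https?://\S+~', $body, $m)) {
        return null;
    }
    parse_str((string) parse_url($m[0], PHP_URL_QUERY), $query);
    return $query['code'] ?? null;
}

// The same mail text rendered without and with a separator after the link.
$bodies = [
    'no separator'   => $link . $next,
    'trailing space' => $link . ' ' . $next,
];

foreach ($bodies as $label => $body) {
    $code = clicked_code($body);
    // Constant-time comparison, as a server should use for reset codes.
    $ok = $code !== null && hash_equals($issued, $code);
    printf(
        "%-15s submitted code length %d -> %s\n",
        $label,
        strlen((string) $code),
        $ok ? 'accepted' : 'rejected'
    );
}
```

Without the separator, the submitted code carries the extra characters from the following sentence and fails the comparison; with the space, the submitted code matches the issued one.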