Yesod.Auth.Email setting password always returns "Passwords did not match, please try again"

Question

Currently trying to set up Yesod.Auth.Email, but running into a bit of a problem after getting the verification url.

On the "Set password" page (with "New password" and "Confirm"), after entering the password and the same in the confirmation box, it always returns "Passwords did not match, please try again".

This is the request that is logged,

POST /auth/page/email/set-password
  Params: [("_token","wcpv0LhJfy"),("new","1234"),("confirm","1234")]
  Request Body: _token=wcpv0LhJfy&new=1234&confirm=1234
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Status: 303 See Other 0.002459s

Showing that they should indeed match.

Looking into the source code for the handler postPasswordR it's not entirely clear to me why it fails, since this isn't something you overwrite in instance YesodAuthEmail App?

A Minimal Example

Taken straight from the email-auth section in the Yesod book, and saved as Main.hs,

{-# LANGUAGE DeriveDataTypeable #-}
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE GADTs #-}
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
{-# LANGUAGE MultiParamTypeClasses #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
{-# LANGUAGE TemplateHaskell #-}
{-# LANGUAGE TypeFamilies #-}

import Control.Monad (join)
import Control.Monad.Logger (runNoLoggingT)
import Data.Maybe (isJust)
import Data.Text (Text, unpack)
import qualified Data.Text.Lazy.Encoding
import Data.Typeable (Typeable)
import Database.Persist.Sqlite
import Database.Persist.TH
import Network.Mail.Mime
import Text.Blaze.Html.Renderer.Utf8 (renderHtml)
import Text.Hamlet (shamlet)
import Text.Shakespeare.Text (stext)
import Yesod
import Yesod.Auth
import Yesod.Auth.Email

share
  [ mkPersist
      sqlSettings
      { mpsGeneric = False
      }
  , mkMigrate "migrateAll"
  ]
  [persistLowerCase|
User
    email Text
    password Text Maybe -- Password may not be set yet
    verkey Text Maybe -- Used for resetting passwords
    verified Bool
    UniqueUser email
    deriving Typeable
|]

data App =
  App SqlBackend

mkYesod
  "App"
  [parseRoutes|
/ HomeR GET
/auth AuthR Auth getAuth
|]

instance Yesod App
         -- Emails will include links, so be sure to include an approot so that
         -- the links are valid!
                                 where
  approot = ApprootStatic "http://localhost:3000"

instance RenderMessage App FormMessage where
  renderMessage _ _ = defaultFormMessage

-- Set up Persistent
instance YesodPersist App where
  type YesodPersistBackend App = SqlBackend
  runDB f = do
    App conn <- getYesod
    runSqlConn f conn

instance YesodAuth App where
  type AuthId App = UserId
  loginDest _ = HomeR
  logoutDest _ = HomeR
  authPlugins _ = [authEmail]
  -- Need to find the UserId for the given email address.
  getAuthId creds =
    runDB $
    do x <- insertBy $ User (credsIdent creds) Nothing Nothing False
       return $
         Just $
         case x of
           Left (Entity userid _) -> userid -- newly added user
           Right userid -> userid -- existing user
  authHttpManager = error "Email doesn't need an HTTP manager"

instance YesodAuthPersist App

-- Here's all of the email-specific code
instance YesodAuthEmail App where
  type AuthEmailId App = UserId
  afterPasswordRoute _ = HomeR
  addUnverified email verkey =
    runDB $ insert $ User email Nothing (Just verkey) False
  sendVerifyEmail email _ verurl
                          -- Print out to the console the verification email, for easier
                          -- debugging.
   = do
    liftIO $ putStrLn $ "Copy/ Paste this URL in your browser:" ++ unpack verurl
    -- Send email.
    liftIO $
      renderSendMail
        (emptyMail $ Address Nothing "noreply")
        { mailTo = [Address Nothing email]
        , mailHeaders = [("Subject", "Verify your email address")]
        , mailParts = [[textPart, htmlPart]]
        }
    where
      textPart =
        Part
        { partType = "text/plain; charset=utf-8"
        , partEncoding = None
        , partFilename = Nothing
        , partContent =
          Data.Text.Lazy.Encoding.encodeUtf8
            [stext|
                    Please confirm your email address by clicking on the link below.

                    #{verurl}

                    Thank you
                |]
        , partHeaders = []
        }
      htmlPart =
        Part
        { partType = "text/html; charset=utf-8"
        , partEncoding = None
        , partFilename = Nothing
        , partContent =
          renderHtml
            [shamlet|
                    <p>Please confirm your email address by clicking on the link below.
                    <p>
                        <a href=#{verurl}>#{verurl}
                    <p>Thank you
                |]
        , partHeaders = []
        }
  getVerifyKey = runDB . fmap (join . fmap userVerkey) . get
  setVerifyKey uid key = runDB $ update uid [UserVerkey =. Just key]
  verifyAccount uid =
    runDB $
    do mu <- get uid
       case mu of
         Nothing -> return Nothing
         Just u -> do
           update uid [UserVerified =. True]
           return $ Just uid
  getPassword = runDB . fmap (join . fmap userPassword) . get
  setPassword uid pass = runDB $ update uid [UserPassword =. Just pass]
  getEmailCreds email =
    runDB $
    do mu <- getBy $ UniqueUser email
       case mu of
         Nothing -> return Nothing
         Just (Entity uid u) ->
           return $
           Just
             EmailCreds
             { emailCredsId = uid
             , emailCredsAuthId = Just uid
             , emailCredsStatus = isJust $ userPassword u
             , emailCredsVerkey = userVerkey u
             , emailCredsEmail = email
             }
  getEmail = runDB . fmap (fmap userEmail) . get

getHomeR :: Handler Html
getHomeR = do
  maid <- maybeAuthId
  defaultLayout
    [whamlet|
            <p>Your current auth ID: #{show maid}
            $maybe _ <- maid
                <p>
                    <a href=@{AuthR LogoutR}>Logout
            $nothing
                <p>
                    <a href=@{AuthR LoginR}>Go to the login page
        |]

main :: IO ()
main =
  runNoLoggingT $
  withSqliteConn "email.db3" $
  \conn ->
     liftIO $
     do runSqlConn (runMigration migrateAll) conn
        warp 3000 $ App conn

It is then run with stack runghc Main.hs after having installed stack install yesod persistent-sqlite.

My stackage LTS version is lts-7.14, and I'm running GHC version 8.0.1.20161117.

Still getting the same result.

Answer 1

You will have to enable the CSRF middleware to make it work properly. I will update the book example accordingly. The error message is obviously not good and it should be improved. To make your code work, add this while making the instance of Yesod typeclass with the foundation type:

yesodMiddleware = defaultCsrfMiddleware . defaultYesodMiddleware