WordPress password reset in custom login page getting errors=invalidkey error

Question

In my WordPress v5.7, I have custom login pages.

Below the code to accept password reset request and send the email from custom login page.

add_filter("retrieve_password_message", "custom_password_reset", 99, 4);

function custom_password_reset($message, $key, $user_login, $user_data) {

    $key = get_password_reset_key($user_data);
    
    $message = sprintf(__('To reset password for %s, visit the following address:'), $user_data->user_email) . "\r\n\r\n";
    $message .= site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n\r\n";

    return $message;
}

The above code generates the below URL and sends an email to the user.

https://www.example.com/wp-login.php?action=rp&key=XVBzvTRG17rKaG4brjH6&login=user_name

Below is the form in the custom password reset page:

<form name="resetpassform" id="resetpassform" action="<?php echo esc_url(network_site_url('wp-login.php?action=resetpass', 'login_post')); ?>" method="post" autocomplete="off">

    <input type="hidden" id="user_login" value="<?php echo $_GET['login']; ?>" autocomplete="off" />

    <input id="pass1" name="pass1" type="password" value="" placeholder="New Password" autocapitalize="off" data-reveal="1">
    <input id="pass2" name="pass2" type="password" value="" placeholder="Confirm New Password" autocapitalize="off">

   <input type="hidden" name="key" value="<?php echo $_GET['key']; ?>" />
     <button type="submit" id="resetpass-button" name="submit">Save New Password</button>
</form>

And the below code is supposed to validate the key+login and reset the password:

function do_password_reset() {
    if ('POST' == $_SERVER['REQUEST_METHOD']) {
        $rp_key = $_REQUEST['rp_key'];
        $rp_login = $_REQUEST['rp_login'];

        $user = check_password_reset_key($rp_key, $rp_login);

        if (!$user || is_wp_error($user)) {

            if ($user && $user->get_error_code() === 'expired_key') {
                wp_redirect(site_url('login/reset/?errors=expiredkey'));
            } else {
                wp_redirect(site_url('login/reset/?errors=invalidkey'));
            }
            exit;
        }

        if (isset($_POST['pass1'])) {
            if ($_POST['pass1'] != $_POST['pass2']) {
                // Passwords don't match
                .....
            }

            if (empty($_POST['pass1'])) {
                // Password is empty
                .....
            }
            
            // Parameter checks OK, reset password
            reset_password($user, $_POST['pass1']);
            wp_redirect(site_url('login?password=changed'));
        } else {
            echo "Invalid request.";
        }

        exit;
    }
}

add_action('login_form_rp', 'do_password_reset');
add_action('login_form_resetpass', 'do_password_reset');

Users not able to reset the password from custom login pages and getting errors=invalidkey error.

Answer 1

Your form contains pass1 and pass2 as members, yet, your backend expects rp_key and rp_login , respectively. The two are incompatible because of this, resulting in the undesired behavior you've just described. In order to fix the issue you will need to make sure that the name s of the password input elements in the form matches the keys you use at the backend, so you will need to either change the form name s accordingly or the keys you provide to $ _REQUEST in order to get them.

Answer 2

You did not name the field #user_login please name it rp_login so you can get it via $_REQUEST also same for rp_key you named it key

<input name="rp_login" type="hidden" id="user_login" value="<?php echo $_GET['login']; ?>" autocomplete="off" />

without naming a field you won't get the value of $_REQUEST['rp_login'];

Please check the value before calling the function that you are getting the value.

print_r([$rp_key , $rp_login ]);
die();
$user = check_password_reset_key($rp_key, $rp_login);