As designed Password Reset Broken with Cloudflare Smart Errors

mdxonebiz

The issue is relatively simple.

XenForo_ControllerPublic_LostPassword::actionLost() line 66:
Code:
return $this->responseError(new XenForo_Phrase('requested_member_not_found'), 404);

This line results in a response code of 404, which Cloudflare Smart Errors interprets as a regular Page Not Found and replaces the page's contents with a help page. While I can temporarily fix this with custom page rules that disable Smart Errors for this particular page, I am very concerned about how many other pages behave similarly. With Cloudflare's insane popularity I think compatibility with it is essential.

My amateur suggestion would be to not ever respond with 404 error codes, because server software and reverse proxies may interpret it in a similar way and lead to some nasty edge cases.
 
I also use CF and the XenForo password reset feature works just fine.

Please take into account that some CF features might interfere with proper software operation, features like RocketLoader and in this case SmartErrors.

This being said, I don't see a bug here.
 
This may be a situation where the 404 is inappropriate, but...
My amateur suggestion would be to not ever respond with 404 error codes, because server software and reverse proxies may interpret it in a similar way and lead to some nasty edge cases.
This is not something that will change. If a reverse proxy is throwing away the error page with specific details of the error because it returns the correct response code for an error of that type, that's a definite issue with the proxy.
 
I also use CF and the XenForo password reset feature works just fine.

Please take into account that some CF features might interfere with proper software operation, features like RocketLoader and in this case SmartErrors.

This being said, I don't see a bug here.
You likely don't have SmartErrors enabled and thus no compatibility issue. While I agree that there are certain instances where what you say is true, I don't think this is one of them.
 
I'd bet there are more people running XF without CloudFlare than with it (though plenty do use it). I don't really see the appeal of SmartErrors at all to be honest.

Nevertheless, I think the lost password case is an odd one. It probably shouldn't be sending a 404 (seems like a bug), but the software definitely should respond with 404 error codes for pages that actually don't exist (non-existent threads, members, etc). If you don't want SmartErrors to intercept those actual 404 errors, then what exactly do you want it to do?
 
I've changed the specific example given because I think it is probably wrong to respond with a 404 when a user enters an incorrect username.

However, the crux of the report seems to be that we should always be returning 200, which is definitely not what we're going to do; it's fundamentally incorrect. On that basis, I'm tagging this as "as designed".
 