I was looking at the "AccountManagementService" as this function provide two nice features to validate users who can register themselves and it provide a feature to allow user to reset their own password.
One point I want to understand is the host validation. The host name of the production server is not the same as the URL the external customer is looking at. So for the generation of the email we call the service accountManagementService.requestPasswordReset with the hostname equal to the external facing hostname. This hostname is embedded in the token as one of the secured parameters AND is used to generate the URL in the email that the user can click.
On the return the system validate the token in the "AccountManagementServlet" with this private code below. The host name here is the internal host name so the token will always be invalid as the internal host name is different from the external host name embedded in the token. Is there something I overlook here?
We already use the externalizer on the outgoing message, but the issue here is the validation when the user submit the result from the page after entering a new password. The customer face URL is a nice formatted URL, while the actual internal server URL inside the safe zone is a very different URL. The system will generate the ky value with the Externalizer generated URL while it validate the URL with the internal host name. This will never match in this case.