A Password Reset That Led Nowhere: Debugging the Plato Email Link
Few things are more frustrating than a “reset your password” link that doesn’t reset your password. Here’s how I tracked one down, fixed it with a one-line change, and got it shipped — symptom, cause, fix, and the lesson I’m keeping.
Full issue and fix: https://github.com/1111philo/plato/issues/203 (resolved in PR #214)
Symptom
On the Plato learning platform, clicking the password-reset link in the email didn’t take you to a reset page — it dropped you right back on the login screen. As far as I could tell, there was simply no way to reset your password through email at all. I reproduced it on both macOS/Firefox and iPhone/Safari, so it wasn’t a one-off browser quirk. The link worked, technically — it just led nowhere useful.
Root Cause
It wasn’t a broken link; it was a link pointing at the wrong place. In src/lib/email.js, the reset URL was being built without the /reset-password route, so it resolved to the login page instead of the “Set new password” page. The email was doing exactly what the code told it to — the code just told it the wrong destination.
Fix
I asked Claude to help debug, and it flagged that the email was directing to the wrong route. From there I cloned the source onto my own server, found the culprit on line 67 of src/lib/email.js, and added the missing /reset-password route to resetUrl. AI sped up the hypothesis; I located and confirmed the actual fix myself. Reloaded, clicked the link, and the “Set new password” page finally appeared.
Why It Matters
A password reset is the one thing a locked-out user has to be able to do. If that path is broken, it’s not a cosmetic bug — people lose access to their accounts entirely, with no self-service way back in. It’s the kind of quiet failure that doesn’t crash anything but quietly blocks real users, which is exactly why it’s worth chasing down and documenting.
Lesson
Reproduce the bug in an isolated environment before you fix it. I stood up my own cloned copy, confirmed the broken behavior there, made the one-line change, and verified the reset page rendered correctly — so the fix was provably tied to the root cause, not a lucky guess. Then I filed a detailed, reproducible issue (steps, expected behavior, environment, screenshot), it was tagged ready-for-pilot, and the fix shipped as a verified commit in PR #214. The public issue-and-PR trail is the proof: anyone can audit the symptom, the cause, and the confirmation. Don’t assume it works — confirm it, and leave a trail.
Leave a Reply