We’re running passbolt 2.4 and, as admins, added a bunch of users on a Friday night. Unfortunately, not everybody immediately clicked the activation emails that came through. This resulted in the security token being timed expired when they clicked the link. The users are in the activation pending state.
I tried getting them to submit the recovery request, and they got a new email link, unfortunately, that results in the same issue with the following message:
Yes the recovery for expired token is a regression of 2.4 (see. https://github.com/passbolt/passbolt_api/issues/290). We’ll fix that in the next release (coming up in the next few days). In the meantime the only option is to delete and add the users again.
Thank you for your patience, and sorry for the inconvenience.