UX + Security current user password reset

[coolaj86]

Follow up to #5034

I'll annotate these a little later, but it's combos for these states:

• not logged in
• logged in as expected user
• logged in as an unexpected user
• valid code
• invalid code (or expired code)

Default Condition

• Not logged In
• Valid Reset Code

Result

• Shows email of user for whom the password is to be reset
• Shows "Remember me"
• Signs in the user

Logged In

• Already Logged In
• Valid Reset Code

Result

• Shows email of user for whom the password is to be reset
• Doesn't show "Remember me"
• Renews user session

Invalid Code

• Login Status N/A
• Invalid Code

Result

• Error about invalid code
• Submits to same error page (could probably just disable submit)

Invalid User

• User Logged in as FOO USER
• Valid Code for BAR USER

Result

• Error about mismatch user
• Submits to same error page (could probably just disable submit)

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@fdb933c). Click here to learn what that means.
The diff coverage is 8.33%.

@@            Coverage Diff            @@
##             master    #5042   +/-   ##
=========================================
  Coverage          ?   41.66%           
=========================================
  Files             ?      414           
  Lines             ?    55985           
  Branches          ?        0           
=========================================
  Hits              ?    23327           
  Misses            ?    29529           
  Partials          ?     3129

Impacted Files	Coverage Δ
models/mail.go	23.93% <0%> (ø)
routers/routes/routes.go	81.99% <100%> (ø)
routers/user/auth.go	13.08% <5.26%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fdb933c...1688720. Read the comment docs.

[daviian]

I'm against auto-signin on password reset. Consequently I find having "Remember me" on Password reset awkward.

IMO we need a "password confirmation" field instead.
Showing Email is fine.

[coolaj86]

@daviian The "Remember me" felt a little weird to me too.

What I came to was that it's actually the form was incorrectly labeled. "Password Reset" is the process that happens on the Account page. This process is actually "Account Recovery", which is a different user flow.

The user isn't coming to this page with the intent to change their password (that is already on the Account page), but rather to be able to login to their account. In this case, with the current configuration, that implicitly includes setting a password. However, once more secure options are available (such as simply omitting passwords if a mailer is configured) the user will still want to recover their account (i.e. their primary oauth is down and they can't log in) but a password won't be part of the process.

I'll post new screenshots a little later.

[coolaj86]

Two more things that should change for increased clarity:

• "New Password" instead of "Password"
• "Remember this device" instead of "Remember me"

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[coolaj86]

I'm back on the scene. I'll see what I can do to get this stuff cleaned up and PR'd again.

[coolaj86]

Rebased and ready for re-review!

[adelowo]

Do we need to atleast redirect to the new route before this is finally removed in 1.10?

[lafriks]

@adelowo I don't see why as emails having old route won't be usable anyway as code is valid only for few hours

[adelowo]

Ha true... stupid me

[lafriks]

@daviian need your approval