
Password reset flow does not work if previously logged in with a different email

Open mikehale opened this issue 9 years ago • 3 comments

Steps to reproduce

  1. Set up [email protected] account

  2. Log in as [email protected]

  3. Logout

  4. Reset password for [email protected] account

  5. No reset is sent!

  6. Look up the password reset hash in the API:

    User['[email protected]'].reset_password_hash
    > 2cc7e6ef2e0f02afb9c35b0be5a29bc8
    
  7. Go to https://id.heroku.com/account/password/reset/2cc7e6ef2e0f02afb9c35b0be5a29bc8

  8. Reset password

  9. Reset is successful, but you are redirected to the login form with [email protected] prefilled, not [email protected]

  10. Logging in with the new password for [email protected] works.

Apr 22 '16 16:04 mikehale

This issue was discovered because of a support ticket: https://support.heroku.com/tickets/357431

Apr 22 '16 16:04 mikehale

@dmcinnes or @adelcambre any ideas on this one?

Apr 22 '16 16:04 mikehale

The login prefill is almost certainly coming from autocomplete on the user's browser since we don't keep track of or set a default value: https://github.com/heroku/identity/blob/master/views/login.slim#L21

The no email sent is weird though; we can check our mail logs to see what happened to it...

Apr 22 '16 19:04 dmcinnes