core-geonetwork
Reset password doesn't work for legacy users (2.x versions) that require to
Legacy users have in the security field in the database the value update_hash_required, as in previous versions of GeoNetwork the encoder algorithm was different. So they have to reset the password.
When resetting the password from the Admin UI, it works, updating the password and removing the previous value:
https://github.com/geonetwork/core-geonetwork/blob/3.4.x/core/src/main/java/org/fao/geonet/util/PasswordUtil.java#L220
user.getSecurity().getSecurityNotifications().remove(UserSecurityNotification.UPDATE_HASH_REQUIRED);
But not from the Forgot password that uses PasswordApi and doesn't remove that attribute, so the user can't log in:
https://github.com/geonetwork/core-geonetwork/blob/3.4.x/services/src/main/java/org/fao/geonet/api/users/PasswordApi.java#L136
user.getSecurity().setPassword(PasswordUtil.encode(context, passwordAndChangeKey.getPassword()));
userRepository.save(user);
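The two reset paths described above, modelled as an added example that is not part of the original issue and not GeoNetwork code. The `Security` class, the method names, the login rule (a flagged account is checked with the legacy scheme) and the two plain digests standing in for the old and new encoders are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.EnumSet;
import java.util.Set;

public class LegacyFlagResetDemo {
    enum Notification { UPDATE_HASH_REQUIRED }

    // Hypothetical stand-in for the user's security record.
    static class Security {
        byte[] password;
        final Set<Notification> notifications = EnumSet.noneOf(Notification.class);
    }

    // Stand-in encoders: only the fact that the two schemes differ matters here.
    static byte[] encode(String scheme, String pw) throws Exception {
        return MessageDigest.getInstance(scheme).digest(pw.getBytes(StandardCharsets.UTF_8));
    }

    // Assumed login rule: a flagged account is verified with the legacy scheme.
    static boolean login(Security s, String pw) throws Exception {
        boolean legacy = s.notifications.contains(Notification.UPDATE_HASH_REQUIRED);
        return MessageDigest.isEqual(encode(legacy ? "SHA-1" : "SHA-256", pw), s.password);
    }

    // Forgot-password path as the issue describes it: new hash stored, flag left in place.
    static void resetKeepingFlag(Security s, String pw) throws Exception {
        s.password = encode("SHA-256", pw);
    }

    // Single choke point: every password change also clears the legacy marker.
    static void resetClearingFlag(Security s, String pw) throws Exception {
        s.password = encode("SHA-256", pw);
        s.notifications.remove(Notification.UPDATE_HASH_REQUIRED);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample account: legacy hash plus the legacy marker.
        Security user = new Security();
        user.password = encode("SHA-1", "old-secret");
        user.notifications.add(Notification.UPDATE_HASH_REQUIRED);

        resetKeepingFlag(user, "new-secret");
        System.out.println("login after reset, flag kept:    " + login(user, "new-secret"));
        resetClearingFlag(user, "new-secret");
        System.out.println("login after reset, flag cleared: " + login(user, "new-secret"));
    }
}
```

Routing both reset entry points through one method that sets the hash and clears the marker keeps the two paths from drifting apart again.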
Moving forward as it is not a blocking issue.
This ticket was not handled during GN3 development. Should probably be considered stale.