MitchDrage opened a new issue, #13604: URL: https://github.com/apache/cloudstack/issues/13604
### problem When a user requests a password reset at the login page, with password reset emails enabled, it returns a successful message to the user and emails them a reset token. If the user requests another reset within that token's window (user.password.reset.ttl), it will still return a successful message to the user but willl fail internally with the message: `DEBUG [o.a.c.u.UserPasswordResetManagerImpl] Failed to reset token and send email. Password reset token is already set for user [email protected] in domain id: xy with account primary and email [email protected]` This doesn't appear in the event log of the user either. ### versions 4.22.1.0 ### The steps to reproduce the bug 1. Have settings enabled for user password reset (user.password.reset.enabled = true) and an email host configured (user.password.reset.smtp.host) 2. Request a password reset. 3. Observe the first reset email. 4. Request another password reset. ### What to do about it? There's a few issues here I think should be addressed: 1. Consider if password reset attemps should be visible in the user's Event's page. It might create spam in the events list, so might not be a good idea. 2. Consider either: - Allowing a user to re-request a new password reset token and reset the TTL window using the new token (my desired outcome, and what I'd expect end-users would be familiar with). - If not the above, then wait for the email to be successfully queued/sent and return the success from that. If the email isn't sent due to the token being within the TTL, then return a user-friendly message that they cannot request a new token until a specified datetime. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
