This repository has been archived by the owner on Apr 3, 2019. It is now read-only.

"Password reset" success message is displayed when using an invalid code #6495

Closed
SorinaFlorean opened this issue Aug 24, 2018 · 6 comments

Comments

@SorinaFlorean

Environment:
Win10, Stage server - Train 119
Prerequisites: Account recovery is enabled.

Steps to reproduce:

  1. From Sign In page, tap on "Forget password?";
  2. Go to email and choose "create new password";
  3. Enter an invalid recovery key.

Actual results: when tapping on "Confirm recovery key" option the message is displayed "Password reset successfully. Sign in to continue." even if the key is invalid.

Expected results: the message is not displayed because the password wasn't changed yet.

[Screenshot, 2018-08-24: "Sign in to continue to Firefox Sync" (Firefox Nightly)]

@vbudhram
Contributor

@SorinaFlorean I am unable to reproduce this. When the Invalid recovery key error is displayed, the page does not transition to Sign-in page. I tried submitting multiple invalid keys as well with no luck. Is there an extra step that I might be missing?

@vbudhram
Contributor

@SorinaFlorean Are you still experiencing this issue?

@SorinaFlorean
Author

@vbudhram yes, tested today and the issue is still displayed. On one monitor the green message is displayed, and on the second one, the invalid password is typed.

@vbudhram
Contributor

vbudhram commented Oct 3, 2018

Some additional notes on this issue

  • When a user attempts to use a recovery key they exchange the passwordForgotToken for an accountResetToken
  • The Reset email sent window is polling behind the scenes for a password change event and detects it during the token exchange
  • Upon detecting it, redirects for the user to login
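
The race described in the notes above, as an added example that is not fxa code: a constructed, in-memory model of an auth server with a passwordForgotToken, an accountResetToken and a recovery key, plus two pollers for the "Reset email sent" page. The first poller fires as soon as the passwordForgotToken stops being valid, which happens at the token exchange, before the recovery key is checked. The second compares a password-generation counter against a baseline; that counter and the `accountStatus()` call are assumptions made for the example, not an endpoint the page says exists.

```javascript
// Constructed model of the account-recovery flow; not fxa-content-server or
// fxa-auth-server code. Token names follow the comment above; everything else
// (FakeAuthServer, passwordGeneration, accountStatus) is invented for the example.
class FakeAuthServer {
  constructor() {
    this.passwordGeneration = 1;       // assumed counter: moves only on a real password change
    this.recoveryKey = 'correct-key';  // constructed account data
    this.forgotTokens = new Set();
    this.resetTokens = new Set();
    this.counter = 0;
  }

  issue(set) {
    const token = `tok-${++this.counter}`;
    set.add(token);
    return token;
  }

  // "Forgot password?" issues a passwordForgotToken.
  passwordForgotSendCode() {
    return this.issue(this.forgotTokens);
  }

  // What the "Reset email sent" page polls: is the forgot token still live?
  passwordForgotStatus(forgotToken) {
    return this.forgotTokens.has(forgotToken);
  }

  // Exchange passwordForgotToken -> accountResetToken. The forgot token is
  // consumed here, before the recovery key is checked and before any password change.
  passwordForgotVerifyCode(forgotToken) {
    if (!this.forgotTokens.has(forgotToken)) throw new Error('invalid passwordForgotToken');
    this.forgotTokens.delete(forgotToken);
    return this.issue(this.resetTokens);
  }

  // Recovery key check. An invalid key fails here and nothing about the account changes.
  verifyRecoveryKey(resetToken, key) {
    if (!this.resetTokens.has(resetToken)) throw new Error('invalid accountResetToken');
    if (key !== this.recoveryKey) throw new Error('Invalid recovery key');
    return true;
  }

  // The actual reset: the only step that changes the password.
  accountReset(resetToken, newPassword) {
    if (!this.resetTokens.has(resetToken)) throw new Error('invalid accountResetToken');
    if (typeof newPassword !== 'string' || newPassword.length === 0) throw new Error('empty password');
    this.resetTokens.delete(resetToken);
    this.passwordGeneration += 1;
    return { passwordGeneration: this.passwordGeneration };
  }

  // Assumed endpoint used by the stricter poller.
  accountStatus() {
    return { passwordGeneration: this.passwordGeneration };
  }
}

// Poller A: treat "forgot token no longer valid" as "password was reset".
// This is the behaviour that produces the false "Password reset successfully" message.
function tokenGonePoller(server, forgotToken) {
  return () => !server.passwordForgotStatus(forgotToken);
}

// Poller B: only report a reset once the password generation moves past the
// baseline recorded when polling started.
function passwordChangedPoller(server) {
  const baseline = server.accountStatus().passwordGeneration;
  return () => server.accountStatus().passwordGeneration > baseline;
}

// Run the flow for one recovery-key attempt and report what each poller concludes
// right after the key attempt and, if the key was accepted, after the reset completes.
function simulate(keyEntered) {
  const server = new FakeAuthServer();
  const forgotToken = server.passwordForgotSendCode();
  const pollA = tokenGonePoller(server, forgotToken);
  const pollB = passwordChangedPoller(server);

  const resetToken = server.passwordForgotVerifyCode(forgotToken); // exchange happens first
  let keyAccepted = false;
  try {
    keyAccepted = server.verifyRecoveryKey(resetToken, keyEntered);
  } catch (e) {
    keyAccepted = false;
  }
  const afterKey = { tokenGone: pollA(), passwordChanged: pollB(), keyAccepted };

  let afterReset = null;
  if (keyAccepted) {
    server.accountReset(resetToken, 'new-password');
    afterReset = { tokenGone: pollA(), passwordChanged: pollB() };
  }
  return { afterKey, afterReset };
}

console.log(JSON.stringify(simulate('wrong-key')));
console.log(JSON.stringify(simulate('correct-key')));
```

With an invalid key, `tokenGone` is already true after the attempt while `passwordChanged` is still false, which is exactly the state in which the reporter saw the success message. The stricter poller only works if the auth server exposes some signal that moves on a real password change; as the later comment notes, the content server cannot tell a valid from an invalid key from the token exchange alone.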

@SorinaFlorean
Author

Tested this issue on Train 126 and now if I enter an invalid recovery key the message "Sign in to continue" is displayed. I think it will be more accurate to not show anything if we don't enter a valid key. @vbudhram what do you think?

@vbudhram
Contributor

@SorinaFlorean Sorry for late response, I am ok with removing the Sign in to continue. However, because of the way account recovery works, we wouldn't be able to detect a valid or invalid key to choose which is shown. I think this is ok because the text seems duplicate anyways.

[Screenshot, 2018-12-11]


5 participants