Reset password allows user to bypass custom find_for_authentication

[toots]

As documented in lib/devise/models/authenticatable.rb,

        # Finally, notice that Devise also queries for users in other scenarios
        # besides authentication, for example when retrieving an user to send
        # an e-mail for password reset. In such cases, find_for_authentication
        # is not called.

However, that makes it possible for a user to actually bypass custom find_for_authentication and successfully sign-in when it would have been explicitly prohibited otherwise.

Most common scenario is a website allowing subdomain-based authentication, leading users for domain foo.example.com to be able to sign-in into bla.example.com by reseting their password on bla.example.com.

[tegon]

Hello @toots, thanks for your report.
Can you provide us a sample application that reproduces the issue in isolation?
That would help us find the issue.

Thank you!

[tegon]

I'm closing this issue because it has not had recent activity.
If you're still facing this on the latest version, please open a new one with all the information requested in the template.

Thank you!