phoenix_token_auth
Resetting Password: Automatically logs user in even if the account isn't confirmed.
When a user resets their password, it automatically logs them into their account (i.e. doesn't check if their account is confirmed). If they log out and then try to later sign in, they get the message "Account not confirmed yet. Please follow the instructions we sent you by email."
That's a bug. Maybe we should just confirm the user's account when they reset their password, as we know they entered a correct email.
@manukall That sounds awesome!
I'm just evaluating this as a possible solution for an upcoming Phoenix project (so apologies for the armchair quarterbacking), but the proposed solution feels odd. If I haven't confirmed my email, it seems strange that I could log in at all. Just because I've entered an email doesn't mean it's mine. That's why the confirmation is required in the first place.
In practice, doesn't this mean that anyone who's able to guess an unconfirmed account's email is able to log in as that user?
@clekstro In order to reset your password, you need to get the confirmation email. Hence, they (1) submit the password reset form, (2) click the link that gets emailed to them, and (3) get brought to a page where they change their password.
BTW, in regards to logging in when your email isn't confirmed, a few websites where you're automatically logged in before confirming your email are GitHub, Facebook, LinkedIn, Twitter, etc.
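To make the flow concrete, here is an added example that is not part of this issue or of phoenix_token_auth: a small in-memory Python model of the three-step reset flow described above, with the proposed fix of marking the account confirmed once the emailed reset token is presented. It also shows why knowing an unconfirmed account's email alone is not enough: without the token from the mailbox, the reset fails, and sign-in still refuses unconfirmed accounts. Names such as `AccountStore`, `request_reset`, `complete_reset`, the sha256 password stand-in and the one-hour token lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical in-memory model of the reset flow from the thread; not code
# from phoenix_token_auth. All names and values here are assumptions.

RESET_TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)

UNCONFIRMED_MSG = ("Account not confirmed yet. "
                   "Please follow the instructions we sent you by email.")


@dataclass
class Account:
    email: str
    password_hash: str
    confirmed: bool = False
    # only a hash of the outstanding reset token is stored, plus its expiry
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0


def _hash_password(password: str) -> str:
    # stand-in for a real password hasher (bcrypt/argon2) so this runs offline
    return hashlib.sha256(b"pw:" + password.encode()).hexdigest()


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.outbox: list = []  # (email, token) pairs "sent" by email

    def register(self, email: str, password: str) -> None:
        # A freshly registered account starts unconfirmed.
        self.accounts[email] = Account(email, _hash_password(password))

    def request_reset(self, email: str) -> None:
        # Step (1): user submits the reset form. Same response whether or not
        # the address exists, so the form does not reveal registered emails.
        acct = self.accounts.get(email)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = _hash_token(token)
        acct.reset_expires_at = time.time() + RESET_TOKEN_TTL
        self.outbox.append((email, token))

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        # Steps (2)+(3): user follows the emailed link and sets a new password.
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None:
            return False
        if time.time() > acct.reset_expires_at:
            return False
        if not hmac.compare_digest(acct.reset_token_hash, _hash_token(token)):
            return False
        acct.password_hash = _hash_password(new_password)
        acct.reset_token_hash = None  # single use: a replayed link fails
        # Only the mailbox owner could present this token, so the reset also
        # proves control of the address; this is the fix proposed in the thread.
        acct.confirmed = True
        return True

    def sign_in(self, email: str, password: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(
                acct.password_hash, _hash_password(password)):
            return "invalid credentials"
        if not acct.confirmed:
            return UNCONFIRMED_MSG
        return "ok"


def demo() -> tuple:
    # Walks the flow on a constructed account and returns each step's outcome.
    store = AccountStore()
    store.register("alice@example.com", "old-pass")
    before = store.sign_in("alice@example.com", "old-pass")  # unconfirmed: refused
    store.request_reset("alice@example.com")
    _, token = store.outbox[-1]
    guessed = store.complete_reset("alice@example.com", "not-the-token", "x")
    ok = store.complete_reset("alice@example.com", token, "new-pass")
    after = store.sign_in("alice@example.com", "new-pass")  # now confirmed
    replay = store.complete_reset("alice@example.com", token, "again")
    return before, guessed, ok, after, replay


if __name__ == "__main__":
    print(demo())
```

Storing only the token hash means a leaked database copy does not yield usable reset links, and the single-use plus expiry checks keep an old link from being replayed later.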
@ACPK Appreciate the additional context. I didn't realize from the description above that that was the flow.
@clekstro No problem. We're using @manukall so I recommend it but I'm adding some custom features.