1288712 - Forgot password: can enter another account's email, but it does not reset

Status: RESOLVED WONTFIX

(Cloud Services :: Server: Firefox Accounts, defect)

Description

[Cristian Comorasu, QA [:ccomorasu], Releae Desktop QA - Please contact mboldan@mozilla.com]

[Affected versions]:
 Fx 48.0b10 (20160721144529)
 Fx 49.0a2 (20160720004018)
 Fx 50.0a1 (20160719030224)

[Steps to reproduce]:
 1.Open latest Firefox beta/aurora/nightly .
 2.Go to about:preferences#sync.
 3.Sign in with an existing account.
 4.Go to Manage Account -> Password -> Change -> Forgot Password?
 5.Enter a different e-mail, from another account and press "reset password".
 6.Log to that e-mail address and reset the password.

[Expected result]:
 The password is reset.

[Actual result]:
 The password is not reset.

Comment 1

[Ryan Kelly [:rfkelly]]

It's not clear to me exactly what behavior is being described here, I'm going to re-state the STR with concrete examples, can you please tell me if it's a correct interpretation?


 1.Open latest Firefox beta/aurora/nightly .
 2.Go to about:preferences#sync.
 3.Sign in with an existing account for "one@example.com".
 4.Go to Manage Account -> Password -> Change -> Forgot Password?
 5.Enter a different e-mail "two@example.com", from another account and press "reset password".
 6.Log to that e-mail address "two@example.com" and reset the password.

If so, I dont understand which step is in error.

Comment 2

[Cristian Comorasu, QA [:ccomorasu], Releae Desktop QA - Please contact mboldan@mozilla.com]

Sorry if the STR were not clear enough.

STR 2.0:

 1.Launch Fx with a clean profile.
 2.Log in with an existing account.(i.e. acc1@example.com, the page on the first run https://www.mozilla.org/en-US/firefox/48.0/firstrun/).
 3.Select the button "Change" from the password area.
 4.Under the "Old Password" field select the "Forgot password?" hyperlink.
 5.Complete with another e-mail address (i.e. acc2@example.com which has a Fx account).
 6.Check the e-mail recieved from Firefox Accounts (with acc2@example.com).
 7.Click on "Reset password" and enter the new password, re-enter and confirm the new password.
 8.Relog in Firefox accounts with acc1@example.com(nothing has changed).
 9.Relog in Firefox accounts with acc2@example.com(the password has changed).

[Notes]:
 The bug here in my perspective is at step 5, either the e-mail is auto-filled, an error prompt or remove the field.

Comment 3

[Ryan Kelly [:rfkelly]]

Thanks, I think I understand now - the bug being that you can be logged in as user A, but use the "forgot password" link to reset the password for user B.  The email field should indeed be restricted someone to the currently logged in email address in this case.

Comment 4

[Jim Mathies [:jimm]]

We're trying to triage this but we're not sure what the severity is. Can we get some feedback on whether or not this should be tracked?

Comment 5

[Ryan Kelly [:rfkelly]]

I don't think this needs to be tracked anywhere except within the Firefox Accounts dev cycle; it's a little bit confusing but unless I'm missing something, the impact is not very severe.  It won't let you e.g. accidentally log into someone else's account or anything like that.

Comment 6

[Ryan Kelly [:rfkelly]]

In the linked issue, our UX lead confirms that this is in fact working as intended:

  https://github.com/mozilla/fxa-content-server/issues/4151#issuecomment-247377953

Since resetting your password results in wiping your sync data from the server, the intention here is ensure that users are very deliberately going through the flow and considering the implications.  We will probably revisit this flow at some point, but I'm going to WONTFIX this for now as it's working as designed.