allow current user to reset their own password

[coolaj86]

Re: #5008

The current logged-in user (which may have signed in via OAuth) is not able to reset their own password via email reset, because they cannot access the form.

• Users can get to reset form logged in and logged out
• Can attempt to reset password without being logged out
• If password reset will be successful, user is logged out (and is redirected to login)

Beyond fixing the bug, these are some things I'd be open to adding now (but would prefer to wait until after this clears)

• show username / email of user
  • take some action if that's different from the current user?
• treat reset password form the same as register & sign in (remember me, retype password)
• invalidate the code once used
• set time to 15 minutes rather than 3 hours

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@c168095). Click here to learn what that means.
The diff coverage is 50%.

@@            Coverage Diff            @@
##             master    #5034   +/-   ##
=========================================
  Coverage          ?   40.47%           
=========================================
  Files             ?      405           
  Lines             ?    54399           
  Branches          ?        0           
=========================================
  Hits              ?    22017           
  Misses            ?    29356           
  Partials          ?     3026

Impacted Files	Coverage Δ
routers/routes/routes.go	82.02% <100%> (ø)
routers/user/auth.go	13.15% <30%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c168095...0d701e4. Read the comment docs.

[lafriks]

I would prefer that there would be check for code that was issued for what user and currently authorised user and if they do not much than return error (probably 404?)

[lunny]

This could be another PR.

[coolaj86]

The 404 that's already there is really confusing. I think there should be some sort of error message to the user like "This code is not valid or has expired." to let them know that Gitea doesn't have a bug, it recognized what they were trying to do, but followed a set of rules to disallow the action they intended, and gives them a clue as to what to do next to accomplish their goal.

Although the type of user we have is probably pretty savvy, giving feedback so will also increase security by reducing chances for social engineering attacks or pranks.

[coolaj86]

I've got a second PR on the way that contains the ux fixes, showing the correct error message in each of the edge cases discussed in this issue as well as the original issue.

It's currently visible in use at https://git.coolaj86.com, but I have to fix a conflict between my v1.5.1 backports and master, and I have to head out for a bit, so I may not push it until tonight.

[lafriks]

Can these changes be merged into #5042 ?

[coolaj86]

@lafriks I'm still a bit under water right now, but I'll try to make some time to merge them together. Thanks for reviewing. :)

[coolaj86]

Rebased and ready for re-review!

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[lunny]

Please resolve the conflicts

[zeripath]

It looks like #5042 supersedes this.

What's the envisioned behaviour for this.

[lunny]

@solderjs please confirm that this could be closed since #5042 merged.

[coolaj86]

Looking at the commit history, I believe that is correct. These changes were included in and improved upon by #5042

[coolaj86]

Looking at the commit history, I believe that is correct. These changes were included in and improved upon by #5042

[zeripath]

Thanks @solderjs for your contributions. Sorry some of them have languished.