heroku / identity

[DEPRECATED] Login and OAuth management service for Heroku
https://id.heroku.com/
MIT License
246 stars 20 forks

Password reset flow does not work if previously logged in with a different email #222

Open mikehale opened 8 years ago

mikehale commented 8 years ago

Steps to reproduce

  1. Set up the you+test@heroku.com account
  2. Log in as you@heroku.com
  3. Log out
  4. Reset password for the you+test@heroku.com account
  5. No reset is sent!
  6. Look up the password reset hash in api:

         User['you+test@heroku.com'].reset_password_hash
         > 2cc7e6ef2e0f02afb9c35b0be5a29bc8

  7. Go to https://id.heroku.com/account/password/reset/2cc7e6ef2e0f02afb9c35b0be5a29bc8
  8. Reset password
  9. Reset is successful, but you are redirected to the login form with you@heroku.com prefilled, not you+test@heroku.com
  10. Logging in with the new password for you+test@heroku.com works.

mikehale commented 8 years ago

This issue was discovered because of a support ticket: https://support.heroku.com/tickets/357431

mikehale commented 8 years ago

@dmcinnes or @adelcambre any ideas on this one?

dmcinnes commented 8 years ago

The login prefill is almost certainly coming from autocomplete in the user's browser, since we don't keep track of or set a default value: https://github.com/heroku/identity/blob/master/views/login.slim#L21. The "no email sent" part is weird though; we can check our mail logs to see what happened to it...