If a device has an active session with AuthN, we can use that to identify the account and authorize a password change. This is simpler than password resets.
Note that if a reset token is offered, it must be preferred. This is for scenarios where someone opens a reset email on a device that is actually logged in to a family member's account (yes, it happens).
Also note that once the password is changed, the user will be logged in with that account.
There's plenty of duplication between the new PasswordChanger and the rebranded PasswordResetter. I haven't decided how to resolve it.
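As an added illustration (not code from the AuthN pull request or project), a hypothetical Go sketch of the precedence rule described above: a reset token, when offered, identifies the account ahead of the device's session, an offered but invalid token fails closed rather than falling back to the session, and the device ends up logged in as the account whose password was changed. The names resolveAccount and changePassword, the Account/Session/ResetToken types and the data in main are all assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for AuthN's own types; ResetToken.Valid models the
// token's signature and expiry check having already passed.
type Account struct {
	ID           int
	PasswordHash string
}
type Session struct{ AccountID int }
type ResetToken struct{ AccountID int; Valid bool }
// resolveAccount decides whose password gets changed. An offered reset token wins over
// the device's session: the token proves control of the account's email, while the session
// may belong to someone else sharing the device. An invalid token fails closed, no fallback.
func resolveAccount(token *ResetToken, session *Session) (int, error) {
	if token != nil {
		if !token.Valid {
			return 0, errors.New("invalid reset token")
		}
		return token.AccountID, nil
	}
	if session != nil {
		return session.AccountID, nil
	}
	return 0, errors.New("no reset token and no active session")
}
// changePassword applies the rule and returns the session the device is left with:
// the account whose password was just changed, not the previously logged-in one.
func changePassword(accounts map[int]*Account, token *ResetToken, session *Session, newHash string) (*Session, error) {
	id, err := resolveAccount(token, session)
	if err != nil {
		return nil, err
	}
	acct, ok := accounts[id]
	if !ok {
		return nil, errors.New("unknown account")
	}
	acct.PasswordHash = newHash
	return &Session{AccountID: id}, nil
}
func main() {
	// Constructed data: account 1 is logged in on the device, account 2 received the reset email.
	accts := map[int]*Account{1: {ID: 1, PasswordHash: "hash-1"}, 2: {ID: 2, PasswordHash: "hash-2"}}
	s, err := changePassword(accts, &ResetToken{AccountID: 2, Valid: true}, &Session{AccountID: 1}, "hash-new")
	fmt.Println(s.AccountID, err, accts[1].PasswordHash, accts[2].PasswordHash)
}
```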