lukechilds / hyperdex-bugtracker


Forgot password option not correctly checking seed #19

Closed Alrighttt closed 6 years ago

Alrighttt commented 6 years ago

The "forgot password" feature isn't correctly confirming the seed. You can type anything when it asks you to confirm the seed, and it will let you into the portfolio.

I sent a video to pondsea on slack.

lukechilds commented 6 years ago

Thanks for taking the time to test and report.

This isn't a bug, that’s how it’s supposed to work, maybe we need to make the wording more clear.

If you forget your password, the seed can’t be decrypted so your funds can’t be accessed. The reset password is for people who have created a backup of their seed. They go to reset password, enter their backed up seed, and enter a new password. Then we’ll re-encrypt the seed with that password and they can use it to log in as normal.

If they enter a different seed, it will still proceed with the process because there’s no possible way of us knowing what your original seed was. It's cryptographically impossible for us to allow a user to login with a seed they don't know or don't know the password for.

That said, the logout functionality isn't complete yet, it isn't clearing much state, it just takes you to the login view. So it's possible old addresses/balances are still cached when you login with the new seed, or the api lib is still communicating with the old instance of marketmaker. We're aware of this, for now, if you want to test re-logging in you should close the app and re-open it.
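The mechanism described in the comment above, as an added illustration that is not HyperDEX's code: the seed is stored only in encrypted form under a key derived from the password, so a wrong password yields nothing, and "reset password" can only take whatever seed the user types and re-encrypt it under the new password, since there is no stored plaintext to compare it against. The vault format, the PBKDF2/HMAC construction, the `address_for` stand-in and all sample values are assumptions made for this example; the `Session` class also shows the state clearing on logout that the comment says was still incomplete.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy encrypted-seed vault (constructed for this example, not the app's real format).
# Keys: PBKDF2-HMAC-SHA256 -> (encryption key, MAC key).
# Encryption: HMAC-SHA256 keystream in counter mode, XORed with the seed bytes.
# Integrity: HMAC-SHA256 tag over salt || nonce || ciphertext (encrypt-then-MAC),
# so a wrong password is detected before any plaintext is released.
ITERATIONS = 100_000


def _derive_keys(password: str, salt: bytes) -> tuple:
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_seed(seed: str, password: str) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    pt = seed.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_seed(vault: dict, password: str) -> Optional[str]:
    enc_key, mac_key = _derive_keys(password, vault["salt"])
    expected = hmac.new(mac_key, vault["salt"] + vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # wrong password (or tampered vault): nothing recoverable
    ks = _keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks)).decode()


def reset_password(old_vault: dict, backed_up_seed: str, new_password: str) -> dict:
    # The old vault is opaque without the old password, so there is nothing to check
    # backed_up_seed against: whatever the user typed becomes the seed of a fresh vault.
    return encrypt_seed(backed_up_seed, new_password)


def address_for(seed: str) -> str:
    """Stand-in for address derivation: a stable fingerprint of the seed (constructed)."""
    return hashlib.sha256(seed.encode()).hexdigest()[:16]


class Session:
    """Minimal app session: the derived state that logout must wipe."""

    def __init__(self) -> None:
        self.seed = None
        self.cached_addresses = []

    def login(self, vault: dict, password: str) -> bool:
        seed = decrypt_seed(vault, password)
        if seed is None:
            return False
        self.seed = seed
        self.cached_addresses = [address_for(seed)]
        return True

    def logout(self) -> None:
        # Clear everything derived from the old seed so a later login cannot show stale data.
        self.seed = None
        self.cached_addresses = []


def walkthrough() -> dict:
    seed = "correct horse battery staple"  # constructed sample seed
    vault = encrypt_seed(seed, "hunter2")
    s = Session()
    wrong_pw = s.login(vault, "wrong")      # False: tag mismatch, no plaintext released
    right_pw = s.login(vault, "hunter2")    # True
    old_addr = s.cached_addresses[0]
    s.logout()
    # "Forgot password": user supplies the backed-up seed plus a new password.
    new_vault = reset_password(vault, seed, "new-password")
    new_pw_login = s.login(new_vault, "new-password")
    same_wallet = s.cached_addresses[0] == old_addr
    old_pw_dead = decrypt_seed(new_vault, "hunter2") is None
    s.logout()
    # A mistyped seed is accepted just the same; it simply opens a different wallet.
    typo_vault = reset_password(vault, "correct horse battery stapel", "new-password")
    typo_login = s.login(typo_vault, "new-password")
    typo_same_wallet = s.cached_addresses[0] == old_addr
    return {
        "wrong_pw": wrong_pw, "right_pw": right_pw, "new_pw_login": new_pw_login,
        "same_wallet": same_wallet, "old_pw_dead": old_pw_dead,
        "typo_login": typo_login, "typo_same_wallet": typo_same_wallet,
    }


if __name__ == "__main__":
    print(walkthrough())
```

The last two results are the point of the thread: the reset succeeds whether or not the typed seed matches the original, because the app has no way to tell, but a different seed derives different addresses, which is why stale cached addresses from the previous login must be cleared rather than carried over.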

sindresorhus commented 6 years ago

Closing this as it's not fixable. We'll improve the wording in the "forgot password" view to make it clear how it works.