Reset Password bug

[intellimedhu]

Describe the bug:

Reset password doesn't work as expected when RequireUniqueEmail is false. When trying to reset the password it changes the password of the first user found. The problem occurs when a new user is created with the same email. See related lines here

Related bug:

Change password operation from the dashboard produces the same result. See here

To Reproduce

1. services.Configure<IdentityOptions>(o => o.User.RequireUniqueEmail = false);
2. Create 2 users from code with the same emails
3. Try to reset passwords

Expected behavior

Should check the RequireUniqueEmail option. In case of false value have to find another way how user should identify herself/himself (username?).

[hishamco]

Good catch, nothing but I presume the reason for that because we are using email as username for that we need to make unique

Either we need to fix this or provide a proper docs for that

[sebastienros]

var user = await _userService.GetForgotPasswordUserAsync(model.Email) as User; should use a user id instead of an email. We also need to check every time we use this method we don't use an email.

Or check that if the option is set, we shouldn't ask for an email.