From b0c76416cd9caaba56c01f9e2b9a5c896b8aff94 Mon Sep 17 00:00:00 2001
From: Kesara Rathnayake <kesara@fq.nz>
Date: Tue, 28 Mar 2023 11:07:31 +0900
Subject: [PATCH] feat: Allow password reset with non username email address
 (#5419)

This change allows password reset with any email address associated with the
account.
The password reset will only be sent to the active email addresses associated
with the account.

Fixes #5057
---
 ietf/ietfauth/tests.py | 15 +++++++++++++++
 ietf/ietfauth/views.py |  6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/ietf/ietfauth/tests.py b/ietf/ietfauth/tests.py
index 5ce299d3d..219b273df 100644
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@@ -563,6 +563,21 @@ class IetfAuthTests(TestCase):
         self.assertIn(active_address, to)
         self.assertNotIn(person.user.username, to)
 
+    def test_reset_password_without_username(self):
+        """Reset password using non-username email address"""
+        url = urlreverse('ietf.ietfauth.views.password_reset')
+        person = PersonFactory()
+        secondary_address = EmailFactory(person=person).address
+        inactive_secondary_address = EmailFactory(person=person, active=False).address
+        empty_outbox()
+        r = self.client.post(url, { 'username': secondary_address})
+        self.assertContains(r, 'We have sent you an email with instructions', status_code=200)
+        self.assertEqual(len(outbox), 1)
+        to = outbox[0].get('To')
+        self.assertIn(person.user.username, to)
+        self.assertIn(secondary_address, to)
+        self.assertNotIn(inactive_secondary_address, to)
+
     def test_review_overview(self):
         review_req = ReviewRequestFactory()
         assignment = ReviewAssignmentFactory(review_request=review_req,reviewer=EmailFactory(person__user__username='reviewer'))
diff --git a/ietf/ietfauth/views.py b/ietf/ietfauth/views.py
index 0473936bd..4dd21be43 100644
--- a/ietf/ietfauth/views.py
+++ b/ietf/ietfauth/views.py
@@ -463,6 +463,12 @@ def password_reset(request):
             # We still report that the action succeeded, so we're not leaking the existence of user
             # email addresses.
             user = User.objects.filter(username__iexact=submitted_username, person__isnull=False).first()
+            if not user:
+                # try to find user ID from the email address
+                email = Email.objects.filter(address=submitted_username).first()
+                if email and email.person and email.person.user:
+                    user = email.person.user
+
             if user and user.person.email_set.filter(active=True).exists():
                 data = {
                     'username': user.username,