
PRU: Improve Security & Standardize Experience for Password Reset [medium]
Closed, Resolved (Public)

Description

As a product manager, I want to update the behavior associated with password reset requests, so that we can improve security and standardize the messaging associated with such requests.

Background: In the process of developing Password Reset Update, we have had a series of conversations about how to create a more secure and standardized experience for users. We've discussed how these changes can be implemented globally -- not just for PRU users, but for all users who have email addresses associated with their accounts. We came up with a proposal, which we shared with the Security team in T237755. The proposal has received general approval, so we can now continue with the work.

The overall vision for this work is to: a) provide less information on Special:PasswordReset that could be used by bad faith actors (such as informing them whether a username or email address is recognized in the system), b) provide a standardized message after the password reset request has been submitted (so that bad faith actors can't differentiate between account preferences), and c) provide help to good faith actors who may have accidentally typed in an incorrect username/email address or invalid characters.

Acceptance Criteria:

  • If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen
    • This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system
    • Exception #1: If the user submits a username with invalid characters, according to wiki rules, they should be prevented from completing the form.
    • Exception #2: If the user submits an email address with incomplete or invalid requirements (such as no "@" symbol), they should be prevented from completing the form.
  • The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page."
  • The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.
  • If possible, display what the user input in the previous screen (i.e., username, email address, or both). For example:
You have requested a password reset.

If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page.

The details you submitted are:
* Username: MyUsername
* Email address: me@example.com
  • If the user submitted only a username or email address, the text should only display the entered information (i.e., it shouldn't have something like "Username: n/a," if no username was submitted).

Visual Examples:

Screenshot of Special:PasswordReset on English Wikipedia:

Screen Shot 2019-11-27 at 6.31.02 PM.png (270×743 px, 23 KB)

Current messaging behavior: If only username OR if username and email address information submitted
700px-Passwordresetusernamedetails.png (205×700 px, 57 KB)

Current messaging behavior: If only email address information submitted
700px-Passwordresetemaildetails.png (185×700 px, 50 KB)

Example of browser check for invalid email address:
Screenshot 2019-11-28 at 11.49.45 PM.png (562×1 px, 69 KB)

Event Timeline

ifried renamed this task from PRU: Remove Notifications on Special:PasswordReset to PRU: Remove Information about Request Validity on Special:PasswordReset. (Nov 27 2019, 5:52 PM)
ifried renamed this task from PRU: Remove Information about Request Validity on Special:PasswordReset to PRU: Complete Request if Any Information Submitted on Special:PasswordReset. (Nov 27 2019, 11:30 PM)
ifried updated the task description.

@Prtksxna What do you recommend as the message we display for exceptions #1 and #2?

ifried renamed this task from PRU: Complete Request if Any Information Submitted on Special:PasswordReset to PRU: Complete Request if Any Information Submitted on Special:PasswordReset [medium]. (Nov 28 2019, 12:33 AM)
ifried moved this task from Needs Discussion to Up Next (May 6-17) on the Community-Tech board.

@Prtksxna What do you recommend as the message we display for exceptions #1 and #2?

The browser will automatically prevent some invalid input, for example:

Screenshot 2019-11-28 at 11.49.45 PM.png (562×1 px, 69 KB)

I think the system already has an error message that shows up, but I am not able to see it. Will update this ticket once I figure it out.

ifried renamed this task from PRU: Complete Request if Any Information Submitted on Special:PasswordReset [medium] to PRU: Improve Security & Standardize Experience for Password Reset [medium]. (Dec 3 2019, 8:43 PM)
ifried updated the task description.

Thanks, @Prtksxna. The browser message for incomplete email addresses makes sense. In that case, we probably just need a message for cases when users input usernames with invalid characters. How do you suggest we do this? Perhaps a basic message that states they have entered an invalid character & inclusion of the character, such as: "You have entered an invalid character (*)."

Why it's good to check for character validity: Good faith actors may accidentally type in an incorrect username. Since we'll no longer be informing them if a username is recognized in the system, a basic check of character validity would be helpful. Furthermore, the rules on character validity are publicly shared (for example, here are the rules for English Wikipedia), so such checks will not reveal private information.

Note: We might already have a message about invalid characters in Usernames within the registration page? Worth checking if it's valid to reuse here.

ifried updated the task description.

@Mooeypoo good idea. Here is what it looks like on the Create account page:

Without JS / With JS
Screenshot 2019-12-06 at 5.40.33 PM.png (386×656 px, 35 KB)
Screenshot 2019-12-06 at 5.39.55 PM.png (252×656 px, 30 KB)

I think the system already has an error message that shows up, but I am not able to see it. Will update this ticket once I figure it out.

Here is how it shows up (thanks @Tchanders for teaching me how to do this)

Screenshot 2019-12-06 at 6.05.19 PM.png (670×1 px, 65 KB)

Samwilson subscribed.

The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.

What should this page be called? Help:Reset_password?

"You have requested a password reset email for: testy/test@gmail.com" (if both submitted)

I'm not sure the slash is the best way to display the username and password together, because it's a valid character for the local part of an email address (although pretty rare). How about making it more explicit, e.g. bullet points with only the relevant ones shown:

You have requested a password reset email for:
* Username: testy
* Email address: test@gmail.com

@Prtksxna: Any recommendations for what the Help page should be called? And any recommendations for where the "You have requested a password reset email..." text should be placed on the page?

@Samwilson: I agree with you about the language. I'll update the requirements now. Thanks!

And @Prtksxna, how do you think we should display the information on what the user submitted on Special:PasswordReset? Should there be bullet points, bolded text, etc? Thanks!

Change 556102 had a related patch set uploaded (by Samwilson; owner: Samwilson):
[mediawiki/core@master] Provide less information on Password Reset success page

https://gerrit.wikimedia.org/r/556102

What should this page be called? Help:Reset_password?

Sounds good to me 👍🏽

I'm not sure the slash is the best way to display the username and password together, because it's a valid character for the local part of an email address (although pretty rare). How about making it more explicit, e.g. bullet points with only the relevant ones shown:

Yeah, I agree the slash can be confusing. I am not so convinced with the bullet points though. Anything in bullet points takes up a lot of attention, and while we want the users to make sure that the information that they've entered is correct, I worry that if we have bullet points they won't read the second line.

I would prefer if we could fit the different combinations of info in a sentence form.

Email / Username / Both
Screenshot 2019-12-10 at 5.31.24 PM.png (410×1 px, 81 KB)
Screenshot 2019-12-10 at 5.31.43 PM.png (408×1 px, 74 KB)
Screenshot 2019-12-10 at 5.32.09 PM.png (408×1 px, 81 KB)

Would this make it harder for translation though?

In a meeting today, @Prtksxna and I discussed the following:

• The Help page should perhaps be Help:Password_Reset, since this mirrors Special:PasswordReset.
• The general idea of having the user info in one sentence rather than bullet points makes sense, but the current wireframes have awkward grammar that we may want to revise (so we can discuss it as a team).

Would this make it harder for translation though?

I was thinking that sentence order in some languages, or RTL in others, or both might make this particularly awkward.

With that in mind, what if we swap the order?

You have requested a password reset.

If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page.

The details you submitted are:
* Username: MyUsername
* Email address: me@example.com

That way, we might have the emphasis on the second sentence as @Prtksxna highlights while also having a clear format for the user-submitted data.

With that in mind, what if we swap the order?

Yeah, you're right, I think swapping will definitely help. I worry though that bullet points always take more attention no matter where on the page they are. This is surely a better option though, especially if we can't figure out a way to phrase the information in sentence (and have it be i18n friendly).

@aezell and @Prtksxna This suggestion works for me. I have updated the requirements with the text, as written by Alex.

The Help page should perhaps be Help:Password_Reset, since this mirrors Special:PasswordReset.

That's true, but the passwordreset message that is the page title of Special:PasswordReset is 'Reset password', so that might be more visible to people than what's in the URL.

Whatever it's called, the page needs to exist before this ticket can proceed. @ifried do you have content for it?

@Samwilson Good point! I have just created the page, which is currently in draft mode. I don't have the content yet, but I plan to develop it next week. Sorry for the delay! Ultimately, I decided to go with "Help:Reset_password." Like you wrote, the button on the Special:PasswordReset page states "Reset password." Also, the language ("Reset password") is more commonly used than "Password reset." Thanks for pointing that out! Let me know if you need anything else.

The above patch is waiting for the help page to be more than a placeholder before it can be merged.

Update: A rough draft of the Help page has been written and is currently being reviewed. I plan to have it posted on MediaWiki early next week.

Change 556102 merged by jenkins-bot:
[mediawiki/core@master] Standardize information on Password Reset success page

https://gerrit.wikimedia.org/r/556102

This is ready for QA. I've been trying to test it on the beta wikis, but there seems to be some issue with logging out and maybe CSRF tokens in general.

dom_walden subscribed.

I used a script to systematically cover every (valid) combination of username + email based on:

  • Is the username/email blank
  • Does the username/email exist on the system
  • Does the username/email have PRU enabled
  • Does the username have an email associated with it
  • Has the username/email hit their password reset request limit (more than one request in 24 hours)

I recorded the message I got from password reset.

I also checked that a password reset email was being sent when it should be.

Also repeated this with my IP throttled from making password reset requests (set in $wgRateLimits).

Acceptance Criteria:

  • If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen
    • This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system

This is true, with the exceptions already noted below and a few more (roughly in order of precedence/priority):

  1. If the user has the PRU option checked in Special:Preferences and you enter only their username. Normal PRU message: "Both username and email address are required to receive a temporary password via email."
    • This does not happen if you enter both username and email, or just their email. In these cases, the new message (as specified in the description) appears.
  2. IP has been throttled from making password reset requests (i.e. the IP has already made 5 password reset requests). Message: "As an anti-abuse measure, you are limited from performing this action too many times in a short space of time, and you have exceeded this limit. Please try again in a few minutes."
  3. User has already made a password reset request in the last 24 hours, and the info submitted complies with other rules (e.g. PRU). Message: "A password reset email has already been sent, within the last 24 hours. To prevent abuse, only one password reset email will be sent per 24 hours."
  4. Both input fields are empty. Message: "Neither a username nor an email address was supplied"
  • Exception #1: If the user submits a username with invalid characters, according to wiki rules, they should be prevented from completing the form.

Form is reloaded with the message "You have not specified a valid user name."

I am not sure exactly what the invalid characters are, but I entered strings like +=!£$%^*()_-~#;?}]{["''¬.

  • Exception #2: If the user submits an email address with incomplete or invalid requirements (such as no "@" symbol), they should be prevented from completing the form.

Browser validation (e.g. on Firefox you are shown "Please enter an email address", Chrome is as the last screenshot in description).

Does not appear to matter if JavaScript is enabled or disabled.

  • The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the Password Reset Help page."

The text is as specified in the description, except that it states "...we recommend that you visit the reset password help page." instead of "...Password Reset Help page."

  • The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.

Link is to https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Reset_password

  • If possible, display what the user input in the previous screen (i.e., username, email address, or both). For example:

...

  • If the user submitted only a username or email address, the text should only display the entered information (i.e., it shouldn't have something like "Username: n/a," if no username was submitted).

This is true.

Version tested: my own local vagrant environment running MediaWiki 1.35.0-alpha (10b98b7)
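To make the invariant behind these QA notes concrete, here is an added Python model of the decision logic they record (it is neither dom_walden's test script nor MediaWiki code): every submission that passes the form-level checks gets the same message, whether or not the username or email exists, has an address on file, or has PRU enabled. The account table, the username and email validity rules, and the "supplied email must match the account" rule are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the wiki's user table (example data, not real accounts):
# username -> (confirmed email address or None, PRU option enabled)
ACCOUNTS = {
    "MyUsername": ("me@example.com", False),
    "PruUser": ("pru@example.com", True),
    "NoMail": (None, False),
}

STANDARD_MSG = ("If the information submitted is valid, a password reset email will be sent. "
                "If you haven't received an email, we recommend that you visit the reset password help page.")
THROTTLE_MSG = ("As an anti-abuse measure, you are limited from performing this action too many times "
                "in a short space of time, and you have exceeded this limit. Please try again in a few minutes.")
LIMIT_MSG = ("A password reset email has already been sent, within the last 24 hours. "
             "To prevent abuse, only one password reset email will be sent per 24 hours.")

# Placeholder validity rules; the wiki's real username rules and the browser's email check are not reproduced.
INVALID_USERNAME_CHARS = re.compile(r"[#<>\[\]|{}/@]")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

@dataclass
class RequestState:
    ip_throttled: bool = False                        # this IP has hit the $wgRateLimits ceiling
    recently_reset: set = field(default_factory=set)  # usernames already mailed in the last 24 hours

def password_reset(username: str, email: str, state: RequestState):
    """Model of Special:PasswordReset after the change. Returns (message shown, email actually sent)."""
    username, email = username.strip(), email.strip()
    # Form-level checks that may legitimately stop the form (empty form, exceptions #1 and #2).
    if not username and not email:
        return "Neither a username nor an email address was supplied", False
    if username and INVALID_USERNAME_CHARS.search(username):
        return "You have not specified a valid user name.", False
    if email and not EMAIL_RE.match(email):
        return "Please enter an email address", False
    if state.ip_throttled:
        return THROTTLE_MSG, False
    # Resolve the target account silently. Apart from the 24-hour limit the QA notes record,
    # nothing below may change the message based on what was found.
    if username:
        targets = [username] if username in ACCOUNTS else []
    else:
        targets = [u for u, (addr, _) in ACCOUNTS.items() if addr == email]
    if any(t in state.recently_reset for t in targets):
        return LIMIT_MSG, False
    sent = False
    for t in targets:
        addr, pru = ACCOUNTS[t]
        if addr is None or (email and email != addr):
            continue  # no address on file, or the supplied address does not match (model assumption)
        if pru and not (username and email):
            continue  # PRU needs both fields, but the old "Both username and email..." message is gone
        sent = True
    return STANDARD_MSG, sent

def distinct_messages(usernames, state):
    """Sweep usernames the way the QA script did and return the set of distinct messages seen."""
    return {password_reset(u, "", state)[0] for u in usernames}
```

The sweep over existing, PRU-enabled, mail-less and nonexistent usernames yields a single message, which is the property the acceptance criteria ask QA to confirm.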

Hello @dom_walden and @Samwilson

There seems to be some confusion (and apologies if there was any!). From what I read in the QA notes: If the user has the PRU option checked in Special:Preferences and you enter only their username. Normal PRU message: "Both username and email address are required to receive a temporary password via email."

This is incorrect behavior, according to the acceptance criteria. As stated in the first bullet point: "If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen." This means that there should be no message that blocks users from submitting information, whether or not it is considered valid or complete. Overall, it's important that we have a standardized experience, so that we provide more security to users via Special:PasswordReset.

For this reason, I'm moving this ticket back to 'In Development.' Thanks (and please reach out if you have questions)!

Just to clarify the engineering-related point: am I right to say that, basically, the message ("Both username and email address are required to receive a temporary password via email.") should never appear anywhere, @ifried?

That is, we could (and should) get rid of passwordreset-username-email-required key and message entirely, and make sure it never appears in the UI?

Or am I missing something? (just verifying!)

Yes, @Mooeypoo, you are correct. We should remove the message (i.e., "Both username and email address are required to receive a temporary password via email") entirely. Thanks!

Change 572504 had a related patch set uploaded (by Samwilson; owner: Samwilson):
[mediawiki/core@master] Don't tell user when email is required but not supplied

https://gerrit.wikimedia.org/r/572504

Sorry, I missed that point! Done now (I think); patch ready for review.

Hello @dom_walden and @Samwilson

There seems to be some confusion (and apologies if there was any!). From what I read in the QA notes: If the user has the PRU option checked in Special:Preferences and you enter only their username. Normal PRU message: "Both username and email address are required to receive a temporary password via email."

Ah, ok. I had assumed we would be ok revealing usernames via the password reset form, as this is something you can find out easily anyway.

But, as you point out, it does violate point 1 and 2 of the acceptance criteria. Apologies.

Change 572504 merged by jenkins-bot:
[mediawiki/core@master] Don't tell user when email is required but not supplied

https://gerrit.wikimedia.org/r/572504

Testing this on https://en.wikipedia.beta.wmflabs.org (version: MediaWiki 1.35.0-alpha (c664b4f) 17:32, 18 February 2020).

For an account with PRU enabled, regardless of whether I enter just the username, just the email or both, I see the new message screen (bullet point 2 in acceptance criteria). When entering both I successfully get a password reset email.

I assume that the train went out with the version before Sam's last patch, i.e. the version with the incorrect behaviour noted by Ilana in T238961#5885739.

I also did a search on all our codebase (using https://codesearch.wmflabs.org/search/) for the term passwordreset-username-email-required. I did not find it anywhere.

This is now on production, so I'm marking this work as Done.