@Tgr is this related to SUL3?

Further info from the user: When navigating directly to https://auth.wikimedia.org/enwiki/wiki/Special:PasswordReset, the user ended up reaching an error message indicating an IP block:

In T391862#10740094, @Ragesoss wrote:

@Tgr is this related to SUL3?

Seems to be. LoginSignupSpecialPage::showCreateAccountLink() returning false somehow?

In T391862#10740220, @Ragesoss wrote:

Further info from the user: When navigating directly to https://auth.wikimedia.org/enwiki/wiki/Special:PasswordReset, the user ended up reaching an error message indicating an IP block:

This is intentional, we don't allow password reset from blocked IPs. Harassment concerns I imagine?
The formatting is not very helpful (it could display the details of the block) but it has always been that way.

I guess the 'Forgot password' link is not appearing on the login page for that reason as well, but it's very confusing for an affected user because there's no indication of why the link does not appear, if they are looking for it.

Actually not directly related, it's a side effect of the force parameter (which itself is the side effect of visiting a page that requires reauthentication). The relevant logic is in LoginSignupSpecialPage::showExtraInformation().

The extent to which it is related to SUL3 is that before, if you were logged in on the wiki, you were always logged in on the credentials change page as well, but now they are on different domains so that's not guaranteed. (See T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation for a similar issue.)

In this case, IMO not that confusing - the user can just log in, and then they will end up on the password change page. These are two different user journeys:

• forgot your password and unable to log in -> go to password reset, visible on the log in form where you are failing to log in
• you get an email that someone else is trying to log in into your account and you feel you need a stronger password -> follow the change password link from the email. A password reset is not going to help you here (it doesn't actually change your password, just creates another temporary one).

I mean, in the case of the user not seeing the password reset link from https://auth.wikimedia.org/enwiki/wiki/Special:UserLogin (where it appears for me) I assume it's because of the block.

That said if you are on the login page with force in the URL (which would normally make the login page show up, even though you are logged in), but you aren't actually logged in, maybe it would make sense to show the "Help with logging in" / "Forgot your password?" links (but not the "Join Wikipedia" one)? Not sure.

(This is the SUL2 login page FWIW: https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Special%3AChangeCredentials%2FMediaWiki%5CAuth%5CPasswordAuthenticationRequest&returntoquery=&force=ChangeCredentials&usesul3=0 )

I think it's common for users who have lost/forgotten their password to attempt enough tries with password guesses to trigger the 'failed attempts' email, so some path that leads to a password reset makes sense there. The 'change password' link the email is easily interpreted to be a synonym for 'reset password'.

Change #1187010 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/core@master] LoginSignupSpecialPage: Show extra info for anon users with force flag

https://gerrit.wikimedia.org/r/1187010

Change #1187010 merged by jenkins-bot:

[mediawiki/core@master] LoginSignupSpecialPage: Show extra info for anon users with force flag

https://gerrit.wikimedia.org/r/1187010