As a product manager, I want to update the behavior associated with password reset requests, so that we can improve security and standardize the messaging associated with such requests.
NOTE: In the process of developing Password Reset Update, we have had a series of conversations about how to create a more secure and standardized experience for users. In the process, we've discussed how this can be implemented generally -- not just for PRU users, but for all users who have email addresses associated with their accounts. We came up with a proposal, which we shared with the Security team in T237755. Now that we have shared our proposal and received general approval, this ticket is for the implementation of such changes. It was originally envisioned as two separate tickets (one for the changes in Special:PasswordReset, and one for the message that is displayed after the request is submitted). However, in a previous engineering meeting, it was decided that it's easier to implement and manage as one ticket.
* If any user submits any information on Special:PasswordReset (i.e., data for username or email address), they should be redirected to the message screen.
** This applies regardless of whether PRU is enabled, and regardless of whether the information entered is valid or invalid in the system.
** Exception #1: If the user submits a username without characters accepted by Wikimedia, then they should be prevented from completing the form.
** Exception #2: If the user submits an email address without the @ symbol or other basic requirements of email, then they should be prevented from completing the form.
* The message that users see after generating a password reset request should be standardized so that it is always the same. The message should read: "If the information submitted is valid, a password reset email will be sent. If you haven’t received an email, we recommend that you visit the Password Reset Help page."
* The text "Password Reset Help page" should link to a new page (to be created) in MediaWiki.
* If possible, display what the user input on the previous screen (i.e., username, email address, or both). For example: "Input information: email@example.com"
**Visual Examples:**
//Screenshot of Special:PasswordReset on English Wikipedia://
//Current messaging behavior: If only username OR if username and email address information submitted//
//Current messaging behavior: If only email address information submitted//
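
The acceptance criteria above, sketched as an added example (not MediaWiki code and not part of the original ticket): format checks run before any account lookup, and every well-formed submission gets the same message whether or not an account matches. `ResetService`, the account store, the form-error wording and both format patterns are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Standardized message, quoted from the ticket.
GENERIC_MESSAGE = (
    "If the information submitted is valid, a password reset email will be sent. "
    "If you haven’t received an email, we recommend that you visit the "
    "Password Reset Help page."
)
# Assumption: placeholder format rules, not Wikimedia's actual policy.
ILLEGAL_USERNAME_CHARS = re.compile(r"[#<>\[\]|{}@:/]")
BASIC_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ResetService:
    accounts: dict                      # constructed store: username -> email
    outbox: list = field(default_factory=list)

    def submit(self, username="", email=""):
        username, email = username.strip(), email.strip()
        # Format-only checks (Exceptions #1 and #2). They never consult the
        # account store, so a rejection says nothing about which accounts exist.
        if not username and not email:  # assumption: empty form is rejected
            return ("form_error", "Enter a username or an email address.")
        if username and ILLEGAL_USERNAME_CHARS.search(username):
            return ("form_error", "Username contains characters that are not accepted.")
        if email and not BASIC_EMAIL.match(email):
            return ("form_error", "Enter a valid email address.")
        # Lookup and mail happen silently; no result leaks into the response.
        for name, addr in self.accounts.items():
            if username and name != username:
                continue
            if email and addr.lower() != email.lower():
                continue
            self.outbox.append(addr)
        # Echo only what the requester typed, never data read from the store.
        # (An HTML renderer must escape this value before display.)
        shown = ", ".join(v for v in (username, email) if v)
        return ("message", f"{GENERIC_MESSAGE}\nInput information: {shown}")
```

Identical text is only part of a uniform response: the status code, redirect target and response time for matching and non-matching submissions should also be indistinguishable.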