
Following a password reset link while authenticated should allow a password change without the current password. #6426

Closed
herbdool opened this issue Mar 18, 2024 · 4 comments · Fixed by backdrop/backdrop#4677

Comments

@herbdool

herbdool commented Mar 18, 2024

Backport of Issue #889772 by tuutti, stefan.r, opdavies, Sutharsan, Perignon, pjcdawkins, joachim, das-peter, YesCT, David_Rothstein, Zerdiox, hussainweb, Fabianx, mgifford, xjm: Following a password reset link while logged in leaves users unable to change their password.

Commit: https://git.drupalcode.org/project/drupal/-/commit/f7d2f47e9ed15ce7840ffafa105a0ea80a46eeca

Currently, if a user is logged in in one browser, requests a reset password in another browser when not logged in, and then follows that reset URL in the logged in browser, they will be required to enter their current password to change the password.

Instead, it should follow the same regular workflow as an anonymous user. In order to do that, the user should be logged out and then be presented with the reset password form.

@herbdool
Author

Note that the PR works if someone has stayed logged in in one browser and didn't log out/log in after requesting the login link. When the Drupal 7 patch was merged a few years ago it didn't check the $account->login timestamp, but it now does, which Backdrop also does. So it won't work if someone logs out and then logs in after requesting the password reset. I didn't want to change the logic too much, since it's more important to be secure than to account for an edge case.

@herbdool
Author

Steps to test the PR:

  • Log in.
  • Go to a different browser (or incognito) and request a password reset link for that same user.
  • Go back to the original browser and paste the link.
  • It should automatically log you out from the existing session and present the Password Reset form.

Note that if it's a different user account, then it will still follow the old steps of showing a warning "You cannot use a password reset link while logged into the site."
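The decision logic described in the first comment and exercised by the test steps above, as an added stand-alone model (not Backdrop's or Drupal's code): a reset link is bound to the account's password hash and last-login timestamp, a link for a different account than the session's still gets the old warning, a link for the session's own account ends that session and shows the reset form, and a login made after the request invalidates the link. The site key, link lifetime and account fields are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values standing in for the site's private key and the usual
# 24-hour reset-link lifetime (both are assumptions for this model).
SITE_KEY = b"constructed-site-key"
RESET_TTL = 24 * 60 * 60


def reset_hash(uid, password_hash, login, timestamp):
    """Bind a link to the account's current password hash and last-login time,
    so a later password change or login invalidates every outstanding link."""
    msg = f"{uid}:{timestamp}:{login}:{password_hash}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(account, now):
    """What the 'request password reset' step produces: (uid, timestamp, hash)."""
    uid = account["uid"]
    return (uid, now, reset_hash(uid, account["pass"], account["login"], now))


def follow_link(link, account, session_uid, now):
    """Decide what the browser that opens the link sees.

    Returns (outcome, session_uid_after). The session is cleared only in the
    same-account case, and only once the link has been verified.
    """
    uid, timestamp, hashed = link
    if session_uid is not None and session_uid != uid:
        # Different account: keep the old behaviour and reveal nothing about
        # whether the link itself is valid.
        return ("warning: cannot use a password reset link while logged in",
                session_uid)
    if timestamp > now or now - timestamp > RESET_TTL:
        return ("expired", session_uid)
    # A login after the request moves account['login'] past the link's
    # timestamp; this is the edge case the PR deliberately leaves rejected.
    if timestamp < account["login"]:
        return ("invalid: account logged in after the link was requested",
                session_uid)
    expected = reset_hash(uid, account["pass"], account["login"], timestamp)
    if not hmac.compare_digest(expected, hashed):
        return ("invalid: password changed since the link was requested",
                session_uid)
    # Valid link: end the existing session for this account (if any) and show
    # the same reset form an anonymous visitor gets; no current password asked.
    return ("show reset form", None)
```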

@argiepiano

Tested and reviewed. LGTM

@quicksketch
Member

Thanks @herbdool and @argiepiano! Merged into 1.x and 1.28.x.

@jenlampton jenlampton changed the title [D7] Following a password reset link while logged in should allow changing the password without asking the current password (d.o 889772) Following a password reset link while authenticated should allow a password change without the current password. Sep 15, 2024