Learn more about these different git repos.
Other Git URLs
At this moment, as soon as someone uses the lost password function for an account, that account is unable to login (even with the correct password), because user.token is set.
This can be used to deny a user access if they lost access to the email address (so they can't even login to update the address if someone else hit Lost Password on them), or as a major annoyance because the user will be unable to login until they go to their email, click the link, and change their password.
We should probably either have a user.token_type attribute that's set to 'emailconfirmation' or 'lostpassword', or a second user.lost_password_token field, to make sure we can decide whether the user has a token because they need to confirm their email address or because they wanted to reset their password.
to comment on this ticket.