
So I ran into this issue. I have a user who has emailVerified as false.

So, when I try to reset the password for that user as follows, it gives me a "user unverified" error.

Person.resetPassword({
  email: email
}, function (err) {
  if (err) return res.status(422).send(err);
});

So if the user has emailVerified as false, I create a token for the user with the following token data:

const tokenData = {
  ttl: 900,
  scopes: ['reset-password'],
};

user.createAccessToken(tokenData, req, function (err, token) {
  // email the user a link containing the token
});

Now, when I try to change the password with the following request:

POST /api/people/reset-password?access_token=generated-token with data {newPassword: "newPassword"}

I'm getting: Access Denied for POST /api/people/reset-password?access_token=token --Context scopes of Person.setPassword()

This happens only for the generated token (for either a verified or a non-verified user). If a verified user requests a password change, it succeeds; that is done by the following code.

Person.resetPassword({
  email: email
}, function (err) {
  if (err) return res.status(422).send(err);
});

I have the following settings in the Person model, which I removed, but it still says access denied.

"restrictResetPasswordTokenScope": true,
"emailVerificationRequired": true,

1 Answer

I found this code in loopback/common/models/user.js:

User.resetPassword = function(options, cb) {
  ...
  if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
    err = new Error(g.f('Email has not been verified'));
    err.statusCode = 401;
    err.code = 'RESET_FAILED_EMAIL_NOT_VERIFIED';
    return cb(err);
  }
  ...
}

It looks like the email verification check depends only on the emailVerificationRequired setting. The value should be false if you want to enable password reset for unverified users:

"emailVerificationRequired": false, // The deletion of this property should also work as I don't see a default value in user.json

If that does not help, I suggest just debugging the method above. I think it should be easy to find the problem when you know where to look.

Maxim Sharai