magento
diff --git a/‎app/code/Magento/Customer/Api/AccountManagementInterface.php
Lines changed: 9 additions & 2 deletions b/‎app/code/Magento/Customer/Api/AccountManagementInterface.php
Lines changed: 9 additions & 2 deletions
diff --git a/‎app/code/Magento/Customer/Controller/Account/CreatePassword.php
Lines changed: 9 additions & 6 deletions b/‎app/code/Magento/Customer/Controller/Account/CreatePassword.php
Lines changed: 9 additions & 6 deletions
diff --git a/‎app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php
Lines changed: 20 additions & 16 deletions b/‎app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php
Lines changed: 20 additions & 16 deletions
diff --git a/‎app/code/Magento/Customer/Model/AccountManagement.php
Lines changed: 64 additions & 8 deletions b/‎app/code/Magento/Customer/Model/AccountManagement.php
Lines changed: 64 additions & 8 deletions
@@ -7,6 +7,8 @@
 
 namespace Magento\Customer\Api;
 
+use Magento\Framework\Exception\InputException;
+
 /**
  * Interface for managing customers accounts.
  * @api
@@ -144,19 +146,24 @@ public function initiatePasswordReset($email, $template, $websiteId = null);
     /**
      * Reset customer password.
      *
-     * @param string $email
+     * @param string $email If empty value given then the customer
+     * will be matched by the RP token.
      * @param string $resetToken
      * @param string $newPassword
+     *
      * @return bool true on success
      * @throws \Magento\Framework\Exception\LocalizedException
+     * @throws InputException
      */
     public function resetPassword($email, $resetToken, $newPassword);
 
     /**
      * Check if password reset token is valid.
      *
-     * @param int $customerId
+     * @param int $customerId If 0 is given then a customer
+     * will be matched by the RP token.
      * @param string $resetPasswordLinkToken
+     *
      * @return bool True if the token is valid
      * @throws \Magento\Framework\Exception\State\InputMismatchException If token is mismatched
      * @throws \Magento\Framework\Exception\State\ExpiredException If token is expired
 
@@ -54,27 +54,30 @@ public function __construct(
     public function execute()
     {
         $resetPasswordToken = (string)$this->getRequest()->getParam('token');
-        $customerId = (int)$this->getRequest()->getParam('id');
-        $isDirectLink = $resetPasswordToken != '' && $customerId != 0;
+        $isDirectLink = $resetPasswordToken != '';
         if (!$isDirectLink) {
             $resetPasswordToken = (string)$this->session->getRpToken();
-            $customerId = (int)$this->session->getRpCustomerId();
         }
 
         try {
-            $this->accountManagement->validateResetPasswordLinkToken($customerId, $resetPasswordToken);
+            $this->accountManagement->validateResetPasswordLinkToken(
+                0,
+                $resetPasswordToken
+            );
 
             if ($isDirectLink) {
                 $this->session->setRpToken($resetPasswordToken);
-                $this->session->setRpCustomerId($customerId);
                 $resultRedirect = $this->resultRedirectFactory->create();
                 $resultRedirect->setPath('*/*/createpassword');
+
                 return $resultRedirect;
             } else {
                 /** @var \Magento\Framework\View\Result\Page $resultPage */
                 $resultPage = $this->resultPageFactory->create();
-                $resultPage->getLayout()->getBlock('resetPassword')->setCustomerId($customerId)
+                $resultPage->getLayout()
+                    ->getBlock('resetPassword')
                     ->setResetPasswordLinkToken($resetPasswordToken);
+
                 return $resultPage;
             }
         } catch (\Exception $exception) {
 
@@ -12,7 +12,6 @@
 use Magento\Framework\App\Action\Context;
 use Magento\Framework\Exception\InputException;
 use Magento\Customer\Model\Customer\CredentialsValidator;
-use Magento\Framework\App\ObjectManager;
 
 class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount
 {
@@ -31,17 +30,14 @@ class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount
      */
     protected $session;
 
-    /**
-     * @var CredentialsValidator
-     */
-    private $credentialsValidator;
-
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $accountManagement
      * @param CustomerRepositoryInterface $customerRepository
      * @param CredentialsValidator|null $credentialsValidator
+     *
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function __construct(
         Context $context,
@@ -53,8 +49,6 @@ public function __construct(
         $this->session = $customerSession;
         $this->accountManagement = $accountManagement;
         $this->customerRepository = $customerRepository;
-        $this->credentialsValidator = $credentialsValidator ?: ObjectManager::getInstance()
-            ->get(CredentialsValidator::class);
         parent::__construct($context);
     }
 
@@ -70,27 +64,33 @@ public function execute()
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
         $resetPasswordToken = (string)$this->getRequest()->getQuery('token');
-        $customerId = (int)$this->getRequest()->getQuery('id');
         $password = (string)$this->getRequest()->getPost('password');
         $passwordConfirmation = (string)$this->getRequest()->getPost('password_confirmation');
 
         if ($password !== $passwordConfirmation) {
             $this->messageManager->addError(__("New Password and Confirm New Password values didn't match."));
-            $resultRedirect->setPath('*/*/createPassword', ['id' => $customerId, 'token' => $resetPasswordToken]);
+            $resultRedirect->setPath(
+                '*/*/createPassword',
+                ['token' => $resetPasswordToken]
+            );
             return $resultRedirect;
         }
         if (iconv_strlen($password) <= 0) {
             $this->messageManager->addError(__('Please enter a new password.'));
-            $resultRedirect->setPath('*/*/createPassword', ['id' => $customerId, 'token' => $resetPasswordToken]);
+            $resultRedirect->setPath(
+                '*/*/createPassword',
+                ['token' => $resetPasswordToken]
+            );
             return $resultRedirect;
         }
 
         try {
-            $customerEmail = $this->customerRepository->getById($customerId)->getEmail();
-            $this->credentialsValidator->checkPasswordDifferentFromEmail($customerEmail, $password);
-            $this->accountManagement->resetPassword($customerEmail, $resetPasswordToken, $password);
+            $this->accountManagement->resetPassword(
+                '',
+                $resetPasswordToken,
+                $password
+            );
             $this->session->unsRpToken();
-            $this->session->unsRpCustomerId();
             $this->messageManager->addSuccess(__('You updated your password.'));
             $resultRedirect->setPath('*/*/login');
             return $resultRedirect;
@@ -102,7 +102,11 @@ public function execute()
         } catch (\Exception $exception) {
             $this->messageManager->addError(__('Something went wrong while saving the new password.'));
         }
-        $resultRedirect->setPath('*/*/createPassword', ['id' => $customerId, 'token' => $resetPasswordToken]);
+
+        $resultRedirect->setPath(
+            '*/*/createPassword',
+            ['token' => $resetPasswordToken]
+        );
         return $resultRedirect;
     }
 }
@@ -19,6 +19,7 @@
 use Magento\Customer\Model\Metadata\Validator;
 use Magento\Eav\Model\Validator\Attribute\Backend;
 use Magento\Framework\Api\ExtensibleDataObjectConverter;
+use Magento\Framework\Api\SearchCriteriaBuilder;
 use Magento\Framework\App\Area;
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\Framework\App\ObjectManager;
@@ -40,6 +41,7 @@
 use Magento\Framework\Intl\DateTimeFactory;
 use Magento\Framework\Mail\Template\TransportBuilder;
 use Magento\Framework\Math\Random;
+use Magento\Framework\Phrase;
 use Magento\Framework\Reflection\DataObjectProcessor;
 use Magento\Framework\Registry;
 use Magento\Framework\Stdlib\DateTime;
@@ -325,6 +327,11 @@ class AccountManagement implements AccountManagementInterface
      */
     private $accountConfirmation;
 
+    /**
+     * @var SearchCriteriaBuilder
+     */
+    private $searchCriteriaBuilder;
+
     /**
      * @param CustomerFactory $customerFactory
      * @param ManagerInterface $eventManager
@@ -356,6 +363,7 @@ class AccountManagement implements AccountManagementInterface
      * @param SessionManagerInterface|null $sessionManager
      * @param SaveHandlerInterface|null $saveHandler
      * @param CollectionFactory|null $visitorCollectionFactory
+     * @param SearchCriteriaBuilder|null $searchCriteriaBuilder
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -387,7 +395,8 @@ public function __construct(
         AccountConfirmation $accountConfirmation = null,
         SessionManagerInterface $sessionManager = null,
         SaveHandlerInterface $saveHandler = null,
-        CollectionFactory $visitorCollectionFactory = null
+        CollectionFactory $visitorCollectionFactory = null,
+        SearchCriteriaBuilder $searchCriteriaBuilder = null
     ) {
         $this->customerFactory = $customerFactory;
         $this->eventManager = $eventManager;
@@ -423,6 +432,8 @@ public function __construct(
             ?: ObjectManager::getInstance()->get(SaveHandlerInterface::class);
         $this->visitorCollectionFactory = $visitorCollectionFactory
             ?: ObjectManager::getInstance()->get(CollectionFactory::class);
+        $this->searchCriteriaBuilder = $searchCriteriaBuilder
+            ?: ObjectManager::getInstance()->get(SearchCriteriaBuilder::class);
     }
 
     /**
@@ -596,14 +607,62 @@ public function initiatePasswordReset($email, $template, $websiteId = null)
         return false;
     }
 
+    /**
+     * Match a customer by their RP token.
+     *
+     * @param string $rpToken
+     * @throws ExpiredException
+     * @throws NoSuchEntityException
+     *
+     * @return CustomerInterface
+     */
+    private function matchCustomerByRpToken(string $rpToken): CustomerInterface
+    {
+
+        $this->searchCriteriaBuilder->addFilter(
+            'rp_token',
+            $rpToken
+        );
+        $this->searchCriteriaBuilder->setPageSize(1);
+        $found = $this->customerRepository->getList(
+            $this->searchCriteriaBuilder->create()
+        );
+
+        if ($found->getTotalCount() > 1) {
+            //Failed to generated unique RP token
+            throw new ExpiredException(
+                new Phrase('Reset password token expired.')
+            );
+        }
+        if ($found->getTotalCount() === 0) {
+            //Customer with such token not found.
+            throw NoSuchEntityException::singleField(
+                'rp_token',
+                $rpToken
+            );
+        }
+
+        //Unique customer found.
+        return $found->getItems()[0];
+    }
+
     /**
      * {@inheritdoc}
      */
     public function resetPassword($email, $resetToken, $newPassword)
     {
-        $customer = $this->customerRepository->get($email);
+        if (!$email) {
+            $customer = $this->matchCustomerByRpToken($resetToken);
+            $email = $customer->getEmail();
+        } else {
+            $customer = $this->customerRepository->get($email);
+        }
         //Validate Token and new password strength
         $this->validateResetPasswordToken($customer->getId(), $resetToken);
+        $this->credentialsValidator->checkPasswordDifferentFromEmail(
+            $email,
+            $newPassword
+        );
         $this->checkPasswordStrength($newPassword);
         //Update secure data
         $customerSecure = $this->customerRegistry->retrieveSecureData($customer->getId());
@@ -1011,12 +1070,9 @@ public function isCustomerInStore($customerWebsiteId, $storeId)
     private function validateResetPasswordToken($customerId, $resetPasswordLinkToken)
     {
         if (empty($customerId) || $customerId < 0) {
-            throw new InputException(
-                __(
-                    'Invalid value of "%value" provided for the %fieldName field.',
-                    ['value' => $customerId, 'fieldName' => 'customerId']
-                )
-            );
+            //Looking for the customer.
+            $customerId = $this->matchCustomerByRpToken($resetPasswordLinkToken)
+                ->getId();
         }
         if (!is_string($resetPasswordLinkToken) || empty($resetPasswordLinkToken)) {
             $params = ['fieldName' => 'resetPasswordLinkToken'];