Stop auto-logging in users after password reset

Instead of logging users in after a password reset, redirect them to
the login page (CP) or the redirect path (front-end) unauthenticated.
This avoids needing special handling for 2FA and passkey-enforced login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jasonvarga

resources/js/pages/auth/passwords/Reset.vue

@@ -30,9 +30,6 @@ const submit = () => {
             processing.value = true;
             errors.value = {};
         },
-        onSuccess: (e) => {
-            return window.location.href = e.url;
-        },
         onError: () => processing.value = false
     });
 }

src/Auth/ResetsPasswords.php

@@ -130,8 +130,6 @@ protected function resetPassword($user, $password)
         $user->save();
 
         event(new PasswordReset($user));
-
-        $this->guard()->login($user);
     }
 
     /**

src/Http/Controllers/CP/Auth/ResetPasswordController.php

@@ -25,6 +25,11 @@ public function broker()
         return Password::broker($broker);
     }
 
+    public function redirectPath()
+    {
+        return cp_route('login');
+    }
+
     protected function resetFormAction()
     {
         return route('statamic.cp.password.reset.action');

src/Http/Middleware/CP/HandleInertiaRequests.php

@@ -75,6 +75,10 @@ private function toasts(Request $request)
             $this->toasts->success($message);
         }
 
+        if ($message = $session->get('status')) {
+            $this->toasts->success($message);
+        }
+
         if ($message = $session->get('error')) {
             $this->toasts->error($message);
         }

tests/Auth/ResetPasswordTest.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace Tests\Auth;
+
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Auth\Passwords\PasswordReset;
+use Statamic\Facades\User;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+class ResetPasswordTest extends TestCase
+{
+    use PreventSavingStacheItemsToDisk;
+
+    public static function resetPasswordProvider()
+    {
+        return [
+            'cp' => ['cp'],
+            'web' => ['web'],
+        ];
+    }
+
+    private function resetUrl($type)
+    {
+        return match ($type) {
+            'cp' => cp_route('password.reset.action'),
+            'web' => route('statamic.password.reset.action'),
+        };
+    }
+
+    private function defaultRedirectUrl($type)
+    {
+        return match ($type) {
+            'cp' => cp_route('login'),
+            'web' => route('statamic.site'),
+        };
+    }
+
+    private function createUser()
+    {
+        return tap(User::make()->makeSuper()->email('san@holo.com')->password('secret'))->save();
+    }
+
+    private function createToken($user, $type)
+    {
+        $broker = config('statamic.users.passwords.'.PasswordReset::BROKER_RESETS);
+
+        if (is_array($broker)) {
+            $broker = $broker[$type];
+        }
+
+        return Password::broker($broker)->createToken($user);
+    }
+
+    #[Test]
+    #[DataProvider('resetPasswordProvider')]
+    public function it_resets_the_password_and_user_is_not_authenticated($type)
+    {
+        $user = $this->createUser();
+        $token = $this->createToken($user, $type);
+
+        $this
+            ->assertGuest()
+            ->post($this->resetUrl($type), [
+                'token' => $token,
+                'email' => 'san@holo.com',
+                'password' => 'newpassword',
+                'password_confirmation' => 'newpassword',
+            ])
+            ->assertSessionHas('status')
+            ->assertRedirect($this->defaultRedirectUrl($type));
+
+        $this->assertGuest();
+        $this->assertTrue(Hash::check('newpassword', $user->fresh()->password()));
+    }
+}