Ghost: Confusing error message when password reset fails

Created on 3 Jun 2020 · 6 Comments · Source: TryGhost/Ghost

If a password reset attempt fails we always show the fairly non-actionable error message Invalid Token Structure. It's not clear that the next step should be trying to generate a new reset link and it gives no indication as to why the error has occurred.

There are three main reasons a password reset can fail with this error:

  1. The token is older than 24 hours
  2. The user's password has already been reset (this invalidates all reset tokens)
  3. The token is genuinely truncated/corrupted

For 1 and I think also for 3 (in the case that a password reset link has been truncated) we should be able to give the user a more specifically useful error message.

For 2, and also in general, we should be able to provide a better generic error message that suggests what to try in order to get unstuck.

api server / core

All 6 comments

Do you have any suggestions on what the message should be for number 3?

@peterzimon this issue would need some copy input/review from you.

My suggestions for messaging based on 3 possible error scenarios above and our what/why/how convention:

  1. Expired token
     message: "The password reset link is invalid."
     context: "Password reset link token has expired and is no longer valid."
     help: "Generate new password reset request through the login form."
  2. Used/invalid token (after new password has been set)
     message: "The password reset link is invalid."
     context: "The password reset link has already been used or has an invalid format."
     help: "Generate new password reset request through the login form."
  3. Corrupted token
     message: "The password reset link is invalid."
     context: "The password reset link token has invalid structure."
     help: "Check if invitation link has been fully copied or generate new password reset request through the login form."

Currently Ghost-Admin UI would show concatenated message and context fields when error happens. Example for 1st scenario:
[Screenshot (2020-09-16): Ghost-Admin showing the concatenated message and context for the first scenario]

We might want to think about changing the pattern or modifying the order just for current password reset scenario? :thinking:

For reference (not the best one tho) these are current "Invitation" error messages, which also use similar token mechanism behind the scenes: https://github.com/TryGhost/Ghost/blob/46932c6d7588f8100013b78bdce74b4d2a913f50/core/server/translations/en.json#L453-L454

@naz here are my suggestions for the error messages:

  1. Expired token
     message: "Cannot reset password."
     context: "Password reset link expired."
     help: "Request a new password reset via the login form."
  2. Used/invalid token (after new password has been set)
     message: "Cannot reset password."
     context: "Password reset link has already been used."
     help: "Request a new password reset via the login form."
  3. Corrupted token
     message: "Cannot reset password."
     context: "Invalid password reset link."
     help: "Check if password reset link has been fully copied or request new password reset via the login form."

@peterzimon for the 2nd case, the context saying "Password reset link has already been used." would be only a partially correct statement. At this point there could be multiple reasons why the token check failed: one of them is that the reset link has been used, the other might be something wrong with the token itself (it does not match the currently set password or does not match the db_hash value, or the token is corrupted in some other way). Let me know if we should still keep it as is or maybe expand it with "or has an invalid format." as I proposed originally.

@naz thanks for the additional context :). If the problem is that the link has been used 80%+ of the time then I wouldn't bother adding the extra info, to keep the messaging clear. If it's arbitrary then we can change the copy to "Password reset link is invalid or has already been used." wdyt?

It's hard to know if it's +-80% of cases :) as we haven't been catching this specific error just yet. I'll leave it as is for now, to avoid over-optimizing. If the message ever happens to be misleading I'm pretty sure it will be spotted and we can revisit/update the messaging.

Closing the issue as the changes have landed with 32b37d7
