password expired message still shows upon resetting password via email.

I've noticed that the $uid isn't passed through on the password reset form when submitting as the user. This would cause loading the user to fail and the values would still not be updated.

I have added a patch to add the check for $uid, but there still needs to be the $uid to be passed through in the form submission as it still isn't currently updating field_last_password_reset or field_password_expiration.

I'm getting this during pre-live testing today :-}
Will try the patch here and look into it.

Additional info:
Submitting a password reset does give the message that the changes were saved - which is a bit misleading.
Going 'back to site' was trying to load /user/1 (not sure why, as I was testing with a lower-level user/3) and this produced infinite redirect loops and an unhappy browser and 50 messages in the log.

Most recent patch does not solve the issue yet. But did apply clean...

I found that http://cgit.drupalcode.org/password_policy/commit/?h=8.x-3.x&id=8ee51e4e... seems to have fixed it!

So a fix was made #2852312: Password expiration not set to false on update
but it's not in 8.x-3.0-alpha3.

This is critical - makes the normal use case un-usable - so it would be good to get another tagged release out with this.

Sorry - unless I am TOTALLY misguided and mis-interpreted this issue for that one. ... I'm not sure I grabbed the right issue here now...

RIghty, it's both issues.

#2852312: Password expiration not set to false on update is still in dev, and resolves half the problem.
But reported here, the email password reset process failed with the same sort of symptom.

The patch #5 applies to -dev good, and looked like it fixed that second situation... But on re-testing manually I found there may have been some session/cookies that made it look like it was working... Still WIP I guess. I'm trying to see what can be done. Testing this email cycle is a pain...
I wonder if drush ULI is the same method...

I believe this still needs work?

Most likely "needs work" yeah. ... the cycle of steps required to test a success or replicate a fail was so long I think I got misguided.
Apologies for the stream-of-consciousness style of bug reporting previously. I'd got in too deep trying to untangle/replicate a reported issue, and was tripping over my own conclusions.

Patch so far is an *improvement* however. It did solve some of the problem :]

"related" issue #2884567: UX: It's possible to enter a frustrating loop if resetting an expired password. was clouding things for me when attempting to test the solution here.

Rerolled the patch against the latest dev and also added in a comment.

Steps for testing:

1. Configure the module to reset password after x days.
2. Enable Password for user Y.
3. Let's say that the password for user Y has expired.
4. Login the user using the password reset feature.
5. Change the password of the user.
6. The "Your password has expired, please update it" should not appear now.

Setting to the correct status.

Ah sorry, I see that you feel like this patch still needs work. Anywho, the patch in #13 works for our use case and allows people to change their passwords on the password reset page and not end up in a loop.

Setting to needs work as per #10.

Actually the patch in #2881213: Fails updating password reset date and flag password was reset on resetting password by using one time login link was the superior implementation for this fix. Checking $form_state means that the token is actually checked for validity, and not simply for existence.

Here's the patch from #2881213-2: Fails updating password reset date and flag password was reset on resetting password by using one time login link re-rolled for latest dev.
I think this also can be reviewed.

Patch applies cleanly and fixes this specific issue.

Let's credit @alunyov if possible since it was his patch that was copied over to this issue.

Adding alunyov to this issue.

I've reviewed #16 and it looks good. And, thanks to everyone who helped with this :)