In the EventSubscriber there is a list of user pages to be excluded from the module, but this does not include the route 'user.reset.login'.


Comments

jamiehollern created an issue. See original summary.

jamiehollern’s picture

Status: Active » Needs review
FileSize
743 bytes

Added patch.

TommyK’s picture

Would we need to include all the reset password link paths? Looking in the user module there are a number of user.reset routes.

Maybe something like:

substr($route_name, 0, 10) === 'user.reset'

gmaxwelled’s picture

Priority: Normal » Major
FileSize
753 bytes

Combining the original patch with TommyK's suggestion does the trick for me. Here is an updated patch.

Also changing priority to Major, as this bug prevents users from using the forgotten password functionality.

Arrow’s picture

Status: Needs review » Reviewed & tested by the community

#4 did the trick for me!

gigiabba’s picture

Please apply the patch. #RTBC

dqd’s picture

We need maintainer action here and on other 8.x issues. I will contact robphillips or Jeffrey C. to get commit access. Let's make this module ready for the ride ...

robphillips’s picture

Hello. I've recently been occupied with client work, so my apologies for lack of maintenance releases. I'll be reviewing issues today and will determine if an additional maintainer will be necessary. In terms of a roadmap, aiming to have a new beta release ready by EOD.

robphillips’s picture

Status: Reviewed & tested by the community » Closed (cannot reproduce)

I'm unable to replicate this issue with Drupal 8.5.3. Furthermore, the $route_name given on the reset password page is "user.pass". The "user.pass" route is already excluded from the access restrictions. If anyone reports this issue again, please provide additional information for replication purposes (Drupal version, contrib modules, theme, etc).

dqd’s picture

@robphillips: Great to have you back.

> my apologies for lack of maintenance releases.

No need to apologize. Thanks for clarification. Absolutely understandable reasons. Thanks for chiming in and having a look. Don't worry. It is all about the interest getting Drupal 8 contrib area ready ;-) We will help if required.

> #4: Also changing priority to Major, as this bug prevents users from using the forgotten password functionality.

> robphillips: I'm unable to replicate this issue with Drupal 8.5.3. Furthermore, the $route_name given on the reset password page is "user.pass". The "user.pass" route is already excluded from the access restrictions.

@robphillips: Did you make enough tests, and can you confirm that you have no issues with the usability like the test of #4 is mentioning?

robphillips’s picture

Status: Closed (cannot reproduce) » Active

robphillips’s picture

Status: Active » Fixed

Patch #4 committed. I was previously only testing access to the reset password form. I found that "user.reset" route name is used when clicking the reset password email confirmation link. New release will be out shortly.

robphillips’s picture

Status: Fixed » Closed (fixed)

dqd’s picture

1+! Awesome work on this, Rob.
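
The two ways of exempting the password-reset routes discussed in this thread, side by side, as an added example that is not the module's code or the committed patch. The function names, the `user.login` entry, the `user.reset.form` route name (assumed from Drupal core's user module; check `user.routing.yml` for your version) and the sample routes are assumptions. The comparison shows that the prefix test also exempts any other route whose name merely starts with `user.reset`, which matters because every exempted route is reachable without login.

```php
<?php
// Added example: plain PHP, no Drupal bootstrap required.

// Routes matched exactly. 'user.pass' is the route the thread says was
// already excluded; 'user.login' is an assumed entry for illustration.
const EXCLUDED_ROUTES = ['user.login', 'user.pass'];

// Reset routes listed one by one. 'user.reset' and 'user.reset.login' are
// named in the thread; 'user.reset.form' is assumed from Drupal core.
const RESET_ROUTES = ['user.reset', 'user.reset.login', 'user.reset.form'];

// Variant A (hypothetical helper): exact list plus the prefix test
// suggested in the thread.
function is_excluded_by_prefix(string $route_name): bool {
  return in_array($route_name, EXCLUDED_ROUTES, true)
    || substr($route_name, 0, 10) === 'user.reset';
}

// Variant B (hypothetical helper): every exempt route is named explicitly,
// so a new route has to be added on purpose before it bypasses the check.
function is_excluded_exact(string $route_name): bool {
  return in_array($route_name, array_merge(EXCLUDED_ROUTES, RESET_ROUTES), true);
}

// Constructed sample route names. 'user.resetter.admin' stands in for a
// hypothetical contrib route that happens to share the prefix.
$samples = [
  'user.pass',
  'user.reset',
  'user.reset.login',
  'user.reset.form',
  'user.resetter.admin',
  'entity.node.canonical',
];

foreach ($samples as $route) {
  printf(
    "%-24s prefix=%-3s exact=%s\n",
    $route,
    is_excluded_by_prefix($route) ? 'yes' : 'no',
    is_excluded_exact($route) ? 'yes' : 'no'
  );
}
```

The two variants agree on every core reset route and differ only on names that share the prefix without being part of the reset flow, so the explicit list costs a maintenance step when core adds a route but keeps the unauthenticated surface fixed.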