choose_password template shows "undefined" for username — username param missing from reset redirect URL

[DylanBanta-WM]

New Issue Checklist

• Report security issues confidentially.
• Any contribution is under this license.
• Before posting search existing issues.

Issue Description

The choose_password password reset page displays "New Password for undefined" because the username query parameter is not included in the redirect URL generated by PublicAPIRouter.js, despite the template expecting it.

Steps to reproduce

1. Call requestPasswordReset for any user
2. Click the reset link sent via email
3. Observe the label on the reset page reads "New Password for undefined"

Actual Outcome

The page renders: "New Password for undefined"

Expected Outcome

The page should render: "New Password for " (or the app name)

The comment at the top of the choose_password template explicitly states:

"The query params 'username' and 'app' hold the friendly names for your current user and your app."

However, requestResetPassword() in PublicAPIRouter.js only includes token, id, and app in the redirect username is absent:

const params = querystring.stringify({
token,
id: config.applicationId,
app: config.appName
// username is missing
});

While the template at line 184 reads:

document.getElementById('username_label').appendChild(document.createTextNode(urlParams['username']));

[parse-github-assistant]

🚀 Thanks for opening this issue!

ℹ️ You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[mtrezza]

Yes, username has been removed. Template requires a change.