forgottenpassword API throws a NullPointerException after the second request

[tothf]

Describe the bug
The forgottenpassword API is crashing after second request when the user search and verification detection is complete.

To Reproduce
Steps to reproduce the behavior:

1. Install PWM 2.0.3 war on tomcat or run PWM 2.0.6 docker image
2. Configure MSAD or FreeIPA with OpenLDAP
3. Configure Postgres as an External database and store all information there, including TOKENs
4. Configure the Forgotten password module with only SMS/Email TOKEN required
5. Enable REST service and /forgottenpassword for public use
6. Send the first request to the forgotten password API
7. Send a second request with the required form data and state in the request body
8. Response will be a 5015 Internal error

Expected behavior
The third response should be METHOD_CHOICE or TOKEN_CHOICE

Screenshots

Desktop (please complete the following information):
It is in the trace log

Smartphone (please complete the following information):
N/A

Additional context
trace.log

[tothf]

Found a partial workaround.

Configure Forgotten Password profile:

• Set SMS/Email Token Verification as optional
• Set Minimum Optional Required to 1

After this the API proceeds further, sends email with TOKEN, accepts the TOKEN, removes the claimed TOKEN from DB and sends response COMPLETE with the message "The password has been changed successfully."
However the user does not get it's password changed in LDAP and no email sent with the new password either.

Attached the trace log for the last request which is sending the TOKEN in.
trace_half_success.log

[tothf]

... sends response COMPLETE with the message "The password has been changed successfully." However, the user did not get it's password changed in LDAP and no email sent with the new password either.

I think I've found the problem with this one here: https://github.com/pwm-project/pwm/blob/529dc0cdac9e9afa80c2627a1ea2dc141d599376/server/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordStageProcessor.java#L385C13-L385C13

When we have "Send Password" or "Send Password and expire" configured, this if statemen checks if we can reset the password or unlock the account only, then it returns with the COMPLETE state without doing anything else.

The only way to make it work is to set the Forgotten Password Action to "Allow user to type in new password". Managed to change user password via REST API with all settings configured as mentioned before.

[jrivard]

Thanks for the detailed report. I'm not sure when I'll have time but I'll do my best to get to this soon.