Issue #3261663 by s.messaris, DieterHolvoet, ShaunDychko, smustgrave,...

    }

    // Load by name if provided.

    $identifier = '';

    if (isset($credentials['name'])) {

      $users = $this->userStorage->loadByProperties(['name' => trim($credentials['name'])]);

      $identifier = $credentials['name'];

      $users = $this->userStorage->loadByProperties(['name' => trim($identifier)]);

    }

    elseif (isset($credentials['mail'])) {

      $users = $this->userStorage->loadByProperties(['mail' => trim($credentials['mail'])]);

      $identifier = $credentials['mail'];

      $users = $this->userStorage->loadByProperties(['mail' => trim($identifier)]);

    }

    /** @var \Drupal\Core\Session\AccountInterface $account */

    $account = reset($users);

    if ($account && $account->id()) {

      if ($this->userIsBlocked($account->getAccountName())) {

        throw new BadRequestHttpException('The user has not been activated or is blocked.');

        $this->logger->error('Unable to send password reset email for blocked or not yet activated user %identifier.', [

          '%identifier' => $identifier,

        ]);

        return new Response();

      }

      // Send the password reset email.

    }

    // Error if no users found with provided name or mail.

    throw new BadRequestHttpException('Unrecognized username or email address.');

    $this->logger->error('Unable to send password reset email for unrecognized username or email address %identifier.', [

      '%identifier' => $identifier,

    ]);

    return new Response();

  }

  /**

use Drupal\Core\Flood\DatabaseBackend;

use Drupal\Core\Test\AssertMailTrait;

use Drupal\Core\Database\Database;

use Drupal\Core\Url;

use Drupal\Tests\BrowserTestBase;

use Drupal\user\Controller\UserAuthenticationController;

    $this->assertHttpResponseWithMessage($response, 400, 'Missing credentials.name or credentials.mail', $format);

    $response = $this->passwordRequest(['name' => 'dramallama'], $format);

    $this->assertHttpResponseWithMessage($response, 400, 'Unrecognized username or email address.', $format);

    $this->assertEquals(200, $response->getStatusCode());

    $response = $this->passwordRequest(['mail' => 'llama@drupal.org'], $format);

    $this->assertHttpResponseWithMessage($response, 400, 'Unrecognized username or email address.', $format);

    $this->assertEquals(200, $response->getStatusCode());

    $account

      ->block()

      ->save();

    $response = $this->passwordRequest(['name' => $account->getAccountName()], $format);

    $this->assertHttpResponseWithMessage($response, 400, 'The user has not been activated or is blocked.', $format);

    $this->assertEquals(200, $response->getStatusCode());

    // Check that the proper warning has been logged.

    $arguments = [

      '%identifier' => $account->getAccountName(),

    ];

    $logged = Database::getConnection()->select('watchdog')

      ->fields('watchdog', ['variables'])

      ->condition('type', 'user')

      ->condition('message', 'Unable to send password reset email for blocked or not yet activated user %identifier.')

      ->orderBy('wid', 'DESC')

      ->range(0, 1)

      ->execute()

      ->fetchField();

    $this->assertEquals(serialize($arguments), $logged);

    $response = $this->passwordRequest(['mail' => $account->getEmail()], $format);

    $this->assertHttpResponseWithMessage($response, 400, 'The user has not been activated or is blocked.', $format);

    $this->assertEquals(200, $response->getStatusCode());

    // Check that the proper warning has been logged.

    $arguments = [

      '%identifier' => $account->getEmail(),

    ];

    $logged = Database::getConnection()->select('watchdog')

      ->fields('watchdog', ['variables'])

      ->condition('type', 'user')

      ->condition('message', 'Unable to send password reset email for blocked or not yet activated user %identifier.')

      ->orderBy('wid', 'DESC')

      ->range(0, 1)

      ->execute()

      ->fetchField();

    $this->assertEquals(serialize($arguments), $logged);

    $account

      ->activate()