Allow password reset email to be sent to any verified email address
### Description

Currently the password reset email is only sent to the primary email address. If a user loses access to their primary email address, they should still be able to receive the password reset email if they have a secondary email address in their profile.

### Proposal

Send the password reset email to whichever email address the user has requested as long as it is verified.

This is somewhat tricky because we're overriding Devise behavior. Devise uses the `Recoverable#send_reset_password_instructions_notification` method to send the notification. Inside that method it uses [`send_devise_notification`](https://github.com/heartcombo/devise/blob/e8e0c275999dd98150197cab03acb5509cb16b6a/lib/devise/models/recoverable.rb#L99). By default it sends empty opts, but the opts hash *should* accept a `to` value. I think we can override the method by creating `User#send_reset_password_instructions_notification` and calling the same `send_devise_notification` method with our own `to` values.

We should only send to confirmed email addresses.

For details, see:

- Required code changes: https://gitlab.com/gitlab-org/gitlab/-/issues/16311#note_546239035
- User/email flow: https://gitlab.com/gitlab-org/gitlab/-/issues/16311#note_547052525

Please update the description as refinement occurs.

### Implementation note

This feature should be configurable at the instance level. Admins should have the ability to keep the existing behaviour of only allowing password resets to be sent to the primary email address.
issue
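
The recipient check the proposal describes, as an added example that is not GitLab's or Devise's code: the reset is mailed only to a stored, confirmed address on the account, and secondary addresses are used only when the instance setting allows it. `User`, `Email`, `reset_recipient`, `allow_secondary` and the stubbed `send_devise_notification` are hypothetical stand-ins so the block runs without Rails.

```ruby
# Added illustration in plain Ruby; User, Email and allow_secondary are
# hypothetical stand-ins, not GitLab's or Devise's classes.
Email = Struct.new(:address, :confirmed_at, :primary) do
  def confirmed?
    !confirmed_at.nil?
  end
end

class User
  attr_reader :emails, :sent

  def initialize(emails)
    @emails = emails
    @sent = [] # what the stubbed Devise hook was asked to send
  end

  # Returns the stored address to mail, or nil when nothing may be sent.
  # allow_secondary models the instance-level admin setting.
  def reset_recipient(requested, allow_secondary:)
    return nil unless requested.is_a?(String) # reject arrays/hashes from params
    wanted = requested.strip.downcase
    match = emails.find { |e| e.address.downcase == wanted }
    return nil if match.nil? || !match.confirmed?
    return nil unless match.primary || allow_secondary
    match.address # the stored value, never the raw request string
  end

  # Override shape from the proposal: same hook, explicit `to` in opts.
  def send_reset_password_instructions_notification(token, requested:, allow_secondary:)
    to = reset_recipient(requested, allow_secondary: allow_secondary)
    return false if to.nil?
    send_devise_notification(:reset_password_instructions, token, { to: to })
    true
  end

  private

  # Stub for Devise's hook: records the call instead of mailing.
  def send_devise_notification(notification, *args)
    @sent << [notification, *args]
  end
end

# Constructed sample account.
ANN = User.new([
  Email.new("ann@example.com", Time.at(0), true),
  Email.new("ann@backup.example", Time.at(0), false),
  Email.new("pending@backup.example", nil, false)
])
```

The caller should return the same response whether or not a mail was sent, so the form does not reveal which addresses are attached to an account.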