I think you're right. It looks like the execution hangs up in Auth.request_reset_password at the point where the system is checking a setting for password case sensitivity:
if not self.settings.email_case_sensitive:
table_user.email.requires.insert(0, IS_LOWER())
I did a search in the current web2py book for "email_case_sensitive" and came up empty. Is this something we're supposed to be aware of and set in db.py?
More importantly, if email_case_sensitive is False, the behaviour seems wrong. What should happen is that a stored email with some uppercase matches a submitted email regardless of the case. Instead, it's assuming all stored email addresses are lowercase. I think what happened is that this behaviour changed (was introduced?) in a recent update. So my old stored email addresses were stored with some uppercase. But when I updated to the newest version of web2py this new behaviour broke login and auth for anyone with uppercase in their email. Or am I missing something? Setting Auth.email_case_sensitive = True does seem to have fixed the issue.