User identification

How to configure the user password change functionality in Bitrix?

Good day!
There is a site on Bitrix.
The site has an authorization page /auth/, where the bitrix:system.auth.form component is called.
There is a page for requesting a control string and password recovery ( /forgot/ and /restore/ respectively).
To recover the password, go to the /forgot/ page, where the bitrix:system.auth.forgotpasswd component is called, enter the login or email and click send - the control string is successfully sent to the mail (in the database we see that the user's CHECKWORD value has changed, i.e. the submitted string is indeed relevant).
Wherever the components are displayed, I put the default templates, in order to avoid mistakes on my part ..
We follow the link and get to the /restore/ section, where the bitrix:system.auth.changepasswd component was first used, but due to not returning error messages, it was commented out and the following code was written, which at least returns errors:

<?if(($_POST["AUTH_FORM"]=="Y")&&($_POST["TYPE"]=="CHANGE_PWD")){
   global $USER;
   $arResult = $USER->ChangePassword($_POST["USER_LOGIN"], $_POST["USER_CHECKWORD"], $_POST["USER_PASSWORD"], $_POST["USER_CONFIRM_PASSWORD"]);
      if($arResult["TYPE"] == "OK"){
         echo "Пароль успешно изменен.";
      }else{
         echo $arResult["MESSAGE"];      
      }
   }
        echo '<pre>';
   print_r($arResult);
   echo '</pre>';
                  
   if($arResult["TYPE"] != "OK"){   
   ?>
   <fo rm method="post" action="" name="bform" id="b-form">
      <input type="hidden" name="backurl" value="">
      <input type="hidden" name="AUTH_FORM" value="Y">
      <input type="hidden" name="TYPE" value="CHANGE_PWD">
                  
      <input type="text" name="USER_LOGIN" maxlength="50" value="<?=$_GET['USER_LOGIN']?>" class="bx-auth-input" placeholder="Ваш логин" />
      <input type="text" name="USER_CHECKWORD" maxlength="50" value="<?=$_GET["USER_CHECKWORD"]?>" class="bx-auth-input" placeholder="Контрольная строка"/>
                  
      <input type="password" name="USER_PASSWORD" maxlength="50" value="" class="bx-auth-input" autocomplete="off" placeholder="Новый пароль" />
      <input type="password" name="USER_CONFIRM_PASSWORD" maxlength="50" value="" class="bx-auth-input" autocomplete="off" placeholder="Подтверждение пароля" />
      <div class="clearfix b-form-buttons">
         <input type="submit" name="change_pwd" value="Изменить пароль" />
      </div>
   </form>
<?}?>

Upon successful entry of a new password and its confirmation (they are equal and comply with all the rules), I get the $arResult array:

Array
(
    [MESSAGE] => Неверное контрольное слово для логина "[email protected]".

    [TYPE] => ERROR
    [FIELD] => CHECKWORD
)

On the page, after submitting the form, I display the $_POST array, which confirms that USER_CHECKWORD is still being passed:

Array
(
    [backurl] => 
    [AUTH_FORM] => Y
    [TYPE] => CHANGE_PWD
    [USER_LOGIN] => [email protected]
    [USER_CHECKWORD] => 1a571b5f2170ff4ef7c0657c89befcd8
    [USER_PASSWORD] => PASSWORDtest1!Q
    [USER_CONFIRM_PASSWORD] =>  PASSWORDtest1!Q
    [change_pwd] => Изменить пароль
)

I looked at the code of the method, such an error occurs if it is empty (not transmitted) or it is not equal to the password hash from the database:

if($res["CHECKWORD"] == '' || $res["CHECKWORD"] != $salt.md5($salt.$arParams["CHECKWORD"]))

BUT! If you set the value of the define("AUTH", true) constant on the page before connecting header.php and request a password using the output form, then the password is successfully changed. wtf?
Dear experts, attention, the question is: "What causes such a problem, and how to solve it?". Thanks in advance! I really hope to help...