Labels: bug (Something isn't working), status/planned (We decided to do it.)
Description
Describe the bug
The "Forgot password" flow sends a verification code email before checking if the account exists. After the user enters and verifies the code, they see "The account with email X does not exist."
This means anyone can enter an arbitrary email address into the reset password field and either spam other people (abusing the email service) or flood the mail service with messages.
Expected behavior
- Always show the same generic message: "If an account with this email exists, you will receive a verification code", regardless of whether the account exists or not
- Only send the verification code if the account actually exists
- Never reveal whether an account exists or not
How to reproduce?
- User enters email which is not a registered email in forgot password form
- Verification code is sent immediately (regardless of account existence)
- User enters the code
- After verification, error message: "The account with email X does not exist"
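As an added example (not the project's own code), a minimal Python model of both flows: the current one, which mails a code before checking the account and leaks existence at verification time, beside the hardened one described under Expected behavior. The class and method names, the in-memory account set and the mailer are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Same response for every address: reveals nothing about account existence.
GENERIC_MESSAGE = "If an account with this email exists, you will receive a verification code"


@dataclass
class RecordingMailer:
    """Stand-in for the real mail service; records what would be sent."""
    sent: list = field(default_factory=list)

    def send_code(self, email: str, code: str) -> None:
        self.sent.append((email, code))


@dataclass
class ResetService:
    accounts: set                      # constructed: registered emails (lower-cased)
    mailer: RecordingMailer
    pending: dict = field(default_factory=dict)  # email -> outstanding code

    # --- current (vulnerable) behaviour ---------------------------------
    def request_reset_vulnerable(self, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = code
        self.mailer.send_code(email, code)     # mails before any account check
        return "Verification code sent"

    def verify_vulnerable(self, email: str, code: str) -> str:
        if self.pending.get(email) != code:
            return "Invalid code"
        if email not in self.accounts:         # existence leaked only now
            return f"The account with email {email} does not exist"
        return "OK"

    # --- hardened behaviour ---------------------------------------------
    def request_reset(self, email: str) -> str:
        email = email.strip().lower()
        if email in self.accounts:             # send only for real accounts
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[email] = code
            self.mailer.send_code(email, code)
        return GENERIC_MESSAGE                 # identical message either way

    def verify(self, email: str, code: str) -> str:
        expected = self.pending.get(email.strip().lower())
        # One failure message covers "no account", "no request" and "wrong code".
        if expected is None or not secrets.compare_digest(expected, code):
            return "Invalid or expired code"
        return "OK"
```

Rate limiting per address and per client is still needed on top of this to bound how many codes a real account can be made to receive.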
Environment
Self-hosted (Docker image)
Screenshots
No response