
Reset Password API should return success response even if email doesn't exist #5277

Closed
5 tasks done
anhcuky opened this issue Dec 20, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@anhcuky
Contributor

anhcuky commented Dec 20, 2024

Requirements

  • Is this a feature request? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • Did you check to see if this issue already exists?
  • Is this only a feature request? Do not put multiple feature requests in one issue.
  • Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.
  • Do you agree to follow the rules in our Code of Conduct?

Is your proposal related to a problem?

I noticed that the Reset Password returns 401 incorrect_login if the requested email doesn't exist. This way someone can check if my email was used for registration, not ideal, especially for NSFW instances.

Describe the solution you'd like.

Always return the same success message regardless if the email exists or not

Describe alternatives you've considered.

.

Additional context

No response

@anhcuky anhcuky added the enhancement New feature or request label Dec 20, 2024
@Nothing4You
Collaborator

There are several other ways to determine this as well:

  • try to sign up with an email address
  • try to change your account email to another one

A common pattern for the reset message is something like "reset instructions have been sent if an account using the provided email address exists".
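The change the issue asks for, shown as an added Rust example that is not Lemmy's code and does not use its API or types: the reset handler described in the report (401 `incorrect_login` for an unknown address) beside a variant that returns one fixed response using the message wording suggested above, so the only thing that differs between the "exists" and "does not exist" paths is whether a mail is queued. `Backend`, `ResetResponse` and the in-memory `outbox` are constructed stand-ins for a user table and a mail queue.

```rust
use std::collections::HashSet;

/// What the HTTP client gets back (modelled in memory; status code + body text).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ResetResponse {
    pub status: u16,
    pub message: String,
}

/// Constructed stand-in for the user table and the outgoing mail queue.
/// `outbox` records which addresses a reset mail would have been sent to,
/// which is something the requester cannot observe.
pub struct Backend {
    registered: HashSet<String>,
    pub outbox: Vec<String>,
}

impl Backend {
    pub fn with_users(users: &[&str]) -> Self {
        Backend {
            registered: users.iter().map(|u| u.to_string()).collect(),
            outbox: Vec::new(),
        }
    }

    /// Enumeration-prone variant (the behaviour reported in the issue):
    /// the response itself tells the caller whether the address is registered.
    pub fn reset_leaky(&mut self, email: &str) -> ResetResponse {
        if self.registered.contains(email) {
            self.outbox.push(email.to_string());
            ResetResponse { status: 200, message: "reset email sent".to_string() }
        } else {
            ResetResponse { status: 401, message: "incorrect_login".to_string() }
        }
    }

    /// Hardened variant: the existence check only decides whether a mail is
    /// queued; status and body are identical on both paths, so the response
    /// carries no information about whether the account exists.
    pub fn reset_uniform(&mut self, email: &str) -> ResetResponse {
        if self.registered.contains(email) {
            self.outbox.push(email.to_string());
        }
        ResetResponse {
            status: 200,
            message: "Reset instructions have been sent if an account using the \
                      provided email address exists."
                .to_string(),
        }
    }
}

/// True when the two responses differ, i.e. the endpoint lets a caller
/// distinguish a registered address from an unregistered one.
pub fn responses_leak(known: &ResetResponse, unknown: &ResetResponse) -> bool {
    known != unknown
}

fn main() {
    // Constructed sample data: one registered account.
    let mut leaky = Backend::with_users(&["alice@example.org"]);
    let a = leaky.reset_leaky("alice@example.org");
    let b = leaky.reset_leaky("nobody@example.org");
    println!("leaky variant distinguishable: {}", responses_leak(&a, &b));

    let mut uniform = Backend::with_users(&["alice@example.org"]);
    let c = uniform.reset_uniform("alice@example.org");
    let d = uniform.reset_uniform("nobody@example.org");
    println!("uniform variant distinguishable: {}", responses_leak(&c, &d));
    println!("mails queued: {:?}", uniform.outbox);
}
```

Two things the snippet does not cover but a real handler needs: the mail send on the "exists" path must not add observable latency (queue it asynchronously rather than awaiting the SMTP round trip), and the endpoint still needs rate limiting, since an identical response only closes the direct oracle, not brute-force abuse of the mailer.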

@phiresky
Collaborator

We've had some discussions about this before somewhere on GitHub. It may be true that we have other endpoints that allow this as well, but even if we don't prioritize fixing all of them we can still slowly move (updated / new code) towards a more secure pattern here - as long as everyone agrees the UX cost is okay.

@anhcuky anhcuky closed this as completed Jan 3, 2025