Open doub1ejack opened 5 years ago
I would actually disagree with this from a security standpoint. I implemented the password reset this way because it is a security risk to tell them that the email is not valid.
We could change the message to be something like "If your email address is registered with the system, you will receive the password reset via email".
Currently if a user does not have an active account and they request a password-reset email (via "forgot password" or "register" links) the app will incorrectly tell them that a password was sent.
Before sending the password (in `resetPassword()` in data-sources/firebase-data.js), we should check to see if the email matches a valid account and give the user feedback accordingly.
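The generic-message approach suggested in this thread, as an added example that is not the project's `resetPassword()` code: account-state errors are swallowed so registered and unregistered addresses get the same response, while syntax feedback stays. The injected `sendResetEmail` and `auditLog` parameters and the `makeFakeSender` stub are hypothetical; the error codes follow Firebase Auth's naming.

```javascript
// Added example (not from data-sources/firebase-data.js).
const GENERIC_MESSAGE =
  "If your email address is registered with the system, " +
  "you will receive the password reset via email.";

// Firebase-style error codes that would reveal whether an account exists.
const ACCOUNT_STATE_CODES = new Set(["auth/user-not-found", "auth/user-disabled"]);

// sendResetEmail: injected async sender (assumption); rejects with an error
// carrying a `code` property. auditLog: injected internal logger (assumption).
async function resetPassword(email, sendResetEmail, auditLog = () => {}) {
  const normalized = String(email || "").trim().toLowerCase();
  // Syntax feedback is safe: it depends only on the input, not on account state.
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(normalized)) {
    return { ok: false, message: "Please enter a valid email address." };
  }
  try {
    await sendResetEmail(normalized);
    auditLog({ event: "reset_sent", email: normalized });
  } catch (err) {
    if (!ACCOUNT_STATE_CODES.has(err.code)) {
      // Transport or quota failure: unrelated to whether the account exists.
      auditLog({ event: "reset_error", code: err.code });
      return { ok: false, message: "Could not process the request. Please try again later." };
    }
    // Keep the detail for operators only; the caller never sees it.
    auditLog({ event: "reset_skipped", code: err.code });
  }
  // Same object shape and text for registered and unregistered addresses.
  return { ok: true, message: GENERIC_MESSAGE };
}

// Constructed stand-in for the auth backend so the example runs offline.
function makeFakeSender(registeredEmails) {
  return async (email) => {
    if (!registeredEmails.includes(email)) {
      const err = new Error("no such user");
      err.code = "auth/user-not-found";
      throw err;
    }
  };
}
```

Response timing can still differ between the two branches; this sketch only makes the returned message identical.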