Closed csmith closed 3 years ago
The API call actually returns:
{
    "error": "API currently unavailable."
}
This should have been the case (Issue #18 should have done this!) - the user not existing should have raised an error, but instead it continued through to the rest of the code and attempted to generate a reset code on a non-existent user object.
This should actually be resolved now.
If the e-mail address isn't registered with MyDNSHost, the reset password flow displays:
To avoid user enumeration, it should probably just show the same message as success (along the lines of "If this is a registered account, instructions have been sent, blah blah"). (It was already meant to do that.)
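The behaviour this issue asks for, as an added sketch in Python (not MyDNSHost's own code; the function names, in-memory store and sample address are assumptions made up for illustration). An unknown address gets the same reply as a known one, and no reset code is ever generated for a user that does not exist:

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the only registered account in this sketch.
USERS = {"alice@example.org": {"reset_hash": None}}
OUTBOX = []  # stands in for the mail queue: (recipient, token) pairs

GENERIC_REPLY = {
    "success": "If this is a registered account, instructions have been sent."
}


def _digest(token):
    # Store only a hash so a database leak does not expose live reset codes.
    return hashlib.sha256(token.encode()).hexdigest()


def request_password_reset(email):
    """Handle a reset request; the reply never depends on account existence."""
    address = email.strip().lower()
    user = USERS.get(address)
    if user is not None:
        # Only a real account reaches code generation, so nothing ever
        # operates on a missing user object.
        token = secrets.token_urlsafe(32)
        user["reset_hash"] = _digest(token)
        OUTBOX.append((address, token))
    # Same body on both paths: nothing for a caller to compare.
    return dict(GENERIC_REPLY)


def redeem_reset_code(email, token):
    """Return True only for the outstanding code of an existing account."""
    user = USERS.get(email.strip().lower())
    if user is None or user["reset_hash"] is None:
        return False
    ok = hmac.compare_digest(user["reset_hash"], _digest(token))
    if ok:
        user["reset_hash"] = None  # single use
    return ok
```

If the mail is sent inline, the known-account path takes measurably longer; queueing delivery keeps response time from revealing what the response body no longer does.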