solidusio / solidus_auth_devise

🔑 Devise authentication for your Solidus store.
http://solidus.io
BSD 3-Clause "New" or "Revised" License

Remove flash errors from admin password recovery #155

Closed jacobherrington closed 5 years ago

jacobherrington commented 5 years ago

It is possible for an attacker to deduce admin account email addresses by injecting email addresses into the password recovery view until they receive a success message.

The solution in this commit is to remove those flash error messages from that view entirely. Instead we will flash a generic success message when the form submits.

This functionality will still exist for non-admin users who may be less technically savvy and may need help remembering the email address they used to sign up.

Before: image

After: image
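The oracle described in this PR, as an added example that is not code from solidus_auth_devise or Devise: a framework-free model of a password-recovery action in its leaky form (error flash when the address is unknown) beside the uniform form (one generic notice either way), plus the check a reviewer can run to see whether a handler still leaks. All user data, function names and messages are hypothetical.

```ruby
# Added example, not solidus_auth_devise code. Models a password-recovery action
# without Rails so the enumeration oracle and its fix can be seen side by side.

# Constructed user table: the attacker's goal is to learn which addresses are in it.
USERS = {
  'admin@example.com'   => { admin: true },
  'shopper@example.com' => { admin: false },
}.freeze

# Leaky behaviour: status and flash differ depending on whether the email exists,
# so each submission answers "is this address registered?".
def recover_leaky(email, mailer: ->(_) {})
  return { status: 200, flash: { error: 'Email not found' } } unless USERS.key?(email)

  mailer.call(email)
  { status: 302, flash: { success: 'Password reset instructions sent' } }
end

# Uniform behaviour: the visible response is identical for known and unknown
# addresses; sending the mail is only a side effect the caller never observes.
GENERIC_NOTICE = 'If an account exists for that address, reset instructions have been sent.'.freeze

def recover_uniform(email, mailer: ->(_) {})
  mailer.call(email) if USERS.key?(email)
  { status: 302, flash: { success: GENERIC_NOTICE } }
end

# Defender's check: does any field of the response change between an address
# known to be registered and one known not to be? True means the handler leaks.
def enumeration_oracle?(handler, present:, absent:)
  handler.call(present) != handler.call(absent)
end
```

In a real Devise application the equivalent switch is `config.paranoid = true` in the Devise initializer, which makes the reset, confirmation and unlock flows respond the same way whether or not the address exists.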

kennyadsl commented 5 years ago

Another thing: I don't think an attacker can deduce admin emails at the moment since the email existence check is performed against all users, not only admin ones. I think that every user, even non-admin, can login/reset password with those backend authentication pages. The only information that an attacker can deduce is if that email belongs to a user signed up on the store, which we are also allowing to do in the frontend.

I think this is still a good change but I would consider adding the same behavior in frontend as well. Users that forget the email used can try different emails and they will receive an email when the right one is entered.

jacobherrington commented 5 years ago

@kennyadsl That is a good point.

I will extend this behavior to the frontend password reset in another PR, or look into opportunities to address duplicated functionality. I saw a few things I could improve in this gem while making this change, but I'd like to get @aitbw's PRs merged in before doing too much more.