always return 200 in /forgot_password

README.md

@@ -802,9 +802,7 @@ Output:
 Input:
 - email
 
-Output:
-- 200: user is going to receive an email to reset the password
-- 400 if error (email not found)
+Output: always return 200, even if email doesn't exist. User need to enter correctly their email.
 
 #### GET /api/aliases
 

app/api/views/auth_login.py

@@ -332,16 +332,14 @@ def forgot_password():
 
     """
     data = request.get_json()
-    if not data:
-        return jsonify(error="request body cannot be empty"), 400
+    if not data or not data.get("email"):
+        return jsonify(error="request body must contain email"), 400
 
-    email = data.get("email")
+    email = data.get("email").lower()
 
     user = User.get_by(email=email)
 
-    if not user:
-        return jsonify(error="Email not found"), 400
+    if user:
+        send_reset_password_email(user)
 
-    send_reset_password_email(user)
-
-    return jsonify(reset_sent=True)
+    return jsonify(ok=True)

tests/api/test_auth_login.py

@@ -210,9 +210,9 @@ def test_auth_login_forgot_password(flask_client):
 
     assert r.status_code == 200
 
-    # No such email
+    # No such email, still return 200
     r = flask_client.post(
         url_for("api.forgot_password"), json={"email": "not-exist@b.c"},
     )
 
-    assert r.status_code == 400
+    assert r.status_code == 200