We use Lock in our Auth0 hosted login page. On clicking the Don’t remember your password? link, the password reset page comes up wherein the user can enter the email address to receive the password reset email (see non-customized example image below).
![alt text][1]
Is there some way to validate the user entered email address against the email addresses (users) present in our Auth0 account? We would like to make the experience more user friendly such that if the email address is entered incorrectly we can let the user know that it is an invalid/non existent email address, instead of seeing a success message about the email to reset the password being sent, when actually nothing happens (and user has to wait indefinitely before assuming s/he may have entered her/his email address incorrectly and retry).
To my knowledge, you won’t be able to achieve exactly what you mentioned with the built-in reset password functionality and this is intentional. The reason for this is that in order to guard against privacy issues the reset password API public response will not distinguish between a request issued for an email address associated with an existing user versus one associated with a non-existing user. If it did, this would open up the possibility for an unknown party to enumerate the registered users of your service.
You may want to consider tweaking the current success message to hint at the fact that the email will only be sent if the email is associated with a valid user and that the end-user should make sure they are using the correct email. If you want to disregard the privacy guard and still have a flow that would react differently depending on the fact that the user does not exist then you’ll need to implement your own custom reset password flow, however, this would not be recommended.
Thanks jmangelo! Yes, that makes sense, we did appreciate that someone could enumerate the registered users of our service this way. Your suggestion to tweak the response makes more sense and we will adopt that measure.