/api/v2/tickets/password-change returns a ticket URL regardless of whether the user exists

Problem Statement

Could you please explain why /api/v2/tickets/password-change accepts a non-existent user when generating a password reset ticket?

Steps to Reproduce

  1. Issue a management API token.
  2. Call the Create a password change ticket endpoint with a user ID or email address that does not exist in the tenant.
  3. A ticket URL is returned even though the user does not exist.

Solution

This is intentional behavior. This endpoint uses the same underlying code as the public endpoint, and a ticket is always created regardless of whether the user exists, so that the response cannot be used to determine whether an account exists (a user enumeration attack).
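The following is an added illustration, not Auth0's code, of the design choice described above: a leaky handler that answers differently for unknown users beside an enumeration-safe one that always returns a ticket URL, plus a simple check a defender can run against either. The user store, user IDs, and ticket URL prefix are constructed placeholders.

```python
"""Added example (not Auth0's implementation): why a password-change ticket
endpoint should respond identically for existing and unknown users."""
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed user store: user_id -> email. Only these users "exist".
USERS = {"auth0|alice": "alice@example.com"}
# Hypothetical ticket store: token -> user_id the ticket is bound to.
TICKETS: Dict[str, str] = {}
TICKET_BASE = "https://tenant.example/lo/reset?ticket="  # placeholder prefix

Response = Tuple[int, dict]


def naive_ticket(user_id: str) -> Response:
    """Leaky variant: the 404 reveals that user_id does not exist."""
    if user_id not in USERS:
        return 404, {"error": "user not found"}
    token = secrets.token_urlsafe(32)
    TICKETS[token] = user_id
    return 201, {"ticket": TICKET_BASE + token}


def enumeration_safe_ticket(user_id: str) -> Response:
    """Always returns a ticket URL. The token is only bound to a real user,
    so a ticket for an unknown user looks identical but cannot be redeemed."""
    token = secrets.token_urlsafe(32)
    if user_id in USERS:
        TICKETS[token] = user_id
    return 201, {"ticket": TICKET_BASE + token}


def redeem(token: str) -> Optional[str]:
    """Consumes a ticket; returns the bound user_id, or None if unbound."""
    return TICKETS.pop(token, None)


def leaks_existence(handler: Callable[[str], Response]) -> bool:
    """Defender's check: do a known and an unknown user get responses that
    differ in status code or response keys? (Timing differences are not
    covered by this check and must be assessed separately.)"""
    known = handler("auth0|alice")
    unknown = handler("auth0|nobody")

    def shape(resp: Response):
        return resp[0], tuple(sorted(resp[1]))

    return shape(known) != shape(unknown)
```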