Problem Statement
Could you please explain why using /api/v2/tickets/password-change to generate a reset password ticket allows providing a non-existent user?
Steps to Reproduce
- Issue a management API token.
- Make a call to the Create a password change ticket endpoint while including a non-existing user ID or email address.
- A ticket URL will be returned despite the user not existing.
Solution
This is intentional behavior. This endpoint uses the same underlying code as the public endpoint. We always create the ticket regardless of whether the user exists in order to prevent enumeration attacks.
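To make the anti-enumeration property concrete, the following is an added illustration (not Auth0's code) of a ticket-creation handler that behaves the way the solution describes: it always returns a ticket-shaped URL, binds the ticket to a user only when the lookup succeeds, and lets a caller confirm that the responses for an existing and a non-existent user are indistinguishable. The user store, ticket store and base URL are constructed placeholders.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed user directory (hypothetical): user_id -> email.
USERS: Dict[str, str] = {"auth0|user-001": "alice@example.com"}
# Tickets actually bound to a user; populated only for real users.
TICKETS: Dict[str, str] = {}
# Placeholder base URL for the reset page (assumed, not a real tenant).
BASE_URL = "https://tenant.example/lo/reset"


def lookup_user(user_id_or_email: str) -> Optional[str]:
    """Resolve a user ID or email to a user ID; None when unknown."""
    if user_id_or_email in USERS:
        return user_id_or_email
    for uid, email in USERS.items():
        if email == user_id_or_email:
            return uid
    return None


def create_password_change_ticket(user_id_or_email: str) -> dict:
    """Always mint a ticket URL; only record it when the user exists.

    The response has the same keys and the same length either way, so the
    caller learns nothing about whether the user exists.
    """
    token = secrets.token_urlsafe(32)  # fixed 43-char token
    uid = lookup_user(user_id_or_email)
    if uid is not None:
        TICKETS[token] = uid
    return {"ticket": f"{BASE_URL}?ticket={token}"}


def redeem_ticket(ticket_url: str) -> Optional[str]:
    """Consume a ticket; returns the bound user ID, or None if unbound."""
    token = parse_qs(urlparse(ticket_url).query).get("ticket", [""])[0]
    return TICKETS.pop(token, None)


def responses_indistinguishable(a: dict, b: dict) -> bool:
    """Check the enumeration-safety property: same keys, same value lengths."""
    return a.keys() == b.keys() and all(len(a[k]) == len(b[k]) for k in a)
```

Only a ticket minted for a real user can be redeemed; the one minted for an unknown user is a dead end, exactly as the documented behaviour implies.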