We have a custom database, but even when I just tried on the default app using the default “Username-Password-Authentication” database that isn’t using the custom database, I get the same behavior. We’ve of course customized the universal login to have our logo and such, but when I put any password in the reset password screen with spaces after it, I get a 400 on the POST to /u/reset-password/request/Username-Password-Authentication?state=<long state> indicating the email is invalid.
If I simply remove the spaces after, I get a 200 on the same API call. I thought it was our custom database script until just doing the test above and realizing it isn’t from our custom script.