Description
Describe the bug
When I requested a password reset for an account that I was not registered with, I still received the invitation to reset the password.
I forgot whether I was registered with my gmail or webmail account, and tried the gmail first. When I requested a password reset, I did receive the email and could reset the password, even though it was not a registered username. So when I then signed in with the new password, I again got the error that the username or password doesn't exist. While pretty harmless, this was quite confusing, because when I received the email I assumed this meant the username was registered.
Sidenote: It might be that this is because I 'am' registered with my gmail as a participant (via oauth, not password).
To Reproduce
Steps to reproduce the behavior:
1. Go to the sign-in page on next.eyra.co
2. Sign in as researcher
3. Click forgot password, and enter an account that is NOT your Next researchers account
4. Receive password reset email
5. If you did not receive reset email, try first using the same account to sign in as participant. Then sign out and go back to step 3
Expected behavior
If a username does not exist (as a researcher), the password reset link should not be sent.
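
One way to implement the expected behavior, as an added example that is not part of the original report or the project's code. It assumes the sidenote's hypothesis (the address exists only as an OAuth participant); the account model, names and sample addresses are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    # Hypothetical account model: one record per email address.
    email: str
    roles: set           # e.g. {"researcher"} or {"participant"}
    login_methods: set   # e.g. {"password"} or {"oauth"}


# Constructed sample accounts (not real data).
ACCOUNTS = {
    "researcher@webmail.example": Account(
        "researcher@webmail.example", {"researcher"}, {"password"}),
    "person@gmail.example": Account(
        "person@gmail.example", {"participant"}, {"oauth"}),
}

# Same reply in every case, so the form does not reveal which
# addresses are registered.
GENERIC_REPLY = ("If this address belongs to a researcher account with a "
                 "password, a reset link has been sent.")


@dataclass
class ResetService:
    outbox: list = field(default_factory=list)  # stands in for the mailer
    tokens: dict = field(default_factory=dict)  # reset token -> email

    def eligible(self, email):
        """A reset only makes sense for a researcher who logs in by password."""
        account = ACCOUNTS.get(email.strip().lower())
        return (account is not None
                and "researcher" in account.roles
                and "password" in account.login_methods)

    def request_reset(self, email):
        """Issue a token and queue the mail only for eligible accounts."""
        if self.eligible(email):
            address = email.strip().lower()
            token = secrets.token_urlsafe(32)
            self.tokens[token] = address
            self.outbox.append((address, token))
        return GENERIC_REPLY
```

With this check the OAuth-only participant address from the report gets no reset mail, so receiving one again means the researcher account exists.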