Currently, if you provide an email address that is not associated with an account, it will display the error message:
User not found
I’ve always operated under the assumption that one should not provide informative messages when it comes to any authentication functionality. In this case, this type of message could be used for username enumeration.
I had created a branch with a simple update that would remove this informative error message, but read that I should try and build consensus here before making a pull request.
So what do people think - would an update like this make sense?
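The change proposed above, sketched as an added example that is not part of the original post or the project's code. It assumes a password-reset-style request; the handler names, the account store and the generic message text are all hypothetical.

```python
import secrets

# Constructed sample data: a hypothetical account store keyed by email.
ACCOUNTS = {"alice@example.com": {"id": 1}}
OUTBOX = []  # stands in for a mail queue

GENERIC = "If that address has an account, a message has been sent to it."


def _queue_reset(key):
    # Record a one-time token for delivery out of band.
    OUTBOX.append((key, secrets.token_urlsafe(32)))


def request_reset_informative(email):
    """Behaviour described in the post: unknown addresses are revealed."""
    key = email.strip().lower()
    if key not in ACCOUNTS:
        return 404, "User not found"
    _queue_reset(key)
    return 200, "Reset email sent"


def request_reset_uniform(email):
    """Same status and body for every address; the outcome stays server-side."""
    key = email.strip().lower()
    if key in ACCOUNTS:
        _queue_reset(key)
    else:
        # Generate and discard a token so both branches do similar work.
        secrets.token_urlsafe(32)
    return 200, GENERIC


def responses_differ(handler, known, unknown):
    """Regression check: True if the reply reveals whether an account exists."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (request_reset_informative, request_reset_uniform):
        leaks = responses_differ(handler, "alice@example.com", "nobody@example.com")
        print(handler.__name__, "distinguishes accounts:", leaks)
```

A check like `responses_differ` can live in the test suite so the informative message is not reintroduced later. Registration and login forms need the same treatment, since any one of them answering differently reveals the same information.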