fix: Prevent email enumeration for password recovery (#2925)

* fix: Prevent email enumeration for password recovery

* feedback

Author: hmacr

src/routes/(public)/recover/+page.svelte

@@ -23,22 +23,31 @@
     });
 
     async function recover() {
+        let showGenericSuccessNotification = true;
         try {
             await sdk.forConsole.account.createRecovery({
                 email,
                 url: window.location.toString()
             });
-            addNotification({
-                type: 'success',
-                message: 'We have sent you an email with a password reset link'
-            });
             trackEvent(Submit.AccountRecover);
         } catch (error) {
+            // Do not show error for 403 Forbidden or 404 Not Found to prevent email enumeration
+            if (error.code !== 403 && error.code !== 404) {
+                showGenericSuccessNotification = false;
+                addNotification({
+                    type: 'error',
+                    message: error.message
+                });
+                trackError(error, Submit.AccountRecover);
+            }
+        }
+
+        if (showGenericSuccessNotification) {
             addNotification({
-                type: 'error',
-                message: error.message
+                type: 'success',
+                message:
+                    'If an account exists for this email, you will receive a password reset link shortly'
             });
-            trackError(error, Submit.AccountRecover);
         }
     }