I can’t be 100% confident about why Strapi has done this, but this is undoubtedly standard behaviour for most systems: to say the forgot-password email has been sent.
Reasons:
It reduces security vulnerabilities, as it doesn’t confirm that a user’s email address exists. Otherwise, bots can brute-force the forgot-password endpoint to find valid user accounts and then brute-force their passwords.
It reduces privacy; some people would not like websites to confirm that a user exists on their website.
Is the email sent?
If the email address doesn’t exist, no email is sent.
Do I have to create a custom endpoint to check first if the email is valid?