I can’t be 100% confident on why Strapi has done this but this is undoubtedly a standard behaviour of most systems to say the forgot password email has been sent.
Reasons:
- It reduces security vulnerabilities as it doesn’t confirm a user’s email address exists. Otherwise, bots can brute force the forgot password endpoint to try to find valid user accounts and then brute force passwords.
- It reduces privacy: some people would not like websites to confirm a user exists on their website.
Is email sent?
If the email address doesn’t exist, no email is sent.
Do I have to create custom endpoint to check first if email is valid?
Don’t do that, for the reasons above.