In password recovery, don't reveal whether an e-mail address is valid (unless it is an org's e-mail address)

endpoints/api/user.py

@@ -829,7 +829,9 @@ class Recovery(ApiResource):
     email = request.get_json()['email']
     user = model.user.find_user_by_email(email)
     if not user:
-      raise model.InvalidEmailAddressException('Email address was not found.')
+      return {
+        'status': 'sent',
+      }
 
     if user.organization:
       send_org_recovery_email(user, model.organization.get_admin_users(user))

static/directives/recovery-form.html

@@ -5,7 +5,7 @@
   </div>
   <div ng-show="!sendingRecovery">
     <div class="co-alert co-alert-success" ng-show="sent.status == 'sent'">
-        Account recovery email was sent to {{ recovery.email }}.
+      Instructions on how to reset your password have been sent to {{ recovery.email }}. If you do not receive the email, please try again shortly.
     </div>
     <div class="co-alert co-alert-danger" ng-show="invalidRecovery">{{ errorMessage }}</div>
     <div class="co-alert co-alert-info" ng-show="sent.status == 'org'">

test/test_api_security.py

@@ -457,16 +457,16 @@ class TestRecovery(ApiTestCase):
     self._set_url(Recovery)
 
   def test_post_anonymous(self):
-    self._run_test('POST', 400, None, {u'email': '826S'})
+    self._run_test('POST', 200, None, {u'email': '826S'})
 
   def test_post_freshuser(self):
-    self._run_test('POST', 400, 'freshuser', {u'email': '826S'})
+    self._run_test('POST', 200, 'freshuser', {u'email': '826S'})
 
   def test_post_reader(self):
-    self._run_test('POST', 400, 'reader', {u'email': '826S'})
+    self._run_test('POST', 200, 'reader', {u'email': '826S'})
 
   def test_post_devtable(self):
-    self._run_test('POST', 400, 'devtable', {u'email': '826S'})
+    self._run_test('POST', 200, 'devtable', {u'email': '826S'})
 
 
 class TestSignout(ApiTestCase):