I’d rather guess that it’s the wrong error message. Like e.g. there’s a communication error with a downstream service and they just catch Exception broadly and convert it to this error message. That would also explain why the non-filled value defaults to 0.
We had something similar where there was a check that checks whether the password is the same as the user name, but then it showed the “Password is too short” message to the user instead because of an overly broad try-catch.
Also, if the user is not yet registered, reset password shouldn’t work, as there is no password to reset; maybe that’s the real error. Or the counter is wrong.
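The failure mode described in the comment above, as an added example that is not part of the original comment or of the system under discussion: one broad handler reports every failure as "Password is too short", while narrow handlers keep policy rejections and downstream errors apart. All names here (`PolicyViolation`, `validate`, `failing_lookup`, the messages and the sample users) are hypothetical and constructed for illustration.

```python
import logging

log = logging.getLogger("account")

class PolicyViolation(Exception):
    """Password rejected by a specific policy rule; the message is safe to show."""

def validate(username, password, min_len=8):
    if len(password) < min_len:
        raise PolicyViolation("Password is too short")
    if password.casefold() == username.casefold():
        raise PolicyViolation("Password must not be the same as the user name")

def failing_lookup(password):
    # Constructed stand-in for a downstream service that is unreachable.
    raise ConnectionError("downstream service timed out")

def set_password_broad(username, password, lookup):
    # Anti-pattern: every failure, whatever its cause, gets the same message.
    try:
        validate(username, password)
        lookup(password)
    except Exception:
        return "Password is too short"
    return "OK"

def set_password_narrow(username, password, lookup):
    # Policy failures carry their own message through to the user.
    try:
        validate(username, password)
    except PolicyViolation as exc:
        return str(exc)
    # Infrastructure failures are logged in detail and reported generically.
    try:
        lookup(password)
    except ConnectionError:
        log.exception("password lookup failed for user %r", username)
        return "Service unavailable, please try again later"
    return "OK"

if __name__ == "__main__":
    # Constructed sample input: (user name, candidate password)
    for user, pw in [("alice_smith", "alice_smith"), ("bob", "correct horse battery")]:
        print(set_password_broad(user, pw, failing_lookup), "|",
              set_password_narrow(user, pw, failing_lookup))
```
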