Currently the password reset API only requires a username and does not support CAPTCHAs. Without CAPTCHA support it's fairly easy for a malicious party to spam legitimate users with password reset emails. I propose CAPTCHA support for password reset just like there's one for magic links and registrations.
Thank you for submitting this idea. I agree it would be good to protect the password reset flows with reCAPTCHA and we will consider adding this.
We are being spammed by bots requesting 300+ password resets on brand-new, bot-created accounts. 4 million+ password resets this year so far, and all are calling the Arc services directly, which are not protected.