
🐛 Bug Report: Email recovery API allows access to user existence check #6310

SanthoshS20 opened this issue Sep 23, 2023 · 1 comment
bug Something isn't working product / auth Fixes and upgrades for the Appwrite Auth / Users / Teams services.

Comments

@SanthoshS20

👟 Reproduction steps

  1. Go to this URL - https://cloud.appwrite.io/recover
  2. Enter an email address
  3. Click the recover button (if an account does not exist in the Appwrite database, it notifies you that no user was found with this email address)

👍 Expected behavior

Description: The Email recovery API allows anyone to check whether a user has an account on the Appwrite website.

These bugs fall in the following categories:

  1. Privacy violation - Users typically expect their account information to be kept private.
  2. Security risk - Attackers can use this functionality to gather information about valid user accounts.
  3. Resource drain - Frequent requests to check for user existence can lead to consumption of resources.

Solution/Expected Behavior: Implement rate limiting to restrict the usage frequency, or implement a generic message: "If an account exists in our database, you will receive an account recovery link to your email address".

Priority: High
Severity: Medium

👎 Actual Behavior

It actually exposes whether an account exists with the given email address.

🎲 Appwrite version

Appwrite Cloud

💻 Operating system

Windows

🧱 Your Environment

No response

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?
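As an added illustration (not code from this issue or from Appwrite), here are the two behaviours the report contrasts: a recovery handler whose reply depends on whether the address exists, beside one that always returns the generic message proposed above and rate-limits per client as the report suggests. The user store, messages and client keys are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed user store standing in for the account database (not Appwrite data).
USERS = {"alice@example.com"}

GENERIC_MESSAGE = ("If an account exists in our database, you will receive "
                   "an account recovery link to your email address")


def recover_leaky(email: str, outbox: list) -> dict:
    """'Before' behaviour from the report: the reply itself reveals existence."""
    if email not in USERS:
        return {"status": 404, "message": "User not found with this email address"}
    outbox.append(email)  # stands in for dispatching the recovery mail
    return {"status": 201, "message": "Recovery email sent"}


class RecoveryService:
    """Hardened handler: identical reply for any email, plus a per-client rate limit."""

    def __init__(self, users, window_s: float = 3600, max_requests: int = 5):
        self.users = users
        self.window_s = window_s
        self.max_requests = max_requests
        self.outbox = []                    # emails actually dispatched
        self.hits = defaultdict(deque)      # client key -> request timestamps

    def _rate_limited(self, client: str, now: float) -> bool:
        q = self.hits[client]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)
        return False

    def recover(self, email: str, client: str, now=None) -> dict:
        now = time.monotonic() if now is None else now
        if self._rate_limited(client, now):
            return {"status": 429, "message": "Too many requests, try again later"}
        # The only difference between a known and an unknown address is the
        # side effect, which the caller never sees. In production, queue the
        # send rather than doing it inline so response time does not leak either.
        if email in self.users:
            self.outbox.append(email)
        return {"status": 201, "message": GENERIC_MESSAGE}
```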

@SanthoshS20 SanthoshS20 added the bug Something isn't working label Sep 23, 2023
@stnguyen90 stnguyen90 added the product / auth Fixes and upgrades for the Appwrite Auth / Users / Teams services. label Sep 26, 2023
@stnguyen90
Contributor

@SanthoshS20 thanks for raising this issue! 🙏🏼 Let me bring this up to the team.
