Auth. Security vulnerability: find out if an email address is registered in the DB. #1690

@maricabertarini

Description

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

An attacker is then able to distinguish whether a given email address is present in the DB or not.

To Reproduce

  1. I used the method supabase.auth.resetPasswordForEmail and I noticed that if I enter an email address that is not present in the DB, the method succeeds as it is supposed to, although no email is sent.
  2. But then, if I invoke the method again right away (e.g. a user immediately clicks the button again), the method succeeds again.
  3. It succeeds fast (because no email is really sent).

Whereas:

  4. If I enter an email address that is present in the DB and then invoke the same method right away, this time the method fails with an error (AuthApiError: For security purposes, you can only request this after 56 seconds.).
  5. When the method succeeds in this case, it succeeds more slowly than in the case explained in steps 1, 2, and 3, because an email is actually sent in this case.

Expected behaviour

supabase.auth.resetPasswordForEmail should:

  • fail with the rate limit error also for email addresses that are not present in the DB
  • take approximately the same time to succeed for emails that are not present in the DB as it takes to succeed for emails that are present in the DB (so attackers don't use the exec time of the method to find out if the email is present in the DB or not).
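The two expected behaviours above (identical rate-limit errors and no existence-dependent latency) can be demonstrated with a small mock of a password-reset request handler. The following is an added example written for this issue; it is not Supabase or auth-js code, and the user table, the 60-second window, the error text and the injectable clock are constructed assumptions. The observable outcome depends only on the request history for that address, never on whether the address is registered, because membership lookup and email delivery are moved to an asynchronous outbox that runs outside the response path.

```javascript
// Added example (not Supabase/gotrue/auth-js code): a reset-request handler whose
// observable behaviour is independent of whether the email is registered.

const RATE_LIMIT_SECONDS = 60; // constructed window, not Supabase's real value

function normalize(email) {
  return email.trim().toLowerCase();
}

class ResetService {
  // users: constructed list of registered addresses; now: clock in seconds
  constructor({ users, now }) {
    this.users = new Set(users.map(normalize));
    this.now = now;
    this.lastRequest = new Map(); // email -> last request time, for ALL addresses
    this.outbox = [];             // delivery jobs processed later, off the request path
  }

  requestPasswordReset(rawEmail) {
    const email = normalize(rawEmail);
    const t = this.now();
    const prev = this.lastRequest.get(email);
    // Rate limit is keyed on the submitted address whether or not it exists,
    // so a repeat request returns the same error for known and unknown emails.
    if (prev !== undefined && t - prev < RATE_LIMIT_SECONDS) {
      const wait = RATE_LIMIT_SECONDS - (t - prev);
      return {
        ok: false,
        error: `For security purposes, you can only request this after ${wait} seconds.`,
      };
    }
    this.lastRequest.set(email, t);
    // No membership check and no sending here: the response path does the same
    // amount of work for every address, so response time carries no signal.
    this.outbox.push({ email, queuedAt: t });
    return { ok: true };
  }

  // Background worker: only here do we consult the user table. Returns the
  // number of emails handed to sendFn (constructed delivery hook).
  processOutbox(sendFn) {
    let sent = 0;
    for (const job of this.outbox.splice(0)) {
      if (this.users.has(job.email)) {
        sendFn(job.email);
        sent += 1;
      }
    }
    return sent;
  }
}

// Self-check a defender can run: issue the same request pattern for two
// addresses and confirm the caller-visible results are identical.
function sameObservableBehaviour(service, emailA, emailB) {
  const sequence = (email) => [
    service.requestPasswordReset(email),
    service.requestPasswordReset(email),
  ].map((r) => JSON.stringify(r));
  const a = sequence(emailA);
  const b = sequence(emailB);
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Demo with a real clock (constructed addresses).
const demo = new ResetService({
  users: ["alice@example.com"],
  now: () => Math.floor(Date.now() / 1000),
});
console.log(
  "indistinguishable:",
  sameObservableBehaviour(demo, "alice@example.com", "nobody@example.com"),
);
console.log("emails actually sent:", demo.processOutbox(() => {}));
```

The design choice worth noting is that the rate-limit record is written before any lookup, and the lookup itself happens in the worker. If the existence check stayed inside the request handler (even with a uniform error), the slower "send" branch would still leak the answer through latency, which is exactly the second symptom reported above.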

Labels

  • auth-js (Related to the auth-js library)
  • bug (Something isn't working)