triflesoft/django-application-talos

User enumeration through login functionality

akudiurov opened this issue · 0 comments

Problem:
The server answers with a different HTTP code (400) and explicit error text when a user exists but the password is incorrect than when the user does not exist.

Possible impact:
Such behavior allows user enumeration, which makes brute-force attacks easier and, since the username is an email address, enables lead scraping and social engineering attacks.

Solution:
Responses from the authentication or recovery mechanism must give no information about user existence. Return exactly the same message (including headers, HTTP status, etc.) whether or not the user exists.
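An added example (not code from the django-application-talos project) that contrasts the leaky behaviour described above with the uniform response the issue asks for; it assumes a constructed in-memory user store and the hypothetical names login_leaky, login_uniform and responses_identical:

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store (hypothetical): username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# Dummy credentials hashed for unknown users so the failure path does the
# same amount of work whether or not the account exists (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_leaky(username: str, password: str):
    """Vulnerable: the response reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return 400, {"error": "User does not exist"}
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 400, {"error": "Password is incorrect"}
    return 200, {"status": "ok"}

# One generic failure used for every unsuccessful attempt.
GENERIC_FAILURE = (400, {"error": "Invalid credentials"})

def login_uniform(username: str, password: str):
    """Hardened: identical status, body and work for both failure cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and matches:
        return 200, {"status": "ok"}
    return GENERIC_FAILURE

def responses_identical(login) -> bool:
    """Check a login handler: unknown user vs. known user with wrong password."""
    unknown = login("nobody@example.com", "wrong")
    wrong_pw = login("alice@example.com", "wrong")
    return unknown == wrong_pw
```

The same check applies to password-recovery endpoints: compare the full response (status, headers, body) for a known and an unknown address and treat any difference as an enumeration leak.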