# help
c
Re: Password reset. We are implementing a password reset feature, but it looks like the API calls leak data on whether the account exists or not in the console, which is a bad security practice (see the OWASP guidelines). After running
```js
// resetPasswordForEmail returns a promise, so the result must be awaited
const { data, error } = await supabase.auth.api.resetPasswordForEmail('user@email.com')
```
a 404 is returned for non-existent emails. Is there a way to not expose whether the account exists or not?
s
I think hiding this is just security by obscurity; it's not really security at all. Quite a number of websites do tell you if an email is already in use or taken. If you don't want to expose this at all, you could move it to a server function and not return the error response when the API is called.
c
Thank you. Do you have any links to point me in the right direction?
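The "server function" approach suggested above, written out as an added example. This is not code from the thread or from Supabase: the `supabase` object below is a constructed stand-in that mimics the v1 `resetPasswordForEmail` behaviour described in the question (a `{ data, error }` result with a 404 status for an unknown e-mail), and the `KNOWN_ACCOUNTS` set, the `resetPasswordLeaky` / `resetPasswordUniform` handlers and the response shapes are all assumptions for illustration. The point of the example is that the browser-facing handler returns the same status and body whether or not the address is registered, while still surfacing genuine upstream failures.

```javascript
// Constructed sample data: the only account that "exists" in this demo.
const KNOWN_ACCOUNTS = new Set(["user@email.com"]);

// Constructed stand-in for the supabase-js v1 client (not the real library).
// It reproduces the behaviour from the question: 404 when the e-mail is unknown.
const supabase = {
  auth: {
    api: {
      async resetPasswordForEmail(email) {
        if (KNOWN_ACCOUNTS.has(email)) {
          return { data: {}, error: null };
        }
        return { data: null, error: { message: "User not found", status: 404 } };
      },
    },
  },
};

// Leaky handler: relays the upstream result to the browser unchanged, so a
// 404 tells the caller that the address is not registered (account enumeration).
async function resetPasswordLeaky(email) {
  const { data, error } = await supabase.auth.api.resetPasswordForEmail(email);
  if (error) {
    return { status: error.status, body: { error: error.message } };
  }
  return { status: 200, body: { data } };
}

// Hardened handler: the caller always gets the same status and body.
// The upstream call is still made on every request, so the two paths also do
// comparable work. Only non-404 upstream errors are logged (hypothetical
// logger, injected so tests can silence it) and reported as a generic 500.
async function resetPasswordUniform(email, log = console.error) {
  const uniform = {
    status: 200,
    body: { message: "If an account exists for that address, a reset link has been sent." },
  };
  const { error } = await supabase.auth.api.resetPasswordForEmail(email);
  if (error && error.status !== 404) {
    log("password reset upstream failure:", error.message);
    return { status: 500, body: { error: "Temporary failure, please retry." } };
  }
  return uniform;
}

// Helper used to check that two responses are indistinguishable to the caller.
function responsesIdentical(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Stand-alone demo: a known and an unknown address get the identical response.
Promise.all([
  resetPasswordUniform("user@email.com"),
  resetPasswordUniform("nobody@email.com"),
]).then((results) => console.log(JSON.stringify(results, null, 2)));
```

Making the status and body uniform closes the leak the question describes, but it does not by itself cover timing differences or rate-limit behaviour, and a sign-up endpoint that says "email already taken" reveals the same information, so the check has to be applied to every endpoint that touches account existence.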