V1/customers/password endpoint security

Author: rogerdz

app/code/Magento/Security/Model/Plugin/AccountManagement.php

@@ -3,9 +3,12 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Security\Model\Plugin;
 
 use Magento\Customer\Model\AccountManagement as AccountManagementOriginal;
+use Magento\Framework\App\Area;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Config\ScopeInterface;
 use Magento\Framework\Exception\SecurityViolationException;
@@ -58,6 +61,8 @@ public function __construct(
     }
 
     /**
+     * Security check before reset password
+     *
      * @param AccountManagementOriginal $accountManagement
      * @param string $email
      * @param string $template
@@ -73,8 +78,10 @@ public function beforeInitiatePasswordReset(
         $template,
         $websiteId = null
     ) {
-        if ($this->scope->getCurrentScope() == \Magento\Framework\App\Area::AREA_FRONTEND
-            || $this->passwordRequestEvent == PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST) {
+        if ($this->scope->getCurrentScope() == Area::AREA_FRONTEND
+            || $this->passwordRequestEvent == PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST
+            || ($this->scope->getCurrentScope() == Area::AREA_WEBAPI_REST
+            && $this->passwordRequestEvent == PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST)) {
             $this->securityManager->performSecurityCheck(
                 $this->passwordRequestEvent,
                 $email