Indice.AspNet
/api/account/validate-password does not take into account the request.userName
When there is no available user (e.g. the user is registering) the /api/account/validate-password endpoint does not take into account the userName from the request payload.
Therefore, irrespective of the MaxAllowedUserNameSubset, the password rule always returns valid.
Expected behavior: When there is no user, the user instance that gets created needs to have the userName initialized from the request value.
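To make the defect and the expected fix concrete, here is an added illustration written for this issue; it is not Indice.AspNet's own code, and the class names, the request record, the `MaxAllowedUserNameSubset` constructor argument and the "longest shared substring" interpretation of that setting are assumptions. It uses the standard ASP.NET Core Identity `IPasswordValidator<TUser>` contract. The validator silently passes when the user it receives has no `UserName`, which is exactly why an anonymous call reaches the rule with nothing to compare against; the service at the bottom shows the one-line change that seeds a transient user from the request payload so the rule can run.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical password rule (assumption, not Indice's implementation):
// reject a password that shares more than MaxAllowedUserNameSubset consecutive
// characters with the user name, compared case-insensitively.
public class UserNameSubsetPasswordValidator : IPasswordValidator<IdentityUser>
{
    public int MaxAllowedUserNameSubset { get; }

    public UserNameSubsetPasswordValidator(int maxAllowedUserNameSubset = 3)
        => MaxAllowedUserNameSubset = maxAllowedUserNameSubset;

    public Task<IdentityResult> ValidateAsync(UserManager<IdentityUser> manager, IdentityUser user, string password)
    {
        // No user name to compare against: the rule cannot run and returns Success.
        // This is the silent pass the issue describes when the caller is anonymous.
        if (string.IsNullOrEmpty(user?.UserName) || string.IsNullOrEmpty(password))
            return Task.FromResult(IdentityResult.Success);

        if (LongestSharedSubstring(user.UserName, password) > MaxAllowedUserNameSubset)
        {
            return Task.FromResult(IdentityResult.Failed(new IdentityError
            {
                Code = "PasswordContainsUserName",
                Description = $"Password must not share more than {MaxAllowedUserNameSubset} consecutive characters with the user name."
            }));
        }
        return Task.FromResult(IdentityResult.Success);
    }

    // Length of the longest common substring of a and b (O(n*m) dynamic programming).
    internal static int LongestSharedSubstring(string a, string b)
    {
        a = a.ToLowerInvariant();
        b = b.ToLowerInvariant();
        var best = 0;
        var prev = new int[b.Length + 1];
        for (var i = 1; i <= a.Length; i++)
        {
            var cur = new int[b.Length + 1];
            for (var j = 1; j <= b.Length; j++)
            {
                if (a[i - 1] != b[j - 1]) continue;
                cur[j] = prev[j - 1] + 1;
                if (cur[j] > best) best = cur[j];
            }
            prev = cur;
        }
        return best;
    }
}

// Payload of the validate-password request (field names assumed).
public record ValidatePasswordRequest(string? UserName, string Password);

// The part of the endpoint that hands the user to the validators.
public class PasswordValidationService
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IPasswordValidator<IdentityUser> _validator;

    public PasswordValidationService(UserManager<IdentityUser> userManager, IPasswordValidator<IdentityUser> validator)
    {
        _userManager = userManager;
        _validator = validator;
    }

    public Task<IdentityResult> ValidateAsync(ValidatePasswordRequest request, IdentityUser? signedInUser)
    {
        // Before the fix the transient user was created without a UserName, so the
        // subset rule above always passed for anonymous callers (e.g. during registration).
        // After the fix the transient user carries the UserName from the request payload.
        var user = signedInUser ?? new IdentityUser { UserName = request.UserName };
        return _validator.ValidateAsync(_userManager, user, request.Password);
    }
}
```

With `MaxAllowedUserNameSubset = 3`, user name `jsmith` and password `Jsmith2024!`, the shared substring `jsmith` has length 6 and the validator fails the password; without the seeded `UserName` the same call returns Success, which is the behaviour reported above.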
As I recall this is an improvement we made as a result of a pen test security finding, because it is leaking the usernames that the store already has in case of anonymous access. I think the validation error should show up on the change password POST method just fine with 400 BadRequest, but not on the hint list.
@perisdr check the change password POST to see my assumption please