
Forgotten password - triggers reset password for suspended users.

Open anchovy opened this issue 11 months ago • 0 comments

We've got users who are suspended and therefore not allowed to log in to the app (and therefore not reset their password). But if they go through the forgotten-password loop via the ForgottenPassword mutation, it sends them the reset password token, allowing them to reset their password and then activate their account?

```json
{"query":"\n    mutation ForgottenPassword($email: String!) {\n  forgottenPassword(email: $email)\n}\n    ","variables":{"email":"[email protected]"}}
```

Couple of solutions:

1. Throw an error (make it editable), i.e. "Your account is suspended, you cannot reset your password."
2. Have a BEFORE_PASSWORD_RESET event so we can hook into it and return false.

anchovy, Aug 23 '23 20:08