
[Chore/Refactor] Standardize authentication error messages to prevent user enumeration #24323

@laipz8200


Self Checks

  • I have read the Contributing Guide and Language Policy.
  • This is only for refactoring, if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • [Chinese users & non-English users] Please submit in English, otherwise the issue will be closed :)
  • Please do not modify this template :) and fill in all the required fields.

Description

Standardize error messages across login, register, and reset password endpoints to prevent user enumeration attacks. Currently, the authentication endpoints return different error messages that allow attackers to determine whether an email address exists in the system.

Motivation

This is a critical security improvement to prevent user enumeration attacks. When authentication endpoints return different error messages for "user not found" vs "wrong password", attackers can determine which email addresses are registered in the system. This information can be used for targeted phishing attacks or brute force attempts on known accounts. By standardizing error messages, we protect user privacy and improve the overall security posture of the application.

Additional Context

The changes ensure that:

  • Login attempts always return a generic "Invalid email or password" error regardless of whether the account exists
  • Password reset requests always return success to prevent revealing account existence
  • Email verification flows don't leak information about registered accounts
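The pattern the three points above describe, as an added example in Python (this is illustrative code written for this page, not Dify's own implementation or the author's change): a leaky login handler beside a hardened one that returns the same status and message for unknown and known accounts and also does the same password-hashing work in both cases, plus a password-reset endpoint that answers identically whether or not the email is registered. The in-memory user store, the salts, the PBKDF2 parameters and the commented-out send_reset_email hook are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this example; Dify's real models and
# hashing parameters are not shown here. Passwords are stored as
# PBKDF2-HMAC-SHA256 with a per-user salt.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_ALICE_SALT = b"example-salt-0001"
USERS = {
    "alice@example.com": {
        "salt": _ALICE_SALT,
        "pw_hash": _hash_password("correct horse battery", _ALICE_SALT),
    },
}

# Hash that is verified when the email is unknown, so that both branches do the
# same PBKDF2 work: a uniform message is not enough if the unknown-user path
# returns measurably faster than the known-user path.
_DUMMY_SALT = b"example-salt-dummy"
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

GENERIC_LOGIN_ERROR = "Invalid email or password"
GENERIC_RESET_REPLY = "If an account exists for this email, a reset link has been sent"


def login_leaky(email: str, password: str) -> tuple:
    """'Before' behaviour: the message (and the skipped hashing) reveal whether
    the email is registered."""
    user = USERS.get(email)
    if user is None:
        return 404, "User not found"
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return 401, "Wrong password"
    return 200, "ok"


def login_hardened(email: str, password: str) -> tuple:
    """'After' behaviour: same status, same message and same hashing work
    regardless of whether the email exists."""
    user = USERS.get(email)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None or not password_ok:
        return 401, GENERIC_LOGIN_ERROR
    return 200, "ok"


def request_password_reset(email: str) -> tuple:
    """Always reply identically; a reset token is generated (and would be
    mailed out of band) only for registered accounts."""
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        # send_reset_email(email, token)  # assumed delivery hook, not part of this example
        _ = token
    return 200, GENERIC_RESET_REPLY


def enumeration_oracle(handler, registered: str, unregistered: str) -> bool:
    """Attacker's view: submit the same wrong password for both emails and
    report True if the responses can be told apart."""
    return handler(registered, "definitely-wrong") != handler(unregistered, "definitely-wrong")


if __name__ == "__main__":
    known, unknown = "alice@example.com", "nobody@example.com"
    print("leaky login enumerable:   ", enumeration_oracle(login_leaky, known, unknown))
    print("hardened login enumerable:", enumeration_oracle(login_hardened, known, unknown))
    print("reset reply identical:    ",
          request_password_reset(known) == request_password_reset(unknown))
```

Two practical notes on this shape: the real failure reason ("unknown account" versus "bad password") should still go to server-side logs so the SOC can distinguish credential stuffing from password spraying, and the same neutral-response rule has to be applied to the registration endpoint too, since an "email already registered" error is just as good an oracle as "user not found".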

Metadata


Assignees

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
