Feature #106761
Add PSR-14 Event BeforePasswordRecoveryEvent to allow validation before password reset email is sent
Status: open
Description
Currently, the EXT:felogin extension provides a password recovery workflow via the PasswordRecoveryController::recoveryAction() method. However, there is no way to intercept or validate the request before the recovery email is triggered.
This limitation makes it difficult to implement common requirements such as:
- CAPTCHA validation to prevent automated abuse
- Custom rate limiting or throttling logic beyond what is built-in
- Audit logging or analytics for recovery attempts
- Custom business rules before proceeding (e.g., blocklisted emails)
While TYPO3 already provides the SendRecoveryEmailEvent (dispatched within RecoveryService::sendRecoveryEmail()), it occurs too late in the process — after:
- The user has already been looked up in the database
- A recovery hash has been generated and saved
- The process has committed to sending the email
This makes SendRecoveryEmailEvent unsuitable for early validation tasks. A new BeforePasswordRecoveryEvent dispatched at the beginning of recoveryAction() would allow integrators to cancel or modify the workflow before any sensitive actions occur.
This would align with other PSR-14 events in TYPO3 (e.g., AfterUserLoggedInEvent, PasswordChangeEvent) and improve the security and extensibility of the password recovery process.
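To illustrate what integrators could do with such an event, here is an added sketch that is not TYPO3 core code and not part of this issue: a hypothetical shape for BeforePasswordRecoveryEvent (its class, methods and namespace are assumptions, since the event is only proposed) together with a listener that throttles recovery attempts per address before any user lookup or hash generation happens. The listener assumes a TYPO3 cache frontend is injected for it via DI and that the limits chosen are placeholders.

```php
<?php
declare(strict_types=1);

namespace Vendor\Example;

use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Attribute\AsEventListener;
use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;

// Hypothetical shape of the proposed event (not TYPO3 core code). It carries only
// what the controller already knows at the start of recoveryAction(): the request
// and the submitted address. No user lookup has happened yet.
final class BeforePasswordRecoveryEvent
{
    private bool $prevented = false;
    public function __construct(
        private readonly ServerRequestInterface $request,
        private readonly string $email,
    ) {}
    public function getRequest(): ServerRequestInterface { return $this->request; }
    public function getEmail(): string { return $this->email; }
    // A listener aborts the workflow here; the controller would then skip lookup,
    // hash generation and mailing but still render the same neutral message, so the
    // response does not reveal whether the address exists.
    public function preventRecovery(): void { $this->prevented = true; }
    public function isRecoveryPrevented(): bool { return $this->prevented; }
}

// Example listener: per-address throttling on top of the built-in protection,
// using the TYPO3 caching framework (injected cache and limits are assumptions).
#[AsEventListener(identifier: 'vendor-example/throttle-password-recovery')]
final class ThrottlePasswordRecovery
{
    private const MAX_ATTEMPTS = 3;      // per address
    private const WINDOW_SECONDS = 900;  // expiry is extended on every attempt
    public function __construct(private readonly FrontendInterface $cache) {}

    public function __invoke(BeforePasswordRecoveryEvent $event): void
    {
        // Hash the address so it never appears as a raw cache identifier.
        $key = 'pwrecovery_' . hash('sha256', strtolower(trim($event->getEmail())));
        $attempts = (int)($this->cache->get($key) ?: 0) + 1;   // get() is false on a miss
        $this->cache->set($key, $attempts, [], self::WINDOW_SECONDS);
        if ($attempts > self::MAX_ATTEMPTS) {
            $event->preventRecovery();
        }
    }
}
```

Because the listener runs before the user record is touched, an over-limit request costs no database lookup and creates no recovery hash, and the controller can still answer with the usual neutral message.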
Updated by Torben Hansen 20 days ago
- Category changed from Authentication to felogin