It does highlight an interesting race condition of sorts. You can avoid this by forcing the user to confirm their email before they can change their password. But what if they sign up while mistyping their password, then log out before confirming their email? Will their account be stranded? If they haven't confirmed their email then you probably don't want to send a password reset request to it, right? (Or maybe you do?)
Ultimately it boils down to how much friction your users are willing to tolerate. Or how often you want to field emails from users who can't reset their PW and you find a typo in their email address in the DB.
/s
No, don't do that. Unless you really need to.
I do request 'confirm password' but that was from feedback that users expect to input a password twice for a new account and it seems to add no friction.
It's almost impossible to type on a cellphone "keyboard".
The threat of shoulder surfing is basically eliminated by tiny smartphone screens and font, held close to the face.
You can make the confirmation optional like: https://ph.leftium.com/
While you're at it, drop password rules that prevent strong, pronounceable/typeable passwords generated by my password manager like:
`lumpy empower susie classic sly stoppage calculate backache`
It's much easier to type random words than random characters, especially on mobile keyboards. Symbols, numbers, and even upper case are more annoying to type.
Don't make me repeat my email, unless you're obscuring that too.