feat: implement forgot password, added security updates

api/src/env.ts

@@ -55,6 +55,9 @@ const Env = z.object({
   SESSION_TIMEOUT_MINUTES: z.coerce.number().int().positive().default(30),
   AUTH_MAX_FAILED_ATTEMPTS: z.coerce.number().int().positive().default(5),
   AUTH_LOCKOUT_WINDOW_MS: z.coerce.number().int().positive().default(15 * 60_000),
+  PASSWORD_RESET_TTL_MINUTES: z.coerce.number().int().positive().default(30),
+  PASSWORD_RESET_RATE_LIMIT_PER_MINUTE: z.coerce.number().int().positive().default(5),
+  PASSWORD_RESET_CONFIRM_RATE_LIMIT_PER_MINUTE: z.coerce.number().int().positive().default(10),
   APP_ORIGIN: z.string().min(1).default("http://localhost:5173"),
   UPDATE_NOTICE_VERSION: z.coerce.number().int().nonnegative().default(0),
   UPDATE_NOTICE_TITLE: z.string().min(1).default("SkyMoney Updated"),
@@ -93,6 +96,9 @@ const rawEnv = {
   SESSION_TIMEOUT_MINUTES: process.env.SESSION_TIMEOUT_MINUTES,
   AUTH_MAX_FAILED_ATTEMPTS: process.env.AUTH_MAX_FAILED_ATTEMPTS,
   AUTH_LOCKOUT_WINDOW_MS: process.env.AUTH_LOCKOUT_WINDOW_MS,
+  PASSWORD_RESET_TTL_MINUTES: process.env.PASSWORD_RESET_TTL_MINUTES,
+  PASSWORD_RESET_RATE_LIMIT_PER_MINUTE: process.env.PASSWORD_RESET_RATE_LIMIT_PER_MINUTE,
+  PASSWORD_RESET_CONFIRM_RATE_LIMIT_PER_MINUTE: process.env.PASSWORD_RESET_CONFIRM_RATE_LIMIT_PER_MINUTE,
   APP_ORIGIN: process.env.APP_ORIGIN,
   UPDATE_NOTICE_VERSION: process.env.UPDATE_NOTICE_VERSION,
   UPDATE_NOTICE_TITLE: process.env.UPDATE_NOTICE_TITLE,