feat: implement forgot password, added security updates

api/tests/security-logging-monitoring-failures.test.ts

@@ -74,4 +74,20 @@ describe("A09 Security Logging and Monitoring Failures", () => {
     expect(typeof event?.requestId).toBe("string");
     expect(typeof event?.ip).toBe("string");
   });
+
+  it("emits structured security log for forgot-password requests without raw token data", async () => {
+    capturedEvents.length = 0;
+
+    const res = await request(authApp.server)
+      .post("/auth/forgot-password/request")
+      .send({ email: `missing-${Date.now()}@test.dev` });
+
+    expect(res.status).toBe(200);
+    const event = capturedEvents.find(
+      (payload) => payload.securityEvent === "auth.password_reset.request"
+    );
+    expect(event).toBeTruthy();
+    expect(event?.outcome).toBe("success");
+    expect(event && "token" in event).toBe(false);
+  });
 });