feat: implement forgot password, added security updates

tests-results-for-OWASP/A07-Identification-and-Authentication-Failures.md

@@ -25,6 +25,12 @@ Last updated: March 1, 2026
 - `AUTH_MAX_FAILED_ATTEMPTS` (default: `5`)
 - `AUTH_LOCKOUT_WINDOW_MS` (default: `900000`, 15 minutes)
 
+4. Added forgot-password hardening:
+- Public reset request endpoint always returns a generic success response.
+- Reset token issuance is restricted to verified users.
+- Reset confirmation enforces strong password policy and one-time expiring token usage.
+- Successful reset updates `passwordChangedAt` so existing sessions become invalid.
+
 ## Files changed
 
 1. `api/src/server.ts`
@@ -33,6 +39,9 @@ Last updated: March 1, 2026
 4. `api/tests/auth.routes.test.ts`
 5. `api/tests/identification-auth-failures.test.ts`
 6. `api/vitest.security.config.ts`
+7. `api/tests/forgot-password.security.test.ts`
+8. `api/prisma/schema.prisma`
+9. `api/prisma/migrations/20260302000000_add_password_changed_at/migration.sql`
 
 ## Verification