feat: implement forgot password, added security updates

tests-results-for-OWASP/A09-Security-Logging-and-Monitoring-Failures.md

@@ -21,6 +21,9 @@ Last updated: March 1, 2026
 - `auth.logout` success
 - `auth.verify` success/failure
 - `auth.verify_resend` success/failure/blocked
+- `auth.password_reset.request` success/blocked
+- `auth.password_reset.email` success/failure
+- `auth.password_reset.confirm` success/failure
 - `account.delete_request` success/failure/blocked
 - `account.confirm_delete` success/failure/blocked
 
@@ -32,6 +35,8 @@ Last updated: March 1, 2026
 1. `api/src/server.ts`
 2. `api/tests/security-logging-monitoring-failures.test.ts`
 3. `api/vitest.security.config.ts`
+4. `api/tests/forgot-password.security.test.ts`
+5. `SECURITY_FORGOT_PASSWORD.md`
 
 ## Verification
 
@@ -52,6 +57,7 @@ Dedicated A09 checks in `security-logging-monitoring-failures.test.ts`:
 1. Runtime check emits structured `auth.unauthenticated_request` security event for protected-route access failures.
 2. Runtime check emits structured `csrf.validation` security event for CSRF failures.
 3. Validates correlation fields (`requestId`, `ip`, `outcome`) are present in emitted security events.
+4. Runtime check emits `auth.password_reset.request` events and confirms raw token fields are absent.
 
 ## Residual notes