
feat: password reset workflow #514

Open
eulixir wants to merge 6 commits into main from feat/reset-password


@eulixir eulixir commented Apr 8, 2026

Summary

  • New endpoint POST /users/password-reset/request — accepts email/username, generates a magic token, and sends a reset email (no info leakage: always returns the same generic response)
  • New email service sendPasswordResetEmailService — dedicated reset email with proper copy, separate from the legacy magic-link email
  • Bug fix in updatePasswordService — was checking !token (the raw string) instead of !tokenRecord; added missing expiry and used-flag validation
  • Frontend — connected the forgot-password form (previously a console.log no-op) to the new endpoint via a server action
  • Tests — new specs for requestPasswordResetService and updatePasswordService, plus a makeMagicToken factory

Test plan

  • Start backend (make run) and frontend (pnpm run dev)
  • Go to /forgot-password, enter a registered email → expect success toast
  • Check inbox for reset email with link to /reset-password?token=...
  • Click link → enter new password → redirects to /sign-in
  • Log in with new password — should succeed
  • Try the reset link again after use → should return an error (token invalidated)
  • Try an expired token → should return an error
  • Enter a non-existent email on forgot-password → same success toast (no info leak)
  • Run make test in backend → all 203 tests pass

🤖 Generated with Claude Code
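
The request and validation behaviour listed in the summary above, as an added TypeScript example that is not code from this pull request. Every name in it (`requestPasswordReset`, `guardOnRawString`, `consumeResetToken`, the in-memory dictionaries, the 15-minute lifetime) is a hypothetical stand-in, and the token is passed in by the caller only to keep the example deterministic.

```typescript
// Added illustration; every name here is hypothetical, not taken from the PR's code.
type MagicToken = { userId: string; expiresAt: number; used: boolean };
type Dict<T> = { [key: string]: T };
type Outcome = { ok: boolean; reason: "ok" | "invalid" | "used" | "expired"; userId: string | null };

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime; the PR does not state one
const GENERIC_REPLY = "If the account exists, a reset email has been sent.";

// Own-property lookup so keys such as "constructor" never resolve to a prototype member.
function lookup<T>(dict: Dict<T>, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(dict, key) ? dict[key] : undefined;
}

// Request step: the reply is identical whether or not the login matches an account.
function requestPasswordReset(users: Dict<string>, tokens: Dict<MagicToken>, outbox: string[],
                              login: string, freshToken: string, now: number): string {
  const userId = lookup(users, login);
  if (userId !== undefined) {
    tokens[freshToken] = { userId: userId, expiresAt: now + TOKEN_TTL_MS, used: false };
    outbox.push(freshToken); // stands in for sending the reset email
  }
  return GENERIC_REPLY;
}

// Bug class from the summary: the guard tests the raw string, not the looked-up record.
function guardOnRawString(tokens: Dict<MagicToken>, token: string): boolean {
  const tokenRecord = lookup(tokens, token);
  void tokenRecord; // fetched but never inspected
  return !!token;   // true for any non-empty string, even one that was never issued
}

// Corrected guard: the record must exist, be unused and unexpired; then it is consumed.
function consumeResetToken(tokens: Dict<MagicToken>, token: string, now: number): Outcome {
  const tokenRecord = lookup(tokens, token);
  if (!tokenRecord) return { ok: false, reason: "invalid", userId: null };
  if (tokenRecord.used) return { ok: false, reason: "used", userId: null };
  if (tokenRecord.expiresAt <= now) return { ok: false, reason: "expired", userId: null };
  tokenRecord.used = true; // single use: a replayed link fails from here on
  return { ok: true, reason: "ok", userId: tokenRecord.userId };
}
```

The `reason` field is for server-side logging and tests; a client-facing handler can map all three failure reasons to one error message.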


vercel bot commented Apr 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
plotwist Error Error Apr 8, 2026 5:08am
