[BE-13] Implement forgot-password and password reset flow

[mftee]

Overview

Users who forget their password have no way to recover their account. There is no forgot-password or reset-password endpoint. The MailService is set up and UsersService.update() can write a new passwordHash, so only the controller logic and reset token mechanism are missing.

Background

Files relevant:

• backend/src/auth/auth.controller.ts — add two endpoints:
  • POST /api/auth/forgot-password — accepts { email }, sends reset link
  • POST /api/auth/reset-password — accepts { token, newPassword }, updates hash
• backend/src/auth/auth.service.ts — add forgotPassword() and resetPassword() methods
• backend/src/mail/mail.service.ts — add sendPasswordReset(to, token) method

Token approach: signed JWT with 1-hour expiry containing the user's ID and a purpose: 'password-reset' claim. Store no server-side state — just verify the JWT signature and expiry on the reset endpoint.

Acceptance Criteria

• POST /api/auth/forgot-password always returns 200 (do not reveal whether email exists)
• Reset email is sent if the email matches a registered user
• POST /api/auth/reset-password validates the token, hashes the new password, and updates the user
• Expired or reused tokens return 400 Bad Request
• Password is re-hashed with bcrypt (same saltRounds: 12 as registration)

[phertyameen]

@phertyameen has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi, will like to work on this issue.
I an existing contributor to this project and a a reliable fullstack developer
I can deliver this in 12hrs

ℹ️ Repo Maintainers: To accept this application, review their application or assign @phertyameen to this issue.

[grantfox-oss]

🦊 GrantFox — @phertyameen has been assigned to this issue!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #738)
2. Your PR will be reviewed by the CodeGirlsInc maintainers

Good luck! Track your progress on GrantFox.

[drips-wave]

Congratulations, @phertyameen! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @phertyameen: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊