📧 Implement Password Reset Email Notification (Production Test Phase 2)

app/Http/Controllers/AuthController.php

@@ -8,11 +8,13 @@
 use App\Http\Requests\PasswordResetRequest;
 use App\Http\Requests\PasswordResetRequestRequest;
 use App\Http\Requests\TokenRequest;
+use App\Mail\PasswordResetMail;
 use App\Models\User;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Mail;
 use Illuminate\Support\Str;
 use Illuminate\Validation\ValidationException;
 
@@ -128,8 +130,8 @@ public function passwordResetRequest(PasswordResetRequestRequest $request): Json
                 'created_at' => now(),
             ]);
 
-            // TODO: Send email notification with $token
-            // For now, we just store the token
+            // Send password reset email (queued for async processing)
+            Mail::to($user)->queue(new PasswordResetMail($user, $token));
         }
 
         // Always return same response to prevent email enumeration

app/Mail/PasswordResetMail.php

@@ -0,0 +1,98 @@
+<?php
+
+/*
+ * SPDX-FileCopyrightText: 2025 SecPal Contributors
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+declare(strict_types=1);
+
+namespace App\Mail;
+
+use App\Models\User;
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+use Illuminate\Queue\SerializesModels;
+
+/**
+ * Password Reset Email Mailable.
+ *
+ * Security Notes:
+ * - Token is only included in email body (never in logs)
+ * - Email is queued for async sending
+ * - Token expires in 60 minutes (must match AuthController::PASSWORD_RESET_TOKEN_EXPIRY_MINUTES)
+ * - Reset URL uses HTTPS in production
+ */
+class PasswordResetMail extends Mailable
+{
+    use Queueable, SerializesModels;
+
+    /**
+     * Create a new message instance.
+     *
+     * @param  User  $user  The user requesting password reset
+     * @param  string  $token  The plain-text reset token (not hashed)
+     */
+    public function __construct(
+        public User $user,
+        public string $token
+    ) {}
+
+    /**
+     * Get the message envelope.
+     */
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Reset Your SecPal Password',
+        );
+    }
+
+    /**
+     * Get the message content definition.
+     */
+    public function content(): Content
+    {
+        // Generate reset URL
+        $resetUrl = $this->buildResetUrl();
+
+        return new Content(
+            markdown: 'emails.password-reset',
+            with: [
+                'user' => $this->user,
+                'resetUrl' => $resetUrl,
+                'expiresInMinutes' => 60, // Must match AuthController::PASSWORD_RESET_TOKEN_EXPIRY_MINUTES
+            ],
+        );
+    }
+
+    /**
+     * Build the password reset URL.
+     *
+     * Security: Uses HTTPS in production, token is URL-encoded.
+     */
+    private function buildResetUrl(): string
+    {
+        /** @var string $baseUrl */
+        $baseUrl = config('app.url');
+        $email = urlencode($this->user->email);
+        $token = urlencode($this->token);
+
+        // Frontend will handle the reset form
+        // Example: https://secpal.app/auth/password-reset?email=user@example.com&token=xxx
+        return "{$baseUrl}/auth/password-reset?email={$email}&token={$token}";
+    }
+
+    /**
+     * Get the attachments for the message.
+     *
+     * @return array<int, \Illuminate\Mail\Mailables\Attachment>
+     */
+    public function attachments(): array
+    {
+        return [];
+    }
+}