fix: trigger login hooks after reset password (#14711)

### What?
Added execution of `beforeLogin` and `afterLogin` hooks during the
password reset operation in `resetPasswordOperation()`. These hooks now
execute with the same parameters and flow as they do in the standard
login operation, ensuring consistent behavior across both authentication
paths.
- `packages/payload/src/auth/operations/resetPassword.ts` - Added hook
execution before and after JWT token generation.

### Why?
When a user resets their password, the operation performs two phases:
updating the password in the database, then automatically logging the
user in with a new session and JWT token. However, `beforeLogin` and
`afterLogin` hooks were not being triggered during this auto-login
phase, creating inconsistent behavior compared to standard login.
This caused issues for applications that uses `afterLogin` hooks to
attach additional cookie (for example).

### How?
Triggered `beforeLogin` and `afterLogin` in `resetPassword.ts`

Author: MrLijan

packages/payload/src/auth/operations/resetPassword.ts

@@ -163,12 +163,49 @@ export const resetPasswordOperation = async <TSlug extends CollectionSlug>(
 
     const fieldsToSign = getFieldsToSign(fieldsToSignArgs)
 
+    // /////////////////////////////////////
+    // beforeLogin - Collection
+    // /////////////////////////////////////
+
+    let userBeforeLogin = user
+
+    if (collectionConfig.hooks?.beforeLogin?.length) {
+      for (const hook of collectionConfig.hooks.beforeLogin) {
+        userBeforeLogin =
+          (await hook({
+            collection: args.collection?.config,
+            context: args.req.context,
+            req: args.req,
+            user: userBeforeLogin,
+          })) || userBeforeLogin
+      }
+    }
+
     const { token } = await jwtSign({
       fieldsToSign,
       secret,
       tokenExpiration: collectionConfig.auth.tokenExpiration,
     })
 
+    req.user = userBeforeLogin
+
+    // /////////////////////////////////////
+    // afterLogin - Collection
+    // /////////////////////////////////////
+
+    if (collectionConfig.hooks?.afterLogin?.length) {
+      for (const hook of collectionConfig.hooks.afterLogin) {
+        userBeforeLogin =
+          (await hook({
+            collection: args.collection?.config,
+            context: args.req.context,
+            req: args.req,
+            token,
+            user: userBeforeLogin,
+          })) || userBeforeLogin
+      }
+    }
+
     const fullUser = await payload.findByID({
       id: user.id,
       collection: collectionConfig.slug,

test/hooks/int.spec.ts

@@ -411,6 +411,47 @@ describe('Hooks', () => {
       expect(result.afterLoginHook).toStrictEqual(true)
     })
 
+    it('should call afterLogin hook on password reset', async () => {
+      const resetUser = await payload.create({
+        collection: hooksUsersSlug,
+        data: {
+          email: 'reset-test@payloadcms.com',
+          password: devUser.password,
+          roles: ['admin'],
+          afterLoginHook: false,
+        },
+      })
+
+      expect(resetUser.afterLoginHook).toStrictEqual(false)
+
+      const token = await payload.forgotPassword({
+        collection: hooksUsersSlug,
+        data: {
+          email: resetUser.email,
+        },
+        disableEmail: true,
+      })
+
+      const { user } = await payload.resetPassword({
+        collection: hooksUsersSlug,
+        overrideAccess: true,
+        data: {
+          password: 'newPassword123',
+          token,
+        },
+      })
+
+      expect(user).toBeDefined()
+      expect(user.afterLoginHook).toStrictEqual(true)
+
+      const result = await payload.findByID({
+        id: user.id,
+        collection: hooksUsersSlug,
+      })
+
+      expect(result.afterLoginHook).toStrictEqual(true)
+    })
+
     it('deny user login', async () => {
       await expect(() =>
         payload.login({