
Forgot password

Reset your password by email.

1. Click "Forgot password?"

On /login, below the email and password fields, there's a small "Forgot password?" link. Click it — a modal opens on top of the page.

2. Enter your email

Type your account email and click "Send code". Endpoint: `/api/auth/forgot-password`, rate limit 5 attempts/min per IP. The response body is always `{ success: true }`, whether or not the email exists: a different answer for unknown addresses would let an attacker enumerate accounts. (For the same reason the response must not take measurably longer for known addresses, so the mail should be queued, not sent inline before replying.) If the address belongs to an account, we send an email with a 6-digit **code** (subject: "Reset code: NNNNNN"), valid for **15 minutes**. This is NOT a magic link; it is a code you type in the next step.
(Screenshot: "Forgot password?" modal with email field)

3. Enter the code + new password

Back on /login, the form switches to reset mode: enter the 6-digit code from your email and a new password (minimum 6 characters). Endpoint: `/api/auth/reset-password` with `{ email, code, password }`. A code allows up to 5 wrong guesses; after that it is invalidated and you have to request a new one. Rate limit: 10 attempts/min per IP. Together these bound guessing: a 6-digit code has 1,000,000 values, so 5 guesses give at most a 5 in 1,000,000 chance per issued code, and the 15-minute expiry plus the per-IP limits keep an attacker from cycling through fresh codes quickly.

4. Auto-login

After a successful reset we mark `email_verified=true` (entering the code proves you control the mailbox), delete all outstanding reset and verification codes, and log you in on this device with a new session. The old password stops working immediately. Sessions on other devices are NOT revoked automatically: if you reset because you suspect the account was compromised, log out everywhere afterwards.
Forgot password · rAIceptionist Docs