Self-service password reset

server/api/auth/forgot-password.post.ts

@@ -0,0 +1,44 @@
+import { getUserByEmail, createPasswordResetCode } from '~/server/utils/database'
+import { sendPasswordResetEmail, generateResetCode } from '~/server/utils/email'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  const { email } = body
+
+  if (!email) {
+    throw createError({
+      statusCode: 400,
+      message: 'Email is required',
+    })
+  }
+
+  // Check if user exists with this email
+  const user = getUserByEmail(email)
+  
+  if (!user) {
+    // Don't reveal if email exists or not for security
+    return { success: true, message: 'If an account exists with this email, a reset code has been sent.' }
+  }
+
+  // Generate 6-digit code
+  const code = generateResetCode()
+  
+  // Set expiration to 15 minutes from now
+  const expiresAt = new Date(Date.now() + 15 * 60 * 1000).toISOString()
+  
+  // Store code in database
+  createPasswordResetCode(email, code, expiresAt)
+  
+  // Send email
+  try {
+    await sendPasswordResetEmail(email, code)
+  } catch (error) {
+    console.error('Failed to send reset email:', error)
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to send reset email. Please try again later.',
+    })
+  }
+
+  return { success: true, message: 'If an account exists with this email, a reset code has been sent.' }
+})