"Forgot password" request: endpoint + Thymeleaf form.
- Generate a high-entropy random token; store its hash in `reset_tokens` with `expires_at` and requester `ip_address`.
- Send the reset email with a link `/reset?token=<raw>`.
- Enumeration-safe response regardless of whether the email exists.
- Record an `audit_logs` entry.
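
The steps above as a self-contained Java example, added here for illustration and not the project's own code. The in-memory lists stand in for the `reset_tokens` and `audit_logs` tables and for the mailer; the class name, 30-minute lifetime, SHA-256 as the token hash and the sample addresses are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

public class ForgotPasswordExample {
    record ResetToken(String tokenHash, String email, Instant expiresAt, String ipAddress) {}

    static final SecureRandom RNG = new SecureRandom();
    static final Duration TTL = Duration.ofMinutes(30);          // assumed token lifetime
    static final String GENERIC = "If that address is registered, a reset link has been sent.";

    final Set<String> users = Set.of("alice@example.test");      // constructed sample user
    final List<ResetToken> resetTokens = new ArrayList<>();      // stands in for reset_tokens
    final List<String> auditLogs = new ArrayList<>();            // stands in for audit_logs
    final List<String> outbox = new ArrayList<>();               // stands in for the mailer

    static String sha256Hex(String raw) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(raw.getBytes(StandardCharsets.US_ASCII));
        return HexFormat.of().formatHex(digest);
    }

    String requestReset(String email, String ip) throws Exception {
        String key = email.trim().toLowerCase(Locale.ROOT);
        boolean known = users.contains(key);
        if (known) {
            byte[] buf = new byte[32];                           // 256 bits from a CSPRNG
            RNG.nextBytes(buf);
            String raw = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            // Only the hash is persisted; a leaked table does not yield usable links.
            resetTokens.add(new ResetToken(sha256Hex(raw), key, Instant.now().plus(TTL), ip));
            outbox.add("To: " + key + " link: /reset?token=" + raw);
        }
        // Audit every request; the raw token and the submitted address are not logged.
        auditLogs.add(Instant.now() + " PASSWORD_RESET_REQUESTED ip=" + ip + " known=" + known);
        return GENERIC;                                          // identical for both outcomes
    }

    public static void main(String[] args) throws Exception {
        ForgotPasswordExample svc = new ForgotPasswordExample();
        String a = svc.requestReset("alice@example.test", "203.0.113.7");
        String b = svc.requestReset("nobody@example.test", "203.0.113.7");
        System.out.println("same response: " + a.equals(b)
                + ", tokens stored: " + svc.resetTokens.size()
                + ", audit entries: " + svc.auditLogs.size());
    }
}
```

The response body is identical for known and unknown addresses, but the known path does extra work (hashing, mail); sending the email asynchronously keeps response time from revealing which path ran.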