"Reset password": endpoint + Thymeleaf form consuming the token.
- Validate by hash: exists, not expired (expires_at), not used (used_at).
- On success: set the new (hashed) password, stamp used_at, invalidate other outstanding tokens for the user.
- Enforce password policy; rely on Spring Security CSRF.
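The service behind that endpoint, as an added example (not the project's own code): the repository interfaces, entity fields and method names are assumptions standing in for whatever persistence layer the project uses, and the controller/Thymeleaf form (which gets CSRF from Spring Security) is omitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Optional;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.transaction.annotation.Transactional;
// Assumed persistence layer (hypothetical names, not from the page): the table
// stores only the SHA-256 hash of the emailed token plus expires_at and used_at.
interface ResetTokenRepository {
    Optional<ResetToken> findByTokenHash(String tokenHash);
    void save(ResetToken token);
    void markOtherUnusedTokensUsed(long userId, String keepTokenHash, Instant usedAt);
}
interface UserRepository { void updatePasswordHash(long userId, String passwordHash); }
class ResetToken { long userId; String tokenHash; Instant expiresAt; Instant usedAt; }
public class PasswordResetService {
    private final ResetTokenRepository tokens;
    private final UserRepository users;
    private final PasswordEncoder encoder; // e.g. the BCryptPasswordEncoder bean
    public PasswordResetService(ResetTokenRepository t, UserRepository u, PasswordEncoder e) {
        tokens = t; users = u; encoder = e;
    }
    @Transactional // password update and token invalidation succeed or fail together
    public void resetPassword(String rawToken, String newPassword) {
        // Look up by hash: a leaked copy of the table holds no usable tokens.
        String hash = sha256Hex(rawToken);
        ResetToken token = tokens.findByTokenHash(hash)
                .orElseThrow(() -> new IllegalArgumentException("invalid or expired link"));
        Instant now = Instant.now();
        // Same generic error for expired and already-used tokens as for unknown ones.
        if (!token.expiresAt.isAfter(now) || token.usedAt != null) {
            throw new IllegalArgumentException("invalid or expired link");
        }
        enforcePolicy(newPassword);
        users.updatePasswordHash(token.userId, encoder.encode(newPassword)); // stored hashed
        token.usedAt = now;                                                  // single use
        tokens.save(token);
        tokens.markOtherUnusedTokensUsed(token.userId, hash, now); // older links die too
    }
    private static void enforcePolicy(String pw) { // minimal rule; tighten per project policy
        if (pw == null || pw.length() < 12) throw new IllegalArgumentException("password too short");
    }
    private static String sha256Hex(String s) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```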