Security hardening for the reset-token lifecycle.
- Tokens hashed at rest; high-entropy generation.
- Short expires_at; strict single-use; invalidate prior tokens on new request/use.
- Rate-limit requests (per email and per IP).
- Audit-log request and completion events.
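
The token rules listed above, as an added example that is not code from the original page. `ResetTokenStore`, `TOKEN_TTL_SECONDS` and the 15-minute value are assumptions, the dict stands in for a database table, and rate limiting is not covered here.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed value for a "short" expires_at


class ResetTokenStore:
    """In-memory stand-in for a reset_tokens table (constructed for this example)."""

    def __init__(self, now=time.time):
        self._rows = {}   # token_hash -> {"user_id", "expires_at"}
        self._now = now   # injectable clock so expiry can be tested
        self.audit = []   # (event, user_id) tuples; a real system writes to a log sink

    @staticmethod
    def _digest(token):
        # A plain SHA-256 is enough here: the token is a 256-bit random value,
        # not a low-entropy password, so it cannot be guessed from its hash.
        return hashlib.sha256(token.encode()).hexdigest()

    def _invalidate_all(self, user_id):
        for h in [h for h, r in self._rows.items() if r["user_id"] == user_id]:
            del self._rows[h]

    def issue(self, user_id):
        self._invalidate_all(user_id)        # a new request invalidates prior tokens
        token = secrets.token_urlsafe(32)    # 32 bytes from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "user_id": user_id,
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
        }
        self.audit.append(("reset_requested", user_id))
        return token                         # plaintext is only ever sent to the user

    def redeem(self, token):
        # pop() removes the row on first lookup, so a token can never be replayed.
        row = self._rows.pop(self._digest(token), None)
        if row is None or self._now() >= row["expires_at"]:
            self.audit.append(("reset_rejected", row["user_id"] if row else None))
            return None
        self._invalidate_all(row["user_id"])  # use also invalidates any other tokens
        self.audit.append(("reset_completed", row["user_id"]))
        return row["user_id"]
```
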