Description:
While testing the login flow, I noticed that clicking on "Forgot Password" redirects to the dashboard instead of initiating a proper password reset flow. After reviewing the code in profileRouter.patch("/profile/password/forgot"), I believe the current implementation has several issues.
Current Behavior:
Requires the user to be authenticated (userAuth middleware is used).
Asks for the current password, which doesn’t make sense for a “forgot password” use case.
Directly updates the password if the current password is valid.
Suggested Fix:
A “Forgot Password” flow should:
Accept only the user's email (without authentication).
Generate a secure, time-limited token.
Send a password reset link to the user's email using Nodemailer.
When the user clicks the link, allow them to enter and save a new password.
Optionally, invalidate the token after use or expiration.
Proposed Implementation Plan:
Create a new route: POST /auth/password/forgot
Accepts user email, generates token, sends mail via Nodemailer.
Create a route: POST /auth/password/reset/:token
Accepts new password, verifies token, hashes and saves password.
Kindly assign this issue to me so that I can start working on it.
Also, it would be helpful if you could add appropriate labels for better tracking.