Problem
Password reset tokens are generated and stored but never delivered to the user. The admin.php reset-password CLI command exists as a workaround, but the self-service reset flow is non-functional.
File: src/Handler/Auth/ResetPasswordHandler.php:35-36
$token = $this->resets->create($account['account_id'], ...);
// TODO: Send email with reset link containing $token
Fix
Implement email sending (e.g., via SMTP or a transactional email service), or remove the endpoint and document that password resets are admin-only.
Severity
Info — Known incomplete feature.
Problem
Password reset tokens are generated and stored but never delivered to the user. The
admin.php reset-passwordCLI command exists as a workaround, but the self-service reset flow is non-functional.File:
src/Handler/Auth/ResetPasswordHandler.php:35-36Fix
Implement email sending (e.g., via SMTP or a transactional email service), or remove the endpoint and document that password resets are admin-only.
Severity
Info — Known incomplete feature.