Copilot AI commented Nov 16, 2025

The password reset functionality was failing with "Auth session missing!" errors because recovery tokens from Supabase reset emails were not being processed. No implementation existed to authenticate with recovery tokens or update passwords.

Changes

Backend Services (UserService.ts)

  • Added forgotPassword(email) - triggers Supabase password reset email
  • Added resetPassword(accessToken, refreshToken, newPassword) - establishes session with recovery tokens and updates password

API Routes

  • Created /api/auth/forgot-password - validates email and initiates reset flow
  • Created /api/auth/reset-password - validates tokens and completes password update

Frontend (reset-password/page.tsx)

Critical fix: Extract tokens from URL hash fragment, not query params. Supabase sends tokens as #access_token=...&refresh_token=...:

// Before: useSearchParams() - wrong, reads query params only
const searchParams = useSearchParams();
const accessToken = searchParams.get('access_token'); // null

// After: Read from hash fragment
const hashParams = new URLSearchParams(window.location.hash.substring(1));
const accessToken = hashParams.get('access_token'); // correct

Authentication Flow

// Establish session with recovery tokens
await supabaseClient.auth.setSession({
  access_token: accessToken,
  refresh_token: refreshToken,
});

// Update password (now authenticated)
await supabaseClient.auth.updateUser({
  password: newPassword
});

Testing

Requires Supabase environment variables: NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, NEXT_PUBLIC_APP_URL

Original prompt

This section details on the original issue you should resolve

<issue_title>Password Reset Flow Failing - Recovery Token Authentication Issue</issue_title>
<issue_description>The password reset functionality is failing when attempting to use recovery tokens. The current implementation returns "Auth session missing!" errors when trying to establish a session with recovery tokens using setSession().

Expected Behavior
The recovery token should properly authenticate the user and allow password update without requiring an active session.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits November 16, 2025 15:34
Co-authored-by: jarifulovi <139060427+jarifulovi@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix password reset flow for recovery token authentication Fix password reset flow - implement recovery token authentication with Supabase Nov 16, 2025
Copilot AI requested a review from jarifulovi November 16, 2025 15:41
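
The hash-fragment handling described in the pull request above, as an added example that is not part of the pull request or the project's code: it validates the recovery redirect before any token is used and then removes the tokens from the address bar. The function names `parseRecoveryFragment` and `scrubFragment` are hypothetical, the `type=recovery`, `error` and `error_code` fragment fields are assumptions about the redirect format, and the sample fragments are constructed.

```javascript
// Added example, not the project's code. Field names other than
// access_token / refresh_token are assumptions about the redirect format.

function parseRecoveryFragment(hash) {
  // The fragment is never sent to the server, so only client code can read it.
  const params = new URLSearchParams((hash || '').replace(/^#/, ''));

  // Assumed: an expired or already-used link returns error fields, not tokens.
  if (params.has('error') || params.has('error_code')) {
    return { ok: false, reason: params.get('error_code') || params.get('error') };
  }
  // Assumed: recovery links carry type=recovery; refuse fragments from other flows.
  if (params.get('type') !== 'recovery') {
    return { ok: false, reason: 'not_a_recovery_link' };
  }
  const accessToken = params.get('access_token');
  const refreshToken = params.get('refresh_token');
  if (!accessToken || !refreshToken) {
    return { ok: false, reason: 'missing_token' };
  }
  return { ok: true, accessToken, refreshToken };
}

// Drop the fragment from the current history entry so the tokens do not stay
// in the address bar, in copied links, or in the back/forward list.
// `loc` and `hist` are window.location and window.history in a browser.
function scrubFragment(loc, hist) {
  const clean = loc.pathname + loc.search;
  hist.replaceState(null, '', clean);
  return clean;
}

// Constructed sample fragments (not real tokens).
const SAMPLE_OK =
  '#access_token=aaa.bbb.ccc&refresh_token=rrr111&expires_in=3600&token_type=bearer&type=recovery';
const SAMPLE_EXPIRED =
  '#error=access_denied&error_code=otp_expired&error_description=Link+expired';
const SAMPLE_OTHER_FLOW =
  '#access_token=aaa.bbb.ccc&refresh_token=rrr111&type=signup';
const SAMPLE_PARTIAL = '#access_token=aaa.bbb.ccc&type=recovery';
```

In the page component, call `scrubFragment(window.location, window.history)` right after a successful parse and before rendering the new-password form.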