BE16: Secure Password Verification & Update API

[TienNguyen3711]

This PR extends the BE16 authentication work by fixing the forgot-password flow end to end and improving compatibility with the current frontend.

It adds backend support for:

• requesting a password reset
• sending a verification OTP to the user’s email
• verifying the OTP code
• setting a new password after successful verification

It also includes backward-compatible routes so the existing frontend can use the forgot-password flow without further changes. In addition, the update keeps the secure password verification flow aligned with the BE16 work, including validation and compatibility handling for the current UI.

Changes

• add POST /api/password/request-reset to start the forgot-password flow
• add POST /api/password/verify-code to validate the email OTP
• add POST /api/password/reset to save the new password
• send password reset OTP by email
• validate reset code expiry and invalid attempt handling
• validate new password strength before applying reset
• add compatibility support so current frontend auth/password screens work with the backend branch

Testing

• verified in browser with the current frontend flow:
  • request reset code

• receive OTP by email

• verify OTP

• set a new password successfully

[Faithy847]

This has been reviewed.

[Faithy847]

This has been reviewed

[Vedant1515]

Resolve the merge conflict.