Problem
POST /api/auth/forgot-password generates a valid password-reset token but never delivers it in production. The token is only logged to the console in the Development environment — so in production a user who requests a reset gets the generic success message but no email, making password reset effectively non-functional.
Location: Precept.Api/Controllers/AuthController.cs:366
if (environment.IsDevelopment())
{
// DEV ONLY: log the token so the developer can test without an email provider
logger.LogWarning("[DEV ONLY] Password reset token for {Email}: {Token}", request.Email, token);
}
// TODO: In production, send this token via a secure email service.
// Example: await _emailService.SendPasswordResetEmail(request.Email, token);
Proposed work
Notes
🤖 Generated with Claude Code
Problem
POST /api/auth/forgot-passwordgenerates a valid password-reset token but never delivers it in production. The token is only logged to the console in the Development environment — so in production a user who requests a reset gets the generic success message but no email, making password reset effectively non-functional.Location:
Precept.Api/Controllers/AuthController.cs:366Proposed work
IEmailServiceabstraction and a concrete provider (e.g. SendGrid / Postmark / SMTP).JWT_SECRET_KEYpattern — no secrets in committed config)."If an account exists, a password reset email has been sent.").[DEV ONLY]token logging once a real provider exists (or keep it Development-gated only).Notes
🤖 Generated with Claude Code