From 389f66955c2a6bd9b78859ddd19294ed63db1fc1 Mon Sep 17 00:00:00 2001
From: Mannu <manohar6839@gmail.com>
Date: Sun, 17 May 2026 11:57:54 +0530
Subject: [PATCH] fix: stop leaking password reset tokens in response

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/app/api/auth/reset-request/route.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/app/api/auth/reset-request/route.ts b/src/app/api/auth/reset-request/route.ts
index 7d14a20..06f3786 100644
--- a/src/app/api/auth/reset-request/route.ts
+++ b/src/app/api/auth/reset-request/route.ts
@@ -37,8 +37,8 @@ export async function POST(request: Request) {
     );
 
     // In production, send email with reset link
-    // For now, return token for testing
-    return NextResponse.json({ success: true, token: `reset_${token}`, message: "Reset link sent" });
+    console.log(`[RESET-TOKEN] user=${user.id} email=${email} token=reset_${token} expires=${expiresAt.toISOString()}`);
+    return NextResponse.json({ success: true, message: "If email exists, reset link sent" });
   } catch (error) {
     console.error("Reset request error:", error);
     return NextResponse.json({ success: true, message: "If email exists, reset link sent" });