From 4a42756e2e1e8553ca47d975589223c22a68d0b7 Mon Sep 17 00:00:00 2001
From: xiaomai <xsbugh@gmail.com>
Date: Sat, 2 May 2026 22:13:10 +0800
Subject: [PATCH] feat(auth): add password reset and remember me options

Add password reset request and reset endpoints with email verification
Add "Remember me" option to login for persistent sessions
Create frontend views for forgot and reset password flows
---
 DESIGN.md                                 |  11 +-
 backend/db/schema.sql                     |  12 ++
 backend/src/auth.ts                       | 150 +++++++++++++++++++++-
 backend/src/server.ts                     |  19 ++-
 frontend/src/icons.ts                     |   1 +
 frontend/src/router/index.ts              |   4 +
 frontend/src/services/api.ts              |  38 ++++--
 frontend/src/styles/main.css              |  21 +++
 frontend/src/views/ForgotPasswordView.vue |  59 +++++++++
 frontend/src/views/LoginView.vue          |  16 ++-
 frontend/src/views/ResetPasswordView.vue  |  98 ++++++++++++++
 system-wordings.ts                        |  53 +++++++-
 12 files changed, 456 insertions(+), 26 deletions(-)
 create mode 100644 frontend/src/views/ForgotPasswordView.vue
 create mode 100644 frontend/src/views/ResetPasswordView.vue

diff --git a/DESIGN.md b/DESIGN.md
index 5968f42..dfd18ed 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -102,8 +102,15 @@
 - 验证邮件包含一次性验证链接。
 - 验证 token 只保存 hash，并带过期时间和使用状态。
 - 只有邮箱已验证的用户可以登录。
+- 用户可请求重置密码：
+  - 重置请求只接收邮箱，并始终返回泛化成功信息，避免暴露邮箱是否已注册。
+  - 重置邮件包含一次性重置链接。
+  - 重置 token 只保存 hash，并带过期时间和使用状态。
+  - 密码重置成功后不自动登录，并删除该用户已有 session。
+- 登录页提供 Remember me：
+  - 未勾选时前端将登录 token 保存在 `sessionStorage` 的 `pokopia_auth_token`，服务端 session 有效期为 1 天。
+  - 勾选时前端将登录 token 保存在 `localStorage` 的 `pokopia_auth_token`，服务端 session 有效期为 30 天。
 - 登录成功后返回明文 session token 给前端；数据库只保存 session token hash。
-- 前端将登录 token 保存在 `localStorage` 的 `pokopia_auth_token`。
 - 用户可退出登录，退出时删除对应 session。
 - 对外用户字段只包含必要信息：
   - 当前用户：`id`、`email`、`displayName`、`emailVerified`
@@ -534,6 +541,8 @@ API 暴露边界：
 - `POST /api/auth/register`
 - `POST /api/auth/verify-email`
 - `POST /api/auth/login`
+- `POST /api/auth/request-password-reset`
+- `POST /api/auth/reset-password`
 - `GET /api/auth/me`
 - `POST /api/auth/logout`
 
diff --git a/backend/db/schema.sql b/backend/db/schema.sql
index b6c4949..5ac6d35 100644
--- a/backend/db/schema.sql
+++ b/backend/db/schema.sql
@@ -130,6 +130,18 @@ CREATE TABLE IF NOT EXISTS email_verification_tokens (
 CREATE INDEX IF NOT EXISTS email_verification_tokens_user_id_idx
   ON email_verification_tokens(user_id);
 
+CREATE TABLE IF NOT EXISTS password_reset_tokens (
+  id integer GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
+  user_id integer NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  token_hash text NOT NULL UNIQUE,
+  expires_at timestamptz NOT NULL,
+  used_at timestamptz,
+  created_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS password_reset_tokens_user_id_idx
+  ON password_reset_tokens(user_id);
+
 CREATE TABLE IF NOT EXISTS user_sessions (
   id integer GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
   user_id integer NOT NULL REFERENCES users(id) ON DELETE CASCADE,
diff --git a/backend/src/auth.ts b/backend/src/auth.ts
index f0e15ee..945061e 100644
--- a/backend/src/auth.ts
+++ b/backend/src/auth.ts
@@ -7,7 +7,9 @@ import { systemMessage } from './systemWordingQueries.ts';
 const scrypt = promisify(scryptCallback);
 const passwordKeyLength = 64;
 const verificationTokenHours = 24;
-const sessionDays = 30;
+const passwordResetTokenHours = 1;
+const rememberedSessionDays = 30;
+const sessionOnlySessionDays = 1;
 const defaultLocale = 'en';
 
 type DbClient = PoolClient;
@@ -35,11 +37,19 @@ type AuthMessageKey =
   | 'emailAlreadyRegistered'
   | 'checkVerificationEmail'
   | 'emailVerified'
+  | 'checkPasswordResetEmail'
+  | 'passwordResetComplete'
   | 'invalidCredentials'
   | 'verifyEmailFirst'
+  | 'invalidResetToken'
   | 'emailSubject'
   | 'emailHtml'
-  | 'emailText';
+  | 'emailText'
+  | 'passwordResetSubject'
+  | 'passwordResetHtml'
+  | 'passwordResetText';
+
+type AuthTokenMessageKey = 'invalidToken' | 'invalidResetToken';
 
 export type AuthUser = {
   id: number;
@@ -65,11 +75,17 @@ function authMessage(locale: string, key: AuthMessageKey, params: Record<string,
     emailAlreadyRegistered: 'server.auth.emailAlreadyRegistered',
     checkVerificationEmail: 'server.auth.checkVerificationEmail',
     emailVerified: 'server.auth.emailVerified',
+    checkPasswordResetEmail: 'server.auth.checkPasswordResetEmail',
+    passwordResetComplete: 'server.auth.passwordResetComplete',
     invalidCredentials: 'server.auth.invalidCredentials',
     verifyEmailFirst: 'server.auth.verifyEmailFirst',
+    invalidResetToken: 'server.auth.invalidResetToken',
     emailSubject: 'email.auth.verificationSubject',
     emailHtml: 'email.auth.verificationHtml',
-    emailText: 'email.auth.verificationText'
+    emailText: 'email.auth.verificationText',
+    passwordResetSubject: 'email.auth.passwordResetSubject',
+    passwordResetHtml: 'email.auth.passwordResetHtml',
+    passwordResetText: 'email.auth.passwordResetText'
   };
 
   return systemMessage(locale || defaultLocale, messageKeys[key], params);
@@ -109,9 +125,13 @@ async function cleanPassword(value: unknown, locale: string): Promise<string> {
   return value;
 }
 
-async function cleanToken(value: unknown, locale: string): Promise<string> {
+async function cleanToken(
+  value: unknown,
+  locale: string,
+  messageKey: AuthTokenMessageKey = 'invalidToken'
+): Promise<string> {
   if (typeof value !== 'string' || value.trim().length < 32) {
-    throw statusError(await authMessage(locale, 'invalidToken'), 400);
+    throw statusError(await authMessage(locale, messageKey), 400);
   }
 
   return value.trim();
@@ -187,13 +207,21 @@ function getEmailConfig() {
   return { apiKey, from };
 }
 
-function buildVerificationUrl(token: string): string {
+function buildTokenUrl(pathname: string, token: string): string {
   const origin = process.env.APP_ORIGIN ?? process.env.FRONTEND_ORIGIN ?? 'http://localhost:3000';
-  const url = new URL('/verify-email', origin);
+  const url = new URL(pathname, origin);
   url.searchParams.set('token', token);
   return url.toString();
 }
 
+function buildVerificationUrl(token: string): string {
+  return buildTokenUrl('/verify-email', token);
+}
+
+function buildPasswordResetUrl(token: string): string {
+  return buildTokenUrl('/reset-password', token);
+}
+
 async function sendVerificationEmail(email: string, token: string, locale: string): Promise<void> {
   const { apiKey, from } = getEmailConfig();
   const verificationUrl = buildVerificationUrl(token);
@@ -221,6 +249,33 @@ async function sendVerificationEmail(email: string, token: string, locale: strin
   }
 }
 
+async function sendPasswordResetEmail(email: string, token: string, locale: string): Promise<void> {
+  const { apiKey, from } = getEmailConfig();
+  const resetUrl = buildPasswordResetUrl(token);
+  const subject = await authMessage(locale, 'passwordResetSubject');
+  const html = await authMessage(locale, 'passwordResetHtml', { url: resetUrl, hours: passwordResetTokenHours });
+  const text = await authMessage(locale, 'passwordResetText', { url: resetUrl, hours: passwordResetTokenHours });
+  const response = await fetch('https://api.resend.com/emails', {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({
+      from,
+      to: [email],
+      subject,
+      html,
+      text
+    })
+  });
+
+  if (!response.ok) {
+    const responseText = await response.text();
+    throw new Error(`Resend email failed with ${response.status}: ${responseText.slice(0, 500)}`);
+  }
+}
+
 export async function registerUser(payload: Record<string, unknown>, locale = defaultLocale) {
   const email = await cleanEmail(payload.email, locale);
   const displayName = await cleanDisplayName(payload.displayName, locale);
@@ -324,9 +379,90 @@ export async function verifyEmail(payload: Record<string, unknown>, locale = def
   });
 }
 
+export async function requestPasswordReset(payload: Record<string, unknown>, locale = defaultLocale) {
+  const email = await cleanEmail(payload.email, locale);
+  const user = await queryOne<UserRow>(
+    'SELECT id, email, display_name, email_verified_at FROM users WHERE email = $1',
+    [email]
+  );
+
+  if (user) {
+    const resetToken = createPlainToken();
+    const resetTokenHash = hashToken(resetToken);
+
+    await withTransaction(async (client) => {
+      await client.query('DELETE FROM password_reset_tokens WHERE user_id = $1 AND used_at IS NULL', [user.id]);
+      await client.query(
+        `
+          INSERT INTO password_reset_tokens (user_id, token_hash, expires_at)
+          VALUES ($1, $2, now() + ($3 * interval '1 hour'))
+        `,
+        [user.id, resetTokenHash, passwordResetTokenHours]
+      );
+    });
+
+    try {
+      await sendPasswordResetEmail(email, resetToken, locale);
+    } catch (error) {
+      console.error('Password reset email failed', error);
+    }
+  }
+
+  return { message: await authMessage(locale, 'checkPasswordResetEmail') };
+}
+
+export async function resetPassword(payload: Record<string, unknown>, locale = defaultLocale) {
+  const token = await cleanToken(payload.token, locale, 'invalidResetToken');
+  const password = await cleanPassword(payload.password, locale);
+  const passwordHash = await hashPassword(password);
+  const tokenHash = hashToken(token);
+
+  return withTransaction(async (client) => {
+    const tokenRow = await clientQueryOne<{ id: number; user_id: number }>(
+      client,
+      `
+        SELECT id, user_id
+        FROM password_reset_tokens
+        WHERE token_hash = $1
+          AND used_at IS NULL
+          AND expires_at > now()
+        FOR UPDATE
+      `,
+      [tokenHash]
+    );
+
+    if (!tokenRow) {
+      throw statusError(await authMessage(locale, 'invalidResetToken'), 400);
+    }
+
+    const user = await clientQueryOne<UserRow>(
+      client,
+      `
+        UPDATE users
+        SET password_hash = $1, updated_at = now()
+        WHERE id = $2
+        RETURNING id, email, display_name, email_verified_at
+      `,
+      [passwordHash, tokenRow.user_id]
+    );
+
+    if (!user) {
+      throw statusError(await authMessage(locale, 'invalidResetToken'), 400);
+    }
+
+    await client.query('UPDATE password_reset_tokens SET used_at = now() WHERE user_id = $1 AND used_at IS NULL', [
+      user.id
+    ]);
+    await client.query('DELETE FROM user_sessions WHERE user_id = $1', [user.id]);
+
+    return { message: await authMessage(locale, 'passwordResetComplete') };
+  });
+}
+
 export async function loginUser(payload: Record<string, unknown>, locale = defaultLocale) {
   const email = await cleanEmail(payload.email, locale);
   const password = await cleanPassword(payload.password, locale);
+  const sessionDays = payload.rememberMe === true ? rememberedSessionDays : sessionOnlySessionDays;
   const user = await queryOne<LoginUserRow>(
     'SELECT id, email, display_name, email_verified_at, password_hash FROM users WHERE email = $1',
     [email]
diff --git a/backend/src/server.ts b/backend/src/server.ts
index f3ca3f6..b17a1f1 100644
--- a/backend/src/server.ts
+++ b/backend/src/server.ts
@@ -1,7 +1,16 @@
 import cors from '@fastify/cors';
 import Fastify from 'fastify';
 import type { FastifyReply, FastifyRequest } from 'fastify';
-import { getUserBySessionToken, loginUser, logoutSession, registerUser, verifyEmail, type AuthUser } from './auth.ts';
+import {
+  getUserBySessionToken,
+  loginUser,
+  logoutSession,
+  registerUser,
+  requestPasswordReset,
+  resetPassword,
+  verifyEmail,
+  type AuthUser
+} from './auth.ts';
 import { initializeDatabase, pool } from './db.ts';
 import {
   cleanLocale,
@@ -170,6 +179,14 @@ app.post('/api/auth/verify-email', async (request) => verifyEmail(request.body a
 
 app.post('/api/auth/login', async (request) => loginUser(request.body as Record<string, unknown>, requestLocale(request)));
 
+app.post('/api/auth/request-password-reset', async (request) =>
+  requestPasswordReset(request.body as Record<string, unknown>, requestLocale(request))
+);
+
+app.post('/api/auth/reset-password', async (request) =>
+  resetPassword(request.body as Record<string, unknown>, requestLocale(request))
+);
+
 app.get('/api/auth/me', async (request, reply) => {
   const token = getBearerToken(request.headers.authorization);
   const user = token ? await getUserBySessionToken(token) : null;
diff --git a/frontend/src/icons.ts b/frontend/src/icons.ts
index ef6e330..f7e3c3c 100644
--- a/frontend/src/icons.ts
+++ b/frontend/src/icons.ts
@@ -20,6 +20,7 @@ export const iconEvent: AppIcon = 'mdi:calendar-star';
 export const iconHabitat: AppIcon = 'mdi:pine-tree';
 export const iconInfo: AppIcon = 'mdi:information-outline';
 export const iconItem: AppIcon = 'mdi:bag-personal-outline';
+export const iconKey: AppIcon = 'mdi:key-outline';
 export const iconLife: AppIcon = 'mdi:post-outline';
 export const iconClothes: AppIcon = 'mdi:tshirt-crew-outline';
 export const iconLogin: AppIcon = 'mdi:login';
diff --git a/frontend/src/router/index.ts b/frontend/src/router/index.ts
index 2cceb96..3d482fa 100644
--- a/frontend/src/router/index.ts
+++ b/frontend/src/router/index.ts
@@ -11,8 +11,10 @@ import DailyChecklistView from '../views/DailyChecklistView.vue';
 import LifeView from '../views/LifeView.vue';
 import ComingSoonView from '../views/ComingSoonView.vue';
 import AdminView from '../views/AdminView.vue';
+import ForgotPasswordView from '../views/ForgotPasswordView.vue';
 import LoginView from '../views/LoginView.vue';
 import RegisterView from '../views/RegisterView.vue';
+import ResetPasswordView from '../views/ResetPasswordView.vue';
 import VerifyEmailView from '../views/VerifyEmailView.vue';
 import { api, getAuthToken, setAuthToken } from '../services/api';
 
@@ -45,6 +47,8 @@ export const router = createRouter({
     { path: '/life', component: LifeView },
     { path: '/admin', component: AdminView, meta: { requiresVerified: true } },
     { path: '/login', component: LoginView },
+    { path: '/forgot-password', component: ForgotPasswordView },
+    { path: '/reset-password', component: ResetPasswordView },
     { path: '/register', component: RegisterView },
     { path: '/verify-email', component: VerifyEmailView }
   ],
diff --git a/frontend/src/services/api.ts b/frontend/src/services/api.ts
index 532d962..85eed52 100644
--- a/frontend/src/services/api.ts
+++ b/frontend/src/services/api.ts
@@ -277,6 +277,7 @@ export interface AuthUser {
 export interface LoginPayload {
   email: string;
   password: string;
+  rememberMe?: boolean;
 }
 
 export interface RegisterPayload extends LoginPayload {
@@ -418,26 +419,39 @@ export function buildQuery(params: Record<string, string | number | undefined>):
   return query ? `?${query}` : '';
 }
 
-export function getAuthToken(): string | null {
-  if (typeof localStorage === 'undefined') {
+function authStorage(type: 'local' | 'session'): Storage | null {
+  if (typeof window === 'undefined') {
     return null;
   }
 
-  return localStorage.getItem(authTokenKey);
+  return type === 'local' ? window.localStorage : window.sessionStorage;
 }
 
-export function setAuthToken(token: string | null): void {
-  if (typeof localStorage === 'undefined') {
-    return;
-  }
+export function getAuthToken(): string | null {
+  const sessionToken = authStorage('session')?.getItem(authTokenKey);
+  return sessionToken ?? authStorage('local')?.getItem(authTokenKey) ?? null;
+}
+
+export function setAuthToken(token: string | null, options: { persistent?: boolean } = {}): void {
+  const local = authStorage('local');
+  const session = authStorage('session');
 
   if (token) {
-    localStorage.setItem(authTokenKey, token);
+    if (options.persistent === false) {
+      session?.setItem(authTokenKey, token);
+      local?.removeItem(authTokenKey);
+    } else {
+      local?.setItem(authTokenKey, token);
+      session?.removeItem(authTokenKey);
+    }
   } else {
-    localStorage.removeItem(authTokenKey);
+    local?.removeItem(authTokenKey);
+    session?.removeItem(authTokenKey);
   }
 
-  window.dispatchEvent(new Event(authChangeEvent));
+  if (typeof window !== 'undefined') {
+    window.dispatchEvent(new Event(authChangeEvent));
+  }
 }
 
 export function onAuthTokenChange(callback: () => void): () => void {
@@ -548,6 +562,10 @@ export const api = {
   verifyEmail: (token: string) =>
     sendJson<{ message: string; user: AuthUser }>('/api/auth/verify-email', 'POST', { token }),
   login: (payload: LoginPayload) => sendJson<AuthResponse>('/api/auth/login', 'POST', payload),
+  requestPasswordReset: (payload: { email: string }) =>
+    sendJson<{ message: string }>('/api/auth/request-password-reset', 'POST', payload),
+  resetPassword: (payload: { token: string; password: string }) =>
+    sendJson<{ message: string }>('/api/auth/reset-password', 'POST', payload),
   me: () => getJson<{ user: AuthUser }>('/api/auth/me'),
   logout: () => postEmpty('/api/auth/logout'),
   options: () => getJson<Options>('/api/options'),
diff --git a/frontend/src/styles/main.css b/frontend/src/styles/main.css
index 402fdbe..fb32244 100644
--- a/frontend/src/styles/main.css
+++ b/frontend/src/styles/main.css
@@ -3784,6 +3784,27 @@ button:disabled,
   gap: 14px;
 }
 
+.auth-options {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 12px;
+  color: var(--muted);
+  font-size: 14px;
+  font-weight: 800;
+}
+
+.auth-options__remember {
+  margin: 0;
+  min-width: 0;
+}
+
+.auth-options a {
+  color: var(--pokemon-blue-deep);
+  font-weight: 900;
+  white-space: nowrap;
+}
+
 .auth-switch {
   margin: 0;
   color: var(--muted);
diff --git a/frontend/src/views/ForgotPasswordView.vue b/frontend/src/views/ForgotPasswordView.vue
new file mode 100644
index 0000000..a66bb12
--- /dev/null
+++ b/frontend/src/views/ForgotPasswordView.vue
@@ -0,0 +1,59 @@
+<script setup lang="ts">
+import { Icon } from '@iconify/vue';
+import { ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import PageHeader from '../components/PageHeader.vue';
+import StatusMessage from '../components/StatusMessage.vue';
+import { iconMail } from '../icons';
+import { api } from '../services/api';
+
+const { t } = useI18n();
+const email = ref('');
+const busy = ref(false);
+const message = ref('');
+const errorMessage = ref('');
+
+async function submitResetRequest() {
+  busy.value = true;
+  message.value = '';
+  errorMessage.value = '';
+
+  try {
+    const response = await api.requestPasswordReset({ email: email.value });
+    message.value = response.message;
+  } catch (error) {
+    errorMessage.value = error instanceof Error && error.message ? error.message : t('auth.requestResetFailed');
+  } finally {
+    busy.value = false;
+  }
+}
+</script>
+
+<template>
+  <section class="auth-page">
+    <div class="auth-panel">
+      <PageHeader :title="t('auth.requestResetTitle')" :subtitle="t('auth.requestResetSubtitle')">
+        <template #kicker>{{ t('auth.accountAccess') }}</template>
+      </PageHeader>
+
+      <form class="auth-form" @submit.prevent="submitResetRequest">
+        <div class="field">
+          <label for="forgot-password-email">{{ t('auth.email') }}</label>
+          <input id="forgot-password-email" v-model="email" autocomplete="email" required type="email" />
+        </div>
+
+        <StatusMessage v-if="message" variant="success">{{ message }}</StatusMessage>
+        <StatusMessage v-if="errorMessage" variant="danger">{{ errorMessage }}</StatusMessage>
+
+        <button class="ui-button ui-button--primary" :disabled="busy" type="submit">
+          <Icon :icon="iconMail" class="ui-icon" aria-hidden="true" />
+          {{ busy ? t('auth.sending') : t('auth.sendResetLink') }}
+        </button>
+      </form>
+
+      <p class="auth-switch">
+        <RouterLink to="/login">{{ t('auth.goLogin') }}</RouterLink>
+      </p>
+    </div>
+  </section>
+</template>
diff --git a/frontend/src/views/LoginView.vue b/frontend/src/views/LoginView.vue
index a007d56..d7327e7 100644
--- a/frontend/src/views/LoginView.vue
+++ b/frontend/src/views/LoginView.vue
@@ -13,6 +13,7 @@ const router = useRouter();
 const { t } = useI18n();
 const email = ref('');
 const password = ref('');
+const rememberMe = ref(false);
 const busy = ref(false);
 const errorMessage = ref('');
 
@@ -23,9 +24,10 @@ async function submitLogin() {
   try {
     const response = await api.login({
       email: email.value,
-      password: password.value
+      password: password.value,
+      rememberMe: rememberMe.value
     });
-    setAuthToken(response.token);
+    setAuthToken(response.token, { persistent: rememberMe.value });
 
     const redirect =
       typeof route.query.redirect === 'string' && route.query.redirect.startsWith('/')
@@ -44,7 +46,7 @@ async function submitLogin() {
   <section class="auth-page">
     <div class="auth-panel">
       <PageHeader :title="t('auth.loginTitle')" :subtitle="t('auth.loginSubtitle')">
-        <template #kicker>Trainer Pass</template>
+        <template #kicker>{{ t('auth.accountAccess') }}</template>
       </PageHeader>
 
       <form class="auth-form" @submit.prevent="submitLogin">
@@ -58,6 +60,14 @@ async function submitLogin() {
           <input id="login-password" v-model="password" autocomplete="current-password" required type="password" />
         </div>
 
+        <div class="auth-options">
+          <label class="check-row auth-options__remember">
+            <input v-model="rememberMe" type="checkbox" />
+            {{ t('auth.rememberMe') }}
+          </label>
+          <RouterLink to="/forgot-password">{{ t('auth.forgotPassword') }}</RouterLink>
+        </div>
+
         <StatusMessage v-if="errorMessage" variant="danger">{{ errorMessage }}</StatusMessage>
 
         <button class="ui-button ui-button--primary" :disabled="busy" type="submit">
diff --git a/frontend/src/views/ResetPasswordView.vue b/frontend/src/views/ResetPasswordView.vue
new file mode 100644
index 0000000..be3579a
--- /dev/null
+++ b/frontend/src/views/ResetPasswordView.vue
@@ -0,0 +1,98 @@
+<script setup lang="ts">
+import { Icon } from '@iconify/vue';
+import { computed, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRoute } from 'vue-router';
+import PageHeader from '../components/PageHeader.vue';
+import StatusMessage from '../components/StatusMessage.vue';
+import { iconKey, iconLogin } from '../icons';
+import { api } from '../services/api';
+
+const { t } = useI18n();
+const route = useRoute();
+const password = ref('');
+const confirmPassword = ref('');
+const busy = ref(false);
+const message = ref('');
+const errorMessage = ref('');
+
+const token = computed(() => (typeof route.query.token === 'string' ? route.query.token : ''));
+
+async function submitPasswordReset() {
+  message.value = '';
+  errorMessage.value = '';
+
+  if (!token.value) {
+    errorMessage.value = t('auth.invalidPasswordReset');
+    return;
+  }
+
+  if (password.value !== confirmPassword.value) {
+    errorMessage.value = t('auth.passwordMismatch');
+    return;
+  }
+
+  busy.value = true;
+
+  try {
+    const response = await api.resetPassword({ token: token.value, password: password.value });
+    message.value = response.message;
+    password.value = '';
+    confirmPassword.value = '';
+  } catch (error) {
+    errorMessage.value = error instanceof Error && error.message ? error.message : t('auth.resetFailed');
+  } finally {
+    busy.value = false;
+  }
+}
+</script>
+
+<template>
+  <section class="auth-page">
+    <div class="auth-panel">
+      <PageHeader :title="t('auth.resetTitle')" :subtitle="t('auth.resetSubtitle')">
+        <template #kicker>{{ t('auth.accountAccess') }}</template>
+      </PageHeader>
+
+      <form v-if="!message" class="auth-form" @submit.prevent="submitPasswordReset">
+        <div class="field">
+          <label for="reset-password">{{ t('auth.newPassword') }}</label>
+          <input
+            id="reset-password"
+            v-model="password"
+            autocomplete="new-password"
+            minlength="8"
+            required
+            type="password"
+          />
+        </div>
+
+        <div class="field">
+          <label for="reset-password-confirm">{{ t('auth.confirmPassword') }}</label>
+          <input
+            id="reset-password-confirm"
+            v-model="confirmPassword"
+            autocomplete="new-password"
+            minlength="8"
+            required
+            type="password"
+          />
+        </div>
+
+        <StatusMessage v-if="errorMessage" variant="danger">{{ errorMessage }}</StatusMessage>
+
+        <button class="ui-button ui-button--primary" :disabled="busy" type="submit">
+          <Icon :icon="iconKey" class="ui-icon" aria-hidden="true" />
+          {{ busy ? t('auth.resetting') : t('auth.resetPassword') }}
+        </button>
+      </form>
+
+      <StatusMessage v-else variant="success">{{ message }}</StatusMessage>
+
+      <RouterLink v-if="message" class="ui-button ui-button--ghost" to="/login">
+        <Icon :icon="iconLogin" class="ui-icon" aria-hidden="true" />
+        {{ t('auth.goLogin') }}
+      </RouterLink>
+    </div>
+  </section>
+</template>
diff --git a/system-wordings.ts b/system-wordings.ts
index f11408c..072f25d 100644
--- a/system-wordings.ts
+++ b/system-wordings.ts
@@ -62,13 +62,18 @@ export const systemWordingMessages = {
       register: 'Register'
     },
     auth: {
+      accountAccess: 'Trainer Pass',
       email: 'Email',
       password: 'Password',
+      newPassword: 'New password',
+      confirmPassword: 'Confirm password',
       displayName: 'Display name',
       loginTitle: 'Log in',
       loginSubtitle: 'Use a verified email to enter Pokopia Wiki.',
       loggingIn: 'Logging in',
       loginFailed: 'Login failed',
+      rememberMe: 'Remember me',
+      forgotPassword: 'Forgot password?',
       noAccount: 'No account yet?',
       registerTitle: 'Register',
       registerSubtitle: 'Verify your email after creating an account.',
@@ -76,6 +81,17 @@ export const systemWordingMessages = {
       sending: 'Sending',
       sendVerification: 'Send verification email',
       hasAccount: 'Already have an account?',
+      requestResetTitle: 'Reset password',
+      requestResetSubtitle: 'Send a password reset link to your account email.',
+      sendResetLink: 'Send reset link',
+      requestResetFailed: 'Password reset request failed',
+      resetTitle: 'Choose a new password',
+      resetSubtitle: 'Use the reset link from your email to update your password.',
+      resetPassword: 'Reset password',
+      resetting: 'Resetting',
+      resetFailed: 'Password reset failed',
+      passwordMismatch: 'Passwords do not match',
+      invalidPasswordReset: 'The password reset link is invalid or expired.',
       verifyTitle: 'Email verification',
       verifySubtitle: 'You can log in after verification is complete.',
       verifyingEmail: 'Verifying email',
@@ -523,8 +539,11 @@ export const systemWordingMessages = {
       emailAlreadyRegistered: 'This email is already registered',
       checkVerificationEmail: 'Please check your verification email',
       emailVerified: 'Email verified',
+      checkPasswordResetEmail: 'If an account uses this email, a password reset link will be sent.',
+      passwordResetComplete: 'Password updated. You can log in with the new password.',
       invalidCredentials: 'Email or password is incorrect',
-      verifyEmailFirst: 'Please complete email verification first'
+      verifyEmailFirst: 'Please complete email verification first',
+      invalidResetToken: 'The password reset link is invalid or expired'
     },
     validation: {
       nameRequired: 'Name is required',
@@ -590,7 +609,11 @@ export const systemWordingMessages = {
       verificationSubject: 'Verify your Pokopia Wiki email',
       verificationHtml:
         '<p>Open the link below to verify your email:</p><p><a href="{url}">Verify email</a></p><p>The link expires in {hours} hours.</p>',
-      verificationText: 'Open this link to verify your Pokopia Wiki email: {url}\nThe link expires in {hours} hours.'
+      verificationText: 'Open this link to verify your Pokopia Wiki email: {url}\nThe link expires in {hours} hours.',
+      passwordResetSubject: 'Reset your Pokopia Wiki password',
+      passwordResetHtml:
+        '<p>Open the link below to reset your password:</p><p><a href="{url}">Reset password</a></p><p>The link expires in {hours} hours.</p>',
+      passwordResetText: 'Open this link to reset your Pokopia Wiki password: {url}\nThe link expires in {hours} hours.'
     }
   },
   },
@@ -651,13 +674,18 @@ export const systemWordingMessages = {
       register: '注册'
     },
     auth: {
+      accountAccess: 'Trainer Pass',
       email: '邮箱',
       password: '密码',
+      newPassword: '新密码',
+      confirmPassword: '确认密码',
       displayName: '显示名',
       loginTitle: '登录',
       loginSubtitle: '使用已验证邮箱进入 Pokopia Wiki',
       loggingIn: '登录中',
       loginFailed: '登录失败',
+      rememberMe: '记住我',
+      forgotPassword: '忘记密码？',
       noAccount: '还没有账号？',
       registerTitle: '注册',
       registerSubtitle: '创建账号后需要完成邮箱验证',
@@ -665,6 +693,17 @@ export const systemWordingMessages = {
       sending: '发送中',
       sendVerification: '发送验证邮件',
       hasAccount: '已有账号？',
+      requestResetTitle: '重置密码',
+      requestResetSubtitle: '向账号邮箱发送密码重置链接。',
+      sendResetLink: '发送重置链接',
+      requestResetFailed: '密码重置请求失败',
+      resetTitle: '设置新密码',
+      resetSubtitle: '使用邮件中的重置链接更新密码。',
+      resetPassword: '重置密码',
+      resetting: '重置中',
+      resetFailed: '密码重置失败',
+      passwordMismatch: '两次输入的密码不一致',
+      invalidPasswordReset: '密码重置链接无效或已过期',
       verifyTitle: '邮箱验证',
       verifySubtitle: '完成验证后即可登录',
       verifyingEmail: '正在验证邮箱',
@@ -1112,8 +1151,11 @@ export const systemWordingMessages = {
         emailAlreadyRegistered: '该邮箱已注册',
         checkVerificationEmail: '请查收验证邮件',
         emailVerified: '邮箱已验证',
+        checkPasswordResetEmail: '如果该邮箱已注册，系统会发送密码重置链接。',
+        passwordResetComplete: '密码已更新，请使用新密码登录。',
         invalidCredentials: '邮箱或密码不正确',
-        verifyEmailFirst: '请先完成邮箱验证'
+        verifyEmailFirst: '请先完成邮箱验证',
+        invalidResetToken: '密码重置链接无效或已过期'
       },
       validation: {
         nameRequired: '请输入名称',
@@ -1178,7 +1220,10 @@ export const systemWordingMessages = {
       auth: {
         verificationSubject: '验证你的 Pokopia Wiki 邮箱',
         verificationHtml: '<p>请点击下面的链接完成邮箱验证：</p><p><a href="{url}">验证邮箱</a></p><p>链接将在 {hours} 小时后失效。</p>',
-        verificationText: '请打开以下链接完成 Pokopia Wiki 邮箱验证：{url}\n链接将在 {hours} 小时后失效。'
+        verificationText: '请打开以下链接完成 Pokopia Wiki 邮箱验证：{url}\n链接将在 {hours} 小时后失效。',
+        passwordResetSubject: '重置你的 Pokopia Wiki 密码',
+        passwordResetHtml: '<p>请点击下面的链接重置密码：</p><p><a href="{url}">重置密码</a></p><p>链接将在 {hours} 小时后失效。</p>',
+        passwordResetText: '请打开以下链接重置 Pokopia Wiki 密码：{url}\n链接将在 {hours} 小时后失效。'
       }
     }
   }