feat(api): password reset endpoints with portal URL

Add forgot-password and reset-password API routes with rate limiting.
Customize reset URL to point to portal frontend via AppServiceProvider.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/PasswordResetController.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Http\Controllers\Controller;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
+
+final class PasswordResetController extends Controller
+{
+    public function sendResetLink(Request $request): JsonResponse
+    {
+        $request->validate(['email' => 'required|email']);
+
+        Password::sendResetLink(['email' => strtolower($request->email)]);
+
+        // Always return success (don't leak whether email exists)
+        return $this->success(
+            message: 'Als dit emailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.'
+        );
+    }
+
+    public function resetPassword(Request $request): JsonResponse
+    {
+        $request->validate([
+            'token' => 'required',
+            'email' => 'required|email',
+            'password' => 'required|min:8|confirmed',
+        ]);
+
+        $status = Password::reset(
+            $request->only('email', 'password', 'password_confirmation', 'token'),
+            function ($user, $password) {
+                $user->forceFill(['password' => Hash::make($password)])->save();
+            }
+        );
+
+        if ($status === Password::PASSWORD_RESET) {
+            return $this->success(message: 'Wachtwoord succesvol gewijzigd.');
+        }
+
+        return $this->error(__($status), 422);
+    }
+}