feat(api): password reset endpoints with portal URL

Add forgot-password and reset-password API routes with rate limiting.
Customize reset URL to point to portal frontend via AppServiceProvider.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/routes/api.php

@@ -29,6 +29,7 @@ use App\Http\Controllers\Api\V1\VolunteerAvailabilityController;
 use App\Http\Controllers\Api\V1\VolunteerRegistrationController;
 use App\Http\Controllers\Api\V1\PublicRegistrationDataController;
 use App\Http\Controllers\Api\V1\PortalTokenController;
+use App\Http\Controllers\Api\V1\PasswordResetController;
 use App\Http\Controllers\Api\V1\PortalMeController;
 use App\Http\Controllers\Api\V1\UserOrganisationTagController;
 use App\Models\FestivalSection;
@@ -59,6 +60,11 @@ Route::post('auth/login', LoginController::class);
 Route::get('invitations/{token}', [InvitationController::class, 'show']);
 Route::post('invitations/{token}/accept', [InvitationController::class, 'accept']);
 
+// Password reset
+Route::post('auth/forgot-password', [PasswordResetController::class, 'sendResetLink'])
+    ->middleware('throttle:5,1');
+Route::post('auth/reset-password', [PasswordResetController::class, 'resetPassword']);
+
 // Public portal routes
 Route::get('public/events/{slug}/registration-data', PublicRegistrationDataController::class);
 Route::post('public/check-email', CheckEmailController::class)->middleware('throttle:10,1');