refac: gera url de reset de senha com base no .env

server/utils/auth-config.ts

@@ -11,6 +11,7 @@ export interface AuthRuntimeConfig {
   kid: string
   refreshTokenPepper: string
   passwordResetTokenPepper: string
+  passwordResetBaseUrl: string
 }
 
 /**
@@ -85,6 +86,7 @@ export function getAuthRuntimeConfig(event?: H3Event): AuthRuntimeConfig {
   const refreshTokenPepper = String(runtimeConfig.refreshTokenPepper ?? '').trim()
   const passwordResetTokenPepper =
     String(runtimeConfig.passwordResetTokenPepper ?? '').trim() || refreshTokenPepper
+  const passwordResetBaseUrl = String(runtimeConfig.passwordResetBaseUrl ?? '').trim()
 
   return {
     issuer,
@@ -99,6 +101,7 @@ export function getAuthRuntimeConfig(event?: H3Event): AuthRuntimeConfig {
     privateKeyPem: normalizePem(String(runtimeConfig.jwtPrivateKeyPem ?? ''), 'JWT private key'),
     publicKeyPem: normalizePem(String(runtimeConfig.jwtPublicKeyPem ?? ''), 'JWT public key'),
     refreshTokenPepper,
-    passwordResetTokenPepper
+    passwordResetTokenPepper,
+    passwordResetBaseUrl
   }
 }

server/utils/auth-service.ts

@@ -1,5 +1,5 @@
 import { Prisma } from '@prisma/client'
-import { createError, readBody, setResponseStatus, type H3Event } from 'h3'
+import { createError, getRequestURL, readBody, setResponseStatus, type H3Event } from 'h3'
 
 import { signAccessToken } from './jwt'
 import { getAuthRuntimeConfig } from './auth-config'
@@ -202,6 +202,7 @@ export async function handleForgotPassword(event: H3Event) {
   const expiresAt = new Date(now.getTime() + config.passwordResetTtlSec * 1000)
   const rawResetToken = generateRawPasswordResetToken()
   const tokenHash = hashPasswordResetToken(rawResetToken, config.passwordResetTokenPepper)
+  const resetBaseUrl = config.passwordResetBaseUrl || getRequestURL(event).origin
 
   const user = await prisma.user.findUnique({
     where: { email },
@@ -233,7 +234,7 @@ export async function handleForgotPassword(event: H3Event) {
     message: 'If the email exists, recovery instructions were generated',
     recovery: {
       reset_token: rawResetToken,
-      reset_url: buildPasswordResetPreviewUrl(config.issuer, rawResetToken),
+      reset_url: buildPasswordResetPreviewUrl(resetBaseUrl, rawResetToken),
       expires_in: config.passwordResetTtlSec
     }
   }

server/utils/password-reset-token.ts

@@ -23,13 +23,13 @@ export function generateRawPasswordResetToken(): string {
 /**
  * Monta uma URL de preview para facilitar testes locais sem SMTP.
  *
- * @param issuer Base do serviço de auth.
+ * @param baseUrl URL pública usada para abrir a tela de redefinição.
  * @param token Token bruto de recuperação.
  * @returns URL completa (ou fallback relativo) com o token.
  */
-export function buildPasswordResetPreviewUrl(issuer: string, token: string): string {
+export function buildPasswordResetPreviewUrl(baseUrl: string, token: string): string {
   try {
-    const url = new URL('/auth/reset-password', issuer)
+    const url = new URL('/auth/reset-password', baseUrl)
     url.searchParams.set('token', token)
 
     return url.toString()