Bug Description

In internal/graphql/reset_password.go:106-114, the reset password OTP path only checks if the OTP value matches but does not check if the OTP has expired. The VerifyOTP method correctly checks otp.ExpiresAt, but ResetPassword skips this check.

Impact

MEDIUM — Expired OTPs can be used to reset passwords indefinitely, as long as they haven't been deleted from the database.

Fix

Add expiry check: if otpRequest.ExpiresAt < time.Now().Unix() { return error }