test(account): cover resend verification and password reset login flow

docs/core-checklist-status.md

@@ -7,7 +7,7 @@ Legend:
 
 ## Modules
 
-1. Account - `PARTIAL` (email auth, JWT, refresh, logout, reset; sessions exist, full UX still improving)
+1. Account - `PARTIAL` (email auth, JWT, refresh, logout, reset; integration tests now cover resend-verification token replacement and full password-reset login flow; sessions exist, full UX still improving)
 2. User Profile - `DONE` (username, name, avatar, bio, update)
 3. User Status - `PARTIAL` (online/last seen/offline; web now formats `just now/today/yesterday/recently`, backend-side presence heuristics still limited)
 4. Contacts - `PARTIAL` (list/search/add/remove/block/unblock; `add by email` flow covered by integration tests including `success/not found/blocked conflict`; web now surfaces specific add-by-email errors (`not found` vs `blocked`); UX moved to menu)

tests/test_auth_flow.py

@@ -1,6 +1,6 @@
 from sqlalchemy import select
 
-from app.auth.models import EmailVerificationToken
+from app.auth.models import EmailVerificationToken, PasswordResetToken
 from app.utils.totp import _totp_code
 
 
@@ -297,3 +297,77 @@ async def test_twofa_recovery_codes_are_normalized_and_decrement_status(client,
     status_after = await client.get("/api/v1/auth/2fa/recovery-codes/status", headers=headers)
     assert status_after.status_code == 200
     assert status_after.json()["remaining_codes"] == initial_count - 1
+
+
+async def test_resend_verification_replaces_old_token_and_verifies_with_new_one(client, db_session):
+    payload = {
+        "email": "resend_flow@example.com",
+        "name": "Resend Flow",
+        "username": "resend_flow",
+        "password": "strongpass123",
+    }
+    register_response = await client.post("/api/v1/auth/register", json=payload)
+    assert register_response.status_code == 201
+
+    first_token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    first_token = first_token_row.scalar_one().token
+
+    resend_response = await client.post("/api/v1/auth/resend-verification", json={"email": payload["email"]})
+    assert resend_response.status_code == 200
+
+    second_token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    second_token = second_token_row.scalar_one().token
+    assert second_token != first_token
+
+    verify_old = await client.post("/api/v1/auth/verify-email", json={"token": first_token})
+    assert verify_old.status_code == 400
+
+    verify_new = await client.post("/api/v1/auth/verify-email", json={"token": second_token})
+    assert verify_new.status_code == 200
+
+    login_response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert login_response.status_code == 200
+
+
+async def test_password_reset_flow_replaces_password_and_invalidates_old_password(client, db_session):
+    payload = {
+        "email": "reset_flow@example.com",
+        "name": "Reset Flow",
+        "username": "reset_flow",
+        "password": "strongpass123",
+    }
+    register_response = await client.post("/api/v1/auth/register", json=payload)
+    assert register_response.status_code == 201
+
+    token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
+    verify_token = token_row.scalar_one().token
+    verify_response = await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
+    assert verify_response.status_code == 200
+
+    request_reset = await client.post("/api/v1/auth/request-password-reset", json={"email": payload["email"]})
+    assert request_reset.status_code == 200
+
+    reset_token_row = await db_session.execute(select(PasswordResetToken).order_by(PasswordResetToken.id.desc()))
+    reset_token = reset_token_row.scalar_one().token
+
+    new_password = "newstrongpass456"
+    reset_password_response = await client.post(
+        "/api/v1/auth/reset-password",
+        json={"token": reset_token, "new_password": new_password},
+    )
+    assert reset_password_response.status_code == 200
+
+    old_login = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": payload["password"]},
+    )
+    assert old_login.status_code == 401
+
+    new_login = await client.post(
+        "/api/v1/auth/login",
+        json={"email": payload["email"], "password": new_password},
+    )
+    assert new_login.status_code == 200