[FEAT] 비밀번호 찾기 기능 구현

[KoungQ]

📝 Pull Request Template

📌 제목

[FEAT] 비밀번호 찾기 기능 구현

---

📢 요약

• 비밀번호 찾기 플로우에 필요한 3개 엔드포인트를 신규
• 회원가입 시 이메일 인증 완료 여부를 서버에서 검증하도록 강화
• 변경 이유: 기존 비밀번호 찾기는 프론트엔드에서 인증번호를 하드코딩으로 검증하고 있었고, 회원가입도 이메일 인증 완료 여부를 서버에서 확인하지 않았음

🔗 연관 이슈: Resolves #109

---

🚀 PR 유형

해당하는 항목에 체크해주세요.

• ✨ 새로운 기능 추가
• 🐛 버그 수정
• 🎨 CSS/UI 디자인 변경
• 🔧 코드에 영향 없는 변경(오타 수정, 탭 사이즈 변경, 변수명 변경 등)
• 🔨 코드 리팩토링
• 📝 주석 추가 및 수정
• 📄 문서 수정
• 🧪 테스트 추가 또는 리팩토링
• 🏗️ 빌드 및 패키지 매니저 수정
• 📂 파일 또는 폴더명 수정
• 🗑️ 파일 또는 폴더 삭제

---

✅ PR 체크리스트

PR이 다음 요구 사항을 충족하는지 확인해주세요.

• 🔹 커밋 메시지 컨벤션을 준수했습니다. (Commit message convention 참고)
• 🔹 변경 사항에 대한 테스트를 수행했습니다. (버그 수정/기능 테스트)
• 🔹 관련 문서를 업데이트했습니다. (필요한 경우)

---

📜 기타

리뷰어가 알면 좋을 추가 사항을 적어주세요.

• 기능 개선 아이디어
• 코드 리팩토링 필요 여부 등

Summary by CodeRabbit

• New Features

  • 비밀번호 재설정 워크플로우 추가(인증 코드 발송·검증 후 비밀번호 변경)
  • 이메일 인증 성공 상태 및 비밀번호 재설정 허용 상태 저장 기능 추가
  • 캘린더 이벤트 응답에 내용·시간·유형 필드 추가

• Security & Validation

  • 회원가입·비밀번호 관련 입력 검증 강화(비밀번호 길이·패턴, NotBlank 적용)
  • 회원가입 시 이메일 인증 완료 필수화

• Configuration

  • 비밀번호 재설정 관련 API를 인증 예외 및 레이트리밋 설정에 추가; 개발 설정 일부 업데이트

• Infrastructure & CI

  • Redis 기반 인증 상태 저장 구현 및 CI 테스트에 Redis 서비스 추가

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

비밀번호 재설정(발송 → 코드 검증 → 재설정) 엔드투엔드 흐름과 이메일 인증 상태 저장/확인 기능을 추가하며, Redis 저장소 구현, API 스펙·컨트롤러, DTO·검증, 관련 설정(CI·애플리케이션) 및 달력 이벤트 모델 확장을 포함합니다.

변경사항

비밀번호 재설정 기능

Layer / File(s)	Summary
도메인 계약 및 엔티티 확장 src/main/java/.../User.java, src/main/java/.../domain/repository/*	User 엔티티에 updatePassword 추가, EmailVerifiedRepository, PasswordResetCodeRepository, PasswordResetVerifiedRepository 인터페이스를 정의합니다.
이메일 인증 흐름 통합 src/main/java/.../usecase/SignUpUseCase.java, src/main/java/.../usecase/VerifyEmailUseCase.java	회원가입 시 이메일 인증 완료 여부 확인을 추가하고, VerifyEmail 성공 시 인증 상태를 저장하도록 변경합니다.
Redis 저장소 구현 src/main/java/.../infra/repository/Redis*.java	이메일 검증·비밀번호 재설정 코드·재설정 검증 상태를 Redis에 TTL로 저장/조회/삭제하는 구현체를 제공합니다.
비밀번호 재설정 유스케이스 src/main/java/.../usecase/SendPasswordResetEmailUseCase.java, .../VerifyPasswordResetCodeUseCase.java, .../ResetPasswordUseCase.java	(1) 가입 여부·도메인 검증 후 코드 발송, (2) 코드 검증 후 재설정 허용 상태 저장, (3) 비밀번호 일치·검증 확인 후 암호 인코딩 및 사용자 비밀번호 갱신 흐름을 구현합니다.
REST API 엔드포인트 src/main/java/.../ui/*.java, src/main/java/.../ui/spec/*.java	/api/email/password-reset/send, /api/email/password-reset/verify, /api/users/password/reset 스펙 인터페이스와 컨트롤러들을 추가하고 입력 검증을 적용합니다.
검증·레이트리밋·컨트롤러 검증 src/main/java/.../dto/request/*.java, src/main/java/.../usecase/SendVerificationEmailUseCase.java, src/main/java/.../ui/*Controller.java	SignUp/Reset DTO 비밀번호 제약 추가, 전송 관련 메서드에 레이트리밋/검증 애노테이션 적용, 컨트롤러에서 @Validated·@NotBlank 적용을 포함합니다.
설정·CI·예외·테스트 변경 src/main/resources/application.yml, src/main/resources/application-dev.yml, .github/workflows/cicd.yml, src/main/java/.../global/exception/code/status/UserErrorStatus.java, tests/*	비밀번호 재설정 경로들을 인증·화이트/블랙리스트 예외에 추가, dev 설정 변경(jpa ddl-auto, firebase path env), CI 테스트에 Redis 서비스 추가, EMAIL_NOT_VERIFIED 에러 추가 및 관련 테스트 조정/업데이트.

달력 이벤트 확장

Layer / File(s)	Summary
Calendar 엔티티·DTO·매퍼 src/main/java/.../calendar/domain/entity/CalendarEvent.java, src/main/java/.../calendar/application/dto/response/CalendarEventResponse.java, src/main/java/.../calendar/application/mapper/CalendarEventMapper.java	CalendarEvent에 content, eventTime, eventType 필드를 추가하고 응답 DTO와 매퍼를 확장했습니다.
테스트 업데이트 src/test/java/.../calendar/*	확장된 CalendarEventResponse 시그니처에 맞춰 단위 테스트와 컨트롤러/유스케이스 테스트의 생성자 인자를 업데이트했습니다.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant SendPWResetCtrl as SendPasswordResetEmailController
  participant SendPWResetUC as SendPasswordResetEmailUseCase
  participant EmailSvc as EmailVerificationService
  participant PWCodeRepo as PasswordResetCodeRepository
  participant VerifyCtrl as VerifyPasswordResetCodeController
  participant VerifyUC as VerifyPasswordResetCodeUseCase
  participant PWVerifiedRepo as PasswordResetVerifiedRepository
  participant ResetCtrl as ResetPasswordController
  participant ResetUC as ResetPasswordUseCase
  participant UserSvc as UserService
  Client->>SendPWResetCtrl: POST /api/email/password-reset/send (email)
  SendPWResetCtrl->>SendPWResetUC: send(email)
  SendPWResetUC->>EmailSvc: sendCode(email, code)
  EmailSvc->>PWCodeRepo: save(email, code) [TTL=10m]
  Client->>VerifyCtrl: POST /api/email/password-reset/verify (email, code)
  VerifyCtrl->>VerifyUC: execute(email, code)
  VerifyUC->>EmailSvc: verifyCode(email, code)
  VerifyUC->>PWVerifiedRepo: save(email) [verified TTL=10m]
  Client->>ResetCtrl: POST /api/users/password/reset (ResetPasswordRequest)
  ResetCtrl->>ResetUC: execute(request)
  ResetUC->>PWVerifiedRepo: existsByEmail(email)
  ResetUC->>UserSvc: findByEmail(email) -> User
  ResetUC->>UserSvc: updatePassword(encodedNewPassword)
  ResetUC->>PWVerifiedRepo: delete(email)

Loading

코드 리뷰 예상 시간

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• #109 — 본 PR은 비밀번호 재설정 API 기능(컨트롤러, 유스케이스, DTO, Redis 검증 흐름)을 구현하므로 해당 이슈의 목표와 직접적으로 일치합니다.

Suggested reviewers

• ydking0911

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	캘린더 필드 확장, Discord 웹훅 오류 처리 등 부수적 수정사항이 포함되어 있습니다.	비밀번호 찾기 기능과 무관한 변경사항들(CalendarEvent 필드 추가, RoomService 반환값 변경)을 별도 PR로 분리해주세요.
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.24% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	PR 타이틀은 주요 변경사항인 비밀번호 찾기 기능 구현을 명확하게 설명하고 있습니다.
Linked Issues check	✅ Passed	비밀번호 찾기 API 기능 구현(#109)에 필요한 3개 엔드포인트(이메일 발송, 코드 검증, 비밀번호 재설정)가 모두 구현되었습니다.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/#109/비밀번호-찾기-api-기능-구현

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 17

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/main/resources/application.yml (1)

135-135: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

속성명 일관성 문제가 있습니다.

Line 135에서 pathPattern (camelCase)을 사용하고 있는데, 나머지 모든 항목들은 path-pattern (kebab-case)을 사용하고 있습니다.

YAML 파서가 두 형식을 모두 처리할 수 있더라도, 일관성을 위해 path-pattern으로 통일하시는 것을 권장드립니다.

🔧 일관성 개선을 위한 제안

-    - pathPattern: /api/users/login
+    - path-pattern: /api/users/login
       method: POST

참고: 이 문제는 기존 코드에 존재하던 것으로 현재 PR의 범위는 아니지만, 향후 개선하시면 좋을 것 같습니다.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/resources/application.yml` at line 135, Replace the inconsistent
camelCase property name pathPattern with the kebab-case variant path-pattern to
match the rest of the YAML keys; locate the occurrence of pathPattern in the
configuration (the property named pathPattern) and rename it to path-pattern so
property naming is consistent across the file.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@src/main/java/com/project/dorumdorum/domain/user/application/dto/request/ResetPasswordRequest.java`:
- Around line 6-10: ResetPasswordRequest currently only enforces `@NotBlank` on
newPassword and newPasswordCheck; add a password strength validation (e.g., a
`@Pattern` on the newPassword field or apply a custom constraint annotation) to
enforce minimum length and required character classes (uppercase, lowercase,
digit, special char) and update imports accordingly; ensure the validation is
applied to the record component named newPassword (and consider mirroring or
separately validating newPasswordCheck in the same DTO or via a cross-field
validator in the ResetPasswordRequest to ensure both fields match).

In
`@src/main/java/com/project/dorumdorum/domain/user/application/usecase/ResetPasswordUseCase.java`:
- Around line 40-42: The current operation order in ResetPasswordUseCase calls
passwordResetVerifiedRepository.delete(request.email()) before updating the
user's password, which can leave the Redis verification state deleted if
user.updatePassword/passwordEncoder.encode fails (not rolled back); change the
sequence so that you first perform the transactional password update via
user.updatePassword(passwordEncoder.encode(request.newPassword())) after
locating the user with userService.findByEmail(request.email()), and only after
the update succeeds call passwordResetVerifiedRepository.delete(request.email())
to remove the verification state.

In
`@src/main/java/com/project/dorumdorum/domain/user/application/usecase/SendPasswordResetEmailUseCase.java`:
- Around line 36-37: Add per-email rate limiting to
SendPasswordResetEmailUseCase so callers cannot trigger unlimited sendCode
calls; before calling secureRandomGenerator.generate() and
emailVerificationService.sendCode(), check a rate-limit marker (e.g., via a
RateLimitRepository or Redis) keyed by the email and if it exists throw a
TOO_MANY_REQUESTS/RestApiException, and after sending store the marker with a
short TTL (e.g., 1 minute). Apply the same pattern optionally for IP-based
limits or use a decorator/Resilience4j `@RateLimiter` on the use case if
preferred.
- Around line 27-30: The current SendPasswordResetEmailUseCase.send method
exposes user existence by throwing RestApiException(EMAIL_NOT_FOUND) when
userService.isAlreadyRegistered(email) is false; change this to always return
the same success response regardless of registration status and only trigger
sending an auth code/email when userService.isAlreadyRegistered(email) is true
(e.g., call the existing email-sending logic inside the true branch), while
removing or replacing the EMAIL_NOT_FOUND throw; optionally log non-sensitive
info for ops but do not alter the outward response so clients cannot enumerate
users.

In
`@src/main/java/com/project/dorumdorum/domain/user/infra/repository/RedisEmailVerifiedRepository.java`:
- Around line 19-21: 현재 RedisEmailVerifiedRepository.save에서 EMAIL_VERIFIED +
email 키를 Duration.ofMinutes(10)으로 설정해 VerifyEmailUseCase/SignUpUseCase 흐름에서 인증
완료 상태가 회원가입 완료까지 제한될 수 있으니, 인증 코드 TTL과 인증 완료 상태 TTL을 분리하거나 인증 완료 TTL을 더 늘리거나 설정
가능하게 변경하세요; 구체적으로
RedisEmailVerifiedRepository.save/EMAIL_VERIFIED/VERIFIED_VALUE를 수정해 TTL 값을 설정에서
주입받도록(예: config 프로퍼티로) 대체하고 VerifyEmailUseCase와 SignUpUseCase는 기존 키 존재 검사 로직은
유지하되 TTL 정책이 변경되어도 동작하도록 검증하세요.

In
`@src/main/java/com/project/dorumdorum/domain/user/infra/repository/RedisPasswordResetCodeRepository.java`:
- Line 16: The PASSWORD_RESET key prefix and hardcoded TTL in
RedisPasswordResetCodeRepository should be externalized to configuration: add
properties (e.g. password-reset.code.ttl-minutes and
password-reset.code.key-prefix) in application.yml, create either
`@ConfigurationProperties` or `@Value` injections in
RedisPasswordResetCodeRepository to populate two fields (keyPrefix and
ttlMinutes), replace the private static final String PASSWORD_RESET =
"PASSWORD_RESET:" with the injected keyPrefix, and update save (and all other
methods that reference PASSWORD_RESET) to build keys using keyPrefix and to set
expiry using ttlMinutes (converted to Duration or seconds) instead of the
literal 10 minutes; ensure constructor or field injection and appropriate types
are used so tests and usages still compile.
- Around line 24-26: In RedisPasswordResetCodeRepository.findByEmail validate
the email parameter before using it: check for null or blank (e.g.,
Objects.requireNonNull(email) and String#isBlank or StringUtils.hasText) and
either throw an IllegalArgumentException with a clear message or return
Optional.empty() for invalid input; perform this defensive check at the top of
the findByEmail method so redisTemplate.opsForValue().get(PASSWORD_RESET +
email) is never called with a null/empty key.
- Around line 19-21: The save method in RedisPasswordResetCodeRepository (public
void save(String email, String code)) lacks input validation; add checks to
ensure email and code are non-null and non-blank (trimmed) before calling
redisTemplate.opsForValue().set, and if validation fails throw an
IllegalArgumentException (or a custom BadRequest/ValidationException) with a
clear message so you never store keys like "PASSWORD_RESET:null" or perform
Redis ops on invalid inputs; validate both parameters at the top of save, trim
them, and only proceed to build the key and call opsForValue().set when they
pass validation.
- Around line 29-31: In RedisPasswordResetCodeRepository::delete, validate the
email parameter (null or blank) before using it to build the key; if email is
null/empty/blank, either throw an IllegalArgumentException with a clear message
or simply return without calling redisTemplate.delete to avoid a
NullPointerException—check the input at the start of the delete(String email)
method, reference the PASSWORD_RESET key prefix and redisTemplate.delete call,
and ensure consistent behavior with other repository methods (throw vs no-op) in
this class.

In
`@src/main/java/com/project/dorumdorum/domain/user/infra/repository/RedisPasswordResetVerifiedRepository.java`:
- Around line 15-16: The constants PASSWORD_RESET_VERIFIED, VERIFIED_VALUE and
the hardcoded TTL (10 minutes) in RedisPasswordResetVerifiedRepository should be
externalized to configuration; add properties (e.g.,
password-reset.verified.ttl-minutes, key-prefix, value) in application.yml,
inject them into RedisPasswordResetVerifiedRepository via a
`@ConfigurationProperties` or `@Value` fields (e.g., keyPrefix, ttlMinutes,
verifiedValue) replacing the static constants, and update save(String userId)
and all other methods that reference PASSWORD_RESET_VERIFIED/VERIFIED_VALUE to
use keyPrefix, verifiedValue and compute TTL from ttlMinutes when calling Redis
operations.
- Around line 19-21: The save method in RedisPasswordResetVerifiedRepository
accepts an email without validation which can cause NullPointerException or
create keys like "PASSWORD_RESET_VERIFIED:null"; update the save(String email)
method to validate the parameter (e.g., check for null or blank after trim using
Objects.requireNonNull and String.isBlank or a utility like
StringUtils.hasText), and if invalid throw an IllegalArgumentException (or
return early) with a clear message; ensure you use the validated/trimmed email
when building the key (PASSWORD_RESET_VERIFIED + email) so no invalid keys are
written to Redis.
- Around line 29-31: The delete method
(RedisPasswordResetVerifiedRepository.delete) currently calls
redisTemplate.delete(PASSWORD_RESET_VERIFIED + email) without validating the
email parameter; add a null/empty check for the email argument and handle
invalid input by either throwing an IllegalArgumentException with a clear
message or returning early so you don't concatenate a null and avoid
NullPointerException; locate the method and the constants
PASSWORD_RESET_VERIFIED and redisTemplate to implement the check before calling
redisTemplate.delete.
- Around line 24-26: In RedisPasswordResetVerifiedRepository.existsByEmail
validate the email parameter before calling redisTemplate.hasKey: check for null
or blank (e.g., using Objects.requireNonNull or StringUtils.hasText) and either
throw an IllegalArgumentException with a clear message or return false for
invalid input; then use the existing
Boolean.TRUE.equals(redisTemplate.hasKey(PASSWORD_RESET_VERIFIED +
email.trim())) pattern so the redis key lookup remains null-safe and uses a
trimmed email.

In
`@src/main/java/com/project/dorumdorum/domain/user/ui/SendPasswordResetEmailController.java`:
- Around line 16-22: Add rate limiting to the unauthenticated
SendPasswordResetEmailController.send flow to prevent abuse: before calling
sendPasswordResetEmailUseCase.send(email) check/record request counts for the
requesting IP and the target email (e.g. with a shared RateLimiterService or
cache-backed counters) and enforce limits and a cooldown window (reject with 429
when exceeded); ensure the controller consults methods like
RateLimiterService.allowByIp(ip) and allowByEmail(email) or a combined
token-bucket check and returns an appropriate HTTP 429 response instead of
invoking sendPasswordResetEmailUseCase.send when limits are hit.
- Around line 16-22: 컨트롤러 SendPasswordResetEmailController의 send 메서드가 현재
SendPasswordResetEmailUseCase.send 호출에서 발생하는
EMAIL_NOT_FOUND/INVALID_EMAIL_DOMAIN 예외에 따라 다른 오류(계정 존재 여부 노출)를 만들 수 있으니, send
내부에서 발생 가능한 예외를 잡아 HTTP 응답을 항상 동일하게 반환하도록 변경하세요:
SendPasswordResetEmailUseCase.send 호출을 try-catch로 감싸고 이메일이 존재하지 않거나 도메인이 유효하지 않은
경우에도 ResponseEntity.ok().build()를 반환하며 실제 실패 사유는 로깅만 하고 클라이언트에 노출하지 않도록 처리하고(예:
log.warn/error), 추가로 해당 엔드포인트에 대한 레이트리밋 적용 여부를 확인하거나 적용해 동일한 응답 정책이 다른 인증/계정 관련
엔드포인트에도 일관되도록 점검하세요.

In
`@src/main/java/com/project/dorumdorum/domain/user/ui/VerifyPasswordResetCodeController.java`:
- Around line 16-23: Change VerifyPasswordResetCodeController.verify to accept a
request body DTO instead of query params: create a
VerifyPasswordResetCodeRequest record (fields email and code with validation
annotations), update the controller method signature to take `@RequestBody`
VerifyPasswordResetCodeRequest request (and keep it as a POST endpoint), then
pass request.email() and request.code() into
verifyPasswordResetCodeUseCase.execute; also update any caller/tests to send
JSON body.

In `@src/main/resources/application-dev.yml`:
- Line 16: The current Hibernate property ddl-auto is set to "update", which
allows runtime schema changes; change the ddl-auto value from "update" back to
"validate" for development (or "create-drop" only in test environments) to
prevent unintended schema modifications, and instead add/configure a migration
tool (e.g., Flyway or Liquibase) in the project to manage schema changes via
explicit migration scripts; ensure any CI/deploy docs describe running
migrations before starting the app.

---

Outside diff comments:
In `@src/main/resources/application.yml`:
- Line 135: Replace the inconsistent camelCase property name pathPattern with
the kebab-case variant path-pattern to match the rest of the YAML keys; locate
the occurrence of pathPattern in the configuration (the property named
pathPattern) and rename it to path-pattern so property naming is consistent
across the file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 73c4d74e-6b1d-4052-85b1-c9b046f7d1ef

📥 Commits

Reviewing files that changed from the base of the PR and between 0c015be and 112797c.

📒 Files selected for processing (22)

• src/main/java/com/project/dorumdorum/domain/user/application/dto/request/ResetPasswordRequest.java
• src/main/java/com/project/dorumdorum/domain/user/application/usecase/ResetPasswordUseCase.java
• src/main/java/com/project/dorumdorum/domain/user/application/usecase/SendPasswordResetEmailUseCase.java
• src/main/java/com/project/dorumdorum/domain/user/application/usecase/SignUpUseCase.java
• src/main/java/com/project/dorumdorum/domain/user/application/usecase/VerifyEmailUseCase.java
• src/main/java/com/project/dorumdorum/domain/user/application/usecase/VerifyPasswordResetCodeUseCase.java
• src/main/java/com/project/dorumdorum/domain/user/domain/entity/User.java
• src/main/java/com/project/dorumdorum/domain/user/domain/repository/EmailVerifiedRepository.java
• src/main/java/com/project/dorumdorum/domain/user/domain/repository/PasswordResetCodeRepository.java
• src/main/java/com/project/dorumdorum/domain/user/domain/repository/PasswordResetVerifiedRepository.java
• src/main/java/com/project/dorumdorum/domain/user/infra/repository/RedisEmailVerifiedRepository.java
• src/main/java/com/project/dorumdorum/domain/user/infra/repository/RedisPasswordResetCodeRepository.java
• src/main/java/com/project/dorumdorum/domain/user/infra/repository/RedisPasswordResetVerifiedRepository.java
• src/main/java/com/project/dorumdorum/domain/user/ui/ResetPasswordController.java
• src/main/java/com/project/dorumdorum/domain/user/ui/SendPasswordResetEmailController.java
• src/main/java/com/project/dorumdorum/domain/user/ui/VerifyPasswordResetCodeController.java
• src/main/java/com/project/dorumdorum/domain/user/ui/spec/ResetPasswordApiSpec.java
• src/main/java/com/project/dorumdorum/domain/user/ui/spec/SendPasswordResetEmailApiSpec.java
• src/main/java/com/project/dorumdorum/domain/user/ui/spec/VerifyPasswordResetCodeApiSpec.java
• src/main/java/com/project/dorumdorum/global/exception/code/status/UserErrorStatus.java
• src/main/resources/application-dev.yml
• src/main/resources/application.yml