fix: harden auth flows and align api contracts

Your Name
2026-05-30 21:29:24 +08:00
parent 7ad65a0138
commit a332917142
50 changed files with 23594 additions and 723 deletions


@@ -41,7 +41,7 @@ type ValidateResetTokenRequest struct {
// @Param request body ForgotPasswordRequest true "邮箱地址"
// @Success 200 {object} Response "密码重置邮件已发送"
// @Failure 400 {object} Response "请求参数错误"
// @Router /api/v1/auth/password/forgot [post]
// @Router /api/v1/auth/forgot-password [post]
func (h *PasswordResetHandler) ForgotPassword(c *gin.Context) {
var req struct {
Email string `json:"email" binding:"required"`
@@ -95,7 +95,7 @@ func (h *PasswordResetHandler) ValidateResetToken(c *gin.Context) {
// @Param request body ResetPasswordRequest true "重置请求"
// @Success 200 {object} Response "密码重置成功"
// @Failure 400 {object} Response "请求参数错误"
// @Router /api/v1/auth/password/reset [post]
// @Router /api/v1/auth/reset-password [post]
func (h *PasswordResetHandler) ResetPassword(c *gin.Context) {
var req struct {
Token string `json:"token" binding:"required"`
@@ -130,7 +130,7 @@ type ForgotPasswordByPhoneRequest struct {
// @Success 200 {object} Response "验证码发送成功"
// @Failure 400 {object} Response "请求参数错误"
// @Failure 503 {object} Response "短信服务未配置"
// @Router /api/v1/auth/password/sms/forgot [post]
// @Router /api/v1/auth/forgot-password/phone [post]
func (h *PasswordResetHandler) ForgotPasswordByPhone(c *gin.Context) {
if h.smsService == nil {
c.JSON(http.StatusServiceUnavailable, gin.H{"code": 503, "message": "SMS service not configured"})
@@ -187,7 +187,7 @@ type ResetPasswordByPhoneRequest struct {
// @Failure 400 {object} Response "请求参数错误"
// @Failure 401 {object} Response "验证码错误"
// @Failure 503 {object} Response "短信服务未配置"
// @Router /api/v1/auth/password/sms/reset [post]
// @Router /api/v1/auth/reset-password/phone [post]
func (h *PasswordResetHandler) ResetPasswordByPhone(c *gin.Context) {
var req ResetPasswordByPhoneRequest
if err := c.ShouldBindJSON(&req); err != nil {
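Review bot: The annotation `@Param request body ForgotPasswordRequest` above ForgotPassword documents a named type, but the handler binds an anonymous `var req struct { Email string ... binding:"required" }`, so the published contract and the validation actually enforced can drift apart. The same mismatch appears on ResetPassword (`ResetPasswordRequest` against an anonymous struct), whereas ResetPasswordByPhone binds the named `ResetPasswordByPhoneRequest`. If the named types carry the same fields, I would bind them directly (`var req ForgotPasswordRequest`) and check that the email field is validated for format as well as presence, for example `binding:"required,email"`. The four `@Router` edits touch only the Swagger comments, and the route registration is not in these hunks. Confirm that it uses the same paths and that the previous paths are not left mounted outside whatever rate limiting the reset endpoints have. All four handler bodies continue outside the hunks.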