
[6.x] Stop auto-logging in users after password reset#14454

Merged
jasonvarga merged 2 commits into 6.x from no-login-after-pw-reset
Apr 7, 2026

Conversation

@jasonvarga (Member) commented Apr 7, 2026

Summary

  • Remove the $this->guard()->login($user) call from ResetsPasswords::resetPassword() so users are no longer automatically logged in after resetting their password.
  • Override redirectPath() in the CP ResetPasswordController to redirect to the CP login page.
  • Add status flash handling to HandleInertiaRequests so the "password has been reset" message displays as a toast on the CP login page.
  • Remove the window.location.href reload in Reset.vue's onSuccess callback that was causing a double page load (wiping the flash message). This was necessary before because the user would get logged in and we needed a full reload when entering the control panel.
  • Front-end resets redirect to the redirectPath() (from the form's redirect parameter, or site root) unauthenticated.

This avoids needing special handling for 2FA and passkey-enforced login — the user just logs in normally after resetting their password, and auth checks (2FA, passkeys) happen naturally through the login flow.

Replaces #14449

Test plan

  • Added tests/Auth/ResetPasswordTest.php covering:
    • Password is changed and user is NOT authenticated afterward (CP and web)
    • CP resets redirect to the CP login page
    • Front-end resets redirect to redirect URL or site root
    • 2FA-enabled users get the same behavior
    • Passkey users with allow_password_login_with_passkey=false get the same behavior
  • Manually test CP password reset flow — should see toast on login page
  • Manually test front-end password reset flow — should redirect unauthenticated

🤖 Generated with Claude Code
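The behaviour the summary describes, as an added illustration in PHP (not code from this PR or from Statamic): a reset controller whose `resetPassword()` override omits the trait's `$this->guard()->login($user)` call and whose `redirectPath()` sends the user to the login page, so 2FA and passkey checks run through the normal login flow. The namespace, class name and the `login` route name are assumptions; the trait and helper calls are Laravel's.

```php
<?php
// Added illustration, not the project's own code. Modelled on Laravel's
// ResetsPasswords trait (laravel/ui); namespace, class and route name are assumed.

namespace App\Http\Controllers\Auth;

use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class ResetPasswordController extends Controller
{
    use ResetsPasswords;

    // Invoked by the trait's reset() once the broker has validated the token.
    // The trait's default ends with $this->guard()->login($user); that line is
    // deliberately absent here so a reset never yields an authenticated session.
    protected function resetPassword($user, $password)
    {
        $user->password = Hash::make($password);

        // Rotate the remember token so "remember me" cookies issued before the
        // reset stop working (a reset commonly follows a suspected compromise).
        $user->setRememberToken(Str::random(60));
        $user->save();

        event(new PasswordReset($user));

        // No login here: the user signs in normally, so 2FA and passkey
        // enforcement are applied by the login flow rather than bypassed.
    }

    // The trait redirects here (with the "password has been reset" status
    // flashed) after a successful reset. Pointing it at the login page keeps
    // the user unauthenticated until they complete a normal login.
    public function redirectPath()
    {
        return route('login'); // assumed route name
    }
}
```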

Instead of logging users in after a password reset, redirect them to
the login page (CP) or the redirect path (front-end) unauthenticated.
This avoids needing special handling for 2FA and passkey-enforced login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rd reset

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jasonvarga jasonvarga marked this pull request as ready for review April 7, 2026 19:12
@jasonvarga jasonvarga merged commit 12d13f7 into 6.x Apr 7, 2026
19 checks passed
@jasonvarga jasonvarga deleted the no-login-after-pw-reset branch April 7, 2026 19:30