critical · Access Control · 2026-06-12 · 4 min read
IDOR to full account takeover via predictable UUIDv1
Time-based UUIDs leaked creation order; enumerating them exposed password-reset tokens for any user.
UUIDv1 encodes a timestamp and node id, so tokens issued close together are highly predictable. By harvesting a few reset tokens and interpolating, an attacker could mint a valid token for any account. Fix: use UUIDv4 (CSPRNG) for anything security-sensitive, and bind reset tokens to the user + a server-side secret.
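To make the finding and the fix concrete, here is an added example (not code from the original report or the affected service): an audit that flags already-issued tokens whose version nibble marks them as UUIDv1, reporting the timestamp and node id they carry, next to a hardened issuer that uses a CSPRNG nonce bound to the user and a server-side secret. The `SERVER_SECRET`, `user_id` and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import uuid


# Constructed stand-in for the vulnerable issuer: a time-based UUID as the reset token.
def weak_reset_token() -> str:
    return str(uuid.uuid1())


def audit_reset_tokens(tokens):
    """Defender-side check over tokens already issued: flag any that are UUIDv1.

    A v1 UUID carries its creation timestamp and the issuing host's node id, so a
    batch of them reveals issue order and shares one node; that is what made them
    guessable. Returns one finding per offending token.
    """
    findings = []
    for tok in tokens:
        u = uuid.UUID(tok)
        if u.version == 1:
            findings.append({"token": tok, "timestamp": u.time, "node": u.node})
    return findings


# Assumption: in production this is loaded from a secret store, not module state.
SERVER_SECRET = secrets.token_bytes(32)


def issue_reset_token(user_id: str):
    """Hardened issuer: CSPRNG nonce (UUIDv4), bound to the user and a server secret.

    The user receives only the nonce; the server stores the HMAC tag beside the
    user id. A nonce presented for a different user will not verify, and a leaked
    table of tags does not yield usable tokens.
    """
    nonce = str(uuid.uuid4())
    msg = f"{user_id}:{nonce}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return nonce, tag


def verify_reset_token(user_id: str, nonce: str, stored_tag: str) -> bool:
    """Recompute the binding for this user and compare in constant time."""
    msg = f"{user_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored_tag)
```

Running the audit over a handful of `weak_reset_token()` outputs shows non-decreasing timestamps and a shared node, while UUIDv4 tokens produce no findings.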