@BoDonkey
Created September 14, 2022 19:14
password reset

TL;DR: Basically you have to implement a button in Vue that, when clicked, redirects to a page that collects the user's email and checks that they exist. Then you generate a (time-sensitive?) code that you send them by email. That email links to a third page which collects and error-checks the new password. If it checks out, the password is changed; otherwise an error is thrown.

Within an a2 project, the password reset code is primarily in node_modules/apostrophe/lib/modules/apostrophe-login. There is code in the index.js file, plus several HTML pages in that module's views folder. The passwordResetRequest.html file is the form for requesting a password change. The passwordReset.html file is the page where the user actually changes the password. The passwordResetEmail.html file is what is emailed to the user and would contain the link back to the passwordReset.html page.

Going forward, when we implement this in house we will do it with Vue.

With regard to the login.js file, there are multiple areas of code that deal with password resets. Part of it is used to force legacy users who have bad passwords to reset. You don't need to worry about that.

The first section is: https://github.com/apostrophecms/apostrophe/blob/2.0/lib/modules/apostrophe-login/index.js#L757 That section catches submission of the request form and sends the password reset email. That function is here: https://github.com/apostrophecms/apostrophe/blob/2.0/lib/modules/apostrophe-login/index.js#L1118

The next section catches the person coming in from the sent email: https://github.com/apostrophecms/apostrophe/blob/2.0/lib/modules/apostrophe-login/index.js#L797 If all is copacetic it allows them to submit the form, otherwise it throws an error. In the a2 version the reset code was given a finite lifetime. You may not want this.

The next section sets the password and throws errors: https://github.com/apostrophecms/apostrophe/blob/2.0/lib/modules/apostrophe-login/index.js#L839

I think that is all of it.
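
The three-step flow described above (request form, emailed code, password change), sketched as an added example; it is not Apostrophe's code or code from this gist. The function names, the in-memory user store, the one-hour lifetime and the 12-character minimum are assumptions.

```javascript
// Added example, not Apostrophe's code: names and the in-memory store are hypothetical.
const crypto = require('node:crypto');

const RESET_TTL_MS = 60 * 60 * 1000; // assumed one-hour lifetime for the reset code
const users = new Map(); // email -> user record, stands in for the user database
users.set('editor@example.test', { email: 'editor@example.test' }); // constructed sample user

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Step 1: the request form is submitted. Returns the code to email, or null.
function requestReset(email, now = Date.now()) {
  const user = users.get(email);
  // Unknown address: no code. The page shown to the visitor should be the
  // same in both cases so the form does not reveal which accounts exist.
  if (!user) return null;
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  user.resetHash = sha256(token); // store only a hash of the code
  user.resetExpires = now + RESET_TTL_MS;
  return token; // goes into the emailed link, never into the database
}

// Step 2: the user arrives from the emailed link.
function checkReset(email, token, now = Date.now()) {
  const user = users.get(email);
  if (!user || !user.resetHash || now > user.resetExpires) return false;
  // Both buffers are 32-byte digests, so the constant-time compare cannot throw.
  return crypto.timingSafeEqual(user.resetHash, sha256(String(token)));
}

// Step 3: validate the new password, set it, and invalidate the code.
function completeReset(email, token, newPassword, now = Date.now()) {
  if (!checkReset(email, token, now)) throw new Error('invalid or expired reset code');
  if (typeof newPassword !== 'string' || newPassword.length < 12) {
    throw new Error('password too short');
  }
  const user = users.get(email);
  user.salt = crypto.randomBytes(16);
  user.passwordHash = crypto.scryptSync(newPassword, user.salt, 32);
  delete user.resetHash; // single use: replaying the same link now fails
  delete user.resetExpires;
  return true;
}
```

The code is re-checked in step 3 rather than trusted from step 2, so a password change cannot be submitted without a valid, unexpired code.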
