> Why people are still hand rolling common stuff like this is baffling to me

Don't most systems hand roll their own password reset? Using any backend tech, I mean. This isn't crypto, where hand rolling your own solution is almost always a mistake.