Yes, of course. You can improve easily by creating a fresh random password and mailing that to the user, and then store it encrypted.
No, please no!
(I know many websites do this.)
So everyone claiming "I am user X and I forgot my password" can now reset my password, and I am locked out and have to check my email.
The minimum password procedure should be: store an intermediate token, send the user a link with that token and then let them enter their new password. And that means, we need a new endpoint *and* a new database table probably. So it's not that trivial.
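The two-step flow the reply describes (a random token stored server-side, a link e-mailed to the user, and the password changed only when that link is used), as an added example that is not part of the original answer. The in-memory dicts stand in for the user and token tables, and the 15-minute token lifetime and the PBKDF2 password hash are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links are valid for 15 minutes

# Constructed stand-ins for the user table and the new reset-token table.
USERS = {"alice": {"email": "alice@example.com", "password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def hash_password(pw):
    # Example only: a real deployment would use a dedicated slow hash such as argon2 or bcrypt.
    salt = secrets.token_bytes(16)
    return salt.hex() + ":" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000).hex()


def request_reset(username):
    """Step 1: issue a random token, store only its hash, return the link for the mailer.

    The current password is NOT touched here, so a stranger requesting a reset
    cannot lock the real account owner out. The HTTP response to the requester
    should be identical whether or not the user exists; the link goes to the
    account's e-mail address only.
    """
    if username not in USERS:
        return None  # nothing to mail; the requester still sees the same "check your mail" page
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"user": username, "expires": time.time() + TOKEN_TTL_SECONDS}
    return f"https://example.com/reset?token={token}"


def complete_reset(token, new_password, now=None):
    """Step 2: the user follows the e-mailed link and submits a new password."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    # Single use: the record is consumed on the first attempt, valid or not.
    record = RESET_TOKENS.pop(token_hash, None)
    if record is None or record["expires"] < now:
        return False
    USERS[record["user"]]["password_hash"] = hash_password(new_password)
    return True
```

Storing only the hash of the token means a leaked copy of the token table cannot be used to complete a reset.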