PHP

What requirements should the form for restoring access to your account meet?

I am writing a site from scratch, which has a form for reminding the username and password from the account (the username and password cannot be changed as planned). Now I am finishing a page that requires you to specify the mail to which the account is registered, with the logic that an email with a login and password will be sent to this mail, as well as a link to the site authorization page. Thinking about what the recovery page should contain and what is its logic of work?
Today there is:
1. A field for entering mail.
2. Captcha input field + captcha images + captcha update button via AJAX.
3. Button for sending data.
Initially, the button for sending data is inactive (the disabled attribute is assigned). When a new character is entered (JQuery keyup event) or focus is lost (focusout), the value of the captcha text field is sent by an AJAX request to the PHP script that processes the value. When the expected value is equal to the actual value, that is, some value is returned, the captcha input field is highlighted in green, otherwise red. At the same time, when the correct captcha is entered, a flag variable is defined in the PHP session (array), signaling that the captcha was entered correctly.
A similar principle applies to the mail input field. If the field value is similar in format to the postal address, then a similar session element is also set. When either mail or captcha is successfully installed, it checks if the second part is successfully installed and then the submit button is unlocked, otherwise a block is set.
I also thought about it and decided to add a table of users to MySQL, from whom the mail field is read for sending data for recovery, the field with the last letter sent. So, if the sending is made and recorded in the database, then you can try to restore the data only after 10 minutes. This is done in order not to exceed the mail limit via the PHP mail function.
After successfully sending the data, the browser goes to the authorization page with a notification about the successful sending of mail. If not successful - on the same recovery page, a message simply appears that there is no account from such mail. If the sending limit is reached, it also goes to the recovery page with a corresponding notification.

So, the question is, did I program the logic correctly and take into account everything necessary for such a page?