SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

On the email password recipe, is there support for allowing an admin to set a temporary password and forcing the user to update password on next login? We have this use case because some users struggle with the reset password flow due to aggressive spam filters etc. I guess setting the password is easy enough from the api, but recording the fact that the user has to reset password and rejecting all other api requests until it’s done would be something we have to enforce ourselves ?

that is correct. This is something you will have to customise on top of supertokens

We have an example of a similar flow here: https://supertokens.com/docs/emailpassword/common-customizations/disable-sign-up/emailpassword-changes