Hotfix: add logged-out password reset flow

2026-03-02 20:44:58 +13:00
parent 9c69d9fd17
commit 5f2dc52771
11 changed files with 943 additions and 7 deletions
--- a/backend/app/services/invite_email.py
+++ b/backend/app/services/invite_email.py
@@ -537,3 +537,63 @@ async def send_test_email(recipient_email: Optional[str] = None) -> Dict[str, st
    if warning:
        result["warning"] = warning
    return result
+
+
+async def send_password_reset_email(
+    *,
+    recipient_email: str,
+    username: str,
+    token: str,
+    expires_at: str,
+    auth_provider: str,
+) -> Dict[str, str]:
+    ready, detail = smtp_email_config_ready()
+    if not ready:
+        raise RuntimeError(detail)
+
+    resolved_email = _normalize_email(recipient_email)
+    if not resolved_email:
+        raise RuntimeError("No valid recipient email is available for password reset.")
+
+    app_url = _build_default_base_url()
+    reset_url = f"{app_url}/reset-password?token={token}"
+    provider_label = "Jellyfin, Seerr, and Magent" if auth_provider == "jellyfin" else "Magent"
+    subject = f"{env_settings.app_name} password reset"
+    body_text = (
+        f"A password reset was requested for {username}.\n\n"
+        f"This link will reset the password used for {provider_label}.\n"
+        f"Reset link: {reset_url}\n"
+        f"Expires: {expires_at}\n\n"
+        "If you did not request this reset, you can ignore this email.\n"
+    )
+    body_html = (
+        f"<h1>{html.escape(env_settings.app_name)} password reset</h1>"
+        f"<p>A password reset was requested for <strong>{html.escape(username)}</strong>.</p>"
+        f"<p>This link will reset the password used for <strong>{html.escape(provider_label)}</strong>.</p>"
+        f"<p><a href=\"{html.escape(reset_url)}\">Reset password</a></p>"
+        f"<p><strong>Expires:</strong> {html.escape(expires_at)}</p>"
+        "<p>If you did not request this reset, you can ignore this email.</p>"
+    )
+
+    await asyncio.to_thread(
+        _send_email_sync,
+        recipient_email=resolved_email,
+        subject=subject,
+        body_text=body_text,
+        body_html=body_html,
+    )
+    logger.info(
+        "Password reset email sent: username=%s recipient=%s provider=%s",
+        username,
+        resolved_email,
+        auth_provider,
+    )
+    result = {
+        "recipient_email": resolved_email,
+        "subject": subject,
+        "reset_url": reset_url,
+    }
+    warning = smtp_email_delivery_warning()
+    if warning:
+        result["warning"] = warning
+    return result