feat: user management — admin create, password reset, archive/delete, quick invite

Phase 1: must_change_password enforcement + change password endpoint/page Phase 2: Admin user creation (M365-style) with temp password Phase 3: Password reset (self-service forgot + admin-triggered) Phase 4: User archive (soft delete) + hard delete with precheck Phase 5: Quick invite from admin Users page Also fixes: - Auto-create subscription for accounts missing one - Hard delete precheck ignores sole-member personal accounts - Seed script patches tree nodes for validation compliance Migrations: 031 (must_change_password), 032 (password_reset_tokens), 033 (user soft delete) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 01:42:51 -05:00
parent b8f25f19eb
commit ad59446332
32 changed files with 3064 additions and 38 deletions
--- a/backend/app/core/email.py
+++ b/backend/app/core/email.py
@@ -51,6 +51,76 @@ class EmailService:
            return False


+    @staticmethod
+    async def send_password_reset_email(
+        to_email: str,
+        reset_url: str,
+    ) -> bool:
+        if not settings.email_enabled:
+            logger.warning("Email not sent — RESEND_API_KEY not configured")
+            return False
+
+        try:
+            import resend
+
+            resend.api_key = settings.RESEND_API_KEY
+
+            subject = "Reset Your Password — ResolutionFlow"
+
+            html = _render_password_reset_html(reset_url=reset_url)
+
+            resend.Emails.send(
+                {
+                    "from": settings.FROM_EMAIL,
+                    "to": [to_email],
+                    "subject": subject,
+                    "html": html,
+                }
+            )
+            logger.info("Password reset email sent to %s", to_email)
+            return True
+
+        except Exception:
+            logger.exception("Failed to send password reset email to %s", to_email)
+            return False
+
+    @staticmethod
+    async def send_welcome_email(
+        to_email: str,
+        temp_password: str,
+        login_url: str = "https://resolutionflow.com/login",
+    ) -> bool:
+        if not settings.email_enabled:
+            logger.warning("Email not sent — RESEND_API_KEY not configured")
+            return False
+
+        try:
+            import resend
+
+            resend.api_key = settings.RESEND_API_KEY
+
+            subject = "Welcome to ResolutionFlow — Your Account Is Ready"
+
+            html = _render_welcome_html(
+                temp_password=temp_password,
+                login_url=login_url,
+            )
+
+            resend.Emails.send(
+                {
+                    "from": settings.FROM_EMAIL,
+                    "to": [to_email],
+                    "subject": subject,
+                    "html": html,
+                }
+            )
+            logger.info("Welcome email sent to %s", to_email)
+            return True
+
+        except Exception:
+            logger.exception("Failed to send welcome email to %s", to_email)
+            return False
+
    @staticmethod
    async def send_account_invite_email(
        to_email: str,
@@ -189,3 +259,78 @@ def _render_account_invite_html(
 </td></tr>
 </table>
 </body></html>"""
+
+
+def _render_welcome_html(
+    temp_password: str,
+    login_url: str,
+) -> str:
+    return f"""<!DOCTYPE html>
+<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width"></head>
+<body style="margin:0;padding:0;background:#000;font-family:'Inter',Helvetica,Arial,sans-serif;">
+<table width="100%" cellpadding="0" cellspacing="0" style="background:#000;padding:40px 0;">
+<tr><td align="center">
+<table width="560" cellpadding="0" cellspacing="0" style="background:#111;border:1px solid rgba(255,255,255,0.06);border-radius:16px;">
+  <tr><td style="padding:40px 40px 24px;text-align:center;">
+    <h1 style="margin:0;color:#fff;font-size:24px;font-weight:600;">ResolutionFlow</h1>
+    <p style="margin:8px 0 0;color:#a0a0a0;font-size:14px;">Decision Tree Platform for MSP Professionals</p>
+  </td></tr>
+  <tr><td style="padding:0 40px 24px;">
+    <p style="margin:0;color:#e0e0e0;font-size:16px;line-height:1.6;">
+      Your account has been created. Use the temporary password below to sign in.
+      You will be asked to change it on first login.
+    </p>
+  </td></tr>
+  <tr><td style="padding:0 40px 24px;text-align:center;">
+    <div style="background:#000;border:1px solid rgba(255,255,255,0.1);border-radius:12px;padding:20px;">
+      <p style="margin:0 0 4px;color:#a0a0a0;font-size:12px;text-transform:uppercase;letter-spacing:1px;">Temporary Password</p>
+      <p style="margin:0;color:#fff;font-size:20px;font-weight:700;letter-spacing:2px;font-family:monospace;">{temp_password}</p>
+    </div>
+  </td></tr>
+  <tr><td style="padding:0 40px 32px;text-align:center;">
+    <a href="{login_url}" style="display:inline-block;background:#fff;color:#000;font-size:16px;font-weight:600;text-decoration:none;padding:14px 40px;border-radius:8px;">
+      Sign In
+    </a>
+  </td></tr>
+  <tr><td style="padding:0 40px 32px;">
+    <p style="margin:0;color:#666;font-size:12px;text-align:center;">
+      For security, please change your password immediately after signing in.
+    </p>
+  </td></tr>
+</table>
+</td></tr>
+</table>
+</body></html>"""
+
+
+def _render_password_reset_html(reset_url: str) -> str:
+    return f"""<!DOCTYPE html>
+<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width"></head>
+<body style="margin:0;padding:0;background:#000;font-family:'Inter',Helvetica,Arial,sans-serif;">
+<table width="100%" cellpadding="0" cellspacing="0" style="background:#000;padding:40px 0;">
+<tr><td align="center">
+<table width="560" cellpadding="0" cellspacing="0" style="background:#111;border:1px solid rgba(255,255,255,0.06);border-radius:16px;">
+  <tr><td style="padding:40px 40px 24px;text-align:center;">
+    <h1 style="margin:0;color:#fff;font-size:24px;font-weight:600;">ResolutionFlow</h1>
+    <p style="margin:8px 0 0;color:#a0a0a0;font-size:14px;">Decision Tree Platform for MSP Professionals</p>
+  </td></tr>
+  <tr><td style="padding:0 40px 24px;">
+    <p style="margin:0;color:#e0e0e0;font-size:16px;line-height:1.6;">
+      We received a request to reset your password. Click the button below to choose a new password.
+      This link expires in 30 minutes.
+    </p>
+  </td></tr>
+  <tr><td style="padding:0 40px 32px;text-align:center;">
+    <a href="{reset_url}" style="display:inline-block;background:#fff;color:#000;font-size:16px;font-weight:600;text-decoration:none;padding:14px 40px;border-radius:8px;">
+      Reset Your Password
+    </a>
+  </td></tr>
+  <tr><td style="padding:0 40px 32px;">
+    <p style="margin:0;color:#666;font-size:12px;text-align:center;">
+      If you didn't request this, you can safely ignore this email. Your password will not be changed.
+    </p>
+  </td></tr>
+</table>
+</td></tr>
+</table>
+</body></html>"""