feat: account management — change email, password, and CLI reset (#10)

API: - PATCH /auth/me — update email and display name - PATCH /auth/me/password — change password (requires current) - GET /auth/me now returns full profile (email, full_name, role) CLI: - python -m src.cli.reset_password --email <email> --password <pw> for recovery when locked out (run via docker exec) Admin UI: - User menu dropdown on the top nav (click username → Account / Sign out) replaces the inline sign-out link - /account page with profile form (email + display name) and change password form (current + new + confirm)
2026-04-18 21:53:32 +01:00
parent 142e2373d3
commit d8e0a34e04
10 changed files with 484 additions and 21 deletions
--- a/apps/api/src/cli/reset_password.py
+++ b/apps/api/src/cli/reset_password.py
@@ -0,0 +1,67 @@
+"""Reset a user's password from the command line.
+
+Usage:
+    docker exec consentos-api python -m src.cli.reset_password \\
+        --email admin@example.com --password new-secret
+
+For use when the password has been forgotten and the admin UI is
+inaccessible. Connects directly to the database, so it must run
+inside a container (or host) that can reach PostgreSQL.
+"""
+
+from __future__ import annotations
+
+import argparse
+import sys
+
+import sqlalchemy as sa
+
+
+def _build_sync_url(async_url: str) -> str:
+    return async_url.replace("postgresql+asyncpg://", "postgresql://")
+
+
+def reset(email: str, password: str) -> bool:
+    """Reset the password for the given email. Returns True on success."""
+    from src.config.settings import get_settings
+    from src.services.auth import hash_password
+
+    settings = get_settings()
+    engine = sa.create_engine(_build_sync_url(settings.database_url))
+
+    with engine.begin() as conn:
+        result = conn.execute(
+            sa.text("SELECT id FROM users WHERE email = :email AND deleted_at IS NULL"),
+            {"email": email},
+        )
+        row = result.fetchone()
+        if row is None:
+            return False
+
+        conn.execute(
+            sa.text("UPDATE users SET password_hash = :pw, updated_at = NOW() WHERE id = :id"),
+            {"pw": hash_password(password), "id": str(row[0])},
+        )
+
+    return True
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Reset a user's password")
+    parser.add_argument("--email", required=True, help="User email address")
+    parser.add_argument("--password", required=True, help="New password")
+    args = parser.parse_args()
+
+    if len(args.password) < 8:
+        print("Error: password must be at least 8 characters", file=sys.stderr)
+        sys.exit(1)
+
+    if reset(args.email, args.password):
+        print(f"Password reset for {args.email}")
+    else:
+        print(f"Error: no active user found with email {args.email}", file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()