From 7a64335e64575c2b9ffefa1c638e0080e15b728d Mon Sep 17 00:00:00 2001
From: Dotty Dotter <dotty@Mac-mini-von-Dotty.local>
Date: Tue, 28 Apr 2026 00:21:02 +0200
Subject: [PATCH] feat(auth): 'Passwort vergessen?'-Link im v2-Login-Modal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Klick öffnet /api/auth/forgot-password → 302 zur Keycloak-Reset-Page mit
client_id + redirect_uri (auf eigene Domain). Keycloak schickt Mail mit
Reset-Link, User setzt neues Passwort, kommt zurück.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 app/main.py                                 | 19 +++++++++++++++++++
 app/templates/v2/components/auth_modal.html |  4 ++++
 2 files changed, 23 insertions(+)

diff --git a/app/main.py b/app/main.py
index 37b2476..b1799e9 100644
--- a/app/main.py
+++ b/app/main.py
@@ -716,6 +716,25 @@ async def auth_login_url(request: Request, redirect: str = "/"):
     return {"enabled": True, "url": url}
 
 
+@app.get("/api/auth/forgot-password")
+async def auth_forgot_password(request: Request):
+    """Redirect zur Keycloak-Passwort-Reset-Seite (#143-Folge).
+
+    Keycloak bietet bei `resetPasswordAllowed=True` eine eigene Reset-Page,
+    die per Mail einen Link zum Passwort-Setzen schickt. Wir leiten direkt
+    dahin um statt eine eigene UI zu bauen.
+    """
+    from fastapi.responses import RedirectResponse
+    base = str(request.base_url).rstrip("/").replace("http://", "https://")
+    issuer = f"{settings.keycloak_url}/realms/{settings.keycloak_realm}"
+    target = (
+        f"{issuer}/login-actions/reset-credentials"
+        f"?client_id={settings.keycloak_client_id}"
+        f"&redirect_uri={base}/"
+    )
+    return RedirectResponse(url=target, status_code=302)
+
+
 @app.post("/api/auth/login")
 async def auth_direct_login(
     username: str = Form(...),
diff --git a/app/templates/v2/components/auth_modal.html b/app/templates/v2/components/auth_modal.html
index 8240d07..28b40b5 100644
--- a/app/templates/v2/components/auth_modal.html
+++ b/app/templates/v2/components/auth_modal.html
@@ -49,6 +49,10 @@
               style="padding:var(--space-3);background:var(--ecg-blue);color:#fff;border:none;border-radius:4px;cursor:pointer;font-family:var(--font-sans);font-size:0.95rem;font-weight:700;letter-spacing:0.04em;">
         Anmelden
       </button>
+      <a href="/api/auth/forgot-password" target="_blank" rel="noopener"
+         style="font-family:var(--font-mono);font-size:0.78rem;color:var(--ecg-blue);text-align:right;text-decoration:none;border-bottom:1px solid rgba(0,157,165,0.35);align-self:flex-end;">
+        Passwort vergessen?
+      </a>
     </form>
 
     <!-- Register Form -->