feat(auth): 'Passwort vergessen?'-Link im v2-Login-Modal

Klick öffnet /api/auth/forgot-password → 302 zur Keycloak-Reset-Page mit
client_id + redirect_uri (auf eigene Domain). Keycloak schickt Mail mit
Reset-Link, User setzt neues Passwort, kommt zurück.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/main.py

@@ -716,6 +716,25 @@ async def auth_login_url(request: Request, redirect: str = "/"):
     return {"enabled": True, "url": url}
 
 
+@app.get("/api/auth/forgot-password")
+async def auth_forgot_password(request: Request):
+    """Redirect zur Keycloak-Passwort-Reset-Seite (#143-Folge).
+
+    Keycloak bietet bei `resetPasswordAllowed=True` eine eigene Reset-Page,
+    die per Mail einen Link zum Passwort-Setzen schickt. Wir leiten direkt
+    dahin um statt eine eigene UI zu bauen.
+    """
+    from fastapi.responses import RedirectResponse
+    base = str(request.base_url).rstrip("/").replace("http://", "https://")
+    issuer = f"{settings.keycloak_url}/realms/{settings.keycloak_realm}"
+    target = (
+        f"{issuer}/login-actions/reset-credentials"
+        f"?client_id={settings.keycloak_client_id}"
+        f"&redirect_uri={base}/"
+    )
+    return RedirectResponse(url=target, status_code=302)
+
+
 @app.post("/api/auth/login")
 async def auth_direct_login(
     username: str = Form(...),

app/templates/v2/components/auth_modal.html

@@ -49,6 +49,10 @@
               style="padding:var(--space-3);background:var(--ecg-blue);color:#fff;border:none;border-radius:4px;cursor:pointer;font-family:var(--font-sans);font-size:0.95rem;font-weight:700;letter-spacing:0.04em;">
         Anmelden
       </button>
+      <a href="/api/auth/forgot-password" target="_blank" rel="noopener"
+         style="font-family:var(--font-mono);font-size:0.78rem;color:var(--ecg-blue);text-align:right;text-decoration:none;border-bottom:1px solid rgba(0,157,165,0.35);align-self:flex-end;">
+        Passwort vergessen?
+      </a>
     </form>
 
     <!-- Register Form -->