web/routes/reset.py

import secrets
from datetime import datetime, timezone, timedelta

from fastapi import APIRouter, Depends, Request
from fastapi.responses import HTMLResponse, RedirectResponse
from sqlalchemy.orm import Session

from web.auth.password import hash_password
from web.config import settings
from web.database import get_db
from web.models.user import User
from web.notifications.tasks import send_email_task
from web.templates_env import templates

router = APIRouter()


def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
    ctx["request"] = request
    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
    return templates.TemplateResponse(ctx.pop("request"), template, ctx)


@router.get("/forgot-password")
async def forgot_get(request: Request):
    return _render(request, "forgot_password.html", {"user": None})


@router.post("/forgot-password")
async def forgot_post(request: Request, db: Session = Depends(get_db)):
    form = await request.form()
    email = str(form.get("email", "")).strip()
    user = db.query(User).filter(User.email == email).first()
    if user:
        token = secrets.token_urlsafe(32)
        user.password_reset_token = token
        user.password_reset_expires = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(
            minutes=settings.PASSWORD_RESET_EXPIRE_MINUTES
        )
        db.commit()
        reset_url = f"{settings.BASE_URL}/reset-password?token={token}"
        html = f'<p>Сброс пароля: <a href="{reset_url}">{reset_url}</a></p>'
        send_email_task.delay(user.email, "Сброс пароля — ЭВОСИНК", html)
    # Always show same message to prevent user enumeration
    return _render(request, "message.html", {
        "user": None,
        "title": "Ссылка отправлена",
        "message": "Если указанный email зарегистрирован, вы получите ссылку для сброса пароля.",
        "link": "/login", "link_text": "Войти",
    })


@router.get("/reset-password")
async def reset_get(request: Request, db: Session = Depends(get_db)):
    token = request.query_params.get("token", "")
    user = db.query(User).filter(User.password_reset_token == token).first()
    if not user or not user.password_reset_expires or user.password_reset_expires < datetime.now(timezone.utc).replace(tzinfo=None):
        return _render(request, "message.html", {
            "user": None, "title": "Ссылка недействительна",
            "message": "Ссылка для сброса пароля устарела или недействительна.",
            "link": "/forgot-password", "link_text": "Запросить новую ссылку",
        })
    return _render(request, "reset_password.html", {"user": None, "token": token})


@router.post("/reset-password")
async def reset_post(request: Request, db: Session = Depends(get_db)):
    token = request.query_params.get("token", "")
    form = await request.form()
    password = str(form.get("password", ""))
    password_confirm = str(form.get("password_confirm", ""))
    errors = []

    user = db.query(User).filter(User.password_reset_token == token).first()
    if not user or not user.password_reset_expires or user.password_reset_expires < datetime.now(timezone.utc).replace(tzinfo=None):
        return _render(request, "message.html", {
            "user": None, "title": "Ссылка недействительна",
            "message": "Ссылка для сброса пароля устарела.",
            "link": "/forgot-password", "link_text": "Запросить новую ссылку",
        })

    if len(password) < 8:
        errors.append("Пароль должен содержать минимум 8 символов")
    if password != password_confirm:
        errors.append("Пароли не совпадают")

    if errors:
        return _render(request, "reset_password.html", {
            "user": None, "token": token, "errors": errors,
        })

    user.password_hash = hash_password(password)
    user.password_reset_token = None
    user.password_reset_expires = None
    db.commit()

    return _render(request, "message.html", {
        "user": None, "title": "Пароль изменён",
        "message": "Ваш пароль успешно изменён.",
        "link": "/login", "link_text": "Войти",
    })
-												feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:01:25 +03:00
+								import secrets
-												test: add test suite with 65 tests, 73% coverage

- Unit tests: password hashing, notification providers, webhook field parsing
- Integration tests: auth routes (register/login/confirm-email/logout),
  invite flow, Evotor webhooks (/user/create, /user/verify, /user/token),
  admin panel (access control, activate/suspend/delete/reset-password)
- conftest: SQLite in-memory engine, transactional sessions, factory-boy
  factories (UserFactory with UserRoleEnum variants)
- Fix bcrypt: replace passlib (broken on Python 3.14 + bcrypt 5.x) with
  direct bcrypt calls; drop passlib from requirements.txt
- Fix datetime.utcnow() deprecation across routes and tests
- Fix Jinja2 TemplateResponse signature (request as first positional arg)
- Add coverage config to pyproject.toml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:27:42 +03:00
+								from datetime import datetime, timezone, timedelta
-												feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:01:25 +03:00
 								from fastapi import APIRouter, Depends, Request
 								from fastapi.responses import HTMLResponse, RedirectResponse
 								from sqlalchemy.orm import Session
 								from web.auth.password import hash_password
 								from web.config import settings
 								from web.database import get_db
 								from web.models.user import User
 								from web.notifications.tasks import send_email_task
 								from web.templates_env import templates
 								router = APIRouter()
 								def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
 								    ctx["request"] = request
 								    ctx.setdefault("jivosite_widget_id", settings.JIVOSITE_WIDGET_ID)
-												test: add test suite with 65 tests, 73% coverage

- Unit tests: password hashing, notification providers, webhook field parsing
- Integration tests: auth routes (register/login/confirm-email/logout),
  invite flow, Evotor webhooks (/user/create, /user/verify, /user/token),
  admin panel (access control, activate/suspend/delete/reset-password)
- conftest: SQLite in-memory engine, transactional sessions, factory-boy
  factories (UserFactory with UserRoleEnum variants)
- Fix bcrypt: replace passlib (broken on Python 3.14 + bcrypt 5.x) with
  direct bcrypt calls; drop passlib from requirements.txt
- Fix datetime.utcnow() deprecation across routes and tests
- Fix Jinja2 TemplateResponse signature (request as first positional arg)
- Add coverage config to pyproject.toml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:27:42 +03:00
+								    return templates.TemplateResponse(ctx.pop("request"), template, ctx)
-												feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:01:25 +03:00
 								@router.get("/forgot-password")
 								async def forgot_get(request: Request):
 								    return _render(request, "forgot_password.html", {"user": None})
 								@router.post("/forgot-password")
 								async def forgot_post(request: Request, db: Session = Depends(get_db)):
 								    form = await request.form()
 								    email = str(form.get("email", "")).strip()
 								    user = db.query(User).filter(User.email == email).first()
 								    if user:
 								        token = secrets.token_urlsafe(32)
 								        user.password_reset_token = token
-												test: add test suite with 65 tests, 73% coverage

- Unit tests: password hashing, notification providers, webhook field parsing
- Integration tests: auth routes (register/login/confirm-email/logout),
  invite flow, Evotor webhooks (/user/create, /user/verify, /user/token),
  admin panel (access control, activate/suspend/delete/reset-password)
- conftest: SQLite in-memory engine, transactional sessions, factory-boy
  factories (UserFactory with UserRoleEnum variants)
- Fix bcrypt: replace passlib (broken on Python 3.14 + bcrypt 5.x) with
  direct bcrypt calls; drop passlib from requirements.txt
- Fix datetime.utcnow() deprecation across routes and tests
- Fix Jinja2 TemplateResponse signature (request as first positional arg)
- Add coverage config to pyproject.toml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:27:42 +03:00
+								        user.password_reset_expires = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(
-												feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:01:25 +03:00
+								            minutes=settings.PASSWORD_RESET_EXPIRE_MINUTES
 								        )
 								        db.commit()
 								        reset_url = f"{settings.BASE_URL}/reset-password?token={token}"
 								        html = f'<p>Сброс пароля: <a href="{reset_url}">{reset_url}</a></p>'
 								        send_email_task.delay(user.email, "Сброс пароля — ЭВОСИНК", html)
 								    # Always show same message to prevent user enumeration
 								    return _render(request, "message.html", {
 								        "user": None,
 								        "title": "Ссылка отправлена",
 								        "message": "Если указанный email зарегистрирован, вы получите ссылку для сброса пароля.",
 								        "link": "/login", "link_text": "Войти",
 								    })
 								@router.get("/reset-password")
 								async def reset_get(request: Request, db: Session = Depends(get_db)):
 								    token = request.query_params.get("token", "")
 								    user = db.query(User).filter(User.password_reset_token == token).first()
-												test: add test suite with 65 tests, 73% coverage

- Unit tests: password hashing, notification providers, webhook field parsing
- Integration tests: auth routes (register/login/confirm-email/logout),
  invite flow, Evotor webhooks (/user/create, /user/verify, /user/token),
  admin panel (access control, activate/suspend/delete/reset-password)
- conftest: SQLite in-memory engine, transactional sessions, factory-boy
  factories (UserFactory with UserRoleEnum variants)
- Fix bcrypt: replace passlib (broken on Python 3.14 + bcrypt 5.x) with
  direct bcrypt calls; drop passlib from requirements.txt
- Fix datetime.utcnow() deprecation across routes and tests
- Fix Jinja2 TemplateResponse signature (request as first positional arg)
- Add coverage config to pyproject.toml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:27:42 +03:00
+								    if not user or not user.password_reset_expires or user.password_reset_expires < datetime.now(timezone.utc).replace(tzinfo=None):
-												feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:01:25 +03:00
+								        return _render(request, "message.html", {
 								            "user": None, "title": "Ссылка недействительна",
 								            "message": "Ссылка для сброса пароля устарела или недействительна.",
 								            "link": "/forgot-password", "link_text": "Запросить новую ссылку",
 								        })
 								    return _render(request, "reset_password.html", {"user": None, "token": token})
 								@router.post("/reset-password")
 								async def reset_post(request: Request, db: Session = Depends(get_db)):
 								    token = request.query_params.get("token", "")
 								    form = await request.form()
 								    password = str(form.get("password", ""))
 								    password_confirm = str(form.get("password_confirm", ""))
 								    errors = []
 								    user = db.query(User).filter(User.password_reset_token == token).first()
-												test: add test suite with 65 tests, 73% coverage

- Unit tests: password hashing, notification providers, webhook field parsing
- Integration tests: auth routes (register/login/confirm-email/logout),
  invite flow, Evotor webhooks (/user/create, /user/verify, /user/token),
  admin panel (access control, activate/suspend/delete/reset-password)
- conftest: SQLite in-memory engine, transactional sessions, factory-boy
  factories (UserFactory with UserRoleEnum variants)
- Fix bcrypt: replace passlib (broken on Python 3.14 + bcrypt 5.x) with
  direct bcrypt calls; drop passlib from requirements.txt
- Fix datetime.utcnow() deprecation across routes and tests
- Fix Jinja2 TemplateResponse signature (request as first positional arg)
- Add coverage config to pyproject.toml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:27:42 +03:00
+								    if not user or not user.password_reset_expires or user.password_reset_expires < datetime.now(timezone.utc).replace(tzinfo=None):
-												feat: Evotor user lifecycle, RBAC, admin panel

- Receive Evotor webhooks: POST /user/create, /user/verify, /user/token
- Create users in pending status; match to existing users by email/phone
- Send invite link via Celery notification task; user sets password at /invite
- Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default
- Role-based access control: role enum on users + roles/permissions tables
- Admin panel: /admin/users (list, filter, search, paginate), user detail card
  with activate/suspend/reset-password/send-invite/edit/delete actions
- Admin roles management: /admin/roles with per-role permission assignment
- Extend user profile card: role, status, Evotor ID, email confirmation badge
- Auth routes: register, login, logout, confirm-email, forgot/reset password
- Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds)
- Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-28 12:01:25 +03:00
+								        return _render(request, "message.html", {
 								            "user": None, "title": "Ссылка недействительна",
 								            "message": "Ссылка для сброса пароля устарела.",
 								            "link": "/forgot-password", "link_text": "Запросить новую ссылку",
 								        })
 								    if len(password) < 8:
 								        errors.append("Пароль должен содержать минимум 8 символов")
 								    if password != password_confirm:
 								        errors.append("Пароли не совпадают")
 								    if errors:
 								        return _render(request, "reset_password.html", {
 								            "user": None, "token": token, "errors": errors,
 								        })
 								    user.password_hash = hash_password(password)
 								    user.password_reset_token = None
 								    user.password_reset_expires = None
 								    db.commit()
 								    return _render(request, "message.html", {
 								        "user": None, "title": "Пароль изменён",
 								        "message": "Ваш пароль успешно изменён.",
 								        "link": "/login", "link_text": "Войти",
 								    })