feat: password reset (endpoints forgot/reset, email service, migration colonnes)

alembic/versions/add_password_reset_columns.py

@@ -0,0 +1,29 @@
+"""add password reset columns to users
+
+Revision ID: add_password_reset
+Revises: add_ner_extraction
+Create Date: 2026-06-24 00:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = 'add_password_reset'
+down_revision: Union[str, None] = 'add_ner_extraction'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column('users', sa.Column('reset_password_token', sa.String(), nullable=True))
+    op.add_column('users', sa.Column('reset_password_token_expires', sa.DateTime(), nullable=True))
+    op.create_index(op.f('ix_users_reset_password_token'), 'users', ['reset_password_token'], unique=False)
+
+
+def downgrade() -> None:
+    op.drop_index(op.f('ix_users_reset_password_token'), table_name='users')
+    op.drop_column('users', 'reset_password_token_expires')
+    op.drop_column('users', 'reset_password_token')

app/api/auth.py

@@ -3,10 +3,11 @@ Authentication API endpoints - ÉTAPE 3 COMPLÈTE
 This module handles user registration, login, and token generation.
 """
 
-from fastapi import APIRouter, Depends, status, HTTPException, Header
+from fastapi import APIRouter, Depends, status, HTTPException, Header, BackgroundTasks
 from sqlalchemy.orm import Session
 from typing import Optional
-from datetime import datetime
+from datetime import datetime, timedelta
+import secrets
 
 from app.core.security import (
     get_password_hash,
@@ -16,8 +17,14 @@ from app.core.security import (
     ACCESS_TOKEN_EXPIRE_MINUTES,
 )
 from app.core.dependencies import get_db, get_current_user, log_activity
-from app.schemas.user import UserCreate, UserLogin, UserResponse, Token, TokenData
+from app.schemas.user import (
+    UserCreate, UserLogin, UserResponse, Token, TokenData,
+    ForgotPasswordRequest, ResetPasswordRequest, MessageResponse,
+)
 from app.models.models import User, UserRole as DBUserRole
+from app.services.email import send_password_reset_email
+
+PASSWORD_RESET_TOKEN_EXPIRE_HOURS = 2
 
 
 router = APIRouter(prefix="/api/auth", tags=["authentication"])
@@ -132,6 +139,55 @@ async def login(user_login: UserLogin, db: Session = Depends(get_db)) -> Token:
     )
 
 
+@router.post("/forgot-password", response_model=MessageResponse)
+async def forgot_password(
+    request: ForgotPasswordRequest,
+    background_tasks: BackgroundTasks,
+    db: Session = Depends(get_db),
+) -> MessageResponse:
+    """
+    Request a password reset link.
+    Always returns the same message to avoid email enumeration.
+    """
+    user = db.query(User).filter(User.email == request.email).first()
+    if user:
+        token = secrets.token_urlsafe(32)
+        user.reset_password_token = token
+        user.reset_password_token_expires = datetime.utcnow() + timedelta(hours=PASSWORD_RESET_TOKEN_EXPIRE_HOURS)
+        db.commit()
+        background_tasks.add_task(send_password_reset_email, user.email, token)
+    return MessageResponse(
+        message="Si un compte existe avec cet email, un lien de réinitialisation a été envoyé."
+    )
+
+
+@router.post("/reset-password", response_model=MessageResponse)
+async def reset_password(
+    request: ResetPasswordRequest,
+    db: Session = Depends(get_db),
+) -> MessageResponse:
+    """
+    Reset password using a valid reset token.
+    """
+    user = db.query(User).filter(User.reset_password_token == request.token).first()
+    if not user or not user.reset_password_token_expires:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Lien de réinitialisation invalide ou expiré."
+        )
+    if datetime.utcnow() > user.reset_password_token_expires:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Lien de réinitialisation invalide ou expiré."
+        )
+    user.hashed_password = get_password_hash(request.new_password)
+    user.reset_password_token = None
+    user.reset_password_token_expires = None
+    db.commit()
+    log_activity(db, "auth.reset_password", user_id=user.id, detail=f"Mot de passe réinitialisé pour {user.email}")
+    return MessageResponse(message="Mot de passe réinitialisé avec succès.")
+
+
 @router.get("/me", response_model=UserResponse)
 async def get_me(
     current_user: User = Depends(get_current_user),

app/models/models.py

@@ -40,6 +40,8 @@ class User(Base):
     role = Column(Enum(UserRole), default=UserRole.recruiter, nullable=False)
     is_active = Column(Boolean, default=True, nullable=False)
     created_at = Column(DateTime, default=datetime.utcnow, nullable=False)
+    reset_password_token = Column(String, nullable=True, index=True)
+    reset_password_token_expires = Column(DateTime, nullable=True)
 
     # Relationships
     job_criteria = relationship("JobCriteria", back_populates="recruiter")

app/schemas/user.py

@@ -46,3 +46,16 @@ class UserResponse(BaseModel):
 
     class Config:
         from_attributes = True
+
+
+class ForgotPasswordRequest(BaseModel):
+    email: EmailStr
+
+
+class ResetPasswordRequest(BaseModel):
+    token: str
+    new_password: str = Field(..., min_length=6)
+
+
+class MessageResponse(BaseModel):
+    message: str

app/services/email.py

@@ -0,0 +1,80 @@
+import os
+import smtplib
+import asyncio
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+from functools import partial
+
+
+SMTP_HOST = os.getenv("SMTP_HOST", "smtp.gmail.com")
+SMTP_PORT = int(os.getenv("SMTP_PORT", "587"))
+SMTP_USER = os.getenv("SMTP_USER", "")
+SMTP_PASSWORD = os.getenv("SMTP_PASSWORD", "")
+SMTP_FROM_EMAIL = os.getenv("SMTP_FROM_EMAIL", SMTP_USER)
+SMTP_FROM_NAME = os.getenv("SMTP_FROM_NAME", "AI Talent Finder")
+FRONTEND_URL = os.getenv("FRONTEND_URL", "http://localhost:3000")
+
+
+def _send_email_sync(to_email: str, subject: str, html_body: str) -> None:
+    msg = MIMEMultipart("alternative")
+    msg["Subject"] = subject
+    msg["From"] = f"{SMTP_FROM_NAME} <{SMTP_FROM_EMAIL}>"
+    msg["To"] = to_email
+    msg.attach(MIMEText(html_body, "html"))
+
+    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as server:
+        server.ehlo()
+        server.starttls()
+        server.login(SMTP_USER, SMTP_PASSWORD)
+        server.sendmail(SMTP_FROM_EMAIL, to_email, msg.as_string())
+
+
+async def send_email(to_email: str, subject: str, html_body: str) -> None:
+    loop = asyncio.get_event_loop()
+    await loop.run_in_executor(None, partial(_send_email_sync, to_email, subject, html_body))
+
+
+async def send_password_reset_email(to_email: str, reset_token: str) -> None:
+    reset_url = f"{FRONTEND_URL}/auth/reset-password?token={reset_token}"
+    subject = "Réinitialisation de votre mot de passe – AI Talent Finder"
+    html_body = f"""
+    <!DOCTYPE html>
+    <html lang="fr">
+    <head><meta charset="UTF-8"></head>
+    <body style="font-family: Arial, sans-serif; background: #f8fafc; padding: 40px 0;">
+      <div style="max-width: 520px; margin: 0 auto; background: #fff; border-radius: 16px;
+                  border: 1px solid #e2e8f0; padding: 40px;">
+        <div style="text-align: center; margin-bottom: 32px;">
+          <div style="display: inline-block; background: linear-gradient(135deg, #4f46e5, #6366f1);
+                      border-radius: 12px; padding: 12px 16px;">
+            <span style="color: #fff; font-weight: 800; font-size: 18px;">AI Talent Finder</span>
+          </div>
+        </div>
+        <h2 style="color: #0f172a; font-size: 22px; margin: 0 0 12px;">
+          Réinitialisation de votre mot de passe
+        </h2>
+        <p style="color: #475569; font-size: 15px; line-height: 1.6; margin: 0 0 28px;">
+          Nous avons reçu une demande de réinitialisation du mot de passe associé à votre compte
+          <strong>{to_email}</strong>. Cliquez sur le bouton ci-dessous pour choisir un nouveau mot de passe.
+        </p>
+        <div style="text-align: center; margin-bottom: 28px;">
+          <a href="{reset_url}"
+             style="display: inline-block; background: linear-gradient(135deg, #4f46e5, #6366f1);
+                    color: #fff; text-decoration: none; padding: 14px 32px;
+                    border-radius: 10px; font-weight: 700; font-size: 15px;">
+            Réinitialiser mon mot de passe
+          </a>
+        </div>
+        <p style="color: #94a3b8; font-size: 13px; line-height: 1.6; margin: 0 0 8px;">
+          Ce lien est valable pendant <strong>2 heures</strong>. Si vous n'avez pas fait cette demande,
+          ignorez simplement cet email.
+        </p>
+        <hr style="border: none; border-top: 1px solid #e2e8f0; margin: 24px 0;">
+        <p style="color: #cbd5e1; font-size: 12px; text-align: center; margin: 0;">
+          &copy; 2026 AI Talent Finder. Tous droits réservés.
+        </p>
+      </div>
+    </body>
+    </html>
+    """
+    await send_email(to_email, subject, html_body)