Password reset flow not functional (endpoints exist but no email sending) #11

@gzark1

Description

Password reset endpoints exist but don't actually work because no email backend is configured. Users who forget their password have no way to recover their account.

Steps to Reproduce

  1. Call POST /auth/forgot-password with {"email": "user@example.com"}
  2. Response is 202 Accepted
  3. No email is sent - user never receives reset token
  4. User cannot complete password reset

Expected Behavior

User should receive an email with a reset link/token to change their password.

Actual Behavior

Endpoint accepts the request but no email is sent. Reset token is generated internally but never delivered.

Root Cause

fastapi-users provides password reset infrastructure but requires:

  1. Email backend configuration (SMTP, SendGrid, AWS SES, etc.)
  2. Implementation of on_after_forgot_password hook in UserManager to send emails
  3. Frontend UI for forgot-password and reset-password flows

None of these are implemented.

Files involved:

  • backend/api/auth.py:32-36 - mounts reset_password_router
  • backend/core/user_manager.py - missing on_after_forgot_password hook
  • frontend/ - no forgot-password or reset-password pages

Possible Solutions

  1. Option A: Implement full email-based password reset

    • Configure email backend (add SMTP/SendGrid credentials to .env)
    • Implement on_after_forgot_password hook to send reset emails
    • Add frontend pages for forgot-password and reset-password
  2. Option B: Remove/disable endpoints if not planning to implement

    • Don't mount get_reset_password_router() in auth.py
    • Document that password reset is not available
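
One way to implement the `on_after_forgot_password` hook from Option A, as an added example that is not code from this repository. The environment variable names, the reset URL and the `ResetMailMixin` class are assumptions; the mixin would be combined with the project's `UserManager`.

```python
import asyncio
import logging
import os
import smtplib
import ssl
from email.message import EmailMessage
from urllib.parse import urlencode

log = logging.getLogger("auth.reset")
# Assumed setting names (hypothetical); real values belong in .env.
RESET_URL = os.environ.get("FRONTEND_RESET_URL", "https://app.example.com/reset-password")
SMTP_HOST = os.environ.get("SMTP_HOST", "smtp.example.com")
SMTP_PORT = int(os.environ.get("SMTP_PORT", "587"))
SMTP_USER = os.environ.get("SMTP_USER", "")
SMTP_PASSWORD = os.environ.get("SMTP_PASSWORD", "")
MAIL_FROM = os.environ.get("MAIL_FROM", "no-reply@example.com")

def build_reset_email(to_addr: str, token: str) -> EmailMessage:
    """Build the reset mail; the token appears only in the link, URL-encoded."""
    if "\r" in to_addr or "\n" in to_addr:
        raise ValueError("invalid address")  # refuse header injection
    msg = EmailMessage()
    msg["From"] = MAIL_FROM
    msg["To"] = to_addr
    msg["Subject"] = "Reset your password"
    link = f"{RESET_URL}?{urlencode({'token': token})}"
    msg.set_content(f"Choose a new password:\n\n{link}\n\nIf you did not request this, ignore this email.\n")
    return msg

def send_reset_email(msg: EmailMessage) -> None:
    """Deliver over SMTP with STARTTLS and certificate verification."""
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=10) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        if SMTP_USER:
            smtp.login(SMTP_USER, SMTP_PASSWORD)
        smtp.send_message(msg)

class ResetMailMixin:
    """Hypothetical mixin for the UserManager; fastapi-users awaits this hook."""
    send = staticmethod(send_reset_email)  # swappable in tests

    async def on_after_forgot_password(self, user, token, request=None):
        try:
            msg = build_reset_email(user.email, token)
            await asyncio.to_thread(self.send, msg)  # keep SMTP off the event loop
        except Exception as exc:
            # Swallow delivery errors so the response does not depend on mail
            # delivery; log the user id and error type, never the token.
            log.error("reset mail failed for user id=%s (%s)", user.id, type(exc).__name__)
```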
