feat: add password reset ("forgot password") flow

Add a self-service password reset to the login flow:

- Login page now shows a "Passwort vergessen?" link under the password field
- New /forgot-password page requests a reset email by address
- New /reset-password page sets a new password from an emailed token
- Backend: POST /auth/forgot-password and /auth/reset-password with
  dedicated rate limiters; tokens stored as SHA-256 hashes with a 1h expiry
- Generic responses avoid leaking account existence or SMTP/SSO state;
  SSO-only accounts are skipped
- New sendPasswordResetEmail mailer + email/auth i18n keys (de + en)
- DB migration: reset_token_hash, reset_token_expires, reset_requested_at

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/config/mailer.js

@@ -92,6 +92,50 @@ export async function sendVerificationEmail(to, name, verifyUrl, appName = 'Redl
   });
 }
 
+/**
+ * Send a password reset email with a clickable link.
+ * @param {string} to        - recipient email
+ * @param {string} name      - user's display name
+ * @param {string} resetUrl  - full password reset URL
+ * @param {string} appName   - branding app name (default "Redlight")
+ * @param {string} lang      - language code
+ */
+export async function sendPasswordResetEmail(to, name, resetUrl, appName = 'Redlight', lang = 'en') {
+  if (!transporter) {
+    throw new Error('SMTP not configured');
+  }
+
+  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
+  const headerAppName = sanitizeHeaderValue(appName);
+  const safeName = escapeHtml(name);
+
+  await transporter.sendMail({
+    from: `"${headerAppName}" <${from}>`,
+    to,
+    subject: t(lang, 'email.resetPassword.subject', { appName: headerAppName }),
+    html: `
+      <div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
+        <h2 style="color:#cba6f7;margin-top:0;">${t(lang, 'email.greeting', { name: safeName })}</h2>
+        <p>${t(lang, 'email.resetPassword.intro')}</p>
+        <p style="text-align:center;margin:28px 0;">
+          <a href="${resetUrl}"
+             style="display:inline-block;background:#cba6f7;color:#1e1e2e;padding:12px 32px;border-radius:8px;text-decoration:none;font-weight:bold;">
+            ${t(lang, 'email.resetPassword.button')}
+          </a>
+        </p>
+        <p style="font-size:13px;color:#7f849c;">
+          ${t(lang, 'email.linkHint')}<br/>
+          <a href="${resetUrl}" style="color:#89b4fa;word-break:break-all;">${escapeHtml(resetUrl)}</a>
+        </p>
+        <p style="font-size:13px;color:#7f849c;">${t(lang, 'email.resetPassword.validity')}</p>
+        <hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
+        <p style="font-size:12px;color:#585b70;">${t(lang, 'email.resetPassword.footer')}</p>
+      </div>
+    `,
+    text: `${t(lang, 'email.greeting', { name })}\n\n${t(lang, 'email.resetPassword.intro')}\n${resetUrl}\n\n${t(lang, 'email.resetPassword.validity')}\n\n- ${appName}`,
+  });
+}
+
 /**
  * Send a federation meeting invitation email.
  * @param {string} to          - recipient email