feat: password authentication

[Ubisoft-potato]

Password Authentication Implementation

Summary

• Implement password authentication feature for Bucketeer
• Add password setup and reset functionality with email notifications
• Support multiple email providers (SendGrid, SES, SMTP)

key Changes

• Authentication API: Added password setup, reset, and update endpoints
• Email Service: Integrated SendGrid, SES, and SMTP for password notifications
• Database: Added account credentials table for password storage
• Configuration: Added password auth configuration with customizable templates
• Security: Implemented password validation and secure token handling

Password Setup Workflow

• New User Account Creation Workflow

  flowchart TD
      A[Admin Creates New User Account] --> B[System Creates Account in
  Database]
      B --> C[System Generates Password Setup Token]
      C --> D[System Sends Setup Email to User]
      D --> E[User Clicks Email Link]
      E --> F[User Sets New Password]
      F --> G[Password Setup Complete]

      style C fill:#e8f5e8
      style D fill:#fff3e0

Loading

Process:

1. Admin creates a new user account through the admin interface
2. System automatically creates the account and generates a secure setup token
3. Setup email with token link is sent to the new user
4. User clicks the link and sets their password
5. User can now login with email/password

• Existing OAuth User Password Setup Workflow

  flowchart TD
      A[User Logs in via OAuth] --> B[System Checks if User Has Password]
      B --> C{Has Password?}
      C -->|Yes| D[Login Complete - No Action Needed]
      C -->|No| E[System Generates Password Setup Token]
      E --> F[System Sends Setup Email to User]
      F --> G[User Clicks Email Link]
      G --> H[User Sets New Password]
      H --> I[User Now Has Both OAuth + Password Login]

      style E fill:#e8f5e8
      style F fill:#fff3e0

Loading

Process:

1. Existing OAuth user (Google/GitHub) logs in successfully
2. System checks if user already has password credentials
3. If no password exists, system generates setup token and sends email
4. User optionally sets up password for alternative login method
5. User can now login via OAuth OR email/password

Password Setup page workflow

  sequenceDiagram
      participant User
      participant Frontend
      participant Backend

      Note over User, Backend: User receives setup email with setupToken
      User->>Frontend: Clicks setup link with setupToken
      Frontend->>Backend: POST /v1/auth/password/setup/validate
      Note right of Frontend: Body: {"setupToken": "xyz"}
      Backend-->>Frontend: 200 OK with {"isValid": true, "email": "user@example.com"}

      alt Token Valid
          Frontend->>User: Show password setup form with email
          User->>Frontend: Enters new password
          Frontend->>Backend: POST /v1/auth/password/setup
          Note right of Frontend: Body: {"setupToken": "xyz", "newPassword": "newpass"}
          Backend-->>Frontend: 200 OK or 400 Bad Request

          alt Setup Success
              Frontend->>User: Show success message
              Frontend->>Frontend: Redirect to login page
          else Setup Failed
              Frontend->>User: Show error message and keep form open
          end
      else Token Invalid
          Frontend->>User: Show "Invalid Token" error
      end

Loading

[cre8ivejp]

We don't need to do this in this PR, but we will need to implement the password and google authentication as a setting in the organization settings.
So, the user can select the authentication types that are allowed in their organization.

When inviting a new user, we will need a flow for typing the new password when accessing the console for the first time, too.

[cre8ivejp]

Since we support multiple languages, we need it in the templates.

[Ubisoft-potato]

Oh, let me implement it.

[Ubisoft-potato]

I added ja and en language email template for now.

[cre8ivejp]

We are implementing password authentication to replace the old implementation.
We will also need to update the initialization scripts for the dev container and docker-compose so we can access the console when deploying.

[Ubisoft-potato]

Yes, I already implemented it, when web service started, it will create demo user's demo password to database.

[cre8ivejp]

@Ubisoft-potato, can you update the PR's description to show the whole flow using Mermaid?
That will make it much easier to visualize how it works.

[Ubisoft-potato]

@Ubisoft-potato, can you update the PR's description to show the whole flow using Mermaid? That will make it much easier to visualize how it works.

Sure, I will show the whole workflow using Mermaid!

[Ubisoft-potato]

@Ubisoft-potato, can you update the PR's description to show the whole flow using Mermaid? That will make it much easier to visualize how it works.

@cre8ivejp I had updated the description with the detailed worflow, please take a look.

[hvn2k1]

@Ubisoft-potato thank you for your great work 💯
I haven't fully reviewed your pr yet but left some comments