feat: Add password reset functionality

server/alembic/versions/2026_01_19_1200-add_password_reset_token_table.py

@@ -0,0 +1,45 @@
+# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========
+
+"""add_password_reset_token_table
+
+Revision ID: add_password_reset_token
+Revises: add_timestamp_to_chat_step
+Create Date: 2026-01-19 12:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = "add_password_reset_token"
+down_revision: Union[str, None] = "add_timestamp_to_chat_step"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """No-op.
+
+    The password_reset_token flow is no longer used.
+    """
+    pass
+
+
+def downgrade() -> None:
+    """No-op."""
+    pass

server/app/controller/user/password_reset_controller.py

@@ -0,0 +1,65 @@
+# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========
+
+import logging
+
+from fastapi import APIRouter, Depends
+from fastapi_babel import _
+from sqlmodel import Session, col
+
+from app.component import code
+from app.component.database import session
+from app.component.encrypt import password_hash
+from app.exception.exception import UserException
+from app.model.user.password_reset import (
+    DirectResetPasswordRequest,
+)
+from app.model.user.user import User
+
+logger = logging.getLogger("server_password_reset_controller")
+
+router = APIRouter(tags=["Password Reset"])
+
+
+@router.post("/reset-password-direct", name="reset password directly")
+async def reset_password_direct(
+    data: DirectResetPasswordRequest,
+    session: Session = Depends(session),
+):
+    """
+    Reset password directly without token verification.
+    This endpoint is for Full Local Deployment only where email verification is not needed.
+    The password is updated directly in the local Docker database.
+    Password validation is handled by Pydantic model.
+    """
+    # Find the user by email
+    user = User.by(User.email == data.email, col(User.deleted_at).is_(None), s=session).one_or_none()
+
+    if not user:
+        logger.warning("Direct password reset failed: user not found")
+        raise UserException(code.error, _("User with this email not found"))
+
+    # Update password
+    user.password = password_hash(data.new_password)
+    user.save(session)
+
+    logger.info(
+        "Direct password reset successful",
+        extra={"user_id": user.id}
+    )
+
+    return {
+        "status": "success",
+        "message": "Password has been reset successfully. You can now log in with your new password.",
+    }

server/app/model/user/password_reset.py

@@ -0,0 +1,46 @@
+# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ========= Copyright 2025-2026 @ Eigent.ai All Rights Reserved. =========
+
+from pydantic import BaseModel, EmailStr, field_validator, model_validator
+
+
+class DirectResetPasswordRequest(BaseModel):
+    """Request model for direct password reset (local deployment only)."""
+    email: EmailStr
+    new_password: str
+    confirm_password: str
+
+    @field_validator("new_password")
+    @classmethod
+    def validate_password_strength(cls, v: str) -> str:
+        """Validate password meets strength requirements."""
+        if len(v) < 8:
+            raise ValueError("Password must be at least 8 characters long")
+
+        has_letter = any(c.isalpha() for c in v)
+        has_number = any(c.isdigit() for c in v)
+
+        if not has_letter:
+            raise ValueError("Password must contain at least one letter")
+        if not has_number:
+            raise ValueError("Password must contain at least one number")
+
+        return v
+
+    @model_validator(mode="after")
+    def validate_passwords_match(self):
+        """Validate that new_password and confirm_password match."""
+        if self.new_password != self.confirm_password:
+            raise ValueError("Passwords do not match")
+        return self