Wire up ConsoleEmailSender and send confirmation/reset emails

- Register ConsoleEmailSender as IAppEmailSender in both API and WebApp
- API Register endpoint now sends confirmation email via IAppEmailSender
- API ForgotPassword endpoint now sends reset email via IAppEmailSender
- WebApp ForgotPassword endpoint now sends reset email via IAppEmailSender
- In dev: emails appear in Aspire structured logs with clickable links
- In prod: swap ConsoleEmailSender for SmtpEmailSender

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

src/SentenceStudio.Api/Auth/AuthEndpoints.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
 using SentenceStudio.Data;
+using SentenceStudio.Services;
 using SentenceStudio.Shared.Models;
 
 namespace SentenceStudio.Api.Auth;
@@ -24,7 +25,9 @@ public static WebApplication MapAuthEndpoints(this WebApplication app)
     private static async Task<IResult> Register(
         RegisterRequest request,
         UserManager<ApplicationUser> userManager,
-        ApplicationDbContext db)
+        ApplicationDbContext db,
+        IAppEmailSender emailSender,
+        HttpContext httpContext)
     {
         var user = new ApplicationUser
         {
@@ -55,12 +58,15 @@ private static async Task<IResult> Register(
         await userManager.UpdateAsync(user);
         await db.SaveChangesAsync();
 
-        // Generate email confirmation token
+        // Generate email confirmation token and send confirmation email
         var token = await userManager.GenerateEmailConfirmationTokenAsync(user);
-        // In production, send the confirmation link via IEmailSender.
-        // For development, the token is generated but email sending is a no-op.
+        var encodedToken = Uri.EscapeDataString(token);
+        var baseUrl = $"{httpContext.Request.Scheme}://{httpContext.Request.Host}";
+        var confirmUrl = $"{baseUrl}/api/auth/confirm-email?userId={user.Id}&token={encodedToken}";
+
+        await emailSender.SendConfirmationLinkAsync(user, request.Email, confirmUrl);
 
-        return Results.Ok(new { message = "Check your email to confirm your account." });
+        return Results.Ok(new { message = "Check your email to confirm your account.", userId = user.Id });
     }
 
     private static async Task<IResult> Login(
@@ -178,14 +184,19 @@ private static async Task<IResult> ConfirmEmail(
 
     private static async Task<IResult> ForgotPassword(
         ForgotPasswordRequest request,
-        UserManager<ApplicationUser> userManager)
+        UserManager<ApplicationUser> userManager,
+        IAppEmailSender emailSender,
+        HttpContext httpContext)
     {
         var user = await userManager.FindByEmailAsync(request.Email);
         if (user is not null)
         {
             var token = await userManager.GeneratePasswordResetTokenAsync(user);
-            // In production, send this token via email.
-            // Always return 200 to prevent user enumeration.
+            var encodedToken = Uri.EscapeDataString(token);
+            var baseUrl = $"{httpContext.Request.Scheme}://{httpContext.Request.Host}";
+            var resetUrl = $"{baseUrl}/Account/ResetPassword?email={Uri.EscapeDataString(request.Email)}&token={encodedToken}";
+
+            await emailSender.SendPasswordResetLinkAsync(user, request.Email, resetUrl);
         }
 
         return Results.Ok(new { message = "If that email is registered, a reset link has been sent." });

src/SentenceStudio.Api/Program.cs

@@ -98,6 +98,10 @@
 
 builder.Services.AddScoped<JwtTokenService>();
 
+// Email sender — ConsoleEmailSender logs to Aspire structured logs in development;
+// swap for SmtpEmailSender in production.
+builder.Services.AddSingleton<IAppEmailSender, ConsoleEmailSender>();
+
 builder.Services.AddScoped<ITenantContext, TenantContext>();
 
 // CORS — basic policies for known callers.

src/SentenceStudio.WebApp/Auth/AccountEndpoints.cs

@@ -1,6 +1,7 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
+using SentenceStudio.Services;
 using SentenceStudio.Shared.Models;
 
 namespace SentenceStudio.WebApp.Auth;
@@ -91,15 +92,19 @@ public static void MapAccountEndpoints(this WebApplication app)
 
         group.MapPost("/ForgotPassword", async (
             [FromForm] string email,
-            UserManager<ApplicationUser> userManager) =>
+            UserManager<ApplicationUser> userManager,
+            IAppEmailSender emailSender,
+            HttpContext httpContext) =>
         {
             var user = await userManager.FindByEmailAsync(email);
             if (user is not null)
             {
-                // In production, send the reset token via email.
-                // For now, just redirect with a confirmation message.
                 var token = await userManager.GeneratePasswordResetTokenAsync(user);
-                // TODO: Send email with reset link containing token
+                var encodedToken = Uri.EscapeDataString(token);
+                var baseUrl = $"{httpContext.Request.Scheme}://{httpContext.Request.Host}";
+                var resetUrl = $"{baseUrl}/Account/ResetPassword?email={Uri.EscapeDataString(email)}&token={encodedToken}";
+
+                await emailSender.SendPasswordResetLinkAsync(user, email, resetUrl);
             }
 
             // Always redirect to avoid email enumeration

src/SentenceStudio.WebApp/Program.cs

@@ -116,6 +116,10 @@
 
 builder.Services.AddAuthorization();
 
+// Email sender — ConsoleEmailSender logs to Aspire structured logs in development;
+// swap for SmtpEmailSender in production.
+builder.Services.AddSingleton<IAppEmailSender, ConsoleEmailSender>();
+
 builder.Services.AddSingleton<IPreferencesService>(_ => new WebPreferencesService(preferencesPath));
 builder.Services.AddSingleton<ISecureStorageService, WebSecureStorageService>();
 builder.Services.AddSingleton<IConnectivityService, WebConnectivityService>();