feat: add user groups, password reset, email notifications, API keys,…#2

Merged: stakach merged 2 commits into master from feat/v2 on Jan 13, 2026

Conversation

naqvis (Contributor) commented Dec 18, 2025

New Features

User Groups

  • Organize users within organizations with permission levels (Admin, Manager, User, Viewer)
  • Automatic "Administrators" group created for each organization
  • Group membership management with group admin roles
  • Invite users to groups via email (auto-adds to organization if needed)

Password Reset

  • Email-based password reset flow with secure tokens
  • Token expiration and single-use validation
  • New /auth/forgot-password and /auth/reset-password pages

Email Notifications

  • SMTP integration for transactional emails
  • Password reset emails
  • Organization and group invite emails
  • Mailpit added to docker-compose for local development

API Key Authentication

  • Bearer token authentication (Authorization: Bearer sk_...)
  • Scoped permissions per key
  • Optional expiration dates
  • Secure key hashing (raw key shown only once)

Audit Logging

  • Track user actions: login, logout, org/member changes
  • Captures IP address and user agent
  • Queryable audit trail per organization

Health Check Endpoints

  • GET /health - Basic health status
  • GET /health/live - Liveness probe
  • GET /health/ready - Readiness probe (checks database)

User Profile Page

  • View account information
  • Manage settings at /profile

UI Improvements

  • Organizations page: Search, pagination, sorting, responsive design
  • Dashboard: Modern layout with quick actions and account info cards
  • Landing page: Redesigned with feature highlights
  • Login page: Added "Forgot password?" link

Technical Changes

  • Added email shard for SMTP support
  • New database migrations:
    • groups, group_users, group_invites
    • audit_logs, api_keys, password_reset_tokens
    • Full-text search with tsvector
  • Enhanced permission checking with group-based access control
  • Pagination helper with Link headers and X-Total-Count
  • Updated OpenAPI spec with all new endpoints

naqvis requested a review from stakach December 18, 2025 04:47

stakach (Member) left a comment

Looking great!
@naqvis I would obscure the password reset token in the database.

Similar to what we do here:
https://github.com/PlaceOS/models/blob/master/src/placeos-models/api_key.cr#L59

That will improve security significantly - bcrypt, like we do for the users' password, is probably more secure again.
What do you think?

naqvis (Contributor, Author) commented Jan 12, 2026

Good call! 👍

I'll implement this following the API key pattern with HMAC-SHA512:

  • Split storage: id + hashed_secret
  • Return full token (id.secret) only on creation
  • Hash before storing, verify on lookup
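The split-storage scheme described in the comment above, as an added example written in Ruby (it is not the project's Crystal code, nor the PlaceOS api_key.cr implementation linked earlier). It assumes the HMAC key is a server-side secret loaded from configuration, and uses an in-memory hash as a stand-in for the password_reset_tokens table; it also covers the expiry and single-use checks from the PR description.

```ruby
require "openssl"
require "securerandom"

# Server-side HMAC key; assumed to be loaded from config in a real deployment
# (constructed placeholder value for this example).
HMAC_KEY = "example-server-side-key"

# One row of the password_reset_tokens table: id is the lookup key, only the
# HMAC-SHA512 of the secret is stored, and used_at enforces single use.
class PasswordResetToken
  attr_reader :id, :hashed_secret, :expires_at, :used_at
  def initialize(id, hashed_secret, expires_at)
    @id, @hashed_secret, @expires_at, @used_at = id, hashed_secret, expires_at, nil
  end
  def self.hash_secret(secret)
    OpenSSL::HMAC.hexdigest("SHA512", HMAC_KEY, secret)
  end
  # Constant-time comparison so a mismatch leaks no timing signal.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  def used?; !@used_at.nil?; end
  def mark_used!(now); @used_at = now; end
end

# In-memory stand-in for the database table (constructed for the example).
class TokenStore
  def initialize; @rows = {}; end
  def fetch(id); @rows[id]; end

  # Issue a token. The full "id.secret" string is returned exactly once, here;
  # the raw secret is never persisted.
  def create(ttl_seconds:, now: Time.now)
    id, secret = SecureRandom.hex(8), SecureRandom.urlsafe_base64(32)
    @rows[id] = PasswordResetToken.new(id, PasswordResetToken.hash_secret(secret), now + ttl_seconds)
    "#{id}.#{secret}"
  end

  # Verify and consume: unknown id, wrong secret, expired, or already used all return nil.
  def consume(token, now: Time.now)
    id, secret = token.to_s.split(".", 2)
    row = secret ? fetch(id) : nil
    return nil if row.nil? || row.used? || now >= row.expires_at
    return nil unless PasswordResetToken.secure_equal?(PasswordResetToken.hash_secret(secret), row.hashed_secret)
    row.mark_used!(now)
    id
  end
end
```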

naqvis requested a review from stakach January 13, 2026 02:22

stakach (Member) left a comment

LGTM

stakach merged commit 05c00e6 into master Jan 13, 2026 (1 check passed)
stakach deleted the feat/v2 branch January 13, 2026 02:27