@agenticmail/enterprise 0.5.293 → 0.5.295

package/src/auth/routes.ts

@@ -298,7 +298,8 @@ export function createAuthRoutes(
       token,
       refreshToken,
       csrf,
-      user: { id: user.id, email: user.email, name: user.name, role: user.role },
+      user: { id: user.id, email: user.email, name: user.name, role: user.role, totpEnabled: !!user.totpEnabled },
+      mustResetPassword: !!user.mustResetPassword,
     });
   });
 
@@ -356,11 +357,113 @@ export function createAuthRoutes(
       token,
       refreshToken,
       csrf,
-      user: { id: user.id, email: user.email, name: user.name, role: user.role },
+      user: { id: user.id, email: user.email, name: user.name, role: user.role, totpEnabled: true },
+      mustResetPassword: !!user.mustResetPassword,
       ...(backupUsed ? { warning: 'Backup code used. You have fewer backup codes remaining.' } : {}),
     });
   });
 
+  // ─── Self-Service Password Reset (email + 2FA) ─────────
+
+  auth.post('/reset-password-self', async (c) => {
+    const { email, totpCode, newPassword } = await c.req.json();
+    if (!email || !newPassword) {
+      return c.json({ error: 'Email and new password are required' }, 400);
+    }
+    if (typeof newPassword !== 'string' || newPassword.length < 8) {
+      return c.json({ error: 'Password must be at least 8 characters' }, 400);
+    }
+
+    const user = await db.getUserByEmail(email);
+    if (!user) {
+      // Don't reveal whether email exists
+      return c.json({ error: 'If this email exists with 2FA enabled, a reset will be processed' }, 200);
+    }
+
+    // If user has 2FA, require code
+    if (user.totpEnabled && user.totpSecret) {
+      if (!totpCode) {
+        return c.json({ has2fa: true, message: 'Enter your 2FA code to reset password' });
+      }
+      const valid = await verifyTotp(user.totpSecret, totpCode.replace(/\s/g, ''));
+      if (!valid) {
+        // Try backup codes
+        let backupValid = false;
+        if (user.totpBackupCodes) {
+          try {
+            const { default: bcrypt } = await import('bcryptjs');
+            const codes: string[] = JSON.parse(user.totpBackupCodes);
+            for (let i = 0; i < codes.length; i++) {
+              if (await bcrypt.compare(totpCode.toUpperCase().replace(/\s/g, ''), codes[i])) {
+                codes.splice(i, 1);
+                await db.updateUser(user.id, { totpBackupCodes: JSON.stringify(codes) } as any);
+                backupValid = true;
+                break;
+              }
+            }
+          } catch { /* ignore */ }
+        }
+        if (!backupValid) {
+          return c.json({ error: 'Invalid 2FA code' }, 401);
+        }
+      }
+    } else {
+      // No 2FA — cannot self-reset
+      return c.json({ no2fa: true, error: 'Two-factor authentication is not enabled on this account. Please contact your organization administrator to reset your password.' }, 403);
+    }
+
+    // Reset password
+    const { default: bcrypt } = await import('bcryptjs');
+    const passwordHash = await bcrypt.hash(newPassword, 12);
+    try {
+      await (db as any).pool.query(
+        'UPDATE users SET password_hash = $1, must_reset_password = FALSE, updated_at = NOW() WHERE id = $2',
+        [passwordHash, user.id]
+      );
+    } catch {
+      const edb = (db as any).db;
+      if (edb?.prepare) edb.prepare('UPDATE users SET password_hash = ?, must_reset_password = 0, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(passwordHash, user.id);
+    }
+
+    return c.json({ ok: true, message: 'Password reset successfully. You can now sign in.' });
+  });
+
+  // ─── Force Password Reset (authenticated, must-reset users) ──
+
+  auth.post('/force-reset-password', async (c) => {
+    const token = await extractToken(c);
+    if (!token) return c.json({ error: 'Authentication required' }, 401);
+
+    let userId: string;
+    try {
+      const { jwtVerify } = await import('jose');
+      const secret = new TextEncoder().encode(jwtSecret);
+      const { payload } = await jwtVerify(token, secret);
+      userId = payload.sub as string;
+    } catch {
+      return c.json({ error: 'Invalid session' }, 401);
+    }
+
+    const { newPassword } = await c.req.json();
+    if (!newPassword || typeof newPassword !== 'string' || newPassword.length < 8) {
+      return c.json({ error: 'Password must be at least 8 characters' }, 400);
+    }
+
+    const { default: bcrypt } = await import('bcryptjs');
+    const passwordHash = await bcrypt.hash(newPassword, 12);
+    try {
+      await (db as any).pool.query(
+        'UPDATE users SET password_hash = $1, must_reset_password = FALSE, updated_at = NOW() WHERE id = $2',
+        [passwordHash, userId]
+      );
+    } catch {
+      const edb = (db as any).db;
+      if (edb?.prepare) edb.prepare('UPDATE users SET password_hash = ?, must_reset_password = 0, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(passwordHash, userId);
+    }
+
+    return c.json({ ok: true });
+  });
+
   // ─── 2FA Setup (authenticated users) ───────────────────
 
   auth.post('/2fa/setup', async (c) => {

package/src/dashboard/app.js

@@ -94,6 +94,12 @@ function App() {
   const [user, setUser] = useState(null);
   const [pendingCount, setPendingCount] = useState(0);
   const [permissions, setPermissions] = useState('*'); // '*' = full access, or { pageId: true | ['tab1','tab2'] }
+  const [mustResetPassword, setMustResetPassword] = useState(false);
+  const [show2faReminder, setShow2faReminder] = useState(false);
+  const [forceResetPw, setForceResetPw] = useState('');
+  const [forceResetPw2, setForceResetPw2] = useState('');
+  const [forceResetLoading, setForceResetLoading] = useState(false);
+  const [forceResetError, setForceResetError] = useState('');
   const [needsSetup, setNeedsSetup] = useState(null);
   const [sidebarPinned, setSidebarPinned] = useState(() => localStorage.getItem('em_sidebar_pinned') === 'true');
   const [sidebarHovered, setSidebarHovered] = useState(false);
@@ -150,7 +156,54 @@ function App() {
 
   if (!authChecked) return h('div', { style: { minHeight: '100vh', display: 'flex', alignItems: 'center', justifyContent: 'center', background: 'var(--bg-primary)', color: 'var(--text-muted)' } }, 'Loading...');
   if (needsSetup === true && !authed) return h(OnboardingWizard, { onComplete: () => { setNeedsSetup(false); setAuthed(true); authCall('/me').then(d => { setUser(d.user || d); }).catch(() => {}); } });
-  if (!authed) return h(LoginPage, { onLogin: (d) => { setAuthed(true); if (d?.user) setUser(d.user); } });
+  if (!authed) return h(LoginPage, { onLogin: (d) => {
+    setAuthed(true);
+    if (d?.user) { setUser(d.user); if (!d.user.totpEnabled) setShow2faReminder(true); }
+    if (d?.mustResetPassword) setMustResetPassword(true);
+  } });
+
+  // Force password reset modal
+  const doForceReset = async () => {
+    if (forceResetPw !== forceResetPw2) { setForceResetError('Passwords do not match'); return; }
+    if (forceResetPw.length < 8) { setForceResetError('Password must be at least 8 characters'); return; }
+    setForceResetLoading(true); setForceResetError('');
+    try {
+      await authCall('/force-reset-password', { method: 'POST', body: JSON.stringify({ newPassword: forceResetPw }) });
+      setMustResetPassword(false);
+      toast('Password updated successfully', 'success');
+    } catch (e) { setForceResetError(e.message); }
+    setForceResetLoading(false);
+  };
+
+  if (mustResetPassword) {
+    return h('div', { style: { minHeight: '100vh', display: 'flex', alignItems: 'center', justifyContent: 'center', background: 'var(--bg-primary)', padding: 20 } },
+      h('div', { style: { maxWidth: 420, width: '100%', background: 'var(--bg-secondary)', borderRadius: 12, padding: 32, border: '1px solid var(--border)' } },
+        h('div', { style: { textAlign: 'center', marginBottom: 24 } },
+          h('div', { style: { width: 48, height: 48, borderRadius: '50%', background: 'var(--warning-soft, rgba(245,158,11,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', margin: '0 auto 12px' } },
+            h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--warning, #f59e0b)', strokeWidth: 2, strokeLinecap: 'round' },
+              h('path', { d: 'M12 9v4m0 4h.01M21 12a9 9 0 1 1-18 0 9 9 0 0 1 18 0z' })
+            )
+          ),
+          h('h2', { style: { fontSize: 18, fontWeight: 700 } }, 'Password Reset Required'),
+          h('p', { style: { color: 'var(--text-muted)', fontSize: 13, marginTop: 4 } }, 'Your administrator created this account with a temporary password. Please set a new password to continue.')
+        ),
+        h('div', { style: { display: 'flex', flexDirection: 'column', gap: 12 } },
+          h('div', null,
+            h('label', { style: { fontSize: 12, fontWeight: 600, color: 'var(--text-secondary)', display: 'block', marginBottom: 4 } }, 'New Password'),
+            h('input', { className: 'input', type: 'password', value: forceResetPw, onChange: (e) => setForceResetPw(e.target.value), placeholder: 'Min 8 characters', autoFocus: true })
+          ),
+          h('div', null,
+            h('label', { style: { fontSize: 12, fontWeight: 600, color: 'var(--text-secondary)', display: 'block', marginBottom: 4 } }, 'Confirm Password'),
+            h('input', { className: 'input', type: 'password', value: forceResetPw2, onChange: (e) => setForceResetPw2(e.target.value), placeholder: 'Confirm new password', onKeyDown: (e) => { if (e.key === 'Enter') doForceReset(); } })
+          ),
+          forceResetError && h('div', { style: { color: 'var(--danger)', fontSize: 12 } }, forceResetError),
+          h('button', { className: 'btn btn-primary', onClick: doForceReset, disabled: forceResetLoading || !forceResetPw || !forceResetPw2, style: { width: '100%', justifyContent: 'center', marginTop: 4 } },
+            forceResetLoading ? 'Updating...' : 'Set New Password'
+          )
+        )
+      )
+    );
+  }
 
   const nav = [
     { section: 'Overview', items: [{ id: 'dashboard', icon: I.dashboard, label: 'Dashboard' }] },
@@ -279,6 +332,16 @@ function App() {
           )
         ),
         h('div', { className: 'page-content' },
+          // 2FA recommendation banner
+          show2faReminder && h('div', { style: { display: 'flex', alignItems: 'center', gap: 12, padding: '10px 16px', margin: '0 0 16px', background: 'var(--warning-soft, rgba(245,158,11,0.1))', border: '1px solid var(--warning, #f59e0b)', borderRadius: 8, fontSize: 13 } },
+            I.shield(),
+            h('div', { style: { flex: 1 } },
+              h('strong', null, 'Enable Two-Factor Authentication'),
+              h('span', { style: { color: 'var(--text-secondary)', marginLeft: 6 } }, 'Protect your account and enable self-service password reset.')
+            ),
+            h('button', { className: 'btn btn-warning btn-sm', onClick: () => { setPage('settings'); setShow2faReminder(false); history.pushState(null, '', '/dashboard/settings'); } }, 'Set Up 2FA'),
+            h('button', { className: 'btn btn-ghost btn-sm', onClick: () => setShow2faReminder(false), style: { padding: '2px 6px', minWidth: 0 } }, '\u00d7')
+          ),
           selectedAgentId
             ? h(AgentDetailPage, { agentId: selectedAgentId, onBack: () => { _setSelectedAgentId(null); _setPage('agents'); history.pushState(null, '', '/dashboard/agents'); } })
             : page === 'agents'

package/src/dashboard/pages/login.js

@@ -20,6 +20,16 @@ export function LoginPage({ onLogin }) {
   var [challengeToken, setChallengeToken] = useState('');
   var [totpCode, setTotpCode] = useState('');
 
+  // Forgot password state
+  var [forgotMode, setForgotMode] = useState(false);   // show forgot password form
+  var [forgotEmail, setForgotEmail] = useState('');
+  var [forgotCode, setForgotCode] = useState('');
+  var [forgotNewPw, setForgotNewPw] = useState('');
+  var [forgotNewPw2, setForgotNewPw2] = useState('');
+  var [forgotStep, setForgotStep] = useState('email');  // 'email' | 'code' | 'no2fa' | 'done'
+  var [forgotLoading, setForgotLoading] = useState(false);
+  var [forgotError, setForgotError] = useState('');
+
   useEffect(function() {
     fetch('/auth/sso/providers').then(function(r) { return r.ok ? r.json() : null; }).then(function(d) {
       if (d && d.providers && d.providers.length > 0) setSsoProviders(d.providers);
@@ -59,6 +69,43 @@ export function LoginPage({ onLogin }) {
     setLoading(false);
   };
 
+  var submitForgotEmail = async function() {
+    setForgotLoading(true); setForgotError('');
+    try {
+      // Check if user has 2FA by attempting reset without code
+      var d = await authCall('/reset-password-self', { method: 'POST', body: JSON.stringify({ email: forgotEmail, newPassword: 'check__only__12', totpCode: '' }) });
+      if (d.has2fa) { setForgotStep('code'); }
+      else if (d.no2fa) { setForgotStep('no2fa'); }
+      else { setForgotStep('code'); }
+    } catch (err) {
+      var msg = err.message || '';
+      if (msg.indexOf('not enabled') >= 0 || msg.indexOf('administrator') >= 0) {
+        setForgotStep('no2fa');
+      } else {
+        setForgotStep('code');
+      }
+    }
+    setForgotLoading(false);
+  };
+
+  var submitForgotReset = async function() {
+    if (forgotNewPw !== forgotNewPw2) { setForgotError('Passwords do not match'); return; }
+    if (forgotNewPw.length < 8) { setForgotError('Password must be at least 8 characters'); return; }
+    setForgotLoading(true); setForgotError('');
+    try {
+      var d = await authCall('/reset-password-self', { method: 'POST', body: JSON.stringify({ email: forgotEmail, totpCode: forgotCode, newPassword: forgotNewPw }) });
+      if (d.ok) { setForgotStep('done'); }
+      else if (d.no2fa) { setForgotStep('no2fa'); setForgotError(d.error); }
+      else if (d.error) { setForgotError(d.error); }
+    } catch (err) { setForgotError(err.message); }
+    setForgotLoading(false);
+  };
+
+  var cancelForgot = function() {
+    setForgotMode(false); setForgotStep('email'); setForgotEmail(''); setForgotCode('');
+    setForgotNewPw(''); setForgotNewPw2(''); setForgotError('');
+  };
+
   var cancel2fa = function() {
     setNeeds2fa(false);
     setChallengeToken('');
@@ -110,6 +157,103 @@ export function LoginPage({ onLogin }) {
     );
   }
 
+  // ─── Forgot Password Screen ──────────────────────────
+
+  if (forgotMode) {
+    return h('div', { className: 'login-page', style: _brandBg ? { backgroundImage: 'url(' + _brandBg + ')', backgroundSize: 'cover', backgroundPosition: 'center' } : {} },
+      h('div', { className: 'login-card' },
+        h('div', { className: 'login-logo' },
+          h('img', { src: _brandLogo, alt: 'AgenticMail', style: { width: 48, height: 48, objectFit: 'contain' } }),
+          h('h1', null, 'Reset Password'),
+          h('p', null, forgotStep === 'email' ? 'Enter your email address' : forgotStep === 'code' ? 'Verify with your authenticator app' : forgotStep === 'done' ? 'Password updated' : 'Contact your administrator')
+        ),
+
+        // Step: enter email
+        forgotStep === 'email' && h('div', null,
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, 'Email Address'),
+            h('input', { className: 'input', type: 'email', value: forgotEmail, onChange: function(e) { setForgotEmail(e.target.value); }, placeholder: 'you@company.com', autoFocus: true })
+          ),
+          forgotError && h('div', { style: { color: 'var(--danger)', fontSize: 13, marginBottom: 12 } }, forgotError),
+          h('button', { className: 'btn btn-primary', onClick: submitForgotEmail, disabled: forgotLoading || !forgotEmail, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, forgotLoading ? 'Checking...' : 'Continue'),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: cancelForgot }, 'Back to login')
+          )
+        ),
+
+        // Step: enter 2FA code + new password
+        forgotStep === 'code' && h('div', null,
+          h('div', { style: { background: 'var(--info-soft, rgba(59,130,246,0.1))', borderRadius: 8, padding: 12, marginBottom: 16, fontSize: 12, color: 'var(--text-secondary)' } },
+            'Enter the 6-digit code from your authenticator app (or a backup code) along with your new password.'
+          ),
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, '2FA Code'),
+            h('input', {
+              className: 'input', type: 'text', inputMode: 'numeric', autoComplete: 'one-time-code',
+              value: forgotCode, onChange: function(e) { setForgotCode(e.target.value.replace(/[^0-9A-Za-z]/g, '').slice(0, 8)); },
+              placeholder: '000000', autoFocus: true, maxLength: 8,
+              style: { textAlign: 'center', fontSize: 20, letterSpacing: '0.2em', fontFamily: 'var(--font-mono)' }
+            })
+          ),
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, 'New Password'),
+            h('input', { className: 'input', type: 'password', value: forgotNewPw, onChange: function(e) { setForgotNewPw(e.target.value); }, placeholder: 'Min 8 characters' })
+          ),
+          h('div', { className: 'form-group' },
+            h('label', { className: 'form-label' }, 'Confirm Password'),
+            h('input', { className: 'input', type: 'password', value: forgotNewPw2, onChange: function(e) { setForgotNewPw2(e.target.value); }, placeholder: 'Confirm new password' })
+          ),
+          forgotError && h('div', { style: { color: 'var(--danger)', fontSize: 13, marginBottom: 12 } }, forgotError),
+          h('button', { className: 'btn btn-primary', onClick: submitForgotReset, disabled: forgotLoading || !forgotCode || !forgotNewPw || !forgotNewPw2, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, forgotLoading ? 'Resetting...' : 'Reset Password'),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: cancelForgot }, 'Back to login')
+          )
+        ),
+
+        // Step: no 2FA — contact admin
+        forgotStep === 'no2fa' && h('div', null,
+          h('div', { style: { textAlign: 'center', padding: '12px 0' } },
+            h('div', { style: { width: 48, height: 48, borderRadius: '50%', background: 'var(--danger-soft, rgba(220,38,38,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', margin: '0 auto 12px' } },
+              h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger, #dc2626)', strokeWidth: 2, strokeLinecap: 'round' },
+                h('path', { d: 'M12 9v4m0 4h.01M21 12a9 9 0 1 1-18 0 9 9 0 0 1 18 0z' })
+              )
+            ),
+            h('h3', { style: { fontSize: 16, fontWeight: 600, marginBottom: 8 } }, 'Cannot Reset Password'),
+            h('p', { style: { fontSize: 13, color: 'var(--text-muted)', lineHeight: 1.6, maxWidth: 320, margin: '0 auto' } },
+              'Two-factor authentication is not enabled on this account. Without 2FA, you cannot reset your password yourself.'
+            ),
+            h('div', { style: { marginTop: 16, padding: 12, background: 'var(--bg-tertiary)', borderRadius: 8, fontSize: 13 } },
+              h('strong', null, 'What to do:'), h('br', null),
+              'Contact your organization administrator and ask them to reset your password from the Users page.'
+            ),
+            h('div', { style: { marginTop: 16, padding: 10, background: 'var(--warning-soft, rgba(245,158,11,0.08))', borderRadius: 8, fontSize: 12, color: 'var(--text-secondary)' } },
+              'Tip: Once you regain access, enable 2FA immediately so you can reset your own password in the future.'
+            )
+          ),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-primary', onClick: cancelForgot, style: { width: '100%', justifyContent: 'center' } }, 'Back to Login')
+          )
+        ),
+
+        // Step: done
+        forgotStep === 'done' && h('div', null,
+          h('div', { style: { textAlign: 'center', padding: '12px 0' } },
+            h('div', { style: { width: 48, height: 48, borderRadius: '50%', background: 'var(--success-soft, rgba(21,128,61,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', margin: '0 auto 12px' } },
+              h('svg', { width: 24, height: 24, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--success, #15803d)', strokeWidth: 2, strokeLinecap: 'round' },
+                h('path', { d: 'M20 6L9 17l-5-5' })
+              )
+            ),
+            h('h3', { style: { fontSize: 16, fontWeight: 600, marginBottom: 8 } }, 'Password Reset Successfully'),
+            h('p', { style: { fontSize: 13, color: 'var(--text-muted)' } }, 'You can now sign in with your new password.')
+          ),
+          h('div', { style: { textAlign: 'center', marginTop: 16 } },
+            h('button', { type: 'button', className: 'btn btn-primary', onClick: cancelForgot, style: { width: '100%', justifyContent: 'center' } }, 'Sign In')
+          )
+        )
+      )
+    );
+  }
+
   // ─── Main Login Screen ────────────────────────────────
 
   return h('div', { className: 'login-page', style: _brandBg ? { backgroundImage: 'url(' + _brandBg + ')', backgroundSize: 'cover', backgroundPosition: 'center' } : {} },
@@ -138,7 +282,10 @@ export function LoginPage({ onLogin }) {
           h('input', { className: 'input', type: 'password', value: password, onChange: function(e) { setPassword(e.target.value); }, placeholder: 'Enter password', required: true })
         ),
         error && h('div', { style: { color: 'var(--danger)', fontSize: 13, marginBottom: 16 } }, error),
-        h('button', { className: 'btn btn-primary', type: 'submit', disabled: loading, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, loading ? 'Signing in...' : 'Sign In')
+        h('button', { className: 'btn btn-primary', type: 'submit', disabled: loading, style: { width: '100%', justifyContent: 'center', padding: '8px' } }, loading ? 'Signing in...' : 'Sign In'),
+        h('div', { style: { textAlign: 'center', marginTop: 12 } },
+          h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: function() { setForgotMode(true); setForgotEmail(email); setError(''); }, style: { fontSize: 12, color: 'var(--text-muted)' } }, 'Forgot Password?')
+        )
       ),
 
       // ── API Key Tab ─────────────────────────────────

package/src/dashboard/pages/users.js

@@ -216,7 +216,7 @@ export function UsersPage() {
   var { toast } = useApp();
   var [users, setUsers] = useState([]);
   var [creating, setCreating] = useState(false);
-  var [form, setForm] = useState({ email: '', password: '', name: '', role: 'viewer' });
+  var [form, setForm] = useState({ email: '', password: '', name: '', role: 'viewer', permissions: '*' });
   var [resetTarget, setResetTarget] = useState(null);
   var [newPassword, setNewPassword] = useState('');
   var [resetting, setResetting] = useState(false);
@@ -230,10 +230,22 @@ export function UsersPage() {
     apiCall('/page-registry').then(function(d) { setPageRegistry(d); }).catch(function() {});
   }, []);
 
+  var generateCreatePassword = function() {
+    var chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%';
+    var pw = '';
+    for (var i = 0; i < 16; i++) pw += chars[Math.floor(Math.random() * chars.length)];
+    setForm(function(f) { return Object.assign({}, f, { password: pw }); });
+  };
+
+  var [showCreatePerms, setShowCreatePerms] = useState(false);
+
   var create = async function() {
     try {
-      await apiCall('/users', { method: 'POST', body: JSON.stringify(form) });
-      toast('User created', 'success'); setCreating(false); setForm({ email: '', password: '', name: '', role: 'viewer' }); load();
+      var body = { email: form.email, password: form.password, name: form.name, role: form.role };
+      if (form.permissions !== '*') body.permissions = form.permissions;
+      await apiCall('/users', { method: 'POST', body: JSON.stringify(body) });
+      toast('User created. They will be prompted to set a new password on first login.', 'success');
+      setCreating(false); setForm({ email: '', password: '', name: '', role: 'viewer', permissions: '*' }); setShowCreatePerms(false); load();
     } catch (e) { toast(e.message, 'error'); }
   };
 
@@ -324,13 +336,48 @@ export function UsersPage() {
     ),
 
     // Create user modal
-    creating && h(Modal, { title: 'Add User', onClose: function() { setCreating(false); }, footer: h(Fragment, null, h('button', { className: 'btn btn-secondary', onClick: function() { setCreating(false); } }, 'Cancel'), h('button', { className: 'btn btn-primary', onClick: create, disabled: !form.email || !form.password }, 'Create')) },
-      h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Name'), h('input', { className: 'input', value: form.name, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { name: e.target.value }); }); } })),
+    creating && h(Modal, { title: 'Add User', onClose: function() { setCreating(false); setShowCreatePerms(false); }, width: 520, footer: h(Fragment, null, h('button', { className: 'btn btn-secondary', onClick: function() { setCreating(false); setShowCreatePerms(false); } }, 'Cancel'), h('button', { className: 'btn btn-primary', onClick: create, disabled: !form.email || !form.password }, 'Create User')) },
+      h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Name'), h('input', { className: 'input', value: form.name, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { name: e.target.value }); }); }, autoFocus: true })),
       h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Email *'), h('input', { className: 'input', type: 'email', value: form.email, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { email: e.target.value }); }); } })),
-      h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Password *'), h('input', { className: 'input', type: 'password', value: form.password, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { password: e.target.value }); }); } })),
+      h('div', { className: 'form-group' },
+        h('label', { className: 'form-label' }, 'Initial Password *'),
+        h('div', { style: { display: 'flex', gap: 8 } },
+          h('input', { className: 'input', type: 'text', value: form.password, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { password: e.target.value }); }); }, placeholder: 'Min 8 characters', style: { flex: 1, fontFamily: 'var(--font-mono)', fontSize: 13 } }),
+          h('button', { type: 'button', className: 'btn btn-secondary btn-sm', onClick: generateCreatePassword, title: 'Generate random password', style: { whiteSpace: 'nowrap' } }, I.refresh(), ' Generate')
+        ),
+        form.password && h('div', { style: { marginTop: 6, padding: 8, background: 'var(--warning-soft, rgba(245,158,11,0.08))', borderRadius: 6, fontSize: 11, color: 'var(--text-secondary)' } },
+          'The user will be required to change this password on their first login. Share it securely.'
+        )
+      ),
       h('div', { className: 'form-group' }, h('label', { className: 'form-label' }, 'Role'), h('select', { className: 'input', value: form.role, onChange: function(e) { setForm(function(f) { return Object.assign({}, f, { role: e.target.value }); }); } }, h('option', { value: 'viewer' }, 'Viewer'), h('option', { value: 'member' }, 'Member'), h('option', { value: 'admin' }, 'Admin'), h('option', { value: 'owner' }, 'Owner'))),
-      (form.role === 'member' || form.role === 'viewer') && h('div', { style: { marginTop: 8, padding: 10, background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 12, color: 'var(--info)' } },
-        'After creating this user, click the shield icon to set their page permissions. By default, new Member/Viewer users have full access.'
+      // Inline permissions for member/viewer
+      (form.role === 'member' || form.role === 'viewer') && h('div', { style: { marginTop: 4 } },
+        h('div', { style: { display: 'flex', alignItems: 'center', justifyContent: 'space-between' } },
+          h('label', { className: 'form-label', style: { marginBottom: 0 } }, 'Page Permissions'),
+          h('button', { type: 'button', className: 'btn btn-ghost btn-sm', onClick: function() { setShowCreatePerms(!showCreatePerms); }, style: { fontSize: 11 } }, showCreatePerms ? 'Hide' : 'Customize')
+        ),
+        !showCreatePerms && h('div', { style: { fontSize: 12, color: 'var(--text-muted)', marginTop: 4 } }, 'Full access (default). Click "Customize" to restrict.'),
+        showCreatePerms && pageRegistry && h('div', { style: { maxHeight: 200, overflowY: 'auto', border: '1px solid var(--border)', borderRadius: 6, marginTop: 8 } },
+          Object.keys(pageRegistry).map(function(pid) {
+            var page = pageRegistry[pid];
+            var grants = form.permissions === '*' ? null : form.permissions;
+            var checked = !grants || (grants && grants[pid]);
+            return h('div', { key: pid, style: { display: 'flex', alignItems: 'center', gap: 8, padding: '4px 10px', fontSize: 12, cursor: 'pointer' }, onClick: function() {
+              setForm(function(f) {
+                var current = f.permissions === '*' ? (function() { var a = {}; Object.keys(pageRegistry).forEach(function(p) { a[p] = true; }); return a; })() : Object.assign({}, f.permissions);
+                if (current[pid]) { delete current[pid]; } else { current[pid] = true; }
+                if (Object.keys(current).length === Object.keys(pageRegistry).length) return Object.assign({}, f, { permissions: '*' });
+                return Object.assign({}, f, { permissions: current });
+              });
+            } },
+              h('input', { type: 'checkbox', checked: checked, readOnly: true, style: { width: 14, height: 14, accentColor: 'var(--primary)' } }),
+              h('span', null, page.label)
+            );
+          })
+        )
+      ),
+      (form.role === 'owner' || form.role === 'admin') && h('div', { style: { marginTop: 8, padding: 8, background: 'var(--info-soft)', borderRadius: 'var(--radius)', fontSize: 11, color: 'var(--info)' } },
+        'Owner and Admin roles always have full access to all pages.'
       )
     ),
 

package/src/db/adapter.ts

@@ -66,6 +66,7 @@ export interface User {
   totpEnabled?: boolean;     // Whether 2FA is active
   totpBackupCodes?: string;  // JSON array of hashed backup codes
   permissions?: any;         // '*' or { pageId: true | string[] }
+  mustResetPassword?: boolean;
   createdAt: Date;
   updatedAt: Date;
   lastLoginAt?: Date;

package/src/db/postgres.ts

@@ -190,6 +190,7 @@ export class PostgresAdapter extends DatabaseAdapter {
         ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_enabled BOOLEAN DEFAULT FALSE;
         ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_backup_codes TEXT;
         ALTER TABLE users ADD COLUMN IF NOT EXISTS permissions JSONB DEFAULT '"*"';
+        ALTER TABLE users ADD COLUMN IF NOT EXISTS must_reset_password BOOLEAN DEFAULT FALSE;
       `).catch(() => {});
       await client.query('COMMIT');
     } catch (err) {
@@ -706,7 +707,8 @@ export class PostgresAdapter extends DatabaseAdapter {
       id: r.id, email: r.email, name: r.name, role: r.role,
       passwordHash: r.password_hash, ssoProvider: r.sso_provider, ssoSubject: r.sso_subject,
       totpSecret: r.totp_secret, totpEnabled: !!r.totp_enabled, totpBackupCodes: r.totp_backup_codes,
-      permissions: r.permissions != null ? (typeof r.permissions === 'string' ? JSON.parse(r.permissions) : r.permissions) : '*',
+      permissions: r.permissions != null ? (typeof r.permissions === 'string' ? (() => { try { return JSON.parse(r.permissions); } catch { return '*'; } })() : r.permissions) : '*',
+      mustResetPassword: !!r.must_reset_password,
       createdAt: new Date(r.created_at), updatedAt: new Date(r.updated_at),
       lastLoginAt: r.last_login_at ? new Date(r.last_login_at) : undefined,
     };

package/src/db/sqlite.ts

@@ -60,9 +60,8 @@ export class SqliteAdapter extends DatabaseAdapter {
         `INSERT OR IGNORE INTO company_settings (id, name, subdomain) VALUES ('default', 'My Company', 'my-company')`
       ).run();
       // Add permissions column if missing
-      try {
-        this.db.exec(`ALTER TABLE users ADD COLUMN permissions TEXT DEFAULT '"*"'`);
-      } catch { /* column already exists */ }
+      try { this.db.exec(`ALTER TABLE users ADD COLUMN permissions TEXT DEFAULT '"*"'`); } catch { /* exists */ }
+      try { this.db.exec(`ALTER TABLE users ADD COLUMN must_reset_password INTEGER DEFAULT 0`); } catch { /* exists */ }
     });
     tx();
   }