@open-mercato/core 0.4.2-canary-f6b7824b47 → 0.4.2-canary-70c8402224

package/src/modules/auth/api/profile/route.ts

@@ -0,0 +1,160 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import type { CommandBus, CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { signJwt } from '@open-mercato/shared/lib/auth/jwt'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+
+const profileResponseSchema = z.object({
+  email: z.string().email(),
+})
+
+const updateSchema = z.object({
+  email: z.string().email().optional(),
+  password: z.string().min(6).optional(),
+}).refine((data) => Boolean(data.email || data.password), {
+  message: 'Provide an email or password.',
+  path: ['email'],
+})
+
+const profileUpdateResponseSchema = z.object({
+  ok: z.literal(true),
+  email: z.string().email(),
+})
+
+export const metadata = {
+  GET: { requireAuth: true },
+  PUT: { requireAuth: true },
+}
+
+function buildCommandContext(container: Awaited<ReturnType<typeof createRequestContainer>>, auth: NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>, req: Request): CommandRuntimeContext {
+  return {
+    container,
+    auth,
+    organizationScope: null,
+    selectedOrganizationId: auth.orgId ?? null,
+    organizationIds: auth.orgId ? [auth.orgId] : null,
+    request: req,
+  }
+}
+
+export async function GET(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const container = await createRequestContainer()
+    const em = (container.resolve('em') as EntityManager)
+    const user = await findOneWithDecryption(
+      em,
+      User,
+      { id: auth.sub, deletedAt: null },
+      undefined,
+      { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
+    )
+    if (!user) {
+      return NextResponse.json({ error: translate('auth.users.form.errors.notFound', 'User not found') }, { status: 404 })
+    }
+    return NextResponse.json({ email: String(user.email) })
+  } catch (err) {
+    console.error('auth.profile.load failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.load', 'Failed to load profile.') }, { status: 400 })
+  }
+}
+
+export async function PUT(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const body = await req.json().catch(() => ({}))
+    const parsed = updateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json(
+        {
+          error: translate('auth.profile.form.errors.invalid', 'Invalid profile update.'),
+          issues: parsed.error.issues,
+        },
+        { status: 400 },
+      )
+    }
+    const container = await createRequestContainer()
+    const commandBus = (container.resolve('commandBus') as CommandBus)
+    const ctx = buildCommandContext(container, auth, req)
+    const { result } = await commandBus.execute<{ id: string; email?: string; password?: string }, User>(
+      'auth.users.update',
+      {
+        input: {
+          id: auth.sub,
+          email: parsed.data.email,
+          password: parsed.data.password,
+        },
+        ctx,
+      },
+    )
+    const authService = container.resolve('authService') as AuthService
+    const roles = await authService.getUserRoles(result, result.tenantId ? String(result.tenantId) : null)
+    const jwt = signJwt({
+      sub: String(result.id),
+      tenantId: result.tenantId ? String(result.tenantId) : null,
+      orgId: result.organizationId ? String(result.organizationId) : null,
+      email: result.email,
+      roles,
+    })
+    const res = NextResponse.json({ ok: true, email: String(result.email) })
+    res.cookies.set('auth_token', jwt, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 8,
+    })
+    return res
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('auth.profile.update failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.save', 'Failed to update profile.') }, { status: 400 })
+  }
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Authentication & Accounts',
+  summary: 'Profile settings',
+  methods: {
+    GET: {
+      summary: 'Get current profile',
+      description: 'Returns the email address for the signed-in user.',
+      responses: [
+        { status: 200, description: 'Profile payload', schema: profileResponseSchema },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        { status: 404, description: 'User not found', schema: z.object({ error: z.string() }) },
+      ],
+    },
+    PUT: {
+      summary: 'Update current profile',
+      description: 'Updates the email address or password for the signed-in user.',
+      requestBody: {
+        contentType: 'application/json',
+        schema: updateSchema,
+      },
+      responses: [
+        { status: 200, description: 'Profile updated', schema: profileUpdateResponseSchema },
+        { status: 400, description: 'Invalid payload', schema: z.object({ error: z.string() }) },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}

package/src/modules/auth/api/reset/confirm.ts

@@ -3,6 +3,9 @@ import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via confirmPasswordResetSchema
@@ -15,8 +18,28 @@ export async function POST(req: Request) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })
   const c = await createRequestContainer()
   const auth = c.resolve<AuthService>('authService')
-  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
-  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
+  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset.confirm] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true, redirect: '/login' })
 }
 

package/src/modules/auth/api/reset.ts

@@ -6,6 +6,9 @@ import { AuthService } from '@open-mercato/core/modules/auth/services/authServic
 import { sendEmail } from '@open-mercato/shared/lib/email/send'
 import ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via requestPasswordResetSchema
@@ -35,6 +38,26 @@ export async function POST(req: Request) {
   }
 
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true })
 }
 

package/src/modules/auth/api/sidebar/preferences/route.ts

@@ -64,12 +64,16 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
 
-  const settings = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const settings = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
 
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -92,11 +96,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings.groupOrder ?? [],
-      groupLabels: settings.groupLabels ?? {},
-      itemLabels: settings.itemLabels ?? {},
-      hiddenItems: settings.hiddenItems ?? [],
+      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings?.groupOrder ?? [],
+      groupLabels: settings?.groupLabels ?? {},
+      itemLabels: settings?.itemLabels ?? {},
+      hiddenItems: settings?.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -106,6 +110,11 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  if (!effectiveUserId) {
+    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
+  }
 
   let parsedBody: unknown
   try {
@@ -182,7 +191,7 @@ export async function PUT(req: Request) {
   }
 
   const settings = await saveSidebarPreference(em, {
-    userId: auth.sub,
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,

package/src/modules/auth/backend/auth/profile/page.meta.ts

@@ -0,0 +1,8 @@
+export const metadata = {
+  requireAuth: true,
+  pageTitle: 'Profile',
+  pageTitleKey: 'auth.profile.title',
+  breadcrumb: [
+    { label: 'Profile', labelKey: 'auth.profile.title' },
+  ],
+}

package/src/modules/auth/backend/auth/profile/page.tsx

@@ -0,0 +1,127 @@
+"use client"
+import * as React from 'react'
+import { useRouter } from 'next/navigation'
+import { Page, PageBody } from '@open-mercato/ui/backend/Page'
+import { CrudForm, type CrudField } from '@open-mercato/ui/backend/CrudForm'
+import { apiCall, readApiResultOrThrow } from '@open-mercato/ui/backend/utils/apiCall'
+import { createCrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'
+import { flash } from '@open-mercato/ui/backend/FlashMessages'
+import { LoadingMessage, ErrorMessage } from '@open-mercato/ui/backend/detail'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+
+type ProfileResponse = {
+  email?: string | null
+}
+
+type ProfileUpdateResponse = {
+  ok?: boolean
+  email?: string | null
+}
+
+type ProfileFormValues = {
+  email: string
+  password: string
+  confirmPassword: string
+}
+
+export default function AuthProfilePage() {
+  const t = useT()
+  const router = useRouter()
+  const [loading, setLoading] = React.useState(true)
+  const [error, setError] = React.useState<string | null>(null)
+  const [email, setEmail] = React.useState('')
+  const [formKey, setFormKey] = React.useState(0)
+
+  React.useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      setError(null)
+      try {
+        const { ok, result } = await apiCall<ProfileResponse>('/api/auth/profile')
+        if (!ok) throw new Error('load_failed')
+        const resolvedEmail = typeof result?.email === 'string' ? result.email : ''
+        if (!cancelled) setEmail(resolvedEmail)
+      } catch (err) {
+        console.error('Failed to load auth profile', err)
+        if (!cancelled) setError(t('auth.profile.form.errors.load', 'Failed to load profile.'))
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => { cancelled = true }
+  }, [t])
+
+  const fields = React.useMemo<CrudField[]>(() => [
+    { id: 'email', label: t('auth.profile.form.email', 'Email'), type: 'text', required: true },
+    { id: 'password', label: t('auth.profile.form.password', 'New password'), type: 'text' },
+    { id: 'confirmPassword', label: t('auth.profile.form.confirmPassword', 'Confirm new password'), type: 'text' },
+  ], [t])
+
+  const handleSubmit = React.useCallback(async (values: ProfileFormValues) => {
+    const nextEmail = values.email?.trim() ?? ''
+    const password = values.password?.trim() ?? ''
+    const confirmPassword = values.confirmPassword?.trim() ?? ''
+
+    if (!nextEmail) {
+      const message = t('auth.profile.form.errors.emailRequired', 'Email is required.')
+      throw createCrudFormError(message, { email: message })
+    }
+
+    if (password || confirmPassword) {
+      if (password !== confirmPassword) {
+        const message = t('auth.profile.form.errors.passwordMismatch', 'Passwords do not match.')
+        throw createCrudFormError(message, { confirmPassword: message })
+      }
+    }
+
+    if (!password && nextEmail === email) {
+      throw createCrudFormError(t('auth.profile.form.errors.noChanges', 'No changes to save.'))
+    }
+
+    const payload: { email: string; password?: string } = { email: nextEmail }
+    if (password) payload.password = password
+
+    const result = await readApiResultOrThrow<ProfileUpdateResponse>(
+      '/api/auth/profile',
+      {
+        method: 'PUT',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(payload),
+      },
+      { errorMessage: t('auth.profile.form.errors.save', 'Failed to update profile.') },
+    )
+
+    const resolvedEmail = typeof result?.email === 'string' ? result.email : nextEmail
+    setEmail(resolvedEmail)
+    setFormKey((prev) => prev + 1)
+    flash(t('auth.profile.form.success', 'Profile updated.'), 'success')
+    router.refresh()
+  }, [email, router, t])
+
+  return (
+    <Page>
+      <PageBody>
+        {loading ? (
+          <LoadingMessage label={t('auth.profile.form.loading', 'Loading profile...')} />
+        ) : error ? (
+          <ErrorMessage label={error} />
+        ) : (
+          <CrudForm<ProfileFormValues>
+            key={formKey}
+            title={t('auth.profile.title', 'Profile')}
+            fields={fields}
+            initialValues={{
+              email,
+              password: '',
+              confirmPassword: '',
+            }}
+            submitLabel={t('auth.profile.form.save', 'Save changes')}
+            onSubmit={handleSubmit}
+          />
+        )}
+      </PageBody>
+    </Page>
+  )
+}

package/src/modules/auth/commands/users.ts

@@ -27,6 +27,9 @@ import {
 import { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 
 type SerializedUser = {
   email: string
@@ -105,6 +108,46 @@ export const userCrudIndexer: CrudIndexerConfig = {
   }),
 }
 
+async function notifyRoleChanges(
+  ctx: CommandRuntimeContext,
+  user: User,
+  assignedRoles: string[],
+  revokedRoles: string[],
+): Promise<void> {
+  const tenantId = user.tenantId ? String(user.tenantId) : null
+  if (!tenantId) return
+  const organizationId = user.organizationId ? String(user.organizationId) : null
+
+  try {
+    const notificationService = resolveNotificationService(ctx.container)
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.users.roles] Failed to create notification:', err)
+  }
+}
+
 const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
   id: 'auth.users.create',
   async execute(rawInput, ctx) {
@@ -147,8 +190,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       throw error
     }
 
+    let assignedRoles: string[] = []
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId)
+      assignedRoles = await loadUserRoleNames(em, String(user.id))
     }
 
     await setCustomFieldsIfAny({
@@ -173,6 +218,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, [])
+    }
+
     return user
   },
   captureAfter: async (_input, result, ctx) => {
@@ -288,6 +337,9 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)
     const em = (ctx.container.resolve('em') as EntityManager)
+    const rolesBefore = Array.isArray(parsed.roles)
+      ? await loadUserRoleNames(em, parsed.id)
+      : null
 
     if (parsed.email !== undefined) {
       const emailHash = computeEmailHash(parsed.email)
@@ -377,6 +429,14 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id))
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked)
+      }
+    }
+
     await invalidateUserCache(ctx, parsed.id)
 
     return user
@@ -772,6 +832,14 @@ async function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {
   }
 }
 
+function diffRoleChanges(before: string[], after: string[]) {
+  const beforeSet = new Set(before)
+  const afterSet = new Set(after)
+  const assigned = after.filter((role) => !beforeSet.has(role))
+  const revoked = before.filter((role) => !afterSet.has(role))
+  return { assigned, revoked }
+}
+
 function arrayEquals(left: string[] | undefined, right: string[]): boolean {
   if (!left) return false
   if (left.length !== right.length) return false

package/src/modules/auth/i18n/de.json

@@ -80,6 +80,19 @@
   "auth.users.form.errors.load": "Benutzerdaten konnten nicht geladen werden",
   "auth.users.form.errors.aclUpdate": "Aktualisierung der Benutzerberechtigungen fehlgeschlagen",
   "auth.users.form.errors.delete": "Benutzer konnte nicht gelöscht werden",
+  "auth.profile.title": "Profil",
+  "auth.profile.form.email": "E-Mail",
+  "auth.profile.form.password": "Neues Passwort",
+  "auth.profile.form.confirmPassword": "Neues Passwort bestätigen",
+  "auth.profile.form.save": "Änderungen speichern",
+  "auth.profile.form.loading": "Profil wird geladen...",
+  "auth.profile.form.errors.load": "Profil konnte nicht geladen werden.",
+  "auth.profile.form.errors.save": "Profil konnte nicht aktualisiert werden.",
+  "auth.profile.form.errors.invalid": "Ungültige Profilaktualisierung.",
+  "auth.profile.form.errors.passwordMismatch": "Die Passwörter stimmen nicht überein.",
+  "auth.profile.form.errors.noChanges": "Keine Änderungen zu speichern.",
+  "auth.profile.form.errors.emailRequired": "E-Mail ist erforderlich.",
+  "auth.profile.form.success": "Profil aktualisiert.",
   "auth.users.list.error.load": "Benutzer konnten nicht geladen werden",
   "auth.users.list.error.delete": "Benutzer konnte nicht gelöscht werden",
   "auth.users.flash.created": "Benutzer erstellt",
@@ -95,5 +108,20 @@
   "auth.email.resetPassword.title": "Passwort zurücksetzen",
   "auth.email.resetPassword.body": "Klicken Sie auf den Link unten, um ein neues Passwort festzulegen. Dieser Link läuft in 60 Minuten ab.",
   "auth.email.resetPassword.cta": "Neues Passwort festlegen",
-  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren."
+  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren.",
+  "auth.notifications.passwordReset.requested.title": "Passwort-Zurücksetzung angefordert",
+  "auth.notifications.passwordReset.requested.body": "Ein Link zum Zurücksetzen des Passworts wurde an Ihre E-Mail gesendet",
+  "auth.notifications.passwordReset.completed.title": "Passwort erfolgreich geändert",
+  "auth.notifications.passwordReset.completed.body": "Ihr Passwort wurde erfolgreich aktualisiert",
+  "auth.notifications.account.locked.title": "Konto gesperrt",
+  "auth.notifications.account.locked.body": "Ihr Konto wurde aus Sicherheitsgründen gesperrt. Bitte wenden Sie sich an den Support.",
+  "auth.notifications.login.newDevice.title": "Neues Gerät erkannt",
+  "auth.notifications.login.newDevice.body": "Es wurde eine Anmeldung von einem unbekannten Gerät für Ihr Konto erkannt",
+  "auth.notifications.role.assigned.title": "Neue Rolle zugewiesen",
+  "auth.notifications.role.assigned.body": "Ihnen wurde eine neue Rolle mit zusätzlichen Berechtigungen zugewiesen",
+  "auth.notifications.role.revoked.title": "Rolle entfernt",
+  "auth.notifications.role.revoked.body": "Eine Rolle wurde von Ihrem Konto entfernt",
+  "auth.actions.contactSupport": "Support kontaktieren",
+  "auth.actions.viewSessions": "Sitzungen anzeigen",
+  "auth.actions.viewPermissions": "Berechtigungen anzeigen"
 }

package/src/modules/auth/i18n/en.json

@@ -80,6 +80,19 @@
   "auth.users.form.errors.load": "Failed to load user data",
   "auth.users.form.errors.aclUpdate": "Failed to update user access control",
   "auth.users.form.errors.delete": "Failed to delete user",
+  "auth.profile.title": "Profile",
+  "auth.profile.form.email": "Email",
+  "auth.profile.form.password": "New password",
+  "auth.profile.form.confirmPassword": "Confirm new password",
+  "auth.profile.form.save": "Save changes",
+  "auth.profile.form.loading": "Loading profile...",
+  "auth.profile.form.errors.load": "Failed to load profile.",
+  "auth.profile.form.errors.save": "Failed to update profile.",
+  "auth.profile.form.errors.invalid": "Invalid profile update.",
+  "auth.profile.form.errors.passwordMismatch": "Passwords do not match.",
+  "auth.profile.form.errors.noChanges": "No changes to save.",
+  "auth.profile.form.errors.emailRequired": "Email is required.",
+  "auth.profile.form.success": "Profile updated.",
   "auth.users.list.error.load": "Failed to load users",
   "auth.users.list.error.delete": "Failed to delete user",
   "auth.users.flash.created": "User created",
@@ -95,5 +108,20 @@
   "auth.email.resetPassword.title": "Reset your password",
   "auth.email.resetPassword.body": "Click the link below to set a new password. This link will expire in 60 minutes.",
   "auth.email.resetPassword.cta": "Set a new password",
-  "auth.email.resetPassword.hint": "If you didn't request this, you can safely ignore this email."
+  "auth.email.resetPassword.hint": "If you didn't request this, you can safely ignore this email.",
+  "auth.notifications.passwordReset.requested.title": "Password reset requested",
+  "auth.notifications.passwordReset.requested.body": "A password reset link has been sent to your email",
+  "auth.notifications.passwordReset.completed.title": "Password successfully changed",
+  "auth.notifications.passwordReset.completed.body": "Your password has been updated successfully",
+  "auth.notifications.account.locked.title": "Account locked",
+  "auth.notifications.account.locked.body": "Your account has been locked due to security reasons. Please contact support.",
+  "auth.notifications.login.newDevice.title": "New device login detected",
+  "auth.notifications.login.newDevice.body": "A new login from an unrecognized device was detected on your account",
+  "auth.notifications.role.assigned.title": "New role assigned",
+  "auth.notifications.role.assigned.body": "You have been assigned a new role with additional permissions",
+  "auth.notifications.role.revoked.title": "Role removed",
+  "auth.notifications.role.revoked.body": "A role has been removed from your account",
+  "auth.actions.contactSupport": "Contact Support",
+  "auth.actions.viewSessions": "View Sessions",
+  "auth.actions.viewPermissions": "View Permissions"
 }