Merge remote-tracking branch 'origin/master'

svc/internal/mailer/password_reset.go

@@ -9,8 +9,9 @@ func (m *GraphMailer) SendPasswordResetMail(toEmail string, resetURL string) err
 		<p>Merhaba,</p>
 		<p>Parolanızı sıfırlamak için aşağıdaki bağlantıya tıklayın:</p>
 		<p>
-		  <a href="%s">%s</a>
+		  <a href="%s">Parolayı sıfırla</a>
 		</p>
+		<p style="font-size:12px;color:#666;">Bağlantı: %s</p>
 		<p>Bu bağlantı <strong>30 dakika</strong> geçerlidir ve tek kullanımlıktır.</p>
 	`, resetURL, resetURL)
 

svc/internal/security/password_reset.go

@@ -2,12 +2,28 @@ package security
 
 import (
 	"os"
+	"strings"
 )
 
 func BuildResetURL(token string) string {
-	base := os.Getenv("FRONTEND_URL")
+	base := os.Getenv("APP_FRONTEND_URL")
+	if base == "" {
+		base = os.Getenv("FRONTEND_URL")
+	}
 	if base == "" {
 		base = "http://localhost:9000"
 	}
-	return base + "/password-reset/" + token
+	base = strings.TrimRight(base, "/")
+	// If base already points to password-reset, just append token if needed.
+	if strings.Contains(base, "/password-reset") {
+		if strings.HasSuffix(base, "/password-reset") || strings.HasSuffix(base, "/password-reset/") ||
+			strings.HasSuffix(base, "/#/password-reset") || strings.HasSuffix(base, "/#/password-reset/") {
+			return strings.TrimRight(base, "/") + "/" + token
+		}
+		return base
+	}
+	if strings.Contains(base, "#") {
+		return base + "/password-reset/" + token
+	}
+	return base + "/#/password-reset/" + token
 }

svc/routes/password_forgot.go

@@ -6,9 +6,7 @@ import (
 	"bssapp-backend/internal/security"
 	"database/sql"
 	"encoding/json"
-	"fmt"
 	"net/http"
-	"os"
 	"strings"
 	"time"
 )
@@ -84,11 +82,7 @@ func ForgotPasswordHandler(
 		// -------------------------------------------------------
 		// 5️⃣ Reset URL (PLAIN token)
 		// -------------------------------------------------------
-		resetURL := fmt.Sprintf(
-			"%s/password-reset/%s",
-			os.Getenv("FRONTEND_URL"),
-			plain,
-		)
+		resetURL := security.BuildResetURL(plain)
 
 		// -------------------------------------------------------
 		// 6️⃣ Mail gönder (fail olsa bile enumeration yok)

svc/routes/user_detail.go

@@ -14,7 +14,6 @@ import (
 	"io"
 	"log"
 	"net/http"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -462,11 +461,7 @@ func SendPasswordResetMailHandler(
 		`, userID, hash, expires)
 
 		// 🔗 URL → PLAIN
-		resetURL := fmt.Sprintf(
-			"%s/password-reset/%s",
-			os.Getenv("FRONTEND_URL"),
-			plain,
-		)
+		resetURL := security.BuildResetURL(plain)
 
 		_ = mailer.SendPasswordResetMail(email, resetURL)