feat(PROJ-28): Self-Service Onboarding — Signup, Verify, Password Reset, Invites

- internal/mailer: SMTP-Out via net/smtp (TLS + STARTTLS), HTML+Text-Templates
- internal/tokenstore: auth_tokens Tabelle, SHA-256-Hash, TTL, einmalig verwendbar
- userstore: CreateInactive(), Activate(), GetByEmail(), SetPassword()
- API: POST /signup, GET /verify, POST /forgot-password, POST /reset-password
- API: POST /admin/invite (domain_admin+), GET /auth/invite?token (check)
- Login-Seite: Links zu "Passwort vergessen" und "Registrieren"
- Frontend: /signup, /verify, /forgot-password, /reset-password Seiten
- server.fqdn nicht konfiguriert → Startup-Warnung, Self-Service deaktiviert
- LDAP-Nutzer: Passwort-Reset abgewiesen

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/api/invite_handlers.go

@@ -0,0 +1,106 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/archivmail/internal/audit"
+	"github.com/archivmail/internal/mailer"
+	"github.com/archivmail/internal/tokenstore"
+	"github.com/archivmail/internal/userstore"
+)
+
+// handleCreateInvite generates an invite token for a tenant and optionally emails it.
+// POST /api/admin/invite  — domain_admin+  (PROJ-28)
+func (s *Server) handleCreateInvite(w http.ResponseWriter, r *http.Request) {
+	var body struct {
+		TenantID int64  `json:"tenant_id"` // superadmin: arbitrary; domain_admin: own tenant
+		Email    string `json:"email"`     // optional: send invite by email
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid body")
+		return
+	}
+
+	sess := sessionFromCtx(r.Context())
+
+	// domain_admin may only invite to their own tenant
+	if sess.Role != userstore.RoleSuperAdmin {
+		tenantID := tenantFromCtx(r.Context())
+		if tenantID == nil || *tenantID != body.TenantID {
+			writeError(w, http.StatusForbidden, "forbidden")
+			return
+		}
+	}
+
+	tid := body.TenantID
+	token, err := s.tokenStore.Create(r.Context(), tokenstore.TypeInvite, nil, &tid, 72*time.Hour)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	inviteURL := ""
+	if s.fqdn != "" {
+		inviteURL = "https://" + s.fqdn + "/signup?invite=" + token
+	}
+
+	// Optionally send invite email
+	if body.Email != "" && s.mailer.IsConfigured() {
+		tenantName := strconv.FormatInt(body.TenantID, 10)
+		if s.tenantStore != nil {
+			if t, err := s.tenantStore.Get(r.Context(), body.TenantID); err == nil {
+				tenantName = t.Name
+			}
+		}
+		go func() {
+			html := mailer.InviteHTML(s.fqdn, token, tenantName)
+			txt := mailer.InviteText(s.fqdn, token, tenantName)
+			_ = s.mailer.Send(body.Email, "Einladung zu archivmail", html, txt)
+		}()
+	}
+
+	if s.audlog != nil {
+		s.audlog.Log(audit.Entry{
+			EventType: "invite_created",
+			Username:  sess.Username,
+			IPAddress: s.remoteIP(r),
+			Success:   true,
+		})
+	}
+
+	writeJSON(w, http.StatusOK, map[string]interface{}{
+		"token":      token,
+		"invite_url": inviteURL,
+	})
+}
+
+// handleCheckInvite validates an invite token and returns the tenant name.
+// GET /api/auth/invite?token=...  (PROJ-28)
+func (s *Server) handleCheckInvite(w http.ResponseWriter, r *http.Request) {
+	plain := r.URL.Query().Get("token")
+	if plain == "" {
+		writeError(w, http.StatusBadRequest, "token required")
+		return
+	}
+
+	tok, err := s.tokenStore.Peek(r.Context(), tokenstore.TypeInvite, plain)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "ungültiger oder abgelaufener Einladungslink")
+		return
+	}
+
+	tenantName := ""
+	if tok.TenantID != nil && s.tenantStore != nil {
+		if t, err := s.tenantStore.Get(r.Context(), *tok.TenantID); err == nil {
+			tenantName = t.Name
+		}
+	}
+
+	writeJSON(w, http.StatusOK, map[string]interface{}{
+		"valid":       true,
+		"tenant_name": tenantName,
+	})
+}