{% extends "admin/_base.html" %}
{% block content %}
<div class="rio-form-shell">
<header class="rio-page-header">
<nav class="rio-breadcrumbs">
<a href="/admin">Home</a> ·
<a href="/admin/users">Users</a> ·
<a href="/admin/users/{{ target_user_id }}/edit">{{ target_email }}</a> ·
<span>Reset password</span>
</nav>
<h1>{% if success %}Password reset for {{ target_email }}{% else %}Reset password for {{ target_email }}{% endif %}</h1>
</header>
{% if success %}
{# ---- Success state ---- #}
{% if success_mode == "temp_pw" %}
<div class="rio-flash rio-flash--warning" role="alert">
<strong>Save this temporary password now.</strong>
It will not be shown again. Refreshing this page issues a new one and invalidates this value.
</div>
<section class="rio-card rio-card--callout">
<p class="rio-meta">Temporary password (one-time view)</p>
<p style="font-family: var(--rio-font-mono); font-size: var(--rio-fs-xl); user-select: all; word-break: break-all;">
{{ temp_password }}
</p>
</section>
<p class="rio-meta" style="margin-top: var(--rio-s4);">
Share this password with the user out-of-band (in person, secure chat, etc.).
When they sign in, they'll be required to set a new password before doing anything else.
{{ revoked_session_count }} session(s) were revoked as part of the reset.
</p>
{% elif success_mode == "email" %}
<div class="rio-flash rio-flash--success" role="status">
A reset email has been queued for delivery to {{ target_email }}.
</div>
<p class="rio-meta" style="margin-top: var(--rio-s4);">
The link expires in one hour. If the user doesn't receive it, check the audit log
(<a href="/admin/history">/admin/history</a>) for the dispatch status.
</p>
{% endif %}
<div class="rio-form-actions" style="margin-top: var(--rio-s5);">
<a href="/admin/users/{{ target_user_id }}/edit" class="rio-button rio-button--primary">Done</a>
<a href="/admin/users" class="rio-button rio-button--ghost">Back to users</a>
</div>
{% else %}
{# ---- Form state ---- #}
<p class="rio-meta">
Issue a password reset on behalf of <strong>{{ target_email }}</strong>. This action is
audited and counts as a destructive admin operation.
</p>
{% if errors %}
<div class="rio-flash rio-flash--error" role="alert">
<ul>{% for e in errors %}<li>{{ e }}</li>{% endfor %}</ul>
</div>
{% endif %}
<form method="post" action="/admin/users/{{ target_user_id }}/reset-password" class="rio-form">
<input type="hidden" name="_csrf" value="{{ csrf_token }}">
<fieldset class="rio-fieldset">
<legend>Mode</legend>
<label class="rio-radio">
<input type="radio" name="mode" value="email"{% if mode == "email" %} checked{% endif %}>
<span><strong>Email a reset link</strong> — sends a sign-in link to the user. Requires a working mailer.</span>
</label>
<label class="rio-radio">
<input type="radio" name="mode" value="temp_pw"{% if mode == "temp_pw" %} checked{% endif %}>
<span><strong>Issue a temporary password</strong> — generates a one-time password shown to you. Share out-of-band.</span>
</label>
</fieldset>
<fieldset class="rio-fieldset">
<legend>Reason</legend>
<label class="rio-label" for="rio-reason">
Reason
<span class="rio-meta">(audited; minimum 8 characters)</span>
</label>
<textarea
id="rio-reason"
name="reason"
rows="3"
required
minlength="8"
class="rio-input"
autofocus
>{{ reason }}</textarea>
{% if "reason" in field_errors %}
<p class="rio-field-error">{{ field_errors["reason"][0] }}</p>
{% endif %}
</fieldset>
<div class="rio-form-actions">
<button type="submit" class="rio-button rio-button--primary">Reset password</button>
<a href="/admin/users/{{ target_user_id }}/edit" class="rio-button rio-button--ghost">Cancel</a>
</div>
</form>
{% endif %}
</div>
{% endblock %}