From 39e7ee2c71dce6e1aa0987ce8596787559c67fcc Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 5 May 2026 21:17:00 +0200
Subject: [PATCH] fix(e2e): use dedicated reset user instead of admin in password-reset test

Introduces a separate reset@familyarchive.local / reset123 seed account (e2e profile only) so the password-reset flow test never touches the shared admin credentials.

Co-Authored-By: Claude Sonnet 4.6
---
 .../familienarchiv/user/UserDataInitializer.java | 15 +++++++++++++++
 frontend/e2e/password-reset.spec.ts | 9 +++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/user/UserDataInitializer.java b/backend/src/main/java/org/raddatz/familienarchiv/user/UserDataInitializer.java
index edcf9b9a..e7c9f0c1 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/user/UserDataInitializer.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/user/UserDataInitializer.java
@@ -102,6 +102,21 @@ public class UserDataInitializer {
 log.info("E2E seed: 'reader'-Testbenutzer erstellt.");
 }

+ if (userRepository.findByEmail("reset@familyarchive.local").isEmpty()) {
+ log.info("E2E seed: Erstelle 'reset'-Testbenutzer...");
+ UserGroup leserGroup = groupRepository.findByName("Leser").orElseGet(() ->
+ groupRepository.save(UserGroup.builder()
+ .name("Leser")
+ .permissions(Set.of("READ_ALL"))
+ .build()));
+ userRepository.save(AppUser.builder()
+ .email("reset@familyarchive.local")
+ .password(passwordEncoder.encode("reset123"))
+ .groups(Set.of(leserGroup))
+ .build());
+ log.info("E2E seed: 'reset'-Testbenutzer erstellt.");
+ }
+
 if (personRepo.count() > 0) {
 log.info("E2E seed: Personendaten bereits vorhanden, überspringe Dokument-Seed.");
 return;
diff --git a/frontend/e2e/password-reset.spec.ts b/frontend/e2e/password-reset.spec.ts
index fc864820..f2a15078 100644
--- a/frontend/e2e/password-reset.spec.ts
+++ b/frontend/e2e/password-reset.spec.ts
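Review bot: The new `reset@familyarchive.local` account in UserDataInitializer is created with the fixed password `reset123`, and this class lives under `src/main/java`, so the only thing keeping a publicly known login out of a production database is whatever guards the enclosing seed method, which starts outside this hunk. The commit message says the seed is e2e-profile only; I would make that visible at the block with a comment such as `// E2E-only account with a well-known password; this method must stay restricted to the e2e profile.` and confirm the guard cannot be switched on by configuration on a deployed instance. The find-or-create of the `Leser` group with `Set.of("READ_ALL")` also hard-codes the group's permissions in this fallback; if the group is defined elsewhere (the 'reader' seed just above appears to need it too), a shared helper would keep the definitions from drifting.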
@@ -42,8 +42,9 @@ test.describe('Password reset', () => {
 });

 test('full password reset flow', async ({ page }) => {
- const testEmail = process.env.E2E_EMAIL ?? 'admin@familyarchive.local';
- const originalPassword = process.env.E2E_PASSWORD ?? 'admin123';
+ // Uses a dedicated low-privilege test account so the admin account is never touched.
+ const testEmail = 'reset@familyarchive.local';
+ const originalPassword = 'reset123';
 const newPassword = 'NewP@ssw0rd_E2E!';

 // 1. Request reset
@@ -70,7 +71,7 @@ test.describe('Password reset', () => {

 // 5. Log in with new password
 await expect(page).toHaveURL(/\/login/);
- await page.getByLabel('Benutzername').fill(process.env.E2E_USERNAME ?? 'admin');
+ await page.getByLabel('Benutzername').fill(testEmail);
 await page.getByLabel('Passwort').fill(newPassword);
 await page.getByRole('button', { name: 'Anmelden' }).click();
 await expect(page).toHaveURL('/');
@@ -85,7 +86,7 @@ test.describe('Password reset', () => {
 await expect(page).toHaveURL(/\/login/);

 // 7. Log back in with original password to confirm restore worked
- await page.getByLabel('Benutzername').fill(process.env.E2E_USERNAME ?? 'admin');
+ await page.getByLabel('Benutzername').fill(testEmail);
 await page.getByLabel('Passwort').fill(originalPassword);
 await page.getByRole('button', { name: 'Anmelden' }).click();
 await expect(page).toHaveURL('/');
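Review bot: In the first hunk of password-reset.spec.ts (`@@ -42,8 +42,9`), `testEmail` and `originalPassword` now duplicate literals from the seed block in UserDataInitializer.java with nothing linking the two, so a change to the seed makes this test fail at login with no hint why. I would extend the added comment to name the source, e.g. `// Dedicated low-privilege account seeded by UserDataInitializer (e2e profile); keep both in sync.` Dropping the `process.env` fallback also means the spec can only run against a backend that carries this seed, which is worth stating in the e2e documentation if that is intended.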
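Review bot: In the second hunk (`@@ -70,7 +71,7`), and again in the third (`@@ -85,7 +86,7`), the field labelled `Benutzername` is now filled with an e-mail address where the old code sent a separate username (`process.env.E2E_USERNAME ?? 'admin'`). The seeded account is built with only `.email(...)`, `.password(...)` and `.groups(...)`, so this presumably relies on the login form accepting the e-mail as the identifier; that is not visible in this diff and should be confirmed. If it holds, a short comment such as `// Login identifies users by e-mail; the seed account has no separate username.` would explain why `testEmail` goes into the username field.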
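Review bot: Step 7 in the third hunk (`@@ -85,7 +86,7`) only confirms a restore that happens earlier in the test body, outside this hunk, so a failure anywhere between the reset and that restore leaves the account on `newPassword`. The seeder in this same commit creates the account only when `findByEmail(...)` is empty, so a re-run against the same database would not bring it back to `reset123` and this final login would keep failing. Consider restoring the password in a `test.afterEach` hook, or having the e2e seed re-encode `reset123` for an already existing account on startup.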