refactor(auth): route password reset through service layer + e2e helper

- PasswordResetService injects UserService instead of AppUserRepository.
- New UserService.findByEmailOptional preserves the silent-fail behaviour of
  the old findByEmail-returning-Optional path; the existing throwing
  findByEmail is unchanged.
- New PasswordResetService.findLatestActiveTokenForEmail exposes the latest
  active reset token without leaking the repository upward.
- New @Profile("e2e") PasswordResetTestHelper wraps that read so the
  AuthE2EController no longer touches PasswordResetTokenRepository directly.
  Profile guard moves from the controller-only annotation to also cover the
  helper bean, so the production graph never instantiates either.

Refs #417 (C6.1 violation #2 + C6.2 violation #12).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/controller/AuthE2EController.java

@@ -1,8 +1,8 @@
 package org.raddatz.familienarchiv.controller;
 
-import java.time.LocalDateTime;
-
-import org.raddatz.familienarchiv.repository.PasswordResetTokenRepository;
+import io.swagger.v3.oas.annotations.Operation;
+import lombok.RequiredArgsConstructor;
+import org.raddatz.familienarchiv.service.PasswordResetTestHelper;
 import org.springframework.context.annotation.Profile;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -10,10 +10,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
-import io.swagger.v3.oas.annotations.Operation;
-
-import lombok.RequiredArgsConstructor;
-
 /**
  * Test-only endpoint to retrieve a password reset token by email.
  * Only active under the "e2e" Spring profile.
@@ -24,14 +20,14 @@ import lombok.RequiredArgsConstructor;
 @RequiredArgsConstructor
 public class AuthE2EController {
 
-    private final PasswordResetTokenRepository tokenRepository;
+    private final PasswordResetTestHelper passwordResetTestHelper;
 
     // Hidden from the OpenAPI spec — this endpoint must never appear in the generated api.ts
     // even when the e2e profile is active alongside the dev profile during spec generation.
     @Operation(hidden = true)
     @GetMapping("/reset-token-for-test")
     public ResponseEntity<String> getResetTokenForTest(@RequestParam String email) {
-        return tokenRepository.findLatestActiveTokenByEmail(email, LocalDateTime.now())
+        return passwordResetTestHelper.getResetTokenForTest(email)
                 .map(ResponseEntity::ok)
                 .orElse(ResponseEntity.notFound().build());
     }

backend/src/main/java/org/raddatz/familienarchiv/service/PasswordResetService.java

@@ -10,7 +10,6 @@ import org.raddatz.familienarchiv.exception.DomainException;
 import org.raddatz.familienarchiv.exception.ErrorCode;
 import org.raddatz.familienarchiv.model.AppUser;
 import org.raddatz.familienarchiv.model.PasswordResetToken;
-import org.raddatz.familienarchiv.repository.AppUserRepository;
 import org.raddatz.familienarchiv.repository.PasswordResetTokenRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -30,7 +29,7 @@ import lombok.extern.slf4j.Slf4j;
 @Slf4j
 public class PasswordResetService {
 
-    private final AppUserRepository userRepository;
+    private final UserService userService;
     private final PasswordResetTokenRepository tokenRepository;
     private final PasswordEncoder passwordEncoder;
 
@@ -49,7 +48,7 @@ public class PasswordResetService {
      * If no mail sender is configured, logs a warning.
      */
     public void requestReset(String email, String appBaseUrl) {
-        Optional<AppUser> userOpt = userRepository.findByEmail(email);
+        Optional<AppUser> userOpt = userService.findByEmailOptional(email);
         if (userOpt.isEmpty()) {
             log.debug("Password reset requested for unknown email: {}", email);
             return;
@@ -82,12 +81,21 @@ public class PasswordResetService {
 
         AppUser user = resetToken.getUser();
         user.setPassword(passwordEncoder.encode(request.getNewPassword()));
-        userRepository.save(user);
+        userService.save(user);
 
         resetToken.setUsed(true);
         tokenRepository.save(resetToken);
     }
 
+    /**
+     * Returns the raw token string of the most recent active (unused, unexpired)
+     * reset token for the given email, if any. Used by the e2e helper to drive
+     * automated password-reset flows; production code paths never call this.
+     */
+    public Optional<String> findLatestActiveTokenForEmail(String email) {
+        return tokenRepository.findLatestActiveTokenByEmail(email, LocalDateTime.now());
+    }
+
     /** Nightly cleanup of expired and used tokens. */
     @Scheduled(cron = "0 0 3 * * *")
     @Transactional

backend/src/main/java/org/raddatz/familienarchiv/service/PasswordResetTestHelper.java

@@ -0,0 +1,24 @@
+package org.raddatz.familienarchiv.service;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Service;
+
+import java.util.Optional;
+
+/**
+ * E2E-only thin wrapper around {@link PasswordResetService} that exposes
+ * the latest active reset token for a given email. Loaded only when the
+ * {@code e2e} Spring profile is active so production code paths never see it.
+ */
+@Service
+@Profile("e2e")
+@RequiredArgsConstructor
+public class PasswordResetTestHelper {
+
+    private final PasswordResetService passwordResetService;
+
+    public Optional<String> getResetTokenForTest(String email) {
+        return passwordResetService.findLatestActiveTokenForEmail(email);
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/service/UserService.java

@@ -248,6 +248,14 @@ public class UserService {
                 .orElseThrow(() -> DomainException.notFound(ErrorCode.USER_NOT_FOUND, "No user found for email: " + email));
     }
 
+    public Optional<AppUser> findByEmailOptional(String email) {
+        return userRepository.findByEmail(email);
+    }
+
+    public AppUser save(AppUser user) {
+        return userRepository.save(user);
+    }
+
     public List<AppUser> getAllUsers() {
         return userRepository.findAll();
     }