Trigger Authelia password reset email on new user checkout

The triggerPasswordReset function existed but was never called.
New users now receive a set-password email immediately after their
Stripe checkout completes.

Made-with: Cursor

docker/ss-atlas/internal/handlers/webhook.go

@@ -55,8 +55,18 @@ func (a *App) onCheckoutCompleted(event stripego.Event) {
 
 	log.Printf("webhook: checkout completed email=%s customer=%s", email, customerID)
 
-	if err := a.ldap.EnsureUser(username, email, customerID); err != nil {
-		log.Printf("webhook: ldap ensure user failed: %v", err)
+	result, err := a.ldap.ProvisionUser(username, email, customerID)
+	if err != nil {
+		log.Printf("webhook: ldap provision user failed: %v", err)
+		return
+	}
+
+	if result.IsNew {
+		if err := a.triggerPasswordReset(username); err != nil {
+			log.Printf("webhook: password reset email failed for %s: %v", username, err)
+		} else {
+			log.Printf("webhook: password reset email sent to %s (%s)", username, email)
+		}
 	}
 }