From 677bef195f0d339d53c93a89e4773066db99187a Mon Sep 17 00:00:00 2001
From: Leopere <colin@nixc.us>
Date: Tue, 3 Mar 2026 17:13:37 -0500
Subject: [PATCH] Trigger Authelia password reset email on new user checkout

The triggerPasswordReset function existed but was never called.
New users now receive a set-password email immediately after their
Stripe checkout completes.

Made-with: Cursor
---
 docker/ss-atlas/internal/handlers/webhook.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/docker/ss-atlas/internal/handlers/webhook.go b/docker/ss-atlas/internal/handlers/webhook.go
index ca87e2d..c7e664e 100644
--- a/docker/ss-atlas/internal/handlers/webhook.go
+++ b/docker/ss-atlas/internal/handlers/webhook.go
@@ -55,8 +55,18 @@ func (a *App) onCheckoutCompleted(event stripego.Event) {
 
 	log.Printf("webhook: checkout completed email=%s customer=%s", email, customerID)
 
-	if err := a.ldap.EnsureUser(username, email, customerID); err != nil {
-		log.Printf("webhook: ldap ensure user failed: %v", err)
+	result, err := a.ldap.ProvisionUser(username, email, customerID)
+	if err != nil {
+		log.Printf("webhook: ldap provision user failed: %v", err)
+		return
+	}
+
+	if result.IsNew {
+		if err := a.triggerPasswordReset(username); err != nil {
+			log.Printf("webhook: password reset email failed for %s: %v", username, err)
+		} else {
+			log.Printf("webhook: password reset email sent to %s (%s)", username, email)
+		}
 	}
 }