feat: add password reset for default admin/user accounts#1457
jescalada wants to merge 7 commits into finos:main from
Codecov Report ❌ Patch coverage is

Coverage diff (main vs. #1457):

              main    #1457     +/-
Coverage    89.66%   89.88%  +0.21%
Files           68       69      +1
Lines         4869     5011    +142
Branches       888      922     +34
Hits          4366     4504    +138
Misses         485      488      +3
Partials        18       19      +1
dcoric left a comment:
The overall approach is solid. I spotted a few small things worth addressing.
Removing this, as testing is more trouble than it's worth (the app is internal, /change-password only works with local auth and is only used on first login).
@dcoric I've experimented with session regeneration/logging out after resetting the password, but both of these seem to cause trouble due to differences between unit tests vs. E2E vs. production. I made another PR for debugging the failing tests, #1463, but couldn't find a setup that works as intended. I believe there's no real risk of session-based attacks (orgs implementing GitProxy use OIDC/AD instead of local auth, plus password resetting is only used in the initial setup), so I've decided to skip the session refreshing.
It is an extreme edge case. I think we are safe to proceed. If required, we can always return to this in the future in a separate issue.
Fixes #1022.
I opted for the password reset solution instead of relying on the config, since I didn't want to cause any extra confusion for new users (GitProxy administrators) or friction for testing/development which relies on these dummy accounts.
The bulk of the changes are test files and frontend additions/refactoring.
I also added tests to improve coverage for auth routes.
Disclaimer: This PR was created with agentic AI and refactored manually to improve code quality. I validated the password reset flow manually and with Cypress tests. Please keep this in mind during review - there may be some obvious mistakes I missed!
Screenshot: shown automatically when logging in with admin/admin for the first time, and when trying to navigate to other pages. Note that this is only visible when `NODE_ENV` is set to production.