Update settings/admin UI and misc fixes

app/routes/auth.py

@@ -7,7 +7,7 @@ from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer
 
 from ..extensions import db
 from ..email_utils import send_email
-from ..models import User
+from ..models import AppSettings, User
 from ..auth_tokens import load_password_reset_user_id, make_password_reset_token
 
 bp = Blueprint("auth", __name__, url_prefix="/auth")
@@ -48,7 +48,18 @@ def forgot_password_post():
     user = User.query.filter_by(email=email).first()
     if user:
         token = _make_reset_token(user)
-        reset_url = url_for("auth.reset_password", token=token, _external=True)
+
+        # By default Flask uses the request host when building _external URLs.
+        # For deployments behind proxies or where the public host differs, allow
+        # admins to configure a public domain used in email links.
+        settings = db.session.get(AppSettings, 1)
+        if settings and settings.public_domain:
+            # Flask's url_for doesn't support overriding the host per-call.
+            # We generate the relative path and prefix it with the configured domain.
+            path = url_for("auth.reset_password", token=token, _external=False)
+            reset_url = f"https://{settings.public_domain}{path}"
+        else:
+            reset_url = url_for("auth.reset_password", token=token, _external=True)
         body = (
             "Someone requested a password reset for your account.\n\n"
             f"Reset your password using this link (valid for 30 minutes):\n{reset_url}\n\n"