Add init link.

API/ROLAC.API/Services/AuthService.cs

@@ -60,6 +60,22 @@ public class AuthService : IAuthService
             throw new UnauthorizedAccessException("Account is inactive.");
         }
 
+        _audit.Write(
+            AuditActions.Login, AuditCategories.Security, LogLevelEnum.Information,
+            entityName: nameof(AppUser), entityId: user.Id,
+            summary: $"Login succeeded: {user.Email}",
+            userId: user.Id, userEmail: user.Email, ipAddress: ipAddress);
+
+        return await IssueSessionAsync(user, ipAddress, deviceInfo);
+    }
+
+    // -------------------------------------------------------------------------
+    // Issue session (shared by login and passwordless flows like invitations)
+    // -------------------------------------------------------------------------
+
+    public async Task<(LoginResponse Response, string RawRefreshToken)> IssueSessionAsync(
+        AppUser user, string? ipAddress = null, string? deviceInfo = null)
+    {
         var roles       = await _userManager.GetRolesAsync(user);
         var accessToken = _tokenService.GenerateAccessToken(user, roles);
         var rawRefresh  = _tokenService.GenerateRefreshToken();
@@ -79,12 +95,6 @@ public class AuthService : IAuthService
         await _userManager.UpdateAsync(user);
         await _db.SaveChangesAsync();
 
-        _audit.Write(
-            AuditActions.Login, AuditCategories.Security, LogLevelEnum.Information,
-            entityName: nameof(AppUser), entityId: user.Id,
-            summary: $"Login succeeded: {user.Email}",
-            userId: user.Id, userEmail: user.Email, ipAddress: ipAddress);
-
         return (await BuildResponseAsync(accessToken, user, roles), rawRefresh);
     }