feat(auth): superadmin user-management page + CRUD

/admin/users page and /api/admin/users/* JSON CRUD endpoints, all behind require_role("superadmin"). Temp passwords are returned once on create/reset and never stored in plaintext. Admins get 403; password_hash is never leaked. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-17 19:42:05 +00:00
parent 41ab900c33
commit bff9a4af4a
4 changed files with 297 additions and 0 deletions
@@ -98,6 +98,9 @@ app.middleware("http")(operator_gate)
 from backend.routers import operator_auth_routes
 app.include_router(operator_auth_routes.router)
 from backend.routers import operator_users
 app.include_router(operator_users.router)
 # Override TemplateResponse to include environment and version in context
 original_template_response = templates.TemplateResponse
 def custom_template_response(name, context=None, *args, **kwargs):
@@ -0,0 +1,103 @@
 """Operator account management — superadmin only. Temp passwords are returned in
 the JSON response once (shown to the superadmin to hand off); only hashes persist."""
 from fastapi import APIRouter, Request, Depends, HTTPException
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
 from sqlalchemy.orm import Session
 from backend.database import get_db
 from backend.templates_config import templates
 from backend.models import OperatorUser
 from backend.operator_auth import (
    require_role, create_operator, reset_operator_password,
    set_operator_active, set_operator_role,
 )
 from backend.utils.timezone import format_local_datetime
 router = APIRouter(tags=["operator-users"])
 _superadmin = require_role("superadmin")
 class NewUser(BaseModel):
    email: str
    name: str
    role: str = "admin"
 class RoleChange(BaseModel):
    role: str
 def _serialize(u: OperatorUser) -> dict:
    from datetime import datetime
    return {
        "id": u.id, "email": u.email, "display_name": u.display_name, "role": u.role,
        "active": bool(u.active), "must_change_password": bool(u.must_change_password),
        "locked": bool(u.locked_until and u.locked_until > datetime.utcnow()),
        "last_login_at": format_local_datetime(u.last_login_at, "%Y-%m-%d %H:%M") if u.last_login_at else None,
    }
@router.get("/admin/users")
 async def users_page(request: Request, _=Depends(_superadmin)):
    return templates.TemplateResponse("admin/users.html", {"request": request})
@router.get("/api/admin/users")
 async def list_users(_=Depends(_superadmin), db: Session = Depends(get_db)):
    users = db.query(OperatorUser).order_by(OperatorUser.display_name).all()
    return {"users": [_serialize(u) for u in users]}
@router.post("/api/admin/users")
 async def add_user(body: NewUser, _=Depends(_superadmin), db: Session = Depends(get_db)):
    if body.role not in ("admin", "superadmin"):
        return JSONResponse(status_code=400, content={"detail": "role must be admin or superadmin"})
    try:
        user, raw = create_operator(db, body.email, body.name, body.role)
    except ValueError as e:
        return JSONResponse(status_code=400, content={"detail": str(e)})
    return {"user": _serialize(user), "password": raw}
@router.post("/api/admin/users/{user_id}/reset-password")
 async def reset_user_password(user_id: str, _=Depends(_superadmin), db: Session = Depends(get_db)):
    user = db.query(OperatorUser).filter_by(id=user_id).first()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    raw = reset_operator_password(db, user)
    return {"password": raw}
@router.post("/api/admin/users/{user_id}/disable")
 async def disable_user(user_id: str, acting=Depends(_superadmin), db: Session = Depends(get_db)):
    if acting and acting.id == user_id:
        return JSONResponse(status_code=400, content={"detail": "Cannot disable your own account"})
    user = db.query(OperatorUser).filter_by(id=user_id).first()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    set_operator_active(db, user, False)
    return {"active": False}
@router.post("/api/admin/users/{user_id}/enable")
 async def enable_user(user_id: str, _=Depends(_superadmin), db: Session = Depends(get_db)):
    user = db.query(OperatorUser).filter_by(id=user_id).first()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    set_operator_active(db, user, True)
    return {"active": True}
@router.post("/api/admin/users/{user_id}/role")
 async def change_user_role(user_id: str, body: RoleChange,
                           acting=Depends(_superadmin), db: Session = Depends(get_db)):
    if acting and acting.id == user_id:
        return JSONResponse(status_code=400, content={"detail": "Cannot change your own role"})
    if body.role not in ("admin", "superadmin"):
        return JSONResponse(status_code=400, content={"detail": "role must be admin or superadmin"})
    user = db.query(OperatorUser).filter_by(id=user_id).first()
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    set_operator_role(db, user, body.role)
    return {"role": user.role}
@@ -0,0 +1,71 @@
 {% extends "base.html" %}
 {% block title %}Operator Accounts{% endblock %}
 {% block content %}
 <div class="max-w-4xl mx-auto p-4">
  <div class="flex items-center justify-between mb-4">
    <h1 class="text-2xl font-semibold">Operator Accounts</h1>
    <button id="add-user-btn" class="px-3 py-2 rounded bg-orange-500 hover:bg-orange-600 text-white text-sm">+ Add operator</button>
  </div>
  <div id="temp-pw-banner" class="hidden mb-4 px-3 py-2 rounded bg-emerald-900/60 text-emerald-100 text-sm"></div>
  <table class="w-full text-sm">
    <thead><tr class="text-left border-b border-slate-600">
      <th class="py-2">Name</th><th>Email</th><th>Role</th><th>Status</th><th>Last login</th><th></th>
    </tr></thead>
    <tbody id="user-rows"></tbody>
  </table>
 </div>
 <script>
 const $ = (s) => document.querySelector(s);
 function showTemp(email, pw) {
  const b = $("#temp-pw-banner");
  b.textContent = `Temporary password for ${email}: ${pw} — copy it now, it won't be shown again.`;
  b.classList.remove("hidden");
 }
 async function load() {
  const r = await fetch("/api/admin/users");
  const { users } = await r.json();
  $("#user-rows").innerHTML = users.map(u => `
    <tr class="border-b border-slate-700">
      <td class="py-2">${u.display_name}</td>
      <td>${u.email}</td>
      <td>
        <select data-role="${u.id}" class="bg-slate-700 rounded px-1 py-0.5">
          <option value="admin"${u.role==='admin'?' selected':''}>admin</option>
          <option value="superadmin"${u.role==='superadmin'?' selected':''}>superadmin</option>
        </select>
      </td>
      <td>${u.active ? 'active' : 'disabled'}${u.locked ? ' (locked)' : ''}</td>
      <td>${u.last_login_at || '—'}</td>
      <td class="text-right space-x-2">
        <button data-reset="${u.id}" data-email="${u.email}" class="text-orange-400 hover:underline">Reset pw</button>
        <button data-toggle="${u.id}" data-active="${u.active}" class="text-slate-300 hover:underline">${u.active ? 'Disable' : 'Enable'}</button>
      </td>
    </tr>`).join("");
 }
 document.addEventListener("click", async (e) => {
  if (e.target.dataset.reset) {
    const r = await fetch(`/api/admin/users/${e.target.dataset.reset}/reset-password`, {method:"POST"});
    const d = await r.json(); showTemp(e.target.dataset.email, d.password); load();
  } else if (e.target.dataset.toggle) {
    const action = e.target.dataset.active === "true" ? "disable" : "enable";
    await fetch(`/api/admin/users/${e.target.dataset.toggle}/${action}`, {method:"POST"}); load();
  } else if (e.target.id === "add-user-btn") {
    const email = prompt("Email?"); if (!email) return;
    const name = prompt("Display name?") || email;
    const role = prompt("Role (admin / superadmin)?", "admin") || "admin";
    const r = await fetch("/api/admin/users", {method:"POST", headers:{"Content-Type":"application/json"},
      body: JSON.stringify({email, name, role})});
    if (r.ok) { const d = await r.json(); showTemp(email, d.password); load(); }
    else { alert((await r.json()).detail || "Failed"); }
  }
 });
 document.addEventListener("change", async (e) => {
  if (e.target.dataset.role) {
    await fetch(`/api/admin/users/${e.target.dataset.role}/role`, {method:"POST",
      headers:{"Content-Type":"application/json"}, body: JSON.stringify({role: e.target.value})});
    load();
  }
 });
 load();
 </script>
 {% endblock %}
@@ -0,0 +1,120 @@
 # tests/test_operator_users.py
 import uuid
 from tests.conftest import wire_operator_auth
 from backend.operator_auth import create_operator, make_operator_cookie, COOKIE_NAME
 from backend.models import OperatorUser
 def _login_as(client, user):
    client.cookies.set(COOKIE_NAME, make_operator_cookie(user.id))
 def test_admin_cannot_reach_user_management(client, db_session, monkeypatch):
    admin, _ = create_operator(db_session, "admin@x.com", "Admin", "admin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, admin)
    assert client.get("/admin/users", follow_redirects=False).status_code == 403
 def test_superadmin_sees_user_management(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    assert client.get("/admin/users", follow_redirects=False).status_code == 200
 def test_superadmin_lists_users_json(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    r = client.get("/api/admin/users")
    assert r.status_code == 200
    emails = [u["email"] for u in r.json()["users"]]
    assert "su@x.com" in emails
    assert all("password_hash" not in u for u in r.json()["users"])  # never leak hashes
 def test_create_user_returns_temp_once(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    r = client.post("/api/admin/users",
                    json={"email": "dad@x.com", "name": "Dad", "role": "admin"})
    assert r.status_code == 200
    assert len(r.json()["password"]) >= 12
    made = db_session.query(OperatorUser).filter_by(email="dad@x.com").first()
    assert made.must_change_password is True
 def test_reset_password_returns_temp_once(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    target, _ = create_operator(db_session, "t@x.com", "T", "admin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    r = client.post(f"/api/admin/users/{target.id}/reset-password")
    assert r.status_code == 200 and len(r.json()["password"]) >= 12
    db_session.refresh(target)
    assert target.must_change_password is True
 def test_disable_and_enable(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    target, _ = create_operator(db_session, "t@x.com", "T", "admin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    assert client.post(f"/api/admin/users/{target.id}/disable").status_code == 200
    db_session.refresh(target); assert target.active is False
    assert client.post(f"/api/admin/users/{target.id}/enable").status_code == 200
    db_session.refresh(target); assert target.active is True
 def test_change_role(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    target, _ = create_operator(db_session, "t@x.com", "T", "admin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    r = client.post(f"/api/admin/users/{target.id}/role", json={"role": "superadmin"})
    assert r.status_code == 200
    db_session.refresh(target); assert target.role == "superadmin"
 def test_admin_cannot_reach_json_endpoints(client, db_session, monkeypatch):
    admin, _ = create_operator(db_session, "a@x.com", "A", "admin", password="pw-123456")
    target, _ = create_operator(db_session, "t@x.com", "T", "admin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, admin)
    assert client.get("/api/admin/users").status_code == 403
    assert client.post("/api/admin/users", json={"email": "x@x.com", "name": "X", "role": "admin"}).status_code == 403
    assert client.post(f"/api/admin/users/{target.id}/reset-password").status_code == 403
    assert client.post(f"/api/admin/users/{target.id}/disable").status_code == 403
    assert client.post(f"/api/admin/users/{target.id}/enable").status_code == 403
    assert client.post(f"/api/admin/users/{target.id}/role", json={"role": "superadmin"}).status_code == 403
 def test_cannot_disable_own_account(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    r = client.post(f"/api/admin/users/{su.id}/disable")
    assert r.status_code == 400
    db_session.refresh(su)
    assert su.active is True
 def test_cannot_change_own_role(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    r = client.post(f"/api/admin/users/{su.id}/role", json={"role": "admin"})
    assert r.status_code == 400
    db_session.refresh(su)
    assert su.role == "superadmin"
 def test_deferred_operator_role_rejected_by_api(client, db_session, monkeypatch):
    su, _ = create_operator(db_session, "su@x.com", "Su", "superadmin", password="pw-123456")
    target, _ = create_operator(db_session, "t@x.com", "T", "admin", password="pw-123456")
    wire_operator_auth(monkeypatch, db_session, enabled=True)
    _login_as(client, su)
    assert client.post("/api/admin/users", json={"email": "op@x.com", "name": "Op", "role": "operator"}).status_code == 400
    assert client.post(f"/api/admin/users/{target.id}/role", json={"role": "operator"}).status_code == 400