mirror/fosrl.pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2025-08-29 22:19:31 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

- Add API endpoint POST /admin/user/{userId}/password for server admins

Browse source 
- Create AdminPasswordReset component with email/manual link options
- Integrate password reset into admin user detail pages
- Add translation keys for internationalization (EN-US-ONLY)
- Support both email sending and manual link generation"
This commit is contained in:
Adrian Astles 2025-07-25 20:34:24 +08:00
parent 5c929badeb
commit d664eb2a8d
6 changed files with 487 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
messages/en-US.json
View file

@ -1247,6 +1247,14 @@
"adminEnabled2FaOnYourAccount": "Your administrator has enabled two-factor authentication for {email}. Please complete the setup process to continue.", "adminEnabled2FaOnYourAccount": "Your administrator has enabled two-factor authentication for {email}. Please complete the setup process to continue.",
"continueToApplication": "Continue to Application", "continueToApplication": "Continue to Application",
"securityKeyAdd": "Add Security Key", "securityKeyAdd": "Add Security Key",
"passwordResetAdminInstructions": "Clicking the button below will send a password reset email to the user. They will be able to set a new password using the link provided.",
"passwordResetError": "Failed to reset password",
"passwordResetErrorDescription": "An error occurred while resetting the user's password",
"passwordResetSending": "Sending...",
"passwordResetSendEmail": "Send Reset Email",
"sendEmailNotification": "Send email notification",
"linkCopied": "Link copied",
"linkCopiedDescription": "The reset link has been copied to your clipboard",
"securityKeyRegisterTitle": "Register New Security Key", "securityKeyRegisterTitle": "Register New Security Key",
"securityKeyRegisterDescription": "Connect your security key and enter a name to identify it", "securityKeyRegisterDescription": "Connect your security key and enter a name to identify it",
"securityKeyTwoFactorRequired": "Two-Factor Authentication Required", "securityKeyTwoFactorRequired": "Two-Factor Authentication Required",

5
server/routers/external.ts
View file

@ -540,6 +540,11 @@ authenticated.delete(
verifyUserIsServerAdmin, verifyUserIsServerAdmin,
user.adminRemoveUser user.adminRemoveUser
); );
authenticated.post(
"/admin/user/:userId/password",
verifyUserIsServerAdmin,
user.adminResetUserPassword
);
authenticated.put( authenticated.put(
"/org/:orgId/user", "/org/:orgId/user",

212
server/routers/user/adminResetUserPassword.ts Normal file
View file

@ -0,0 +1,212 @@
import { NextFunction, Request, Response } from "express";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import createHttpError from "http-errors";
import { db } from "@server/db";
import { passwordResetTokens, users } from "@server/db";
import { eq } from "drizzle-orm";
import { alphabet, generateRandomString } from "oslo/crypto";
import { createDate, TimeSpan } from "oslo";
import { hashPassword } from "@server/auth/password";
import { sendEmail } from "@server/emails";
import ResetPasswordCode from "@server/emails/templates/ResetPasswordCode";
import config from "@server/lib/config";
import logger from "@server/logger";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import { OpenAPITags, registry } from "@server/openApi";
import { UserType } from "@server/types/UserTypes";
const adminResetUserPasswordParamsSchema = z
.object({
userId: z.string()
})
.strict();
const adminResetUserPasswordBodySchema = z
.object({
sendEmail: z.boolean().optional().default(true),
expirationHours: z.number().int().positive().optional().default(24)
})
.strict();
export type AdminResetUserPasswordBody = z.infer<typeof adminResetUserPasswordBodySchema>;
export type AdminResetUserPasswordResponse = {
resetLink?: string;
emailSent: boolean;
};
registry.registerPath({
method: "post",
path: "/admin/user/{userId}/password",
description: "Generate a password reset link for a user (server admin only).",
tags: [OpenAPITags.User],
request: {
params: adminResetUserPasswordParamsSchema,
body: {
content: {
"application/json": {
schema: adminResetUserPasswordBodySchema
}
}
}
},
responses: {}
});
export async function adminResetUserPassword(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
const parsedParams = adminResetUserPasswordParamsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const parsedBody = adminResetUserPasswordBodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { userId } = parsedParams.data;
const { sendEmail: shouldSendEmail, expirationHours } = parsedBody.data;
try {
// Get the target user
const targetUser = await db
.select()
.from(users)
.where(eq(users.userId, userId));
if (!targetUser || !targetUser.length) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
"User not found"
)
);
}
const user = targetUser[0];
// Only allow resetting passwords for internal users
if (user.type !== UserType.Internal) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Password reset is only available for internal users"
)
);
}
if (!user.email) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"User does not have an email address"
)
);
}
// Generate reset token
const token = generateRandomString(16, alphabet("0-9", "A-Z", "a-z"));
const tokenHash = await hashPassword(token);
// Store reset token in database
await db.transaction(async (trx) => {
// Delete any existing reset tokens for this user
await trx
.delete(passwordResetTokens)
.where(eq(passwordResetTokens.userId, userId));
// Insert new reset token
await trx.insert(passwordResetTokens).values({
userId: userId,
email: user.email!,
tokenHash,
expiresAt: createDate(new TimeSpan(expirationHours, "h")).getTime()
});
});
const resetUrl = `${config.getRawConfig().app.dashboard_url}/auth/reset-password?email=${encodeURIComponent(user.email!)}&token=${token}`;
let emailSent = false;
// Get the admin identifier (either user ID or API key ID)
const adminId = req.user?.userId || req.apiKey?.apiKeyId || 'unknown';
// Send email if requested
if (shouldSendEmail) {
// Check if email is configured
if (!config.getRawConfig().email) {
logger.info(
`Server admin ${adminId} generated password reset link for user ${userId}. Email not configured, no email sent. Token expires in ${expirationHours} hours.`
);
emailSent = false;
} else {
try {
await sendEmail(
ResetPasswordCode({
email: user.email!,
code: token,
link: resetUrl
}),
{
from: config.getNoReplyEmail(),
to: user.email!,
subject: "Password Reset - Initiated by Server Administrator"
}
);
emailSent = true;
logger.info(
`Server admin ${adminId} initiated password reset for user ${userId}. Email sent to ${user.email}. Token expires in ${expirationHours} hours.`
);
} catch (e) {
logger.error("Failed to send server admin-initiated password reset email", e);
// Don't fail the request if email fails, just log it
emailSent = false;
}
}
} else {
logger.info(
`Server admin ${adminId} generated password reset link for user ${userId}. No email sent. Token expires in ${expirationHours} hours.`
);
}
return response<AdminResetUserPasswordResponse>(res, {
data: {
resetLink: resetUrl,
emailSent
},
success: true,
error: false,
message: emailSent
? `Password reset email sent to ${user.email}`
: "Password reset link generated successfully",
status: HttpCode.OK
});
} catch (e) {
logger.error("Failed to generate server admin password reset", e);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to generate password reset"
)
);
}
}

1
server/routers/user/index.ts
View file

@ -13,3 +13,4 @@ export * from "./removeInvitation";
export * from "./createOrgUser"; export * from "./createOrgUser";
export * from "./adminUpdateUser2FA"; export * from "./adminUpdateUser2FA";
export * from "./adminGetUser"; export * from "./adminGetUser";
export * from "./adminResetUserPassword";

29
src/app/admin/users/[userId]/general/page.tsx
View file

@ -19,6 +19,7 @@ import {
SettingsSectionForm SettingsSectionForm
} from "@app/components/Settings"; } from "@app/components/Settings";
import { UserType } from "@server/types/UserTypes"; import { UserType } from "@server/types/UserTypes";
import AdminPasswordReset from "@app/components/AdminPasswordReset";
export default function GeneralPage() { export default function GeneralPage() {
const { userId } = useParams(); const { userId } = useParams();
@ -29,6 +30,8 @@ export default function GeneralPage() {
const [loading, setLoading] = useState(false); const [loading, setLoading] = useState(false);
const [twoFactorEnabled, setTwoFactorEnabled] = useState(false); const [twoFactorEnabled, setTwoFactorEnabled] = useState(false);
const [userType, setUserType] = useState<UserType | null>(null); const [userType, setUserType] = useState<UserType | null>(null);
const [userEmail, setUserEmail] = useState<string>("");
const [userName, setUserName] = useState<string>("");
useEffect(() => { useEffect(() => {
// Fetch current user 2FA status // Fetch current user 2FA status
@ -43,6 +46,8 @@ export default function GeneralPage() {
userData.twoFactorSetupRequested userData.twoFactorSetupRequested
); );
setUserType(userData.type); setUserType(userData.type);
setUserEmail(userData.email || "");
setUserName(userData.name || userData.username || "");
} }
} catch (error) { } catch (error) {
console.error("Failed to fetch user data:", error); console.error("Failed to fetch user data:", error);
@ -117,6 +122,30 @@ export default function GeneralPage() {
</SettingsSectionForm> </SettingsSectionForm>
</SettingsSectionBody> </SettingsSectionBody>
</SettingsSection> </SettingsSection>
<SettingsSection>
<SettingsSectionHeader>
<SettingsSectionTitle>
{t("passwordReset")}
</SettingsSectionTitle>
<SettingsSectionDescription>
{t("passwordResetAdminInstructions")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<SettingsSectionBody>
<SettingsSectionForm>
<div className="space-y-6">
<AdminPasswordReset
userId={userId as string}
userEmail={userEmail}
userName={userName}
userType={userType || ""}
/>
</div>
</SettingsSectionForm>
</SettingsSectionBody>
</SettingsSection>
</SettingsContainer> </SettingsContainer>
<div className="flex justify-end mt-6"> <div className="flex justify-end mt-6">

232
src/components/AdminPasswordReset.tsx Normal file
View file

@ -0,0 +1,232 @@
"use client";
import { useState } from "react";
import { Button } from "@app/components/ui/button";
import {
Dialog,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
DialogTrigger,
} from "@app/components/ui/dialog";
import { Input } from "@app/components/ui/input";
import { Checkbox } from "@app/components/ui/checkbox";
import { Label } from "@app/components/ui/label";
import { toast } from "@app/hooks/useToast";
import { formatAxiosError } from "@app/lib/api";
import { createApiClient } from "@app/lib/api";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { useTranslations } from "next-intl";
import { Key, Mail, Copy, Link } from "lucide-react";
import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
type AdminPasswordResetProps = {
userId: string;
userEmail: string;
userName: string;
userType: string;
};
export default function AdminPasswordReset({
userId,
userEmail,
userName,
userType,
}: AdminPasswordResetProps) {
const api = createApiClient(useEnvContext());
const { env } = useEnvContext();
const t = useTranslations();
const [open, setOpen] = useState(false);
const [passwordLoading, setPasswordLoading] = useState(false);
const [sendEmail, setSendEmail] = useState(env.email.emailEnabled);
const [resetLink, setResetLink] = useState<string | undefined>();
const isExternalUser = userType !== "internal";
// Don't render the button for external users
if (isExternalUser) {
return null;
}
const handleResetPassword = async () => {
setPasswordLoading(true);
try {
const response = await api.post(`/admin/user/${userId}/password`, {
sendEmail,
expirationHours: 24
});
const data = response.data.data;
if (data.resetLink) {
setResetLink(data.resetLink);
}
toast({
title: t('passwordResetSuccess'),
description: data.emailSent
? `Password reset email sent to ${userEmail}`
: data.message,
});
if (env.email.emailEnabled && sendEmail && data.emailSent) {
setOpen(false);
}
} catch (error) {
toast({
variant: "destructive",
title: t('passwordResetError'),
description: formatAxiosError(error, t('passwordResetErrorDescription')),
});
} finally {
setPasswordLoading(false);
}
};
const copyToClipboard = async (text: string) => {
try {
await navigator.clipboard.writeText(text);
toast({
title: t('linkCopied'),
description: t('linkCopiedDescription'),
});
} catch (e) {
toast({
variant: "destructive",
title: "Copy failed",
description: "Failed to copy to clipboard. Please copy manually.",
});
}
};
const handleClose = () => {
setOpen(false);
setResetLink(undefined);
setSendEmail(true);
};
return (
<>
<Dialog open={open} onOpenChange={setOpen}>
<DialogTrigger asChild>
<Button variant="outline" size="sm">
<Key className="h-4 w-4 mr-2" />
{t('passwordReset')}
</Button>
</DialogTrigger>
<DialogContent className="sm:max-w-[600px]">
<DialogHeader>
<DialogTitle className="flex items-center gap-2">
<Key className="h-4 w-4" />
{t('passwordReset')}
</DialogTitle>
<DialogDescription>
Reset password for <strong>{userName || userEmail}</strong>
</DialogDescription>
</DialogHeader>
<div className="space-y-4 mt-4">
{!env.email.emailEnabled && (
<Alert variant="neutral">
<AlertTitle className="font-semibold">
{t('otpEmailSmtpRequired')}
</AlertTitle>
<AlertDescription>
Email is not configured. A reset link will be generated for you to share manually.
</AlertDescription>
</Alert>
)}
{env.email.emailEnabled && (
<div className="space-y-3 p-4 bg-blue-50 border border-blue-200 rounded-lg">
<div className="flex items-center gap-2">
<Mail className="h-5 w-5 text-blue-600" />
<h4 className="font-medium text-blue-900">Email Notification</h4>
</div>
<p className="text-sm text-blue-700">
Send a password reset email to the user with a secure reset link.
</p>
<div className="flex items-center space-x-2">
<Checkbox
id="sendEmail"
checked={sendEmail}
onCheckedChange={(checked) => setSendEmail(checked as boolean)}
/>
<Label htmlFor="sendEmail" className="text-sm font-medium text-blue-900">
{t('sendEmailNotification')}
</Label>
</div>
</div>
)}
{resetLink && (!sendEmail || !env.email.emailEnabled) && (
<Alert className="border-green-200 bg-green-50">
<Link className="h-4 w-4 text-green-600" />
<AlertTitle className="text-green-800">Reset Link Generated</AlertTitle>
<AlertDescription className="text-green-700">
<div className="mt-2 space-y-2">
<p className="text-sm">Share this link with the user:</p>
<div className="flex items-center gap-2 p-2 bg-white border rounded border-green-200">
<Input
value={resetLink}
readOnly
className="text-xs"
/>
<Button
variant="outline"
size="sm"
onClick={() => copyToClipboard(resetLink)}
className="shrink-0"
>
<Copy className="h-3 w-3" />
</Button>
</div>
<p className="text-xs text-green-600">
This link expires in 24 hours.
</p>
</div>
</AlertDescription>
</Alert>
)}
</div>
<DialogFooter>
<Button variant="outline" onClick={handleClose}>
{resetLink ? 'Close' : t('cancel')}
</Button>
{!resetLink && (
<Button
onClick={handleResetPassword}
disabled={passwordLoading}
className="flex items-center gap-2"
>
{passwordLoading ? (
<>
<Key className="h-4 w-4 animate-spin" />
{t('passwordResetSending')}
</>
) : (
<>
{env.email.emailEnabled && sendEmail ? (
<Mail className="h-4 w-4" />
) : (
<Link className="h-4 w-4" />
)}
{env.email.emailEnabled && sendEmail
? t('passwordResetSendEmail')
: "Generate Reset Link"
}
</>
)}
</Button>
)}
</DialogFooter>
</DialogContent>
</Dialog>
</>
);
}