feat(auth): admin user management + impersonation + magic/reset links #2

Open

fadymondy wants to merge 1 commit into main from integ/user-admin-actions

feat(auth): admin user management + impersonation + magic/reset links#2
fadymondy wants to merge 1 commit into
mainfrom
integ/user-admin-actions

Conversation

@fadymondy (Contributor)

Adds an admin route group /api/auth/admin/* to the auth plugin so every togo app that mounts auth gets functional user management out of the box (instead of each app hand-rolling it).

Endpoints (role=admin + double-submit CSRF; bearer exempt):

  • GET/POST /api/auth/admin/users, GET/PATCH/DELETE /api/auth/admin/users/{id} (refuses to delete the last admin → 409)
  • POST .../impersonate{token,identity} via Service.IssueToken
  • POST .../reset-password / POST .../magic-link → signed HMAC links (emailed:false; lifecycle events fire on the kernel bus for a mail/audit plugin)
  • GET /api/auth/magic?token= consumes the link → session

Reuses the plugin's own bcrypt hashing, FindOrCreateByEmail, IssueToken, and HMAC secret — no new framework primitive, no new env var. 5 focused tests (in-memory sqlite). go build/vet/test green.

Pairs with togo-framework/dashboard#(functional-admin) which consumes these endpoints.

Adds an admin route group (/api/auth/admin/*) for user CRUD, impersonation
(reuses Service.IssueToken), and signed reset/magic-login links — guarded by
RequireRole("admin") + double-submit CSRF, reusing the plugin's own bcrypt
hashing and HMAC secret. Mail kept out of scope: links return emailed:false
and lifecycle events fire on the kernel bus for a mail/audit plugin to consume.
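The signed reset/magic links described above, as an added illustration that is not the plugin's code and not part of this PR: LinkSigner, Issue, Verify, Consume, the dotted token layout and the error names are assumptions chosen for the example. It shows the three checks a practitioner would want on such a link before it turns into a session: a constant-time HMAC check, an expiry that lives inside the signed payload, and a purpose field so a password-reset link cannot be replayed against the magic-login endpoint. Consume adds single-use semantics on top of Verify.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Purpose binds a link to one action: a reset link must not be accepted by
// the magic-login endpoint (and vice versa) even though both share a secret.
type Purpose string

const (
	PurposeMagicLogin    Purpose = "magic"
	PurposePasswordReset Purpose = "reset"
)

var (
	ErrMalformed = errors.New("link token: malformed")
	ErrBadSig    = errors.New("link token: bad signature")
	ErrExpired   = errors.New("link token: expired")
	ErrPurpose   = errors.New("link token: wrong purpose")
	ErrUsed      = errors.New("link token: already consumed")
)

// LinkSigner is a hypothetical helper, not the plugin's API. Secret stands in
// for the HMAC secret the auth plugin already holds; Now is injectable so
// expiry can be tested deterministically. used is an in-memory stand-in for
// whatever store a real deployment would persist consumed tokens in.
type LinkSigner struct {
	Secret []byte
	Now    func() time.Time
	used   map[string]struct{}
}

func NewLinkSigner(secret []byte) *LinkSigner {
	return &LinkSigner{Secret: secret, Now: time.Now, used: map[string]struct{}{}}
}

func (s *LinkSigner) mac(payload string) []byte {
	m := hmac.New(sha256.New, s.Secret)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// Issue builds "<purpose>.<userID>.<expiryUnix>.<base64url(HMAC-SHA256)>".
// The expiry sits inside the signed payload, so the bearer cannot extend it.
// userID must not contain the "." separator (assumed numeric or UUID-like).
func (s *LinkSigner) Issue(p Purpose, userID string, ttl time.Duration) (string, error) {
	if userID == "" || strings.Contains(userID, ".") {
		return "", fmt.Errorf("invalid user id %q", userID)
	}
	payload := fmt.Sprintf("%s.%s.%d", p, userID, s.Now().Add(ttl).Unix())
	return payload + "." + base64.RawURLEncoding.EncodeToString(s.mac(payload)), nil
}

// Verify checks the signature first (constant-time via hmac.Equal), then
// expiry, then purpose, and returns the user id the link was issued for.
func (s *LinkSigner) Verify(token string, want Purpose) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 4 {
		return "", ErrMalformed
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[3])
	if err != nil {
		return "", ErrMalformed
	}
	if !hmac.Equal(sig, s.mac(strings.Join(parts[:3], "."))) {
		return "", ErrBadSig
	}
	exp, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil {
		return "", ErrMalformed
	}
	if s.Now().Unix() > exp {
		return "", ErrExpired
	}
	if Purpose(parts[0]) != want {
		return "", ErrPurpose
	}
	return parts[1], nil
}

// Consume is what a "GET /magic?token=" style handler would call: it verifies
// the link and then marks it spent so the same URL cannot log in twice.
func (s *LinkSigner) Consume(token string, want Purpose) (string, error) {
	userID, err := s.Verify(token, want)
	if err != nil {
		return "", err
	}
	if _, seen := s.used[token]; seen {
		return "", ErrUsed
	}
	s.used[token] = struct{}{}
	return userID, nil
}

func main() {
	s := NewLinkSigner([]byte("demo-secret-do-not-use"))
	tok, _ := s.Issue(PurposeMagicLogin, "42", 15*time.Minute)
	id, err := s.Consume(tok, PurposeMagicLogin)
	fmt.Println("first use:", id, err)
	_, err = s.Consume(tok, PurposeMagicLogin)
	fmt.Println("replay:", err)
	_, err = s.Verify(tok, PurposePasswordReset)
	fmt.Println("as reset link:", err)
}
```

The ordering in Verify is deliberate: the signature is checked before any field is parsed or compared, so an attacker learns nothing about expiry or purpose from a forged token, and the expiry and purpose are covered by the MAC rather than read from unauthenticated parts. Consume keeps its used-set in memory only because the example has to run stand-alone; the same check belongs in whatever store the plugin already uses for sessions.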