http: regenerate setup link + force-logout

2026-05-05 09:48:13 +01:00
parent 53016aee93
commit 18affc1f16
3 changed files with 127 additions and 0 deletions
@@ -323,3 +323,69 @@ func (s *Server) handleAPIUserEnable(w stdhttp.ResponseWriter, r *stdhttp.Reques
 	})
 	w.WriteHeader(stdhttp.StatusOK)
 }
+
+type regenerateSetupResponse struct {
+	SetupURL string `json:"setup_url"`
+}
+
+func (s *Server) handleAPIUserRegenerateSetup(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	actor, _ := s.requireUser(r)
+	id := chi.URLParam(r, "id")
+	if _, err := s.deps.Store.GetUserByID(r.Context(), id); err != nil {
+		writeJSONError(w, stdhttp.StatusNotFound, "user_not_found", "")
+		return
+	}
+	rawToken, err := generateSetupToken()
+	if err != nil {
+		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", err.Error())
+		return
+	}
+	now := time.Now().UTC()
+	var actorID *string
+	if actor != nil {
+		actorID = &actor.ID
+	}
+	if err := s.deps.Store.SetSetupToken(r.Context(), store.SetupToken{
+		UserID: id, TokenHash: hashSetupToken(rawToken),
+		ExpiresAt: now.Add(time.Hour),
+		CreatedAt: now, CreatedBy: actorID,
+	}); err != nil {
+		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", err.Error())
+		return
+	}
+	if err := s.deps.Store.SetMustChangePassword(r.Context(), id, true); err != nil {
+		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", err.Error())
+		return
+	}
+	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
+		ID: ulid.Make().String(), UserID: actorID, Actor: "user",
+		Action:     "user.setup_token.regenerated",
+		TargetKind: ptr("user"), TargetID: &id, TS: now,
+	})
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	_ = json.NewEncoder(w).Encode(regenerateSetupResponse{
+		SetupURL: s.deps.Cfg.BaseURL + "/setup?token=" + rawToken,
+	})
+}
+
+func (s *Server) handleAPIUserForceLogout(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	actor, _ := s.requireUser(r)
+	id := chi.URLParam(r, "id")
+	n, err := s.deps.Store.DeleteSessionsByUserID(r.Context(), id)
+	if err != nil {
+		writeJSONError(w, stdhttp.StatusInternalServerError, "internal", err.Error())
+		return
+	}
+	var actorID *string
+	if actor != nil {
+		actorID = &actor.ID
+	}
+	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
+		ID: ulid.Make().String(), UserID: actorID, Actor: "user",
+		Action:     "user.force_logout",
+		TargetKind: ptr("user"), TargetID: &id,
+		TS: time.Now().UTC(),
+	})
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	_ = json.NewEncoder(w).Encode(map[string]int64{"sessions_killed": n})
+}