feat(api): add admin password reset endpoint #51
Merged
Add ability for administrators to reset any user's password using their web session token, without requiring re-authentication.

Backend:
- Add POST /api/v1/users/:uid/reset-password endpoint
- Require web session (reject API keys for security)
- Require admin role
- Validate password length (min 8 chars)
- Log admin actions

Frontend:
- Add ResetPasswordDialog component
- Add canResetPassword permission helper
- Update users page with dropdown menu for actions
- Include reset password and delete user options

Testing:
- Add E2E tests for API and UI functionality
- Test permission enforcement
- Test password validation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add check to prevent admins from using the reset-password endpoint to reset their own password. Admins should use the regular password change endpoint which requires the current password.

This maintains proper audit trail distinction between:
- "admin reset another user's password" (reset-password endpoint)
- "user changed their own password" (password change endpoint)

Tests:
- Add Go integration tests for password reset endpoint
- Add E2E test for self-reset prevention

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Exclude password_reset_test.go from paralleltest linter (tests share DB state)
- Fix canonical header name in ratelimit_test.go (X-Ratelimit-Limit)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add canonicalheader exclusion for ratelimit_test.go since X-RateLimit-Limit is the correct industry-standard header format
- Revert header back to X-RateLimit-Limit (was incorrectly changed)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
- POST /api/v1/users/:uid/reset-password requires web session (rejects API keys) and admin role

Changes

Backend
- handleResetPassword handler in internal/api/auth.go
- internal/api/server.go

Frontend
- ResetPasswordDialog component
- canResetPassword permission helper

Testing
- front/e2e/admin-password-reset.spec.ts

Test plan

🤖 Generated with Claude Code
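The policy the commit messages and summary above describe (web session only, admin role, no self-reset, minimum password length, audit log entry per admin action) can be exercised end to end in plain Go. The block below is an added example written for this page, not the project's own handleResetPassword or its router and session middleware. It assumes a Principal type resolved by some auth middleware (here faked from X-Demo-* request headers purely for the demo), reads "8 chars" as 8 runes, and stores a labelled placeholder instead of a real password hash; the checks and their order are the ones the PR states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"unicode/utf8"
)

// Principal is the caller as an (assumed) auth middleware resolves it; an empty UID
// means unauthenticated and ViaAPIKey marks API-key auth rather than a web session.
type Principal struct {
	UID       string
	IsAdmin   bool
	ViaAPIKey bool
}

// AuditEntry records "admin reset another user's password"; the password is never part of it.
type AuditEntry struct{ Action, AdminUID, TargetUID string }

// Server stands in for the project's API server (single-goroutine demo, so no locking).
type Server struct {
	users     map[string]string // uid -> stored credential (placeholder, not a real hash)
	audit     []AuditEntry
	principal func(*http.Request) Principal
}
const minPasswordLen = 8

// checkResetPolicy applies the PR's checks in order; returns 200 when all pass.
func checkResetPolicy(caller Principal, targetUID, newPassword string) (int, string) {
	switch {
	case caller.UID == "":
		return http.StatusUnauthorized, "unauthenticated"
	case caller.ViaAPIKey:
		return http.StatusForbidden, "web session required"
	case !caller.IsAdmin:
		return http.StatusForbidden, "admin role required"
	case caller.UID == targetUID:
		return http.StatusBadRequest, "use the password change endpoint for your own password"
	case utf8.RuneCountInString(newPassword) < minPasswordLen: // "chars" read as runes (assumption)
		return http.StatusBadRequest, fmt.Sprintf("password must be at least %d characters", minPasswordLen)
	}
	return http.StatusOK, ""
}

// handleResetPassword serves POST /api/v1/users/:uid/reset-password.
func (s *Server) handleResetPassword(w http.ResponseWriter, r *http.Request) {
	targetUID := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/api/v1/users/"), "/reset-password")
	if r.Method != http.MethodPost || targetUID == "" || r.URL.Path != "/api/v1/users/"+targetUID+"/reset-password" {
		http.NotFound(w, r)
		return
	}
	caller := s.principal(r)
	var body struct{ Password string `json:"password"` }
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
		http.Error(w, "invalid JSON body", http.StatusBadRequest)
		return
	}
	if code, msg := checkResetPolicy(caller, targetUID, body.Password); code != http.StatusOK {
		http.Error(w, msg, code)
		return
	}
	if _, exists := s.users[targetUID]; !exists {
		http.NotFound(w, r)
		return
	}
	s.users[targetUID] = "reset-by:" + caller.UID // a real server stores a bcrypt/argon2 hash here
	s.audit = append(s.audit, AuditEntry{Action: "admin_reset_password", AdminUID: caller.UID, TargetUID: targetUID})
	w.WriteHeader(http.StatusNoContent)
}

// newDemoServer builds a server with two constructed users; the principal comes
// from X-Demo-* headers (a test convenience, not the project's session auth).
func newDemoServer() *Server {
	s := &Server{users: map[string]string{"admin-1": "initial", "alice": "initial"}}
	s.principal = func(r *http.Request) Principal {
		return Principal{UID: r.Header.Get("X-Demo-UID"), IsAdmin: r.Header.Get("X-Demo-Admin") == "true",
			ViaAPIKey: r.Header.Get("X-Demo-APIKey") == "true"}
	}
	return s
}

// tryReset sends one reset request as caller and returns the HTTP status code.
func tryReset(s *Server, caller Principal, targetUID, password string) int {
	body, _ := json.Marshal(map[string]string{"password": password})
	req := httptest.NewRequest(http.MethodPost, "/api/v1/users/"+targetUID+"/reset-password", strings.NewReader(string(body)))
	req.Header.Set("X-Demo-UID", caller.UID)
	req.Header.Set("X-Demo-Admin", fmt.Sprint(caller.IsAdmin))
	req.Header.Set("X-Demo-APIKey", fmt.Sprint(caller.ViaAPIKey))
	rec := httptest.NewRecorder()
	s.handleResetPassword(rec, req)
	return rec.Code
}

func main() {
	s := newDemoServer()
	fmt.Println("status:", tryReset(s, Principal{UID: "admin-1", IsAdmin: true}, "alice", "correct horse battery"), "audit:", s.audit)
}
```

The check order matters for the audit-trail point in the second commit: the self-reset case is rejected before the password is ever validated, so an admin changing their own password can only leave a "user changed their own password" record through the regular change endpoint, and the reset audit log stays a list of admin-on-other-user actions only.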