feat: user management — admin create, password reset, archive/delete, quick invite

Phase 1: must_change_password enforcement + change password endpoint/page Phase 2: Admin user creation (M365-style) with temp password Phase 3: Password reset (self-service forgot + admin-triggered) Phase 4: User archive (soft delete) + hard delete with precheck Phase 5: Quick invite from admin Users page Also fixes: - Auto-create subscription for accounts missing one - Hard delete precheck ignores sole-member personal accounts - Seed script patches tree nodes for validation compliance Migrations: 031 (must_change_password), 032 (password_reset_tokens), 033 (user soft delete) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 01:42:51 -05:00
parent b8f25f19eb
commit ad59446332
32 changed files with 3064 additions and 38 deletions
--- a/backend/app/api/deps.py
+++ b/backend/app/api/deps.py
@@ -1,6 +1,6 @@
 from typing import Annotated, Optional
 from uuid import UUID
-from fastapi import Depends, HTTPException, status
+from fastapi import Depends, HTTPException, Request, status
 from fastapi.security import OAuth2PasswordBearer
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
@@ -10,6 +10,13 @@ from app.core.security import decode_token
 from app.models.user import User
 from app.models.plan_limits import PlanLimits

+# Routes that are allowed even when must_change_password is True
+_PASSWORD_CHANGE_ALLOWLIST = {
+    "/api/v1/auth/password/change",
+    "/api/v1/auth/logout",
+    "/api/v1/auth/me",
+}
+
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")


@@ -65,16 +72,26 @@ async def get_refresh_token_payload(


 async def get_current_active_user(
+    request: Request,
    current_user: Annotated[User, Depends(get_current_user)],
    db: Annotated[AsyncSession, Depends(get_db)],
 ) -> User:
-    """Ensure user is active (not disabled). Auto-downgrades expired trials."""
+    """Ensure user is active (not disabled). Auto-downgrades expired trials.
+    Enforces must_change_password — blocks all routes except allowlist."""
    if not current_user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Account has been deactivated"
        )

+    # Enforce must_change_password (backend hard lock)
+    if current_user.must_change_password:
+        if request.url.path not in _PASSWORD_CHANGE_ALLOWLIST:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="password_change_required"
+            )
+
    # Lightweight trial expiry check
    if current_user.account_id:
        from app.models.subscription import Subscription