feat: user management — admin create, password reset, archive/delete, quick invite

Phase 1: must_change_password enforcement + change password endpoint/page Phase 2: Admin user creation (M365-style) with temp password Phase 3: Password reset (self-service forgot + admin-triggered) Phase 4: User archive (soft delete) + hard delete with precheck Phase 5: Quick invite from admin Users page Also fixes: - Auto-create subscription for accounts missing one - Hard delete precheck ignores sole-member personal accounts - Seed script patches tree nodes for validation compliance Migrations: 031 (must_change_password), 032 (password_reset_tokens), 033 (user soft delete) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 01:42:51 -05:00
parent b8f25f19eb
commit ad59446332
32 changed files with 3064 additions and 38 deletions
--- a/backend/app/api/endpoints/admin.py
+++ b/backend/app/api/endpoints/admin.py
@@ -1,3 +1,5 @@
+import secrets
+import string
 from datetime import datetime, timezone, timedelta
 from typing import Annotated, Optional
 from uuid import UUID
@@ -8,14 +10,21 @@ from sqlalchemy.orm import selectinload

 from app.core.database import get_db
 from app.core.audit import log_audit
+from app.core.config import settings
+from app.core.security import get_password_hash, generate_temp_password, create_password_reset_token, decode_token, hash_token
+from app.core.email import EmailService
 from app.models.user import User
+from app.models.refresh_token import RefreshToken
+from app.models.password_reset_token import PasswordResetToken
 from app.models.account import Account
 from app.models.subscription import Subscription
 from app.models.session import Session
 from app.models.audit_log import AuditLog
 from app.models.invite_code import InviteCode
+from app.models.account_invite import AccountInvite
+from app.models.tree import Tree
 from app.schemas.user import UserResponse, RoleUpdate, AccountRoleUpdate
-from app.schemas.admin import MoveUserAccount
+from app.schemas.admin import MoveUserAccount, AdminUserCreate, AdminUserCreateResponse, AdminPasswordReset, AdminPasswordResetResponse, HardDeleteCheckResponse
 from app.schemas.subscription import SubscriptionPlanUpdate, ExtendTrialRequest
 from app.schemas.user_detail import (
    UserDetailResponse, AccountSummary, SubscriptionSummary,
@@ -34,11 +43,14 @@ async def list_users(
    limit: int = Query(100, ge=1, le=100),
    is_active: Optional[bool] = Query(None, description="Filter by active status"),
    role: Optional[str] = Query(None, description="Filter by role"),
-    account_id: Optional[UUID] = Query(None, description="Filter by account")
+    account_id: Optional[UUID] = Query(None, description="Filter by account"),
+    include_archived: bool = Query(False, description="Include archived (soft-deleted) users"),
 ):
    """List all users (super admin only)."""
    query = select(User)

+    if not include_archived:
+        query = query.where(User.deleted_at.is_(None))
    if is_active is not None:
        query = query.where(User.is_active == is_active)
    if role:
@@ -53,6 +65,137 @@ async def list_users(
    return users


+def _generate_display_code() -> str:
+    """Generate a random 8-character alphanumeric display code."""
+    chars = string.ascii_uppercase + string.digits
+    return ''.join(secrets.choice(chars) for _ in range(8))
+
+
+@router.post("/users", response_model=AdminUserCreateResponse, status_code=status.HTTP_201_CREATED)
+async def create_user(
+    data: AdminUserCreate,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Create a new user with a temporary password (super admin only).
+
+    Supports two modes:
+    - existing: Join an existing account (resolved by display_code)
+    - personal: Create a new personal account for the user
+    """
+    # Validate mode-specific fields
+    if data.account_mode == "existing":
+        if not data.account_display_code:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="account_display_code is required for existing mode",
+            )
+        if not data.account_role:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="account_role is required for existing mode",
+            )
+
+    # Check email uniqueness
+    result = await db.execute(select(User).where(User.email == data.email))
+    if result.scalar_one_or_none():
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Email already registered",
+        )
+
+    # Generate temp password
+    temp_password = generate_temp_password()
+    password_hash = get_password_hash(temp_password)
+
+    if data.account_mode == "existing":
+        # Resolve account by display code
+        result = await db.execute(
+            select(Account).where(Account.display_code == data.account_display_code)
+        )
+        account = result.scalar_one_or_none()
+        if not account:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="Account not found for the given display code",
+            )
+
+        new_user = User(
+            email=data.email,
+            password_hash=password_hash,
+            name=data.name,
+            role="engineer",
+            account_id=account.id,
+            account_role=data.account_role,
+            must_change_password=True,
+        )
+        db.add(new_user)
+        await db.flush()
+
+    else:
+        # Personal mode: create new account + user as owner
+        new_account = Account(
+            name=f"{data.name}'s Account",
+            display_code=_generate_display_code(),
+        )
+        db.add(new_account)
+        await db.flush()
+
+        new_user = User(
+            email=data.email,
+            password_hash=password_hash,
+            name=data.name,
+            role="engineer",
+            account_id=new_account.id,
+            account_role="owner",
+            must_change_password=True,
+        )
+        db.add(new_user)
+        await db.flush()
+
+        new_account.owner_id = new_user.id
+
+        # Create free subscription for the new account
+        new_subscription = Subscription(
+            account_id=new_account.id,
+            plan="free",
+            status="active",
+        )
+        db.add(new_subscription)
+
+    await log_audit(
+        db, current_user.id, "user.create_admin", "user", new_user.id,
+        {"email": data.email, "account_mode": data.account_mode},
+    )
+    await db.commit()
+    await db.refresh(new_user)
+
+    # Send welcome email (best-effort)
+    email_sent = False
+    if data.send_email:
+        email_sent = await EmailService.send_welcome_email(
+            to_email=data.email,
+            temp_password=temp_password,
+        )
+
+    return AdminUserCreateResponse(
+        user={
+            "id": str(new_user.id),
+            "email": new_user.email,
+            "name": new_user.name,
+            "role": new_user.role,
+            "is_active": new_user.is_active,
+            "is_super_admin": new_user.is_super_admin,
+            "account_id": str(new_user.account_id) if new_user.account_id else None,
+            "account_role": new_user.account_role,
+            "must_change_password": new_user.must_change_password,
+            "created_at": new_user.created_at.isoformat() if new_user.created_at else None,
+        },
+        temporary_password=temp_password,
+        email_sent=email_sent,
+    )
+
+
@router.get("/users/{user_id}", response_model=UserDetailResponse)
 async def get_user(
    user_id: UUID,
@@ -162,6 +305,7 @@ async def get_user(
        is_super_admin=user.is_super_admin,
        is_team_admin=getattr(user, "is_team_admin", False),
        created_at=user.created_at,
+        deleted_at=user.deleted_at,
        account=account_summary, subscription=subscription_summary,
        invite_code_used=invite_code_used,
        recent_sessions=recent_sessions, total_sessions=total_sessions,
@@ -321,7 +465,14 @@ async def _get_user_subscription(user_id: UUID, db: AsyncSession) -> tuple[User,
    )
    subscription = sub_result.scalar_one_or_none()
    if not subscription:
-        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Subscription not found")
+        # Auto-create a free subscription for accounts that predate the subscription system
+        subscription = Subscription(
+            account_id=user.account_id,
+            plan="free",
+            status="active",
+        )
+        db.add(subscription)
+        await db.flush()
    return user, subscription


@@ -372,3 +523,357 @@ async def extend_user_trial(
    await db.commit()
    return {"plan": subscription.plan, "status": subscription.status,
            "current_period_end": subscription.current_period_end}
+
+
+@router.post("/users/{user_id}/password-reset", response_model=AdminPasswordResetResponse)
+async def admin_reset_password(
+    user_id: UUID,
+    data: AdminPasswordReset,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Admin-triggered password reset (super admin only).
+
+    Two modes:
+    - email_link: sends a reset email to the user
+    - temp_password: generates a temp password and returns it once
+    """
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    # Revoke all refresh tokens
+    rt_result = await db.execute(
+        select(RefreshToken).where(
+            RefreshToken.user_id == user.id,
+            RefreshToken.revoked_at.is_(None)
+        )
+    )
+    for rt in rt_result.scalars().all():
+        rt.revoked_at = datetime.now(timezone.utc)
+
+    user.must_change_password = True
+
+    if data.mode == "email_link":
+        # Create reset token and send email
+        raw_token = create_password_reset_token(str(user.id))
+        payload = decode_token(raw_token)
+        if payload and payload.get("jti"):
+            token_record = PasswordResetToken(
+                token_hash=hash_token(payload["jti"]),
+                user_id=user.id,
+                expires_at=datetime.fromtimestamp(payload["exp"], tz=timezone.utc),
+                created_by_admin_id=current_user.id,
+            )
+            db.add(token_record)
+
+        await log_audit(db, current_user.id, "user.password_reset.admin_email", "user", user.id)
+        await db.commit()
+
+        email_sent = False
+        if settings.FRONTEND_URL:
+            reset_url = f"{settings.FRONTEND_URL}/reset-password?token={raw_token}"
+            email_sent = await EmailService.send_password_reset_email(
+                to_email=user.email, reset_url=reset_url,
+            )
+
+        return AdminPasswordResetResponse(
+            message="Password reset email sent" if email_sent else "Reset token created (email not configured)",
+            email_sent=email_sent,
+        )
+
+    else:  # temp_password
+        temp_pw = generate_temp_password()
+        user.password_hash = get_password_hash(temp_pw)
+
+        await log_audit(db, current_user.id, "user.password_reset.admin_temp", "user", user.id)
+        await db.commit()
+
+        return AdminPasswordResetResponse(
+            message="Temporary password generated",
+            temporary_password=temp_pw,
+            email_sent=False,
+        )
+
+
+@router.put("/users/{user_id}/archive", response_model=UserResponse)
+async def archive_user(
+    user_id: UUID,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Archive (soft delete) a user (super admin only)."""
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    if user.id == current_user.id:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Cannot archive yourself")
+
+    if user.deleted_at:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="User is already archived")
+
+    user.deleted_at = datetime.now(timezone.utc)
+    user.deleted_by = current_user.id
+    user.is_active = False
+
+    # Revoke all refresh tokens
+    rt_result = await db.execute(
+        select(RefreshToken).where(RefreshToken.user_id == user.id, RefreshToken.revoked_at.is_(None))
+    )
+    for rt in rt_result.scalars().all():
+        rt.revoked_at = datetime.now(timezone.utc)
+
+    await log_audit(db, current_user.id, "user.archive", "user", user.id)
+    await db.commit()
+    await db.refresh(user)
+    return user
+
+
+@router.put("/users/{user_id}/restore", response_model=UserResponse)
+async def restore_user(
+    user_id: UUID,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Restore an archived user (super admin only)."""
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    if not user.deleted_at:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="User is not archived")
+
+    user.deleted_at = None
+    user.deleted_by = None
+    user.is_active = True
+
+    await log_audit(db, current_user.id, "user.restore", "user", user.id)
+    await db.commit()
+    await db.refresh(user)
+    return user
+
+
+@router.get("/users/{user_id}/hard-delete-check", response_model=HardDeleteCheckResponse)
+async def hard_delete_check(
+    user_id: UUID,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Check if a user can be hard-deleted (super admin only). Returns blockers."""
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    blockers: dict = {}
+
+    # Check if user owns any accounts with OTHER members (true blocker).
+    # Sole-member accounts (e.g. personal accounts) are cleaned up during delete.
+    owned_account_ids_result = await db.execute(
+        select(Account.id).where(Account.owner_id == user_id)
+    )
+    owned_account_ids = [row[0] for row in owned_account_ids_result.all()]
+    shared_accounts = 0
+    for acc_id in owned_account_ids:
+        other_members = (await db.execute(
+            select(func.count()).select_from(User).where(
+                User.account_id == acc_id, User.id != user_id
+            )
+        )).scalar() or 0
+        if other_members > 0:
+            shared_accounts += 1
+    if shared_accounts > 0:
+        blockers["owned_accounts_with_other_members"] = shared_accounts
+
+    # Check authored trees
+    authored_trees = (await db.execute(
+        select(func.count()).select_from(Tree).where(Tree.author_id == user_id)
+    )).scalar() or 0
+    if authored_trees > 0:
+        blockers["authored_trees"] = authored_trees
+
+    # Check sessions
+    sessions_count = (await db.execute(
+        select(func.count()).select_from(Session).where(Session.user_id == user_id)
+    )).scalar() or 0
+    if sessions_count > 0:
+        blockers["sessions"] = sessions_count
+
+    # Check audit logs
+    audit_count = (await db.execute(
+        select(func.count()).select_from(AuditLog).where(AuditLog.user_id == user_id)
+    )).scalar() or 0
+    if audit_count > 0:
+        blockers["audit_logs"] = audit_count
+
+    # Check invite codes created
+    invites_created = (await db.execute(
+        select(func.count()).select_from(InviteCode).where(InviteCode.created_by_id == user_id)
+    )).scalar() or 0
+    if invites_created > 0:
+        blockers["invite_codes_created"] = invites_created
+
+    # Check account invites
+    account_invites = (await db.execute(
+        select(func.count()).select_from(AccountInvite).where(AccountInvite.invited_by_id == user_id)
+    )).scalar() or 0
+    if account_invites > 0:
+        blockers["account_invites_created"] = account_invites
+
+    return HardDeleteCheckResponse(
+        can_delete=len(blockers) == 0,
+        blockers=blockers,
+    )
+
+
+@router.delete("/users/{user_id}/hard-delete", status_code=status.HTTP_204_NO_CONTENT)
+async def hard_delete_user(
+    user_id: UUID,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Permanently delete a user (super admin only). User must be archived first."""
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    if user.id == current_user.id:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Cannot delete yourself")
+
+    if user.is_super_admin:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Cannot hard-delete a super admin")
+
+    if not user.deleted_at:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="User must be archived before hard-deleting"
+        )
+
+    # Run precheck
+    precheck = await hard_delete_check(user_id, db, current_user)
+    if not precheck.can_delete:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Cannot delete: user has dependencies ({', '.join(precheck.blockers.keys())})"
+        )
+
+    # Audit BEFORE delete
+    await log_audit(db, current_user.id, "user.hard_delete", "user", user.id,
+                    {"email": user.email, "name": user.name})
+
+    from sqlalchemy import delete as sa_delete
+
+    # Delete technical artifacts
+    await db.execute(sa_delete(RefreshToken).where(RefreshToken.user_id == user_id))
+    await db.execute(sa_delete(PasswordResetToken).where(PasswordResetToken.user_id == user_id))
+
+    # Clean up sole-member owned accounts (personal accounts)
+    owned_accounts_result = await db.execute(
+        select(Account).where(Account.owner_id == user_id)
+    )
+    for account in owned_accounts_result.scalars().all():
+        # Null out owner_id first (RESTRICT FK)
+        account.owner_id = None
+        await db.flush()
+        # Delete subscription if exists
+        await db.execute(sa_delete(Subscription).where(Subscription.account_id == account.id))
+        # Delete the account
+        await db.delete(account)
+
+    # Delete the user
+    await db.delete(user)
+    await db.commit()
+
+
+@router.post("/invites", status_code=status.HTTP_201_CREATED)
+async def admin_create_invite(
+    data: dict,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)],
+):
+    """Quick-invite a user to an account (super admin only).
+
+    Body: {email, account_display_code, role}
+    Creates an AccountInvite and sends the invite email.
+    """
+    email = data.get("email")
+    account_display_code = data.get("account_display_code")
+    role = data.get("role", "engineer")
+
+    if not email or not account_display_code:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="email and account_display_code are required",
+        )
+
+    if role not in ("engineer", "viewer"):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="role must be 'engineer' or 'viewer'",
+        )
+
+    # Resolve account
+    result = await db.execute(
+        select(Account).where(Account.display_code == account_display_code)
+    )
+    account = result.scalar_one_or_none()
+    if not account:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Account with display code '{account_display_code}' not found",
+        )
+
+    # Check if email already has a pending invite to this account
+    existing = await db.execute(
+        select(AccountInvite).where(
+            AccountInvite.account_id == account.id,
+            AccountInvite.email == email,
+            AccountInvite.accepted_by_id.is_(None),
+        )
+    )
+    if existing.scalar_one_or_none():
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail="A pending invite already exists for this email and account",
+        )
+
+    # Generate invite code
+    code = secrets.token_urlsafe(16)
+
+    invite = AccountInvite(
+        account_id=account.id,
+        invited_by_id=current_user.id,
+        email=email,
+        code=code,
+        role=role,
+        expires_at=datetime.now(timezone.utc) + timedelta(days=7),
+    )
+    db.add(invite)
+
+    await log_audit(
+        db, current_user.id, "user.invite_admin", "account_invite", invite.id,
+        {"email": email, "account_id": str(account.id), "role": role},
+    )
+    await db.commit()
+
+    # Send email (best-effort)
+    email_sent = await EmailService.send_account_invite_email(
+        to_email=email,
+        code=code,
+        account_name=account.name or account_display_code,
+        role=role,
+    )
+
+    return {
+        "id": str(invite.id),
+        "email": email,
+        "code": code,
+        "role": role,
+        "account_display_code": account_display_code,
+        "email_sent": email_sent,
+    }