feat(api): admin-initiated user creation via POST /admin/users (0.43.0)

Pairs with the ALLOW_SELF_REGISTER toggle from 0.42.0: admins can mint accounts regardless of the toggle state, so a closed-membership deployment still has a working enrollment path. The endpoint accepts { username, password, is_admin? } so admins can mint co-admins in one call (avoiding a separate promote + extra audit row for the common "invite a co-admin" flow). Implementation: - POST /api/v1/admin/users guarded by RequireAdmin - Reuses validate_username / validate_password from api::auth (made pub(crate)) so the admin path can never produce an account self- register would reject and vice versa - repo::user::admin_create_user wraps INSERT + admin_audit insert in a single tx — same "audit reflects what committed" semantics as the existing admin_safe_* fns - Audit row: action="create_user", payload={username, is_admin} Frontend: - createAdminUser() in lib/api/admin.ts - /admin/users grows a collapsible "Create user" form above the table (username, password, "Make admin" checkbox). Errors surface inline; the list reloads on success. Backend tests: 7 new, including the headline `create_user_works_even_when_self_register_disabled` that pins the admin-create path is NOT gated by the public toggle.
2026-05-31 14:00:31 +02:00
parent 2f47faa11c
commit 030b27754b
10 changed files with 505 additions and 6 deletions
--- a/frontend/src/lib/api/admin.test.ts
+++ b/frontend/src/lib/api/admin.test.ts
@@ -11,6 +11,7 @@ import {
    listAdminUsers,
    deleteAdminUser,
    setUserAdmin,
+    createAdminUser,
    listAdminMangas,
    listAdminChapters,
    getSystemStats
@@ -126,6 +127,49 @@ describe('admin api client', () => {
        });
    });

+    it('createAdminUser POSTs to /v1/admin/users with body and returns the created user', async () => {
+        const created = { ...userFixture, username: 'invited01' };
+        fetchSpy.mockResolvedValueOnce(ok(created, 201));
+        const got = await createAdminUser({
+            username: 'invited01',
+            password: 'freshpass1234'
+        });
+        expect(got).toEqual(created);
+        const url = fetchSpy.mock.calls[0][0] as string;
+        expect(url).toMatch(/\/v1\/admin\/users$/);
+        const init = fetchSpy.mock.calls[0][1] as RequestInit;
+        expect(init.method).toBe('POST');
+        expect(JSON.parse(init.body as string)).toEqual({
+            username: 'invited01',
+            password: 'freshpass1234'
+        });
+    });
+
+    it('createAdminUser forwards is_admin when provided', async () => {
+        const created = { ...userFixture, username: 'coadmin', is_admin: true };
+        fetchSpy.mockResolvedValueOnce(ok(created, 201));
+        await createAdminUser({
+            username: 'coadmin',
+            password: 'freshpass1234',
+            is_admin: true
+        });
+        const init = fetchSpy.mock.calls[0][1] as RequestInit;
+        expect(JSON.parse(init.body as string)).toEqual({
+            username: 'coadmin',
+            password: 'freshpass1234',
+            is_admin: true
+        });
+    });
+
+    it('createAdminUser surfaces 409 conflict on duplicate username', async () => {
+        fetchSpy.mockResolvedValueOnce(
+            envelope(409, 'conflict', 'username is already taken')
+        );
+        await expect(
+            createAdminUser({ username: 'taken', password: 'freshpass1234' })
+        ).rejects.toMatchObject({ status: 409, code: 'conflict' });
+    });
+
    it('setUserAdmin PATCHes is_admin and returns the updated user', async () => {
        const updated = { ...userFixture, is_admin: true };
        fetchSpy.mockResolvedValueOnce(ok(updated));
--- a/frontend/src/lib/api/admin.ts
+++ b/frontend/src/lib/api/admin.ts
@@ -44,6 +44,23 @@ export async function setUserAdmin(id: string, isAdmin: boolean): Promise<User>
    });
 }

+export type CreateAdminUserInput = {
+    username: string;
+    password: string;
+    is_admin?: boolean;
+};
+
+/** POST /v1/admin/users — admin-initiated account creation. Works
+ *  regardless of the ALLOW_SELF_REGISTER toggle, since the entire
+ *  point is for an admin to enroll someone when self-register is off. */
+export async function createAdminUser(input: CreateAdminUserInput): Promise<User> {
+    return request<User>('/v1/admin/users', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(input)
+    });
+}
+
 // ---- mangas / chapters with sync state -------------------------------------

 export type MangaSyncState = 'in_progress' | 'dropped' | 'synced';