Kyle Pope
bcfebbc9ae
- Migration 062: adds users.passwordless_enabled and system_config.allow_passwordless (both default false)
- User model: passwordless_enabled field after must_change_password
- SystemConfig model: allow_passwordless field after enforce_mfa_new_users
- auth.py login(): block passwordless-enabled accounts from password login path (403) with audit log
- auth.py auth_status(): change has_passkeys query to full COUNT, add passkey_count + passwordless_enabled to response
- auth.py get_current_user(): add /api/auth/passkeys/login/begin and /login/complete to lock_exempt set
- passkeys.py: add PasswordlessEnableRequest + PasswordlessDisableRequest schemas
- passkeys.py: PUT /passwordless/enable — verify password, check system config, require >= 2 passkeys, set flag
- passkeys.py: POST /passwordless/disable/begin — generate user-bound challenge for passkey auth ceremony
- passkeys.py: PUT /passwordless/disable — verify passkey auth response, clear flag, update sign count
- passkeys.py: PasskeyLoginCompleteRequest.unlock field — passkey re-auth into locked session without new session
- passkeys.py: delete guard — 409 if passwordless user attempts to drop below 2 passkeys
- schemas/admin.py: add passwordless_enabled to UserListItem + UserDetailResponse; add allow_passwordless to SystemConfigResponse + SystemConfigUpdate; add TogglePasswordlessRequest
- admin.py: PUT /users/{user_id}/passwordless — admin-only disable (enabled=False only), revokes all sessions, audit log
- admin.py: update_system_config handles allow_passwordless field
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
189 lines
5.3 KiB
Python
189 lines
5.3 KiB
Python
"""
|
|
Admin API schemas — Pydantic v2.
|
|
|
|
All admin-facing request/response shapes live here to keep the admin router
|
|
clean and testable in isolation.
|
|
"""
|
|
import re
|
|
from datetime import date, datetime
|
|
from typing import Optional, Literal
|
|
|
|
from pydantic import BaseModel, ConfigDict, Field, field_validator
|
|
|
|
from app.schemas.auth import _validate_username, _validate_password_strength, _validate_email_format, _validate_name_field
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# User list / detail
|
|
# ---------------------------------------------------------------------------
|
|
|
|
class UserListItem(BaseModel):
|
|
id: int
|
|
username: str
|
|
umbral_name: str = ""
|
|
email: Optional[str] = None
|
|
first_name: Optional[str] = None
|
|
last_name: Optional[str] = None
|
|
role: str
|
|
is_active: bool
|
|
last_login_at: Optional[datetime] = None
|
|
last_password_change_at: Optional[datetime] = None
|
|
totp_enabled: bool
|
|
mfa_enforce_pending: bool
|
|
passwordless_enabled: bool = False
|
|
created_at: datetime
|
|
active_sessions: int = 0
|
|
|
|
model_config = ConfigDict(from_attributes=True)
|
|
|
|
|
|
class UserListResponse(BaseModel):
|
|
users: list[UserListItem]
|
|
total: int
|
|
|
|
|
|
class UserDetailResponse(UserListItem):
|
|
preferred_name: Optional[str] = None
|
|
date_of_birth: Optional[date] = None
|
|
must_change_password: bool = False
|
|
locked_until: Optional[datetime] = None
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Mutating user requests
|
|
# ---------------------------------------------------------------------------
|
|
|
|
class CreateUserRequest(BaseModel):
|
|
"""Admin-created user — allows role selection (unlike public RegisterRequest)."""
|
|
model_config = ConfigDict(extra="forbid")
|
|
|
|
username: str
|
|
password: str
|
|
role: Literal["admin", "standard", "public_event_manager"] = "standard"
|
|
email: Optional[str] = Field(None, max_length=254)
|
|
first_name: Optional[str] = Field(None, max_length=100)
|
|
last_name: Optional[str] = Field(None, max_length=100)
|
|
preferred_name: Optional[str] = Field(None, max_length=100)
|
|
|
|
@field_validator("username")
|
|
@classmethod
|
|
def validate_username(cls, v: str) -> str:
|
|
return _validate_username(v)
|
|
|
|
@field_validator("password")
|
|
@classmethod
|
|
def validate_password(cls, v: str) -> str:
|
|
return _validate_password_strength(v)
|
|
|
|
@field_validator("email")
|
|
@classmethod
|
|
def validate_email(cls, v: str | None) -> str | None:
|
|
return _validate_email_format(v)
|
|
|
|
@field_validator("first_name", "last_name", "preferred_name")
|
|
@classmethod
|
|
def validate_name_fields(cls, v: str | None) -> str | None:
|
|
return _validate_name_field(v)
|
|
|
|
|
|
class UpdateUserRoleRequest(BaseModel):
|
|
model_config = ConfigDict(extra="forbid")
|
|
role: Literal["admin", "standard", "public_event_manager"]
|
|
|
|
|
|
class ToggleActiveRequest(BaseModel):
|
|
model_config = ConfigDict(extra="forbid")
|
|
is_active: bool
|
|
|
|
|
|
class ToggleMfaEnforceRequest(BaseModel):
|
|
model_config = ConfigDict(extra="forbid")
|
|
enforce: bool
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# System config
|
|
# ---------------------------------------------------------------------------
|
|
|
|
class SystemConfigResponse(BaseModel):
|
|
allow_registration: bool
|
|
enforce_mfa_new_users: bool
|
|
allow_passwordless: bool = False
|
|
|
|
model_config = ConfigDict(from_attributes=True)
|
|
|
|
|
|
class SystemConfigUpdate(BaseModel):
|
|
model_config = ConfigDict(extra="forbid")
|
|
allow_registration: Optional[bool] = None
|
|
enforce_mfa_new_users: Optional[bool] = None
|
|
allow_passwordless: Optional[bool] = None
|
|
|
|
|
|
class TogglePasswordlessRequest(BaseModel):
|
|
model_config = ConfigDict(extra="forbid")
|
|
enabled: bool
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Admin dashboard
|
|
# ---------------------------------------------------------------------------
|
|
|
|
class RecentLoginItem(BaseModel):
|
|
username: str
|
|
last_login_at: Optional[datetime] = None
|
|
|
|
model_config = ConfigDict(from_attributes=True)
|
|
|
|
|
|
class RecentAuditItem(BaseModel):
|
|
action: str
|
|
actor_username: Optional[str] = None
|
|
target_username: Optional[str] = None
|
|
created_at: datetime
|
|
|
|
model_config = ConfigDict(from_attributes=True)
|
|
|
|
|
|
class AdminDashboardResponse(BaseModel):
|
|
total_users: int
|
|
active_users: int
|
|
admin_count: int
|
|
active_sessions: int
|
|
mfa_adoption_rate: float
|
|
recent_logins: list[RecentLoginItem]
|
|
recent_audit_entries: list[RecentAuditItem]
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Password reset
|
|
# ---------------------------------------------------------------------------
|
|
|
|
class ResetPasswordResponse(BaseModel):
|
|
message: str
|
|
temporary_password: str
|
|
|
|
|
|
class DeleteUserResponse(BaseModel):
|
|
message: str
|
|
deleted_username: str
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Audit log
|
|
# ---------------------------------------------------------------------------
|
|
|
|
class AuditLogEntry(BaseModel):
|
|
id: int
|
|
actor_username: Optional[str] = None
|
|
target_username: Optional[str] = None
|
|
action: str
|
|
detail: Optional[str] = None
|
|
ip_address: Optional[str] = None
|
|
created_at: datetime
|
|
|
|
|
|
class AuditLogResponse(BaseModel):
|
|
entries: list[AuditLogEntry]
|
|
total: int
|