From e9486bd05adc076ad11f0ae859806742d060a80b Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sat, 11 Apr 2026 09:46:26 +0200
Subject: [PATCH] feat: allow M2M password resets when OIDC is enabled

The password reset endpoint was fully blocked under OIDC mode. Now M2M callers (identified by oidc: principal prefix) can reset local user passwords, enabling the SaaS platform to manage the server's built-in admin credentials.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../server/app/controller/UserAdminController.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java
index 4ff56d27..387cfd64 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java
@@ -207,8 +207,13 @@ public class UserAdminController {
 @PathVariable String userId,
 @Valid @RequestBody SetPasswordRequest request,
 HttpServletRequest httpRequest) {
+ // Block local UI users from resetting passwords when OIDC is enabled,
+ // but allow M2M callers (SaaS platform) identified by "oidc:" principal prefix
 if (oidcEnabled) {
- return ResponseEntity.badRequest().build();
+ String caller = httpRequest.getUserPrincipal() != null ? httpRequest.getUserPrincipal().getName() : "";
+ if (!caller.startsWith("oidc:")) {
+ return ResponseEntity.badRequest().build();
+ }
 }
 // Extract bare username from "user:username" format for policy check
 String username = userId.startsWith("user:") ? userId.substring(5) : userId;
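Review bot: The new gate inside the `if (oidcEnabled)` branch authorizes a reset of the built-in admin credentials on a string prefix of the principal's display name, which is a weak discriminator: any authentication that yields an `oidc:`-prefixed principal name (presumably interactive OIDC users too, if they are named the same way — confirm how principals are built) passes the same check, and the "M2M only" intent is not encoded anywhere the security layer can enforce it. Prefer an explicit authority or authentication-type check for the M2M client (for example a `hasAuthority(...)`-style role test) and keep the prefix test at most as a secondary condition. The denied path answers `400 Bad Request` for what is an authorization failure; `return ResponseEntity.status(HttpStatus.FORBIDDEN).build();` is more accurate and easier to alert on. Since this path now lets a remote platform rotate a local admin password, the handler should also write an audit log line naming `caller` and `userId` (never the password) on both the allowed and the denied branch. The handler's body continues outside the hunk.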