feat: allow M2M password resets when OIDC is enabled

The password reset endpoint was fully blocked under OIDC mode. Now
M2M callers (identified by oidc: principal prefix) can reset local
user passwords, enabling the SaaS platform to manage the server's
built-in admin credentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-11 09:46:26 +02:00
parent cfc42eaf46
commit e9486bd05a


@@ -207,8 +207,13 @@ public class UserAdminController {
@PathVariable String userId, @PathVariable String userId,
@Valid @RequestBody SetPasswordRequest request, @Valid @RequestBody SetPasswordRequest request,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
// Block local UI users from resetting passwords when OIDC is enabled,
// but allow M2M callers (SaaS platform) identified by "oidc:" principal prefix
if (oidcEnabled) { if (oidcEnabled) {
return ResponseEntity.badRequest().build(); String caller = httpRequest.getUserPrincipal() != null ? httpRequest.getUserPrincipal().getName() : "";
if (!caller.startsWith("oidc:")) {
return ResponseEntity.badRequest().build();
}
} }
// Extract bare username from "user:username" format for policy check // Extract bare username from "user:username" format for policy check
String username = userId.startsWith("user:") ? userId.substring(5) : userId; String username = userId.startsWith("user:") ? userId.substring(5) : userId;
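Review bot: The M2M allow-path in this hunk rests entirely on a string-prefix test, `if (!caller.startsWith("oidc:"))`, against `httpRequest.getUserPrincipal().getName()`, so the guarantee that only the SaaS platform passes depends on no other authentication path ever producing a principal name that begins with `oidc:`; consider checking the authentication type or a granted authority/role instead of the name prefix, or at least documenting in the comment above the check where the `oidc:` prefix is assigned and why a local UI user cannot obtain it. A second, smaller point: rejecting a non-M2M caller with `ResponseEntity.badRequest().build()` reports an authorization decision as a 400, which hides it from access logs and monitoring that key on 401/403; `ResponseEntity.status(HttpStatus.FORBIDDEN).build()` would describe the outcome accurately. The null-principal case is handled correctly here, since an empty `caller` fails the prefix check.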