Add password reset/change for local users #80

Open
opened 2026-03-17 19:14:10 +01:00 by claude · 0 comments
Owner

Context

Password creation for local users was added in the feature/rbac-management branch (V3 migration adds password_hash column, UserAdminController.createUser() hashes via BCrypt). However, there is no way to reset or change a password after creation.

Requirements

Admin password reset

  • PUT /api/v1/admin/users/{userId}/password — admin sets a new password for any local user
  • Request body: { "password": "newPassword" }
  • Protected by ADMIN role
  • Audit logged

Self-service password change

  • PUT /api/v1/auth/password — authenticated user changes their own password
  • Request body: { "currentPassword": "old", "newPassword": "new" }
  • Validates current password before accepting change
  • Audit logged

UI

  • Admin: "Reset password" button in user detail pane (RBAC page)
  • Self-service: password change form accessible from user menu / profile area

Notes

  • Only applies to provider = "local" users
  • OIDC users manage passwords at their identity provider
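A sketch of the two flows this issue asks for, written as an added example (not code from this project): a hypothetical in-memory PasswordChangeService that verifies the current password with BCrypt before a self-service change, skips that check for an admin reset, refuses non-local providers, and writes audit entries that never contain the passwords. The LocalUser record, the Map-backed store and the string-list audit sink are stand-ins for the real table and audit subsystem; ADMIN-role enforcement is assumed to happen upstream in the controller.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class PasswordChangeService {
    // Minimal stand-in for a users-table row (constructed for this example).
    static final class LocalUser {
        final String id; final String provider; String passwordHash;
        LocalUser(String id, String provider, String passwordHash) {
            this.id = id; this.provider = provider; this.passwordHash = passwordHash;
        }
    }

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final Map<String, LocalUser> users;          // hypothetical store
    private final List<String> auditLog = new ArrayList<>(); // hypothetical audit sink

    PasswordChangeService(Map<String, LocalUser> users) { this.users = users; }

    // PUT /api/v1/auth/password: principalId is the authenticated caller.
    public void changeOwnPassword(String principalId, String currentPassword, String newPassword) {
        LocalUser user = requireLocal(principalId);
        // Verify the current password against the stored hash before replacing it.
        // One generic message is used for every rejection so the response does not
        // reveal which check failed; the audit entry carries the detail instead.
        if (!encoder.matches(currentPassword, user.passwordHash)) {
            auditLog.add("PASSWORD_CHANGE_DENIED user=" + principalId + " reason=current_password_mismatch");
            throw new IllegalArgumentException("password change rejected");
        }
        user.passwordHash = encoder.encode(newPassword);
        auditLog.add("PASSWORD_CHANGED user=" + principalId + " actor=" + principalId);
    }

    // PUT /api/v1/admin/users/{userId}/password: no current-password check, but the
    // audit entry records which admin acted on which user.
    public void adminReset(String adminId, String userId, String newPassword) {
        LocalUser user = requireLocal(userId);
        user.passwordHash = encoder.encode(newPassword);
        auditLog.add("PASSWORD_RESET user=" + userId + " actor=" + adminId);
    }

    // Both endpoints apply only to provider = "local"; OIDC users are refused here.
    private LocalUser requireLocal(String userId) {
        LocalUser user = users.get(userId);
        if (user == null || !"local".equals(user.provider)) {
            throw new IllegalArgumentException("password operations apply only to local users");
        }
        return user;
    }

    public List<String> auditLog() { return List.copyOf(auditLog); }
}
```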