Add admin user management and password-change flow

Introduce full admin user listing/detail endpoints and a forced password-change flow. Backend: make CurrentUserResponse.UserName nullable and add ToCurrentUserResponseAsync extension; AppUserController now exposes GET /auth/user (list) and GET /auth/user/{id} (detail) using UserManager and Admin-only policy; AuthController uses the new mapper and after successful password change clears MustChangePassword, updates UpdatedAt and persists changes (with error handling) before updating security stamp. Frontend: add admin users pages (list + detail), ChangePassword page and route, adminUsers and enhanced authSession services (typed responses, changePassword API, error mapping), router guard to redirect users with mustChangePassword=true to the change-password flow, and show success banner on login after password change. UI tweaks: separate admin section in sidebar, add password-change entries in account menu, footer sizing fixes, and various layout/UX improvements. These changes enable admin account management and enforce secure password updates across the app.
2026-04-20 21:02:16 +02:00
parent b2984fcf1a
commit 14176a3ee2
14 changed files with 995 additions and 92 deletions
@@ -58,16 +58,7 @@ namespace API.Controllers.Auth
            if (user is null)
                return Unauthorized();

-            var roles = await userManager.GetRolesAsync(user);
-
-            return Ok(new CurrentUserResponse
-            {
-                Id = user.Id,
-                UserName = user.UserName ?? string.Empty,
-                Roles = roles.OrderBy(x => x).ToList(),
-                IsActive = user.IsActive,
-                MustChangePassword = user.MustChangePassword
-            });
+            return Ok(await user.ToCurrentUserResponseAsync(userManager));
        }

        [HttpPost("password")]
@@ -105,6 +96,18 @@ namespace API.Controllers.Auth
                });
            }

+            user.MustChangePassword = false;
+            user.UpdatedAt = DateTimeOffset.UtcNow;
+            var updateResult = await userManager.UpdateAsync(user);
+            if (!updateResult.Succeeded)
+            {
+                return StatusCode(500, new
+                {
+                    message = "Passwort wurde geändert, Benutzerdaten konnten aber nicht final gespeichert werden.",
+                    errors = updateResult.Errors.Select(e => e.Description)
+                });
+            }
+
            var stampResult = await userManager.UpdateSecurityStampAsync(user);
            if (!stampResult.Succeeded)
            {