User management endpoint documentation #574
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -39,8 +39,8 @@ In case of using different services or configurations, `REDIS_HOST` and `MONGO_S | |
|
|
||
| ## Users | ||
|
|
||
| This section describes API user accounts and various endpoints for | ||
| user management. | ||
|
|
||
| ### Create an admin user | ||
|
|
||
|
|
@@ -51,7 +51,7 @@ tool provided in the `kernelci-api` repository. | |
| setup an admin user. We can use this admin user to create other user accounts. | ||
|
|
||
|
|
||
| ### Create user using endpoint (Admin only) | ||
|
|
||
| Now, we can use above created admin user to create regular users and other | ||
| admin users using `/user/register` API endpoint. We need to provide token to the endpoint for the authorization. | ||
|
|
@@ -81,6 +81,222 @@ $ curl -X 'POST' 'http://localhost:8001/latest/user/register' -H 'accept: applic | |
| Another way of creating users is to use `kci user add` tool from kernelci-core. | ||
|
|
||
|
|
||
| ### Verify user account | ||
|
|
||
| A user account needs to be verified before a user token can be retrieved | ||
| for the account. | ||
| Send API request to `POST /user/request-verify-token` endpoint to receive | ||
| a verification token for provided email address: | ||
|
|
||
| ``` | ||
| $ curl -X 'POST' \ | ||
| 'http://localhost:8001/latest/user/request-verify-token' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d '{ | ||
| "email": "[email protected]" | ||
| ``` | ||
|
|
||
| The user will receive a verification token via email. | ||
| Now, request `POST /user/verify` endpoint and provide the verification | ||
| token in the request dictionary. | ||
|
|
||
| ``` | ||
| $ curl -X 'POST' \ | ||
| 'http://localhost:8001/latest/user/verify' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d '{ | ||
| "token": "<VERIFICATION-TOKEN-RECEIVED-BY-EMAIL>" | ||
| }' | ||
| {"id":"615f30020eb7c3c6616e5ac3","email":"[email protected]","is_active":true,"is_superuser":false,"is_verified":true,"username":"test","groups":[]} | ||
| ``` | ||
| `is_verified:true` in the response above denotes that a user account | ||
| has been verified successfully. The user will also receive an email | ||
| confirming the verification. | ||
|
|
||
|
|
||
| ### Get authorization token | ||
|
|
||
| After successful user verification, the user can retrieve authorization | ||
| token to use certain API endpoints requiring user authorization. | ||
|
|
||
| ``` | ||
| $ curl -X 'POST' \ | ||
| 'http://localhost:8001/latest/user/login' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/x-www-form-urlencoded' \ | ||
| -d 'username=test&password=test' | ||
| ``` | ||
| This will return an authorization bearer token. | ||
|
|
||
|
|
||
| ### Get all existing users | ||
|
|
||
| To get information of all added user accounts, user `GET /users` request. | ||
|
|
||
| ``` | ||
| $ curl -X 'GET' \ | ||
| 'http://localhost:8001/latest/users' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Authorization: <USER-AUTHORIZATION-TOKEN>' | ||
| {"items":[{"id":"6526448e7d140ee220971a0e","email":"[email protected]","is_active":true,"is_superuser":true,"is_verified":true,"username":"admin","groups":[]},{"id":"615f30020eb7c3c6616e5ac3","email":"[email protected]","is_active":true,"is_superuser":true,"is_verified":false,"username":"test-user","groups":[{"id":"648ff894bd39930355ed16ad","name":"kernelci"}]}],"total":2,"limit":50,"offset":0} | ||
| ``` | ||
|
|
||
|
|
||
| ### Get user account matching user ID | ||
|
|
||
|
|
||
| To get user by ID, use `/user` endpoint with user ID as a path parameter: | ||
| ``` | ||
| $ curl -X 'GET' \ | ||
| 'http://localhost:8001/latest/user/6526448e7d140ee220971a0e' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -H 'Authorization: Bearer <USER-AUTHORIZATION-TOKEN>' | ||
| {"id":"6526448e7d140ee220971a0e","email":"[email protected]","is_active":true,"is_superuser":true,"is_verified":true,"username":"admin","groups":[]} | ||
| ``` | ||
|
|
||
|
|
||
| ### Reset password | ||
|
|
||
| A user can reset password for the account in case the password is forgotten or lost. | ||
|
|
||
| First, send request to `POST /user/forgot-password` endpoint with the | ||
| user email address: | ||
| ``` | ||
| $ curl -X 'POST' \ | ||
| 'http://localhost:8001/latest/user/forgot-password' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d '{ | ||
| "email": "[email protected]" | ||
| }' | ||
| ``` | ||
|
|
||
| The user will receive password reset token via email. The token should | ||
| be sent to `POST /user/reset-password` request along with the new password to be set for the account: | ||
| ``` | ||
| $ curl -X 'POST' \T' \ | ||
| 'http://localhost:8001/latest/user/reset-password' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -d '{ | ||
| "token": "PASSWORD-RESET-TOKEN-RECEIVED-BY-EMAIL", | ||
| "password": "<new-password>" | ||
| }' | ||
| ``` | ||
| The user will receive an email confirming a successful password reset. | ||
|
|
||
|
|
||
| ### Update user password | ||
|
|
||
| A user can update password for the account with the request to | ||
| `/user/update-password` endpoint. Please supply current password and new | ||
| password along with the username for the account: | ||
|
|
||
| ``` | ||
| $ curl -X 'POST' \ | ||
| 'http://localhost:8001/latest/user/update-password' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/x-www-form-urlencoded' \ | ||
| -d 'username=test&password=<current-password>&new_password=<new-password>' | ||
| ``` | ||
|
|
||
|
|
||
| ### Update own user account | ||
|
|
||
| A user can update certain information for its own account, such as | ||
| `email`, `username`, `password`, and `groups` with a `PATCH /user/me` request. | ||
|
There was a problem hiding this comment.
(this comment does not affect merging this patch but a new task to limit user access might be required) There was a problem hiding this comment. Yes, the idea was that the user should be able to add and remove its user account to a group. |
||
| For example, | ||
| ``` | ||
| $ curl -X 'PATCH' \ | ||
| 'http://localhost:8001/latest/user/me' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -H 'Authorization: Bearer <USER-AUTHORIZATION-TOKEN>' \ | ||
| -d '{ | ||
| "password": "<new-password-to-be-set>", | ||
| "email": "<new-email-to-be-set>", | ||
| }' | ||
| ``` | ||
|
|
||
| Please note that user management fields such as `is_useruser`, `is_verified`, and `is_active` can not be updated by this request for security purposes. | ||
|
|
||
|
|
||
| ### Update an existing user account (Admin only) | ||
|
|
||
| Admin users can update other existing user accounts using a `PATCH /user/<user-id>` request. | ||
|
|
||
| For example, the below command will update an existing `test` user with a new email address and add it to `kernelci` user group. | ||
|
|
||
| ``` | ||
| $ curl -X 'PATCH' \ | ||
| 'http://localhost:8001/latest/user/615f30020eb7c3c6616e5ac3' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -H 'Authorization: Bearer <ADMIN-USER-AUTHORIZATION-TOKEN>' \ | ||
| -d '{"email": "[email protected]", "groups": ["kernelci"]}' | ||
| ``` | ||
|
|
||
|
|
||
| ### Delete user matching user ID (Admin only) | ||
|
|
||
| Only admin users can delete existing user account by providing user ID to | ||
| `DELETE /user/<user-id>` endpoint: | ||
| ``` | ||
| $ curl -X 'DELETE' \ | ||
| 'http://localhost:8001/latest/user/658d1edecf0bce203d594f1c' \ | ||
| -H 'Authorization: Bearer <ADMIN-USER-AUTHORIZATION-TOKEN>' | ||
| ``` | ||
|
|
||
|
|
||
| ## User groups | ||
|
|
||
| User accounts can be added to different user groups. This section | ||
| explains different API endpoints for user group management operations. | ||
|
|
||
| ### Create a user group (Admin only) | ||
|
|
||
| Admin users can create user groups using `POST /group` endpoint: | ||
| ``` | ||
| $ curl -X 'POST' \ | ||
| 'http://localhost:8001/group' \ | ||
| -H 'accept: application/json' \ | ||
| -H 'Content-Type: application/json' \ | ||
| -H 'Authorization: Bearer <ADMIN-USER-AUTHORIZATION-TOKEN>' \ | ||
| -d '{"name": "test-user-group"}' | ||
| ``` | ||
|
|
||
|
|
||
| ### Get all existing user groups | ||
|
|
||
| Get all existing user groups using `GET /groups` endpoint: | ||
| ``` | ||
| $ curl 'http://localhost:8001/groups' | ||
| {"items":[{"id":"648ff894bd39930355ed16ad","name":"kernelci"},{"id":"6704f354ffaa8f6fa017faa3","name":"test"}],"total":2,"limit":50,"offset":0} | ||
| ``` | ||
|
|
||
|
|
||
| ### Get user group matching ID | ||
|
|
||
| To get user group by ID, use `/group` endpoint with group ID as a path parameter: | ||
| ``` | ||
| $ curl 'http://localhost:8001/group/648ff894bd39930355ed16ad' | ||
| {"id":"648ff894bd39930355ed16ad","name":"kernelci"} | ||
| ``` | ||
|
|
||
|
|
||
| ### Delete user group matching ID (Admin only) | ||
|
|
||
| Only admin users can delete existing user groups by providing group ID to | ||
| `DELETE /group/<group-id>` endpoint: | ||
| ``` | ||
| $ curl -X 'DELETE' \ | ||
| 'http://localhost:8001/group/6704f354ffaa8f6fa017faa3' \ | ||
| -H 'Authorization: Bearer <ADMIN-USER-AUTHORIZATION-TOKEN>' | ||
| ``` | ||
|
|
||
|
|
||
| ## Nodes | ||
|
|
||
| `Node` objects form the basis of the API models to represent tests runs, | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this not an admin-only action? I believe this kind of information should have limited exposure
(this comment does not affect merging this patch but a new task to limit information access might be required)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This endpoint was initially admin only. But then requirements changed and we needed to make it public. I believe it was one of the requirements from @nuclearcat.