User Story: Admin Password Reset Workflow #7

Closed
opened 2026-04-06 19:55:00 +02:00 by arcodange · 0 comments

As an admin user, I want to enable password reset for users who forgot their password so that users can regain access without email/phone verification.

🔒 CRITICAL SECURITY REQUIREMENT

ONLY AUTHENTICATED ADMIN USERS CAN FLAG USERS FOR PASSWORD RESET

Users CANNOT flag themselves or others. This is a security-critical feature.

📚 Documentation References (Wiki Pages)

  • 🔒 PRIMARY SECURITY DOC: Admin-Only-Password-Reset-Security (https://gitea.arcodange.fr/arcodange/dance-lessons-coach/wiki/Admin-Only-Password-Reset-Security) ← READ THIS FIRST
  • 🛠️ Technical ADR: ADR 0018 - Security Section (../../adr/0018-user-management-auth-system.md#password-reset-security)
  • 📋 Workflow: User-Story-Implementation-Workflow (https://gitea.arcodange.fr/arcodange/dance-lessons-coach/wiki/User-Story-Implementation-Workflow)

Acceptance Criteria

Security Requirements (MUST PASS)

  • Admin Authentication Required: Only authenticated admins can access /api/v1/admin/users/{username}/allow-reset
  • Admin Privilege Verification: Middleware verifies admin role before allowing flag set
  • No Self-Service: Regular users receive 403 Forbidden when attempting to flag users
  • No User Flagging: Users cannot flag themselves or others (403 Forbidden)
  • Flag Validation: Password reset only works if admin has set allow_password_reset = true
  • Automatic Flag Clearing: Flag is cleared after successful password reset
  • Rate Limiting: Maximum 3 password reset attempts per hour per user

Functional Requirements

  • Admin can list all users (GET /api/v1/admin/users)
  • Admin can enable password reset for specific user (POST /api/v1/admin/users/{username}/allow-reset)
  • User can reset password without authentication ONLY if admin has flagged them (POST /api/v1/auth/reset-password)
  • Password reset flag is cleared after successful reset
  • Unauthenticated password reset endpoint available only for admin-flagged users
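The security and functional requirements above, assembled into one runnable reference model so the ordering of the checks is explicit. This is an added example written for this page, not code from the dance-lessons-coach project: the class and function names, the in-memory store, the PBKDF2 hashing, the exception-to-status mapping and the sample users are all assumptions; only the endpoint paths, the `allow_password_reset` flag and the 3-per-hour limit come from the issue.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

# Limit taken from the acceptance criteria: 3 reset attempts per hour per user.
RESET_ATTEMPTS_PER_HOUR = 3
RESET_WINDOW_SECONDS = 3600
PBKDF2_ITERATIONS = 100_000  # assumption; the project may use a different KDF


class Forbidden(Exception):
    """HTTP 403: caller is not an authenticated admin."""


class ResetNotAllowed(Exception):
    """HTTP 403: no admin has flagged this user (or the flag was already consumed)."""


class TooManyAttempts(Exception):
    """HTTP 429: more than RESET_ATTEMPTS_PER_HOUR attempts inside the window."""


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    is_admin: bool = False
    allow_password_reset: bool = False                  # the admin-set flag
    reset_attempts: list = field(default_factory=list)  # timestamps of attempts


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, is_admin: bool = False) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), is_admin)


class UserStore:
    """In-memory stand-in (assumed) for the user table behind the three endpoints."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def _require_admin(self, actor: User) -> None:
        # The middleware check: runs before any lookup, so a non-admin learns
        # nothing about other accounts, not even whether they exist.
        if not actor.is_admin:
            raise Forbidden("admin role required")

    def list_users(self, actor: User) -> list:
        """GET /api/v1/admin/users"""
        self._require_admin(actor)
        return sorted(self.users)

    def allow_reset(self, actor: User, target_username: str) -> None:
        """POST /api/v1/admin/users/{username}/allow-reset"""
        self._require_admin(actor)
        if target_username not in self.users:
            raise KeyError(target_username)  # HTTP 404, only reachable by admins
        self.users[target_username].allow_password_reset = True

    def reset_password(self, username: str, new_password: str,
                       now: Optional[float] = None) -> None:
        """POST /api/v1/auth/reset-password (no authentication required)"""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            # Same response as "not flagged": the endpoint must not reveal
            # which usernames exist.
            raise ResetNotAllowed(username)
        # Rate limiting on a sliding one-hour window, counting every attempt
        # whether or not the user is flagged.
        user.reset_attempts = [t for t in user.reset_attempts
                               if now - t < RESET_WINDOW_SECONDS]
        if len(user.reset_attempts) >= RESET_ATTEMPTS_PER_HOUR:
            raise TooManyAttempts(username)
        user.reset_attempts.append(now)
        # Flag validation: only an admin-flagged user gets past this point.
        if not user.allow_password_reset:
            raise ResetNotAllowed(username)
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.allow_password_reset = False  # automatic flag clearing (single use)

    def verify_login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


def outcome(call, *args, **kwargs) -> str:
    """Run a store call and report the HTTP status it would map to."""
    try:
        call(*args, **kwargs)
        return "200"
    except (Forbidden, ResetNotAllowed):
        return "403"
    except TooManyAttempts:
        return "429"
    except KeyError:
        return "404"


if __name__ == "__main__":
    # Constructed sample users: one admin, one regular user.
    store = UserStore([make_user("alice", "admin-pw", is_admin=True),
                       make_user("bob", "old-pw")])
    alice, bob = store.users["alice"], store.users["bob"]
    print("bob flags himself:", outcome(store.allow_reset, bob, "bob"))          # 403
    print("bob resets unflagged:", outcome(store.reset_password, "bob", "x"))    # 403
    print("alice flags bob:", outcome(store.allow_reset, alice, "bob"))          # 200
    print("bob resets:", outcome(store.reset_password, "bob", "new-pw"))         # 200
    print("flag cleared:", not bob.allow_password_reset,
          "login ok:", store.verify_login("bob", "new-pw"))                      # True True
```

Two ordering decisions matter for the BDD scenarios in step 2 of the workflow: the admin check runs before the target lookup (a regular user gets the same 403 for a real or non-existent username), and the rate limiter counts an attempt before the flag is validated, so repeated probing of an unflagged account is throttled just like attempts on a flagged one.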

🎯 Implementation Workflow

  1. Read security documentation (wiki page above)
  2. Create BDD tests with security scenarios
  3. Implement admin service with security checks
  4. Implement password reset service with flag validation
  5. Add admin authentication middleware
  6. Add rate limiting
  7. Verify all security tests pass
  8. Update OpenAPI documentation

Priority: High (Security Critical) 🔒
Complexity: Medium (3 story points)
Security Impact: Critical - Improper implementation could allow unauthorized access
Wiki Documentation: Admin-Only-Password-Reset-Security

🔗 Related Issues

  • Epic: #3 - User Management & Authentication System (https://gitea.arcodange.fr/arcodange/dance-lessons-coach/issues/3)
  • Depends On: #4 (User Registration), #5 (User Login)

Reference: arcodange/dance-lessons-coach#7