Admins can approve registered users (#5647)

* Users list: Cleanups * Policies: Flip registration settings * Policies: Add RequireUserApproval setting * Add approval to user * Require approval on login and for API key * API handling * AccountController cleanups * Test fix * Apply suggestions from code review Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com> * Add missing imports * Communicate login requirements to user on account creation * Add login requirements to basic auth handler * Cleanups and test fix * Encapsulate approval logic in user service and log approval changes * Send follow up "Account approved" email Closes #5656. * Add notification for admins * Fix creating a user via the admin view * Update list: Unify flags into status column, add approve action * Adjust "Resend email" wording * Incorporate feedback from code review * Remove duplicate test server policy reset --------- Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
2025-12-17 22:14:26 +01:00 · 2024-01-31 06:45:54 +01:00
parent 411e0334d0
commit 6290b0f3bf
40 changed files with 1010 additions and 353 deletions
--- a/BTCPayServer/Security/GreenField/APIKeysAuthenticationHandler.cs
+++ b/BTCPayServer/Security/GreenField/APIKeysAuthenticationHandler.cs
@@ -7,6 +7,7 @@ using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using BTCPayServer.Client;
 using BTCPayServer.Data;
+using BTCPayServer.Services;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Logging;
@@ -58,14 +59,12 @@ namespace BTCPayServer.Security.Greenfield
                return AuthenticateResult.NoResult();

            var key = await _apiKeyRepository.GetKey(apiKey, true);
-
-            if (key == null || await _userManager.IsLockedOutAsync(key.User))
+            if (!UserService.TryCanLogin(key?.User, out var error))
            {
-                return AuthenticateResult.Fail("ApiKey authentication failed");
+                return AuthenticateResult.Fail($"ApiKey authentication failed: {error}");
            }
-            List<Claim> claims = new List<Claim>();
-            claims.Add(new Claim(_identityOptions.CurrentValue.ClaimsIdentity.UserIdClaimType, key.UserId));

+            var claims = new List<Claim> { new (_identityOptions.CurrentValue.ClaimsIdentity.UserIdClaimType, key.UserId) };
            claims.AddRange((await _userManager.GetRolesAsync(key.User)).Select(s => new Claim(_identityOptions.CurrentValue.ClaimsIdentity.RoleClaimType, s)));
            claims.AddRange(Permission.ToPermissions(key.GetBlob()?.Permissions ?? Array.Empty<string>()).Select(permission =>
                new Claim(GreenfieldConstants.ClaimTypes.Permission, permission.ToString())));