feat(opsserver): add admin user create/delete management and default hosted idp.global auth support

2026-05-19 17:06:50 +00:00
parent 0b01a4c26b
commit 7986d01245
14 changed files with 436 additions and 27 deletions
@@ -16,6 +16,7 @@ let testDb: DcRouterDb;
 let storagePath: string;
 let bootstrapIdentity: interfaces.data.IIdentity;
 let persistedIdentity: interfaces.data.IIdentity;
+let createdUserId: string;

 const createStatusRequest = () => new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(
  baseUrl,
@@ -84,6 +85,7 @@ tap.test('reports bootstrap required without auto-persisting an admin', async ()
  expect(status.hasPersistentAdmin).toEqual(false);
  expect(status.needsBootstrap).toEqual(true);
  expect(status.ephemeralAdminAvailable).toEqual(true);
+  expect(status.idpGlobalConfigured).toEqual(true);
 });

 tap.test('allows temporary bootstrap admin login before persisted admin exists', async () => {
@@ -183,6 +185,45 @@ tap.test('rejects idp.global login when IdP email does not match local account',
  expect(rejected).toEqual(true);
 });

+tap.test('creates a persisted non-admin user explicitly', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_CreateUser>(baseUrl, 'createUser');
+  const response = await request.fire({
+    identity: persistedIdentity,
+    email: 'operator@example.com',
+    name: 'Operator User',
+    role: 'user',
+    password: 'operator-password',
+  });
+
+  expect(response.success).toEqual(true);
+  expect(response.user?.role).toEqual('user');
+  expect(response.user?.email).toEqual('operator@example.com');
+  if (!response.user?.id) {
+    throw new Error('Expected created user id');
+  }
+  createdUserId = response.user.id;
+});
+
+tap.test('rejects deleting the current persisted admin user', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_DeleteUser>(baseUrl, 'deleteUser');
+  const response = await request.fire({
+    identity: persistedIdentity,
+    id: persistedIdentity.userId,
+  });
+
+  expect(response.success).toEqual(false);
+});
+
+tap.test('deletes a persisted non-current user', async () => {
+  const request = new TypedRequest<interfaces.requests.IReq_DeleteUser>(baseUrl, 'deleteUser');
+  const response = await request.fire({
+    identity: persistedIdentity,
+    id: createdUserId,
+  });
+
+  expect(response.success).toEqual(true);
+});
+
 tap.test('lists persisted users without password material', async () => {
  const request = new TypedRequest<interfaces.requests.IReq_ListUsers>(baseUrl, 'listUsers');
  const response = await request.fire({ identity: persistedIdentity });