Implement User Self-Service — Profile & Password Management (SZ-38)
rk@tigase.net opened 6 days ago

Description

The current Sztab backend supports full admin-level user CRUD but lacks self-service endpoints for logged-in users.
This task introduces minimal extensions to enable user autonomy while preserving admin control.

Scope

  • Extend the User entity with a mustChangePassword flag (default false).
  • Add REST endpoints for:
    • GET /api/users/me — fetch logged-in user profile.
    • PUT /api/users/me — update own profile (name, email).
    • POST /api/users/change-password — securely change password.
  • Add PasswordChangeRequest DTO.
  • Update the backend README and OpenAPI docs to reflect new endpoints.

Notes

These endpoints operate under session-auth, authenticated via the current user’s context (SecurityContextHolder).
No new roles or permissions introduced; access is restricted to authenticated sessions only.

Deliverables

  • Compilable and tested backend code.
  • Verified response flow for both success and error cases (e.g., wrong old password).
  • Updated UserControllerTest to include /me and /change-password.
  • rk@tigase.net commented 6 days ago

    Estimate

    6 hours

    • 2h for backend model and controller additions
    • 2h for test coverage
    • 2h for documentation and review
  • rk@tigase.net commented 6 days ago

    Feature branch:

    rksuma@Ramakrishnans-MacBook-Pro sztab % git checkout -b feature/sz-32-user-self-service
    Switched to a new branch 'feature/sz-32-user-self-service'
    rksuma@Ramakrishnans-MacBook-Pro sztab % 
    
  • rk@tigase.net changed state to 'In Progress' 6 days ago
    Previous Value: Open
    Current Value: In Progress
  • rk@tigase.net commented 3 days ago

    User Self-Service Endpoints (SZ-38)

    Sztab provides authenticated users with basic self-service account management. These endpoints work under session-auth, using the currently logged-in user from the SecurityContextHolder.

    Get Current User

    GET /api/users/me

    Returns the profile of the authenticated user.

    Example response:

    200 OK
    {
      "id": 1,
      "username": "admin",
      "email": "admin@example.com",
      "fullName": "Administrator",
      "mustChangePassword": false
    }


    Update Own Profile

    PUT /api/users/me

    Allows the user to update email and full name.

    Example request:

    { "email": "new@example.com", "fullName": "New Name" }

    Example response:

    200 OK
    {
      "id": 1,
      "username": "admin",
      "email": "new@example.com",
      "fullName": "New Name"
    }


    Change Password

    POST /api/users/change-password

    Allows the authenticated user to change their password using a secure, two-field request.

    Example request:

    { "oldPassword": "current123", "newPassword": "newSecureP@ss" }

    Successful response:

    200 OK
    { "message": "Password changed successfully" }

    Error response (wrong old password):

    400 Bad Request
    { "error": "Invalid old password" }


    OpenAPI Additions

    /api/users/me:
      get:
        summary: Get current authenticated user's profile
        security:
          - sessionAuth: []
        responses:
          '200':
            description: User profile
    
      put:
        summary: Update current user's profile
        security:
          - sessionAuth: []
        requestBody:
          required: true
        responses:
          '200':
            description: Updated user profile
    
    /api/users/change-password:
      post:
        summary: Change current user's password
        security:
          - sessionAuth: []
        requestBody:
          required: true
        responses:
          '200':
            description: Password updated successfully
          '400':
            description: Invalid old password
    
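The following is an added example, not code from the Sztab project or from the comment above. It shows one way the three endpoints documented above can be implemented in Spring so that the acting user is always resolved from the SecurityContextHolder and never from a client-supplied id, and so that the old password is verified against the stored hash before a new one is accepted. The package name, the User entity accessors (getPasswordHash, isMustChangePassword and so on), the UserRepository.findByUsername method returning an Optional, and the 12-character minimum length on new passwords are all assumptions made for the example.

```java
// Added example (not Sztab's own code). Assumed project types: a User entity with
// id, username, email, fullName, passwordHash and mustChangePassword; a Spring Data
// UserRepository with Optional<User> findByUsername(String); and a PasswordEncoder bean.
package net.tigase.sztab.web; // hypothetical package

import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/api/users")
public class UserSelfServiceController {

    private final UserRepository users;          // assumed Spring Data repository
    private final PasswordEncoder passwordEncoder;

    public UserSelfServiceController(UserRepository users, PasswordEncoder passwordEncoder) {
        this.users = users;
        this.passwordEncoder = passwordEncoder;
    }

    /** Resolve the caller from the session context, never from a request parameter or body. */
    private User currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        return users.findByUsername(auth.getName())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.UNAUTHORIZED));
    }

    @GetMapping("/me")
    public UserProfileResponse me() {
        return UserProfileResponse.from(currentUser());
    }

    @PutMapping("/me")
    public UserProfileResponse updateMe(@RequestBody ProfileUpdateRequest req) {
        User user = currentUser();
        // Only the two self-editable fields are copied from the request; username, roles
        // and the mustChangePassword flag are not writable through this endpoint.
        if (req.email() != null) user.setEmail(req.email());
        if (req.fullName() != null) user.setFullName(req.fullName());
        return UserProfileResponse.from(users.save(user));
    }

    @PostMapping("/change-password")
    public ResponseEntity<Map<String, String>> changePassword(@RequestBody PasswordChangeRequest req) {
        User user = currentUser();
        // Check the old password against the stored hash before accepting a new one, so a
        // hijacked session alone is not enough to rotate the credential.
        if (req.oldPassword() == null
                || !passwordEncoder.matches(req.oldPassword(), user.getPasswordHash())) {
            return ResponseEntity.badRequest().body(Map.of("error", "Invalid old password"));
        }
        // Assumed minimum-length policy; adjust to the project's password rules.
        if (req.newPassword() == null || req.newPassword().length() < 12) {
            return ResponseEntity.badRequest().body(Map.of("error", "New password too short"));
        }
        user.setPasswordHash(passwordEncoder.encode(req.newPassword()));
        user.setMustChangePassword(false); // the forced-change flag is cleared only here
        users.save(user);
        return ResponseEntity.ok(Map.of("message", "Password changed successfully"));
    }

    // Request and response DTOs (Java 16+ records). The response deliberately omits the hash.
    public record PasswordChangeRequest(String oldPassword, String newPassword) {}
    public record ProfileUpdateRequest(String email, String fullName) {}
    public record UserProfileResponse(Long id, String username, String email,
                                      String fullName, boolean mustChangePassword) {
        static UserProfileResponse from(User u) {
            return new UserProfileResponse(u.getId(), u.getUsername(), u.getEmail(),
                    u.getFullName(), u.isMustChangePassword());
        }
    }
}
```

Two points worth checking in UserControllerTest beyond the success and wrong-old-password cases: that a request carrying someone else's id or username in the body still only touches the session user's record, and that the profile response never includes the password hash. Once a password is changed, it is also common practice to invalidate the user's other active sessions, which this example leaves to the session management configuration.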
  • rk@tigase.net changed state to 'Closed' 3 days ago
    Previous Value: In Progress
    Current Value: Closed
  • rk@tigase.net referenced from other issue 3 days ago
Type: New Feature
Priority: Normal
Assignee:
Version: 1.0
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-38