FR: Add User management

pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.

https://docs.pwpush.com

Apache License 2.0

2.11k stars 358 forks source link

FR: Add User management #1346

Open pglombardo opened 1 year ago

pglombardo commented 1 year ago

Discussed in https://github.com/pglombardo/PasswordPusher/discussions/1337

^{Originally posted by **kayvanaarssen** August 10, 2023} Manage Active users on an server. When sign-ups are enabled, either with domain validation or Public. We would like to be able to manage the users and or delete them / block when needed. Or even block domains. This of course would need to have Password Pusher with a DB deployed.

technofab commented 1 year ago

Hi, in my point of view, for this request it can be useful use also a "LDAP" backend for users, for example full LDAP TBSAM or Active Directory, some projects like openproject use LDAP and Active Directory for user management.

pglombardo commented 1 year ago

OpenProject is a great example that I can use - built with the same stack as Password Pusher too . Implementing LDAP blindly is hard to do.

petskratt commented 1 year ago

Two user-stories that perhaps could be considered when picking implementation for this feature, related to instance with domain-limited user registration for file sharing functionality:

I would like to delete or lock-out accounts of employees when they leave the company
I would like to add / invite users from client domains that are not in the configured allowlist regex

note: my current "hack" solution is to add a scheduled job that removes verification from inactive users, so they need to re-verify email and are technically locked out when they don't control the email anymore

pglombardo commented 1 year ago

That's helpful @petskratt thanks.

note: my current "hack" solution is to add a scheduled job that removes verification from inactive users, so they need to re-verify email and are technically locked out when they don't control the email anymore

That's a slick solution for now :-)

I have this half implemented in a branch that I need to resurrect. Hopefully I'll get to this soon.

petskratt commented 1 year ago

Follow-up to my hack - setting locked_at timestamp is actually better, as token is generated and cleared automatically. The actual command, presuming credentials in env (in my case it runs in CronJob container, so having pwd on commandline not a great problem):

mysql -h $DATABASE_HOST -u $DATABASE_USER -p$DATABASE_PASS $DATABASE_DB -e "UPDATE users SET locked_at = now() where confirmed_at is not null and locked_at is null and current_sign_in_at < date_sub(now(), interval 1 month)"

dorian33160 commented 2 weeks ago

Hi, any news on this feature ?

pglombardo commented 2 weeks ago

Hi @dorian33160 - this issue has gotten a bit stale/out of date and should probably be closed.

SSO & LDAP additions are filed in separate issues.

Password Pusher now has an Administration Dashboard that you can use to manage (and destroy) users.

Further, if you want to limit user signups, see PWP__SIGNUP_EMAIL_REGEXP in the Configuration documentation.

@petskratt - you can create users through the dashboard as well.

@technofab - How are you? Hope all is well!

If there are no objections, I'll close out this issue soon.