Add admin account with user management endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 20:45:19 -07:00
parent 7994cc5ff2
commit 48a15c54f6
10 changed files with 238 additions and 5 deletions

@@ -82,6 +82,18 @@ bourbonacci/
|---|---|---|---|
| GET | `/api/public/stats` | No | Aggregated stats for all users |
### Admin
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | `/api/admin/users` | Admin | List all users |
| POST | `/api/admin/users` | Admin | Create a user |
| POST | `/api/admin/users/{id}/reset-password` | Admin | Force-reset a user's password |
| POST | `/api/admin/users/{id}/disable` | Admin | Disable a user account |
| POST | `/api/admin/users/{id}/enable` | Admin | Re-enable a user account |
| DELETE | `/api/admin/users/{id}` | Admin | Hard-delete a user |
| POST | `/api/admin/users/{id}/impersonate` | Admin | Get a token scoped as that user |
| POST | `/api/admin/unimpersonate` | Admin | Swap back to the admin token |
Authenticated routes expect `Authorization: Bearer <token>` header.
### Entry Schema
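Review bot: The `/api/admin/unimpersonate` row lists Auth as "Admin", but by the time it is called the client holds the token from `/api/admin/users/{id}/impersonate`, which the row above describes as "scoped as that user". The table should say which token this endpoint accepts and how the server ties it back to the original admin (for example, a claim in the impersonation token naming the impersonating admin), so readers can tell that an ordinary user token cannot reach it. It would also help to state whether an admin can impersonate, disable or hard-delete another admin or their own account, and whether `disable` and `reset-password` invalidate tokens already issued to that user or only block new logins until the JWT TTL runs out.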
@@ -146,6 +158,8 @@ docker compose down -v
| `DATABASE_URL` | SQLAlchemy async DSN | `mysql+aiomysql://...` |
| `SECRET_KEY` | JWT signing secret (keep long & random) | — |
| `ACCESS_TOKEN_EXPIRE_MINUTES` | JWT TTL in minutes | `480` |
| `ADMIN_USERNAME` | Admin account email (seeded on every start) | — |
| `ADMIN_PASSWORD` | Admin account password (re-synced on every start) | — |
## Data Model
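Review bot: The `ADMIN_PASSWORD` row says the password is "re-synced on every start", which means the environment value overrides whatever is stored, yet the README does not spell out the consequence: a password changed through `/api/admin/users/{id}/reset-password` for the admin account would be reverted on the next restart, and rotation has to happen in the environment. Please document that, and say what happens when either variable is unset (both defaults are shown as "—"): is admin seeding skipped, or does startup fail? Minor: `ADMIN_USERNAME` is described as "Admin account email"; either rename the variable or note that usernames are email addresses. Since this secret now sits next to `SECRET_KEY`, a short note on keeping both out of committed compose or env files would fit here.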