From 1b10c97099e697870909021ebb2bc9f6c808fb16 Mon Sep 17 00:00:00 2001
From: orion
Date: Thu, 16 Apr 2026 21:17:13 +0000
Subject: [PATCH 1/2] feat: allow API key auth for reset-apikey endpoint

Change dependency from get_current_user (OAuth2 only) to get_current_user_or_apikey, enabling account-manager API key to reset user API keys for provisioning workflows.

Co-Authored-By: Claude Opus 4.6
---
 app/api/routers/users.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/api/routers/users.py b/app/api/routers/users.py
index 1325f3e..ec64c92 100644
--- a/app/api/routers/users.py
+++ b/app/api/routers/users.py
@@ -241,7 +241,7 @@ def delete_user(
 def reset_user_apikey(
 identifier: str,
 db: Session = Depends(get_db),
- current_user: models.User = Depends(get_current_user),
+ current_user: models.User = Depends(get_current_user_or_apikey),
 ):
 """Reset (regenerate) a user's API key.

@@ -249,6 +249,8 @@ def reset_user_apikey(
 - user.reset-apikey: can reset any user's API key
 - user.reset-self-apikey: can reset only own API key
 - admin: can reset any user's API key
+
+ Accepts both OAuth2 Bearer token and X-API-Key authentication.
 """
 import secrets
 from app.models.apikey import APIKey
From 7326cadfecb14b25a8144a12b23b5060aeff8106 Mon Sep 17 00:00:00 2001
From: orion
Date: Thu, 16 Apr 2026 21:19:13 +0000
Subject: [PATCH 2/2] feat: grant user.reset-apikey permission to account-manager role

Allows acc-mgr to reset user API keys, enabling automated provisioning workflows via the CLI.

Co-Authored-By: Claude Opus 4.6
---
 app/init_wizard.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/init_wizard.py b/app/init_wizard.py
index 1d094b1..b51897b 100644
--- a/app/init_wizard.py
+++ b/app/init_wizard.py
@@ -189,6 +189,7 @@ _DEV_PERMISSIONS = {

 _ACCOUNT_MANAGER_PERMISSIONS = {
 "account.create",
+ "user.reset-apikey",
 }

 # Role definitions: (name, description, permission_set)
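Review bot: With `current_user` now resolved by `Depends(get_current_user_or_apikey)`, a static API key is enough to rotate credentials, so for the `user.reset-self-apikey` case in the docstring a leaked key could be used to replace itself and lock its owner out, which previously needed an OAuth2 login. The permission checks are in the function body outside this hunk, so whether they treat the two authentication methods differently cannot be confirmed from here. Consider allowing the X-API-Key path only for callers holding `user.reset-apikey`, and writing an audit log entry with caller, authentication method and target on every reset. If accepting API keys for self-reset is intended, say so next to the parameter, e.g. `# X-API-Key accepted for provisioning; self-reset via API key is intentional`.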
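Review bot: The added `"user.reset-apikey",` entry in `_ACCOUNT_MANAGER_PERMISSIONS` is the unscoped permission: the endpoint docstring in patch 1/2 describes it as able to reset any user's API key, and nothing in this series excludes administrator accounts as targets. If the reset response returns the new key to the caller (the function body is not shown), the account-manager role could obtain a working credential for a more privileged user. A provisioning workflow only needs keys for accounts it manages, so a narrower permission or a target-privilege check in `reset_user_apikey` would fit better; at minimum annotate the entry, e.g. `"user.reset-apikey",  # unscoped: any user, including admins`. The role definitions that consume this set are outside the hunk.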