feat(user): accept custom roles in user invite

docs/api/openapi.yml

@@ -655,6 +655,29 @@ components:
         refreshToken:
           type: string
       type: object
+    AuthtypesPostableUser:
+      properties:
+        displayName:
+          type: string
+        email:
+          type: string
+        frontendBaseUrl:
+          type: string
+        roles:
+          items:
+            $ref: '#/components/schemas/AuthtypesPostableUserRole'
+          type: array
+      required:
+      - email
+      - roles
+      type: object
+    AuthtypesPostableUserRole:
+      properties:
+        id:
+          type: string
+      required:
+      - id
+      type: object
     AuthtypesRelation:
       enum:
       - create
@@ -10127,7 +10150,7 @@ paths:
       - global
   /api/v1/invite:
     post:
-      deprecated: false
+      deprecated: true
       description: This endpoint creates an invite for a user
       operationId: CreateInvite
       requestBody:
@@ -10190,7 +10213,7 @@ paths:
       - users
   /api/v1/invite/bulk:
     post:
-      deprecated: false
+      deprecated: true
       description: This endpoint creates a bulk invite for a user
       operationId: CreateBulkInvite
       requestBody:
@@ -12960,7 +12983,7 @@ paths:
       - tracedetail
   /api/v1/user:
     get:
-      deprecated: false
+      deprecated: true
       description: This endpoint lists all users
       operationId: ListUsersDeprecated
       responses:
@@ -13053,7 +13076,7 @@ paths:
       tags:
       - users
     get:
-      deprecated: false
+      deprecated: true
       description: This endpoint returns the user by id
       operationId: GetUserDeprecated
       parameters:
@@ -13110,7 +13133,7 @@ paths:
       tags:
       - users
     put:
-      deprecated: false
+      deprecated: true
       description: This endpoint updates the user by id
       operationId: UpdateUserDeprecated
       parameters:
@@ -13179,7 +13202,7 @@ paths:
       - users
   /api/v1/user/me:
     get:
-      deprecated: false
+      deprecated: true
       description: This endpoint returns the user I belong to
       operationId: GetMyUserDeprecated
       responses:
@@ -20595,6 +20618,68 @@ paths:
       summary: List users v2
       tags:
       - users
+    post:
+      deprecated: false
+      description: This endpoint creates a user for the organization
+      operationId: CreateUser
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AuthtypesPostableUser'
+      responses:
+        "201":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesIdentifiable'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Create user
+      tags:
+      - users
   /api/v2/users/{id}:
     get:
       deprecated: false

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2242,6 +2242,32 @@ export interface AuthtypesPostableRotateTokenDTO {
 	refreshToken?: string;
 }
 
+export interface AuthtypesPostableUserRoleDTO {
+	/**
+	 * @type string
+	 */
+	id: string;
+}
+
+export interface AuthtypesPostableUserDTO {
+	/**
+	 * @type string
+	 */
+	displayName?: string;
+	/**
+	 * @type string
+	 */
+	email: string;
+	/**
+	 * @type string
+	 */
+	frontendBaseUrl?: string;
+	/**
+	 * @type array
+	 */
+	roles: AuthtypesPostableUserRoleDTO[];
+}
+
 export interface AuthtypesRoleDTO {
 	/**
 	 * @type string
@@ -10744,6 +10770,14 @@ export type ListUsers200 = {
 	status: string;
 };
 
+export type CreateUser201 = {
+	data: TypesIdentifiableDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type GetUserPathParameters = {
 	id: string;
 };

frontend/src/api/generated/services/users/index.ts

@@ -18,9 +18,11 @@ import type {
 } from 'react-query';
 
 import type {
+	AuthtypesPostableUserDTO,
 	CreateInvite201,
 	CreateResetPasswordToken201,
 	CreateResetPasswordTokenPathParameters,
+	CreateUser201,
 	DeleteUserPathParameters,
 	GetMyUser200,
 	GetMyUserDeprecated200,
@@ -169,6 +171,7 @@ export const invalidateGetResetPasswordTokenDeprecated = async (
 
 /**
  * This endpoint creates an invite for a user
+ * @deprecated
  * @summary Create invite
  */
 export const createInvite = (
@@ -230,6 +233,7 @@ export type CreateInviteMutationBody =
 export type CreateInviteMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
+ * @deprecated
  * @summary Create invite
  */
 export const useCreateInvite = <
@@ -252,6 +256,7 @@ export const useCreateInvite = <
 };
 /**
  * This endpoint creates a bulk invite for a user
+ * @deprecated
  * @summary Create bulk invite
  */
 export const createBulkInvite = (
@@ -313,6 +318,7 @@ export type CreateBulkInviteMutationBody =
 export type CreateBulkInviteMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
+ * @deprecated
  * @summary Create bulk invite
  */
 export const useCreateBulkInvite = <
@@ -418,6 +424,7 @@ export const useResetPassword = <
 };
 /**
  * This endpoint lists all users
+ * @deprecated
  * @summary List users
  */
 export const listUsersDeprecated = (signal?: AbortSignal) => {
@@ -463,6 +470,7 @@ export type ListUsersDeprecatedQueryResult = NonNullable<
 export type ListUsersDeprecatedQueryError = ErrorType<RenderErrorResponseDTO>;
 
 /**
+ * @deprecated
  * @summary List users
  */
 
@@ -486,6 +494,7 @@ export function useListUsersDeprecated<
 }
 
 /**
+ * @deprecated
  * @summary List users
  */
 export const invalidateListUsersDeprecated = async (
@@ -581,6 +590,7 @@ export const useDeleteUser = <
 };
 /**
  * This endpoint returns the user by id
+ * @deprecated
  * @summary Get user
  */
 export const getUserDeprecated = (
@@ -640,6 +650,7 @@ export type GetUserDeprecatedQueryResult = NonNullable<
 export type GetUserDeprecatedQueryError = ErrorType<RenderErrorResponseDTO>;
 
 /**
+ * @deprecated
  * @summary Get user
  */
 
@@ -666,6 +677,7 @@ export function useGetUserDeprecated<
 }
 
 /**
+ * @deprecated
  * @summary Get user
  */
 export const invalidateGetUserDeprecated = async (
@@ -683,6 +695,7 @@ export const invalidateGetUserDeprecated = async (
 
 /**
  * This endpoint updates the user by id
+ * @deprecated
  * @summary Update user
  */
 export const updateUserDeprecated = (
@@ -755,6 +768,7 @@ export type UpdateUserDeprecatedMutationError =
 	ErrorType<RenderErrorResponseDTO>;
 
 /**
+ * @deprecated
  * @summary Update user
  */
 export const useUpdateUserDeprecated = <
@@ -783,6 +797,7 @@ export const useUpdateUserDeprecated = <
 };
 /**
  * This endpoint returns the user I belong to
+ * @deprecated
  * @summary Get my user
  */
 export const getMyUserDeprecated = (signal?: AbortSignal) => {
@@ -828,6 +843,7 @@ export type GetMyUserDeprecatedQueryResult = NonNullable<
 export type GetMyUserDeprecatedQueryError = ErrorType<RenderErrorResponseDTO>;
 
 /**
+ * @deprecated
  * @summary Get my user
  */
 
@@ -851,6 +867,7 @@ export function useGetMyUserDeprecated<
 }
 
 /**
+ * @deprecated
  * @summary Get my user
  */
 export const invalidateGetMyUserDeprecated = async (
@@ -1209,6 +1226,89 @@ export const invalidateListUsers = async (
 	return queryClient;
 };
 
+/**
+ * This endpoint creates a user for the organization
+ * @summary Create user
+ */
+export const createUser = (
+	authtypesPostableUserDTO?: BodyType<AuthtypesPostableUserDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<CreateUser201>({
+		url: `/api/v2/users`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: authtypesPostableUserDTO,
+		signal,
+	});
+};
+
+export const getCreateUserMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createUser>>,
+		TError,
+		{ data?: BodyType<AuthtypesPostableUserDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof createUser>>,
+	TError,
+	{ data?: BodyType<AuthtypesPostableUserDTO> },
+	TContext
+> => {
+	const mutationKey = ['createUser'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+			'mutationKey' in options.mutation &&
+			options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof createUser>>,
+		{ data?: BodyType<AuthtypesPostableUserDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return createUser(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type CreateUserMutationResult = NonNullable<
+	Awaited<ReturnType<typeof createUser>>
+>;
+export type CreateUserMutationBody =
+	| BodyType<AuthtypesPostableUserDTO>
+	| undefined;
+export type CreateUserMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Create user
+ */
+export const useCreateUser = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown,
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createUser>>,
+		TError,
+		{ data?: BodyType<AuthtypesPostableUserDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof createUser>>,
+	TError,
+	{ data?: BodyType<AuthtypesPostableUserDTO> },
+	TContext
+> => {
+	return useMutation(getCreateUserMutationOptions(options));
+};
 /**
  * This endpoint returns the user by id
  * @summary Get user by user id

pkg/apiserver/signozapiserver/user.go

@@ -21,7 +21,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusCreated,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
+		Deprecated:          true,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
@@ -37,7 +37,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Response:           nil,
 		SuccessStatusCode:  http.StatusCreated,
 		ErrorStatusCodes:   []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:         false,
+		Deprecated:         true,
 		SecuritySchemes:    newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
@@ -54,7 +54,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
+		Deprecated:          true,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
@@ -88,7 +88,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
+		Deprecated:          true,
 		SecuritySchemes:     []handler.OpenAPISecurityScheme{{Name: authtypes.IdentNProviderTokenizer.StringValue()}},
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
@@ -111,6 +111,23 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v2/users", handler.New(provider.authzMiddleware.AdminAccess(provider.userHandler.CreateUser), handler.OpenAPIDef{
+		ID:                  "CreateUser",
+		Tags:                []string{"users"},
+		Summary:             "Create user",
+		Description:         "This endpoint creates a user for the organization",
+		Request:             new(authtypes.PostableUser),
+		RequestContentType:  "application/json",
+		Response:            new(types.Identifiable),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusCreated,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v2/users/me", handler.New(provider.authzMiddleware.OpenAccess(provider.userHandler.UpdateMyUser), handler.OpenAPIDef{
 		ID:                  "UpdateMyUserV2",
 		Tags:                []string{"users"},
@@ -139,7 +156,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
+		Deprecated:          true,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
@@ -173,7 +190,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          false,
+		Deprecated:          true,
 		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
 	})).Methods(http.MethodPut).GetError(); err != nil {
 		return err

pkg/modules/user/impluser/handler.go

@@ -25,6 +25,42 @@ func NewHandler(setter root.Setter, getter root.Getter) root.Handler {
 	return &handler{setter: setter, getter: getter}
 }
 
+func (handler *handler) CreateUser(rw http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(authtypes.PostableUser)
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	user, err := types.NewUser(req.DisplayName, req.Email, valuer.MustNewUUID(claims.OrgID), types.UserStatusPendingInvite)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	roleIDs := make([]valuer.UUID, 0, len(req.Roles))
+	for _, role := range req.Roles {
+		roleIDs = append(roleIDs, role.ID)
+	}
+
+	user, err = handler.setter.CreateUserInvite(ctx, valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), req.FrontendBaseUrl, user, root.WithRoleIDs(roleIDs))
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: user.ID})
+}
+
 func (handler *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

pkg/modules/user/impluser/setter.go

@@ -215,6 +215,68 @@ func (module *setter) CreateUser(ctx context.Context, user *types.User, opts ...
 	return nil
 }
 
+// CreateUserInvite creates a pending invite user with the roles given via opts and emails them a
+// link to set their password. The grant is deferred until the invite is accepted (see
+// UpdatePasswordByResetPasswordToken), so unlike CreateUser it never grants the roles here.
+func (module *setter) CreateUserInvite(ctx context.Context, identityID valuer.UUID, identityEmail valuer.Email, frontendBaseURL string, user *types.User, opts ...root.CreateUserOption) (*types.User, error) {
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
+	// roles can be supplied either by name or by id, resolve the ids to names so both
+	// converge. ListByOrgIDAndIDs also validates that the roles exist in the org.
+	roleNames := createUserOpts.RoleNames
+	if len(createUserOpts.RoleIDs) > 0 {
+		roles, err := module.authz.ListByOrgIDAndIDs(ctx, user.OrgID, createUserOpts.RoleIDs)
+		if err != nil {
+			return nil, err
+		}
+		for _, role := range roles {
+			roleNames = append(roleNames, role.Name)
+		}
+	}
+
+	var resetPasswordToken *types.ResetPasswordToken
+	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.createUserWithoutGrant(ctx, user, root.WithRoleNames(roleNames), root.WithFactorPassword(createUserOpts.FactorPassword)); err != nil {
+			return err
+		}
+
+		token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
+		if err != nil {
+			return err
+		}
+		resetPasswordToken = token
+
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	module.analytics.TrackUser(ctx, user.OrgID.String(), identityID.String(), "Invite Sent", map[string]any{
+		"invitee_email": user.Email,
+		"invitee_role":  roleNames,
+	})
+
+	if frontendBaseURL == "" {
+		module.settings.Logger().InfoContext(ctx, "frontend base url is not provided, skipping email", slog.Any("invitee_email", user.Email))
+		return user, nil
+	}
+
+	resetLink := resetPasswordToken.FactorPasswordResetLink(frontendBaseURL)
+
+	tokenLifetime := module.config.Password.Invite.MaxTokenLifetime
+	humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
+
+	if err := module.emailing.SendHTML(ctx, user.Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
+		"inviter_email": identityEmail.StringValue(),
+		"link":          resetLink,
+		"Expiry":        humanizedTokenLifetime,
+	}); err != nil {
+		module.settings.Logger().ErrorContext(ctx, "failed to send invite email", errors.Attr(err))
+	}
+
+	return user, nil
+}
+
 func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser) (*types.DeprecatedUser, error) {
 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {

pkg/modules/user/option.go

@@ -8,6 +8,7 @@ import (
 type createUserOptions struct {
 	FactorPassword *types.FactorPassword
 	RoleNames      []string
+	RoleIDs        []valuer.UUID
 }
 
 type CreateUserOption func(*createUserOptions)
@@ -24,6 +25,12 @@ func WithRoleNames(roleNames []string) CreateUserOption {
 	}
 }
 
+func WithRoleIDs(roleIDs []valuer.UUID) CreateUserOption {
+	return func(o *createUserOptions) {
+		o.RoleIDs = roleIDs
+	}
+}
+
 func NewCreateUserOptions(opts ...CreateUserOption) *createUserOptions {
 	o := &createUserOptions{
 		FactorPassword: nil,

pkg/modules/user/user.go

@@ -45,6 +45,9 @@ type Setter interface {
 	// invite
 	CreateBulkInvite(ctx context.Context, orgID valuer.UUID, identityID valuer.UUID, identityEmail valuer.Email, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error)
 
+	// Creates a pending invite user with the roles given via opts and emails them the invite link.
+	CreateUserInvite(ctx context.Context, identityID valuer.UUID, identityEmail valuer.Email, frontendBaseURL string, user *types.User, opts ...CreateUserOption) (*types.User, error)
+
 	// Roles
 	UpdateUserRoles(ctx context.Context, orgID, userID valuer.UUID, finalRoleNames []string) error
 	AddUserRole(ctx context.Context, orgID, userID valuer.UUID, roleName string) error
@@ -107,6 +110,7 @@ type Handler interface {
 	// users
 	ListUsersDeprecated(http.ResponseWriter, *http.Request)
 	ListUsers(http.ResponseWriter, *http.Request)
+	CreateUser(http.ResponseWriter, *http.Request)
 	UpdateUserDeprecated(http.ResponseWriter, *http.Request)
 	UpdateUser(http.ResponseWriter, *http.Request)
 	DeleteUser(http.ResponseWriter, *http.Request)

pkg/types/authtypes/user_role.go

@@ -2,6 +2,7 @@ package authtypes
 
 import (
 	"context"
+	"encoding/json"
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -28,6 +29,38 @@ type UserRole struct {
 	Role *Role `bun:"rel:belongs-to,join:role_id=id" json:"role" required:"true"`
 }
 
+type UserWithRoles struct {
+	*types.User
+	UserRoles []*UserRole `json:"userRoles"`
+}
+
+type PostableUser struct {
+	DisplayName     string              `json:"displayName"`
+	Email           valuer.Email        `json:"email" required:"true"`
+	FrontendBaseUrl string              `json:"frontendBaseUrl"`
+	Roles           []*PostableUserRole `json:"roles" required:"true" nullable:"false"`
+}
+
+type PostableUserRole struct {
+	ID valuer.UUID `json:"id" required:"true"`
+}
+
+func (p *PostableUser) UnmarshalJSON(data []byte) error {
+	type Alias PostableUser
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	if temp.Roles == nil {
+		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "roles is required")
+	}
+
+	*p = PostableUser(temp)
+	return nil
+}
+
 func newUserRole(userID valuer.UUID, roleID valuer.UUID) *UserRole {
 	return &UserRole{
 		ID:        valuer.GenerateUUID(),
@@ -48,11 +81,6 @@ func NewUserRoles(userID valuer.UUID, roles []*Role) []*UserRole {
 	return userRoles
 }
 
-type UserWithRoles struct {
-	*types.User
-	UserRoles []*UserRole `json:"userRoles"`
-}
-
 type UserRoleStore interface {
 	// create user roles in bulk
 	CreateUserRoles(ctx context.Context, userRoles []*UserRole) error