feat(admin): add user create, disable/enable, and OAuth/authorization management

[appleboy]

Summary

• Admin Create User — new /admin/users/new page with form, auto-generated password, and one-time password display
• Disable/Enable User — IsActive field on User model, middleware enforcement (disabled users auto-logout), token revocation on disable, admin UI toggle
• OAuth Connections View — per-user /admin/users/:id/connections page showing linked providers (GitHub/Gitea/Microsoft) with unlink action
• User Authorizations View — per-user /admin/users/:id/authorizations page showing granted apps with revoke action
• Clickable Stat Cards — user detail stat cards (Active Tokens, OAuth Connections, Authorized Apps) now link to their respective management pages
• Dashboard Update — shows disabled user count when present
• Code Quality — extracted getFlashMessage/flashAndRedirect helpers, unified disable/enable handler, consolidated error variables
• Security Hardening — tokens revoked before disable (not after), CountUsersByRole only counts active admins, username sanitized on create, efficient ownership-verified OAuth connection queries

New Routes (8)

Method	Path	Description
GET	/admin/users/new	Create user form
POST	/admin/users	Submit create user
POST	/admin/users/:id/disable	Disable user
POST	/admin/users/:id/enable	Enable user
GET	/admin/users/:id/connections	View OAuth connections
POST	/admin/users/:id/connections/:conn_id/delete	Unlink OAuth provider
GET	/admin/users/:id/authorizations	View authorized apps
POST	/admin/users/:id/authorizations/:uuid/revoke	Revoke authorization

Model Change

User.IsActive (bool, default:true) — GORM AutoMigrate handles the migration automatically.

Test plan

• make generate && make build succeeds
• go test ./internal/... all packages pass
• Create user via /admin/users/new — verify password shown once
• Disable user → verify they are logged out and cannot log in
• Enable user → verify they can log in again
• Cannot disable self or last admin
• View/unlink OAuth connections from user detail page
• View/revoke authorized apps from user detail page
• Stat cards on user detail page link to correct pages
• Dashboard shows disabled user count

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 24.40191% with 316 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/handlers/user_admin.go	0.00%	208 Missing ⚠️
internal/services/user.go	66.89%	37 Missing and 11 partials ⚠️
internal/mocks/mock_store.go	0.00%	18 Missing ⚠️
internal/handlers/utils.go	0.00%	15 Missing ⚠️
internal/bootstrap/router.go	0.00%	8 Missing ⚠️
internal/bootstrap/handlers.go	0.00%	7 Missing ⚠️
internal/store/oauth_connection.go	0.00%	7 Missing ⚠️
internal/middleware/auth.go	0.00%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Adds comprehensive admin-side user management capabilities (create local users, enable/disable accounts, and manage per-user OAuth connections/authorizations), plus related UI/metrics updates.

Changes:

• Introduces User.IsActive with admin enable/disable flows and session enforcement for disabled users.
• Adds new admin pages for creating users, viewing/unlinking OAuth connections, and viewing/revoking authorized apps.
• Enhances admin UI (clickable stat cards, status badges, dashboard disabled-user count) and refactors flash-message helpers.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
internal/templates/static/css/pages/admin-forms.css	Adds link styling for clickable user stat cards.
internal/templates/props.go	Adds props structs for new admin user management pages.
internal/templates/admin_users.templ	Adds “Create User” CTA and user status column/badge.
internal/templates/admin_user_detail.templ	Displays user status, adds clickable stat cards, adds enable/disable actions.
internal/templates/admin_user_created.templ	New “created” page showing one-time password with copy action.
internal/templates/admin_user_create.templ	New admin “create user” form.
internal/templates/admin_user_connections.templ	New OAuth connections list + unlink action UI.
internal/templates/admin_user_authorizations.templ	New authorized-apps list + revoke action UI.
internal/templates/admin_dashboard.templ	Shows disabled user count when present.
internal/store/user.go	Ensures external users are active; changes CountUsersByRole to count only active users.
internal/store/user_test.go	Updates test user factory for new IsActive field.
internal/store/types/dashboard.go	Adds DisabledUsers to dashboard counts DTO.
internal/store/sqlite.go	Seeds default admin with IsActive: true.
internal/store/oauth_connection.go	Adds ownership-verified connection lookup by (user_id, id).
internal/store/dashboard.go	Adds disabled-users scalar count to dashboard query.
internal/services/user.go	Adds admin create user, enable/disable, and OAuth connection deletion service methods.
internal/models/user.go	Adds IsActive field to User model.
internal/models/audit_log.go	Adds new audit event types for user created/disabled/enabled and OAuth connection deletion.
internal/mocks/mock_store.go	Updates mocks for new store interface method.
internal/middleware/auth.go	Clears session when a disabled user is encountered.
internal/handlers/utils.go	Adds getFlashMessage / flashAndRedirect helpers.
internal/handlers/user_admin.go	Adds routes/handlers for create user, enable/disable, connections, authorizations; refactors flash usage.
internal/core/store.go	Extends OAuthConnectionStore interface with GetOAuthConnectionByUserAndID.
internal/bootstrap/router.go	Registers new admin routes.
internal/bootstrap/handlers.go	Wires AuthorizationService into UserAdminHandler.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 26 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 26 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The disabled-account check was added to Authenticate(), but OAuth logins use AuthenticateWithOAuth() (and helpers) which currently don’t verify user.IsActive. A disabled user could still complete an OAuth login flow and potentially obtain new sessions/tokens after being disabled. Consider enforcing IsActive consistently across all authentication paths (e.g., check in AuthenticateWithOAuth after loading the user, and in any external-auth flows that return an existing user) and return ErrAccountDisabled.

[Copilot]

CreateUserAdmin maps any gorm.ErrDuplicatedKey from store.CreateUser to ErrUsernameConflict. Since both username and email have unique indexes, a duplicated key could be caused by an email conflict (race vs. the earlier uniqueness check) and should return ErrEmailConflict (or re-check which field conflicts, similar to Store.UpsertExternalUser).

Suggested change

	return nil, "", ErrUsernameConflict
	errText := strings.ToLower(err.Error())
	switch {
	case strings.Contains(errText, "email"):
	return nil, "", ErrEmailConflict
	case strings.Contains(errText, "username"):
	return nil, "", ErrUsernameConflict
	}

[Copilot]

toggleUserActive treats all validation errors as HTTP 400. ValidateSetUserActiveStatus can also fail due to internal problems (e.g., DB lookup/count errors), which should be surfaced as 500 (and ideally a generic message) rather than a client error. Consider switching on known guard errors (self/last-admin/already-active/disabled/not-found) and defaulting to 500, similar to DeleteUser().

[Copilot]

toggleUserActive renders SetUserActiveStatus errors as HTTP 400 unconditionally. Store/update failures are internal errors and shouldn’t be returned as Bad Request (and err.Error() may leak implementation details). Consider mapping known guard errors to 400/404 and defaulting to 500 with a generic message.

Suggested change

	renderErrorPage(c, http.StatusBadRequest, err.Error())
	renderErrorPage(c, http.StatusInternalServerError, "Failed to update user status")

[Copilot]

RevokeUserAuthorization returns ErrAuthorizationNotFound when the authorization doesn’t exist, but the handler currently renders any error as HTTP 400. Consider mapping ErrAuthorizationNotFound to 404 (and reserving 400 for true validation errors) to better reflect the failure mode and align with DeleteUserConnection’s 404 handling.

Suggested change

	renderErrorPage(c, http.StatusBadRequest, err.Error())
	status := http.StatusBadRequest
	if errors.Is(err, services.ErrAuthorizationNotFound) {
	status = http.StatusNotFound
	}
	renderErrorPage(c, status, err.Error())