* Server Users: More precise message when inviting users
This lets the admin who invited a new user know whether or not an email has been sent. If the SMTP server hasn't been set up, they need to share the invite link with the user.
* Onboarding: Invite new users
- Separates the user self-registration and invite cases
- Adds invitation email for users created by the admin
- Adds invitation tokens to verify user was invited
- Adds handler action for invite links
- Refactors `UserEventHostedService`
* Remove duplicate status message from views that use the wizard layout
* Auto-approve users created by an admin
* Notify admins via email if a new account requires approval
* Update wording
* Fix update user error
* Fix redirect to email confirmation in invite action
* Fix precondition checks after signup
* Improve admin notification
Send notification only if the user does not require email confirmation or when they confirmed their email address. Rationale: We want to inform admins only about qualified users and not annoy them with bot registrations.
* Allow approval alongside resending confirm email
* Use user email in log messages instead of ID
* Prevent unnecessary notification after email confirmation
* Use ApplicationUser type explicitly
* Fix after rebase
* Refactoring: Do not subclass UserRegisteredEvent
* Admin overview of the stores on the instance
POC/Draft for #5674.
* Enable admin to access foreign stores
* Remove stores list link
* UI updates
* Grant admins guest access to foreign stores
* Optimize cookie auth handler
* Test fix
* Revert changes related to StoreRepository.FindStore with isAdmin
* Users list: Cleanups
* Policies: Flip registration settings
* Policies: Add RequireUserApproval setting
* Add approval to user
* Require approval on login and for API key
* API handling
* AccountController cleanups
* Test fix
* Apply suggestions from code review
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Add missing imports
* Communicate login requirements to user on account creation
* Add login requirements to basic auth handler
* Cleanups and test fix
* Encapsulate approval logic in user service and log approval changes
* Send follow up "Account approved" email
Closes#5656.
* Add notification for admins
* Fix creating a user via the admin view
* Update list: Unify flags into status column, add approve action
* Adjust "Resend email" wording
* Incorporate feedback from code review
* Remove duplicate test server policy reset
---------
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
Fixes#5698. Before this, the app lookup was constrained by the user having at least `CanModifyStoreSettings` permissions. This changes it to require the user being associated with a store, leaving the fine-grained authorization checks up to the individual actions.
* Adapt cookie auth to work with same API permission system
* Handle unscoped store permission case
* Do not consider Unscoped as a valid policy
* Add tests
* Refactor permissions scopes
---------
Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
* Greenfield: Admins can create/delete API keys of any user
* Greenfield: Improve doc for scoped apikey (Close#4673)
* Fix permissions hierarchy
* Update BTCPayServer.Client/Permissions.cs
* Fix tests
---------
Co-authored-by: Andrew Camilleri <evilkukka@gmail.com>
* Editorconfig: Add space_before_self_closing setting
This was a difference between the way dotnet-format and Rider format code. See https://www.jetbrains.com/help/rider/EditorConfig_Index.html
* Editorconfig: Keep 4 spaces indentation for Swagger JSON files
They are all formatted that way, let's keep it like that.
* Apply dotnet-format, mostly white-space related changes
* Plugins: Add authorization hook
Makes the `PolicyRequirement` available to plugins.
Adds a filter hook to the authorization handlers, so that plugins can extend and leverage the existing authorization policies and permissions.
* Update to pass back and forth handle class
* Allow Users to be disabled/enabled
* rebrand to locked for api
* Update BTCPayServer/Views/UIAccount/Lockout.cshtml
Co-authored-by: d11n <mail@dennisreimann.de>
* fix docker compose and an uneeded check in api handler
* fix
* Add enabled user test
Co-authored-by: d11n <mail@dennisreimann.de>
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Set store context in cookie
* Fix page id usages in view
* Move Pay Button to nav
* Move integrations to plugins nav
* Store switch links to wallet if present
* Test fixes
* Nav fixes
* Fix altcoin view
* Main nav updates
* Wallet setttings nav update
* Move storeId cookie fallback to cookie auth handler
* View fixes
* Test fixes
* Fix profile check
* Rename integrations nav extension point to store-integrations-nav-list
* Allow strings for Active page/category for plugins
* Make invoice list filter based on store context
* Do not set context if we are running authorizer through tag helper
* Fix test and unfiltered invoices
* Add permission helper for wallet links
* Add sanity checks for payment requests and invoices
* Store context in home controller
* Fix PayjoinViaUI test
* Store context for notifications
* Minor UI improvements
* Store context for userstores and vault controller
* Bring back integrations page
* Rename notifications nav pages file
* Fix user stores controller policies
* Controller policy fixes from code review
* CookieAuthHandler: Simplify CanViewInvoices case
* Revert "Controller policy fixes from code review"
This reverts commit 97e8b8379c.
* Simplify LayoutSimple
* Fix CanViewInvoices condition
Co-authored-by: Kukks <evilkukka@gmail.com>
* Mention the missing API permission in the response header or body
* Fixes + Added a unit test. 1 TODO remains.
* Added MissingPermissionDescription to the error
* Update BTCPayServer.Tests/GreenfieldAPITests.cs
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Fix tests
* [GreenField]: Make sure we are sending fully typed errors
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Update layout structure and header
* Implement store selector
* Simplify homepage
* Update layout
* Use dropdown for store selector
* Hide global nav in store context
* Horizontal section nav
* Remove outer section and container from content views
* Update nav
* Set store context for invoice and payment request lists
* Test fixes
* Persist menu collapse state on client-side
* MainNav as view component
* Update app routes to incorporate store context
* Test fixes
* Display ticker for altcoins build only
* Plugins nav
* Incorporate category for active page as well
* Update invoice icon
* Add apps list to nav
* Add store context to app type controllers
* Incorporate id for active page as well
* Test fixes
* AppsController cleanup
* Nav: Display only apps for the current store
* Remove leftover from merge
* Nav styles optimization
* Left-align content container
* Increase sidebar padding on desktop
* Use min-width for store selector menu
* Store settings nav update
* Update app and payment request routes
* Test fixes
* Refactor MainNav component to use StoresController
* Set store context for invoice actions
* Cleanups
* Remove CurrentStore checks
The response will be "Access denied" in case the CookieAuthorizationHandler cannot resolve the store.
* Remove unnecessary store context setters
* Test fix
* wip
* Local GreenField Client for Plugins
* support notification handlers being missing
* Initial support for scoped btcpay client
* test out scoped local client
* wip
* small fix
* Throw exception if using local greenfield client and it has not been implemented yet
* adapt based on new changes in BTCPay
* update
* fix tests
* Allow Local client to bypass authorization handler
* Add Misc endpoints to Local API Client
* Add new endpoints
* Apply code review changes
* Migrate existing U2F to Fido2
This seamlessly switches all u2f registrations over to the new FIDO2 support. Please note that I have not yet added a way to drop the u2f DB and its UI so that we can test the migration works properly for all.
* add testing logic
* fix u2f tests
* remove duplicate status message
* fix test and namespaces
* fix test
* GreenField: Notifications API
This refactors notifications so that we dont have a bunch of duplicated direct access to db contexts in controllers and then introduces new endpoints to fetch/toggle seen/remove notifications of the current user.
* add tests + docs
* fix test
* pr changes
* fix permission json
This allows plugins to create custom dbcontexts, which would be namespaced in the scheme with a prefix. Migrations are supported too and the table would be prefixed too
* BTCPay Extensions Part 2
This PR cleans up the extension system a bit in that:
* It renames the test extension to a more uniform name
* Allows yo uto have system extensions, which are extensions but bundled by default with the release (and cannot be removed)
* Adds a tool to help you generate an extension package from a csproj
* Refactors the UI extension points to a view component
* Moves some more interfaces to the Abstractions csproj
* Rename to plugins
This lets the authorize api key screen redirect to the defined url and provide it with the user id, permissions granted and the key.
This also allows apps to match existing api keys generated for it specifically using the application identifier, and if matched, presented with a confirmation page before redirection.