# User Security API BotServer provides RESTful endpoints for user management, authentication, authorization, and security features. ## Overview The User Security API enables: - User authentication and sessions - Role-based access control - Security settings management - Audit logging - Password policies - Two-factor authentication ## Base URL ``` http://localhost:8080/api/v1/security ``` ## Authentication Most security endpoints require authentication: ```http Authorization: Bearer ``` ## User Management ### Create User **POST** `/users` Create a new user account. **Request Body:** ```json { "username": "johndoe", "email": "john@example.com", "full_name": "John Doe", "role": "user", "groups": ["support_team"], "metadata": { "department": "Customer Service", "employee_id": "EMP001" } } ``` **Response:** ```json { "user_id": "usr_abc123", "username": "johndoe", "email": "john@example.com", "created_at": "2024-01-15T10:00:00Z", "status": "pending_activation" } ``` ### Get User **GET** `/users/{user_id}` Retrieve user information. **Response:** ```json { "user_id": "usr_abc123", "username": "johndoe", "email": "john@example.com", "full_name": "John Doe", "role": "user", "groups": ["support_team"], "status": "active", "created_at": "2024-01-15T10:00:00Z", "last_login": "2024-01-15T14:30:00Z", "email_verified": true, "two_factor_enabled": false } ``` ### Update User **PATCH** `/users/{user_id}` Update user information. **Request Body:** ```json { "full_name": "John Smith", "role": "admin", "groups": ["support_team", "admin_team"] } ``` ### Delete User **DELETE** `/users/{user_id}` Delete or deactivate a user account. **Response:** ```json { "user_id": "usr_abc123", "status": "deactivated", "deactivated_at": "2024-01-15T15:00:00Z" } ``` ### List Users **GET** `/users` List all users with pagination and filters. **Query Parameters:** - `page` - Page number (default: 1) - `limit` - Items per page (default: 20) - `role` - Filter by role - `group` - Filter by group - `status` - Filter by status: `active`, `inactive`, `pending` - `search` - Search in username, email, full name **Response:** ```json { "users": [ { "user_id": "usr_abc123", "username": "johndoe", "email": "john@example.com", "full_name": "John Doe", "role": "user", "status": "active" } ], "total": 150, "page": 1, "limit": 20 } ``` ## Authentication ### Login **POST** `/auth/login` Authenticate user via directory service. **Request Body:** ```json { "username": "johndoe", "password": "secure_password", "two_factor_code": "123456" } ``` **Response:** ```json { "access_token": "eyJhbGciOiJIUzI1NiIs...", "refresh_token": "eyJhbGciOiJIUzI1NiIs...", "token_type": "Bearer", "expires_in": 3600, "user": { "user_id": "usr_abc123", "username": "johndoe", "role": "user" } } ``` ### Refresh Token **POST** `/auth/refresh` Refresh an expired access token. **Request Body:** ```json { "refresh_token": "eyJhbGciOiJIUzI1NiIs..." } ``` ### Logout **POST** `/auth/logout` Invalidate current session. **Request Body:** ```json { "refresh_token": "eyJhbGciOiJIUzI1NiIs..." } ``` ### Verify Token **GET** `/auth/verify` Verify if a token is valid. **Headers:** ```http Authorization: Bearer ``` **Response:** ```json { "valid": true, "user_id": "usr_abc123", "expires_at": "2024-01-15T15:00:00Z" } ``` ## Roles and Permissions ### List Roles **GET** `/roles` Get all available roles. **Response:** ```json { "roles": [ { "role_id": "admin", "name": "Administrator", "permissions": ["users.manage", "bots.manage", "system.configure"] }, { "role_id": "user", "name": "User", "permissions": ["bots.use", "profile.edit"] } ] } ``` ### Assign Role **POST** `/users/{user_id}/roles` Assign a role to a user. **Request Body:** ```json { "role_id": "admin" } ``` ### Check Permission **GET** `/users/{user_id}/permissions/{permission}` Check if user has a specific permission. **Response:** ```json { "user_id": "usr_abc123", "permission": "bots.manage", "granted": true, "source": "role:admin" } ``` ## Groups ### Create Group **POST** `/groups` Create a user group. **Request Body:** ```json { "name": "support_team", "description": "Customer support team", "permissions": ["tickets.manage", "kb.edit"] } ``` ### Add User to Group **POST** `/groups/{group_id}/members` Add a user to a group. **Request Body:** ```json { "user_id": "usr_abc123" } ``` ### Remove User from Group **DELETE** `/groups/{group_id}/members/{user_id}` Remove a user from a group. ## Security Settings ### Get Security Settings **GET** `/settings/security` Get current security configuration. **Response:** ```json { "password_policy": { "min_length": 12, "require_uppercase": true, "require_lowercase": true, "require_numbers": true, "require_special": true, "expiry_days": 90, "history_count": 5 }, "session_policy": { "timeout_minutes": 30, "max_sessions": 5, "remember_me_days": 30 }, "two_factor": { "enabled": false, "required_for_roles": ["admin"], "methods": ["totp", "sms"] }, "lockout_policy": { "max_attempts": 5, "lockout_duration_minutes": 30, "reset_window_minutes": 15 } } ``` ### Update Security Settings **PATCH** `/settings/security` Update security configuration. **Request Body:** ```json { "password_policy": { "min_length": 14, "expiry_days": 60 }, "two_factor": { "enabled": true } } ``` ## Two-Factor Authentication ### Enable 2FA **POST** `/users/{user_id}/2fa/enable` Enable two-factor authentication. **Response:** ```json { "secret": "JBSWY3DPEHPK3PXP", "qr_code": "data:image/png;base64,iVBORw0KGgoAAAA...", "backup_codes": [ "12345678", "87654321", "11223344" ] } ``` ### Verify 2FA **POST** `/users/{user_id}/2fa/verify` Verify 2FA setup. **Request Body:** ```json { "code": "123456" } ``` ### Disable 2FA **POST** `/users/{user_id}/2fa/disable` Disable two-factor authentication. ## Audit Logs ### Get Audit Logs **GET** `/audit/logs` Retrieve security audit logs. **Query Parameters:** - `user_id` - Filter by user - `action` - Filter by action type - `start_date` - Start of date range - `end_date` - End of date range - `page` - Page number - `limit` - Items per page **Response:** ```json { "logs": [ { "log_id": "log_123", "timestamp": "2024-01-15T14:30:00Z", "user_id": "usr_abc123", "action": "login", "ip_address": "192.168.1.100", "user_agent": "Mozilla/5.0...", "success": true, "details": { "method": "password", "session_id": "sess_xyz" } } ], "total": 500, "page": 1 } ``` ### Export Audit Logs **POST** `/audit/export` Export audit logs for compliance. **Request Body:** ```json { "format": "csv", "date_range": { "start": "2024-01-01", "end": "2024-01-31" }, "filters": { "actions": ["login", "permission_change", "data_access"] } } ``` ## Session Management ### List Sessions **GET** `/users/{user_id}/sessions` List active sessions for a user. **Response:** ```json { "sessions": [ { "session_id": "sess_xyz", "created_at": "2024-01-15T10:00:00Z", "last_activity": "2024-01-15T14:30:00Z", "ip_address": "192.168.1.100", "user_agent": "Mozilla/5.0...", "location": "New York, US" } ], "total": 2 } ``` ### Revoke Session **DELETE** `/sessions/{session_id}` Revoke a specific session. ### Revoke All Sessions **POST** `/users/{user_id}/sessions/revoke-all` Revoke all sessions for a user. ## Password Management ### Change Password **POST** `/users/{user_id}/password` Change user password (handled by directory service). **Request Body:** ```json { "current_password": "old_password", "new_password": "new_secure_password" } ``` ### Reset Password Request **POST** `/auth/password/reset-request` Request password reset. **Request Body:** ```json { "email": "john@example.com" } ``` ### Reset Password **POST** `/auth/password/reset` Reset password with token. **Request Body:** ```json { "token": "reset_token_123", "new_password": "new_secure_password" } ``` ## API Keys ### Generate API Key **POST** `/users/{user_id}/api-keys` Generate an API key for programmatic access. **Request Body:** ```json { "name": "Integration Key", "permissions": ["bots.use"], "expires_at": "2024-12-31T23:59:59Z" } ``` **Response:** ```json { "key_id": "key_123", "api_key": "sk_live_abcdef123456...", "created_at": "2024-01-15T10:00:00Z", "expires_at": "2024-12-31T23:59:59Z" } ``` ### List API Keys **GET** `/users/{user_id}/api-keys` List user's API keys. ### Revoke API Key **DELETE** `/api-keys/{key_id}` Revoke an API key. ## Error Responses ### 401 Unauthorized ```json { "error": "unauthorized", "message": "Invalid credentials" } ``` ### 403 Forbidden ```json { "error": "forbidden", "message": "Insufficient permissions" } ``` ### 423 Locked ```json { "error": "account_locked", "message": "Account locked due to too many failed attempts", "locked_until": "2024-01-15T15:00:00Z" } ``` ## Security Best Practices 1. **Use Strong Passwords**: Enforce complex password requirements 2. **Enable 2FA**: Require for administrative accounts 3. **Regular Audits**: Review audit logs regularly 4. **Session Limits**: Limit concurrent sessions 5. **API Key Rotation**: Rotate keys periodically 6. **Least Privilege**: Grant minimal necessary permissions 7. **Monitor Failed Logins**: Track and alert on suspicious activity ## Rate Limits | Operation | Limit | Window | |-----------|-------|--------| | Login | 5/minute | Per IP | | Password Reset | 3/hour | Per email | | API Key Generation | 10/day | Per user | ## Related APIs - [Authentication](../chapter-11/authentication.md) - Auth details - [Audit Logs](./monitoring-api.md) - System monitoring - [Notifications](./notifications-api.md) - Security alerts