Feature: add detailed user info update for admin panel

[Musicminion]

User Admin Panel need to be more specific, so we add some changes to CEP admin panel.

• add features for UserApi
• add reset password and Features for user info update

Description

We want a more detailed admin panel for user management.

Related issues / Pull Requests

Contributor Agreement

• I confirm I have signed the Contributor License Agreement

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e967ba486d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Call exported HIBP checker for admin password updates

When an admin sets a password, this calls HaveIBeenPwned.promises.isPasswordReused, but HaveIBeenPwned only exports promises.checkPasswordForReuse (see services/web/app/src/Features/Authentication/HaveIBeenPwned.mjs). The resulting TypeError is swallowed by the catch, so the reused-password check is silently skipped and weak/reused passwords can still be accepted.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Remove hashed password from update response

In the password-update path, update.hashedPassword is set and later returned via res.json(update), but this sanitization block only deletes update.password. As a result, changing a user's password exposes the bcrypt hash in the API response and propagates it to frontend state (performUpdateUser merges response fields), which is an unnecessary credential leak.

Useful? React with 👍 / 👎.

[Musicminion]

@codex, I have fixed now

[chatgpt-codex-connector]

Thanks — I verified the two previously flagged P1 issues appear fixed in the current branch.

What I checked

• The password reuse check now calls the exported HIBP function HaveIBeenPwned.promises.checkPasswordForReuse(value) in the admin password update path, which addresses the earlier isPasswordReused call mismatch issue. services/web/modules/admin-tools/app/src/UserListController.mjsL581-L584
• The response sanitization now removes update.hashedPassword (in addition to update.password) before returning res.json(update), preventing hash leakage in the update response. services/web/modules/admin-tools/app/src/UserListController.mjsL626-L633

Checks run

• ✅ git status --short && git rev-parse --abbrev-ref HEAD && git log --oneline -n 5
• ✅ sed -n '560,700p' services/web/modules/admin-tools/app/src/UserListController.mjs
• ✅ nl -ba services/web/modules/admin-tools/app/src/UserListController.mjs | sed -n '570,590p'
• ✅ nl -ba services/web/modules/admin-tools/app/src/UserListController.mjs | sed -n '585,675p'

No additional code changes were needed from my side, so I did not create a commit or PR.

View task →

[Musicminion]

Need to test on cloud VM before merged. I am interested in if some features is really limited by db params.