diff --git a/build.sbt b/build.sbt index ff0f60c5..52eed4f0 100644 --- a/build.sbt +++ b/build.sbt @@ -130,6 +130,8 @@ val openapiScalaSettings = Seq( .addMapping(CustomMapping.forFormatType({ case "ident" => field => field.copy(typeDef = TypeDef("Ident", Imports("docspell.common.Ident"))) + case "accountid" => + field => field.copy(typeDef = TypeDef("AccountId", Imports("docspell.common.AccountId"))) case "collectivestate" => field => field.copy(typeDef = diff --git a/docker/docspell.conf b/docker/docspell.conf index a1c35bd7..31716b87 100644 --- a/docker/docspell.conf +++ b/docker/docspell.conf @@ -13,7 +13,6 @@ docspell.server { # Configuration of the full-text search engine. full-text-search { enabled = true - recreate-key = "" solr = { url = "http://solr:8983/solr/docspell" } diff --git a/modules/backend/src/main/scala/docspell/backend/ops/OCollective.scala b/modules/backend/src/main/scala/docspell/backend/ops/OCollective.scala index f68be8b7..1bee773b 100644 --- a/modules/backend/src/main/scala/docspell/backend/ops/OCollective.scala +++ b/modules/backend/src/main/scala/docspell/backend/ops/OCollective.scala @@ -44,6 +44,8 @@ trait OCollective[F[_]] { newPass: Password ): F[PassChangeResult] + def resetPassword(accountId: AccountId): F[PassResetResult] + def getContacts( collective: Ident, query: Option[String], @@ -77,6 +79,15 @@ object OCollective { type Classifier = RClassifierSetting.Classifier val Classifier = RClassifierSetting.Classifier + sealed trait PassResetResult + object PassResetResult { + case class Success(newPw: Password) extends PassResetResult + case object NotFound extends PassResetResult + + def success(np: Password): PassResetResult = Success(np) + def notFound: PassResetResult = NotFound + } + sealed trait PassChangeResult object PassChangeResult { case object UserNotFound extends PassChangeResult @@ -184,6 +195,17 @@ object OCollective { def tagCloud(collective: Ident): F[List[TagCount]] = store.transact(QCollective.tagCloud(collective)) + def resetPassword(accountId: AccountId): F[PassResetResult] = + for { + newPass <- Password.generate[F] + n <- store.transact( + RUser.updatePassword(accountId, PasswordCrypt.crypt(newPass)) + ) + res = + if (n <= 0) PassResetResult.notFound + else PassResetResult.success(newPass) + } yield res + def changePassword( accountId: AccountId, current: Password, diff --git a/modules/common/src/main/scala/docspell/common/Password.scala b/modules/common/src/main/scala/docspell/common/Password.scala index 88a9d09d..c7b7bef9 100644 --- a/modules/common/src/main/scala/docspell/common/Password.scala +++ b/modules/common/src/main/scala/docspell/common/Password.scala @@ -1,5 +1,8 @@ package docspell.common +import cats.effect.Sync +import cats.implicits._ + import io.circe.{Decoder, Encoder} final class Password(val pass: String) extends AnyVal { @@ -18,6 +21,12 @@ object Password { def apply(pass: String): Password = new Password(pass) + def generate[F[_]: Sync]: F[Password] = + for { + id <- Ident.randomId[F] + pass = id.id.take(11) + } yield Password(pass) + implicit val passwordEncoder: Encoder[Password] = Encoder.encodeString.contramap(_.pass) diff --git a/modules/restapi/src/main/resources/docspell-openapi.yml b/modules/restapi/src/main/resources/docspell-openapi.yml index d72425d0..cbde344a 100644 --- a/modules/restapi/src/main/resources/docspell-openapi.yml +++ b/modules/restapi/src/main/resources/docspell-openapi.yml @@ -151,9 +151,9 @@ paths: application/json: schema: $ref: "#/components/schemas/BasicResult" - /open/fts/reIndexAll/{id}: + /admin/fts/reIndexAll: post: - tags: [Full-Text Index] + tags: [Full-Text Index, Admin] summary: Re-creates the full-text index. description: | Clears the full-text index and inserts all data from the @@ -162,10 +162,10 @@ paths: by a job executor. Note that this affects all data of all collectives. - The `id` is required and refers to the key given in the config - file to ensure that only admins can call this route. - parameters: - - $ref: "#/components/parameters/id" + This is an admin route, so you need to provide the secret from + the config file as header `Docspell-Admin-Secret`. + security: + - adminHeader: [] responses: 200: description: Ok @@ -1184,6 +1184,31 @@ paths: application/json: schema: $ref: "#/components/schemas/BasicResult" + + /admin/user/resetPassword: + post: + tags: [ Collective, Admin ] + summary: Reset a user password. + description: | + Resets a user password to some random string which is returned + as the result. This is an admin route, so you need to specify + the secret from the config file via a http header + `Docspell-Admin-Secret`. + security: + - adminHeader: [] + requestBody: + content: + application/json: + schema: + $ref: "#/components/schemas/ResetPassword" + responses: + 200: + description: Ok + content: + application/json: + schema: + $ref: "#/components/schemas/ResetPasswordResult" + /sec/source: get: tags: [ Source ] @@ -3416,6 +3441,32 @@ paths: components: schemas: + ResetPassword: + description: | + The account to reset the password. + required: + - account + properties: + account: + type: string + format: accountid + + ResetPasswordResult: + description: | + Contains the newly generated password or an error. + required: + - success + - newPassword + - message + properties: + success: + type: boolean + newPassword: + type: string + format: password + message: + type: string + ItemsAndFieldValue: description: | Holds a list of item ids and a custom field value. @@ -5421,6 +5472,10 @@ components: type: apiKey in: header name: X-Docspell-Auth + adminHeader: + type: apiKey + in: header + name: Docspell-Admin-Secret parameters: id: name: id diff --git a/modules/restserver/src/main/resources/reference.conf b/modules/restserver/src/main/resources/reference.conf index d1c94119..e7ec39f8 100644 --- a/modules/restserver/src/main/resources/reference.conf +++ b/modules/restserver/src/main/resources/reference.conf @@ -111,6 +111,21 @@ docspell.server { } } + # This is a special endpoint that allows some basic administration. + # + # It is intended to be used by admins only, that is users who + # installed the app and have access to the system. Normal users + # should not have access and therefore a secret must be provided in + # order to access it. + # + # This is used for some endpoints, for example: + # - re-create complete fulltext index: + # curl -XPOST -H'Docspell-Admin-Secret: xyz' http://localhost:7880/api/v1/admin/fts/reIndexAll + admin-endpoint { + # The secret. If empty, the endpoint is disabled. + secret = "" + } + # Configuration of the full-text search engine. full-text-search { # The full-text search feature can be disabled. It requires an @@ -120,14 +135,6 @@ docspell.server { # Currently the SOLR search platform is supported. enabled = false - # When re-creating the complete index via a REST call, this key - # is required. If left empty (the default), recreating the index - # is disabled. - # - # Example curl command: - # curl -XPOST http://localhost:7880/api/v1/open/fts/reIndexAll/test123 - recreate-key = "" - # Configuration for the SOLR backend. solr = { # The URL to solr diff --git a/modules/restserver/src/main/scala/docspell/restserver/Config.scala b/modules/restserver/src/main/scala/docspell/restserver/Config.scala index f90616a6..06b897df 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/Config.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/Config.scala @@ -18,13 +18,16 @@ case class Config( integrationEndpoint: Config.IntegrationEndpoint, maxItemPageSize: Int, maxNoteLength: Int, - fullTextSearch: Config.FullTextSearch + fullTextSearch: Config.FullTextSearch, + adminEndpoint: Config.AdminEndpoint ) object Config { case class Bind(address: String, port: Int) + case class AdminEndpoint(secret: String) + case class IntegrationEndpoint( enabled: Boolean, priority: Priority, @@ -56,7 +59,7 @@ object Config { } } - case class FullTextSearch(enabled: Boolean, recreateKey: Ident, solr: SolrConfig) + case class FullTextSearch(enabled: Boolean, solr: SolrConfig) object FullTextSearch {} diff --git a/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala b/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala index d0f987b6..1f582c47 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala @@ -35,6 +35,9 @@ object RestServer { "/api/v1/sec/" -> Authenticate(restApp.backend.login, cfg.auth) { token => securedRoutes(cfg, pools, restApp, token) }, + "/api/v1/admin" -> AdminRoutes(cfg.adminEndpoint) { + adminRoutes(cfg, restApp) + }, "/api/doc" -> templates.doc, "/app/assets" -> WebjarRoutes.appRoutes[F](pools.blocker), "/app" -> templates.app, @@ -95,8 +98,13 @@ object RestServer { "signup" -> RegisterRoutes(restApp.backend, cfg), "upload" -> UploadRoutes.open(restApp.backend, cfg), "checkfile" -> CheckFileRoutes.open(restApp.backend), - "integration" -> IntegrationEndpointRoutes.open(restApp.backend, cfg), - "fts" -> FullTextIndexRoutes.open(cfg, restApp.backend) + "integration" -> IntegrationEndpointRoutes.open(restApp.backend, cfg) + ) + + def adminRoutes[F[_]: Effect](cfg: Config, restApp: RestApp[F]): HttpRoutes[F] = + Router( + "fts" -> FullTextIndexRoutes.admin(cfg, restApp.backend), + "user" -> UserRoutes.admin(restApp.backend) ) def redirectTo[F[_]: Effect](path: String): HttpRoutes[F] = { diff --git a/modules/restserver/src/main/scala/docspell/restserver/http4s/QueryParam.scala b/modules/restserver/src/main/scala/docspell/restserver/http4s/QueryParam.scala index 4d91d959..aa846c7e 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/http4s/QueryParam.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/http4s/QueryParam.scala @@ -17,11 +17,6 @@ object QueryParam { implicit val queryStringDecoder: QueryParamDecoder[QueryString] = QueryParamDecoder[String].map(s => QueryString(s.trim.toLowerCase)) - // implicit val booleanDecoder: QueryParamDecoder[Boolean] = - // QueryParamDecoder.fromUnsafeCast(qp => Option(qp.value).exists(_.equalsIgnoreCase("true")))( - // "Boolean" - // ) - object FullOpt extends OptionalQueryParamDecoderMatcher[Boolean]("full") object OwningOpt extends OptionalQueryParamDecoderMatcher[Boolean]("owning") diff --git a/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala b/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala index fbd300a3..7a722d44 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala @@ -1,6 +1,8 @@ package docspell.restserver.http4s import cats.data.NonEmptyList +import cats.data.OptionT +import cats.effect.Sync import fs2.text.utf8Encode import fs2.{Pure, Stream} @@ -36,4 +38,7 @@ object Responses { ) ) + def notFoundRoute[F[_]: Sync]: HttpRoutes[F] = + HttpRoutes(_ => OptionT.pure(Response.notFound[F])) + } diff --git a/modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala b/modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala new file mode 100644 index 00000000..fe3d1f5d --- /dev/null +++ b/modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala @@ -0,0 +1,54 @@ +package docspell.restserver.routes + +import cats.data.{Kleisli, OptionT} +import cats.effect._ +import cats.implicits._ + +import docspell.restserver.Config +import docspell.restserver.http4s.Responses + +import org.http4s._ +import org.http4s.circe.CirceEntityEncoder._ +import org.http4s.dsl.Http4sDsl +import org.http4s.server._ +import org.http4s.util.CaseInsensitiveString + +object AdminRoutes { + private val adminHeader = CaseInsensitiveString("Docspell-Admin-Secret") + + def apply[F[_]: Effect](cfg: Config.AdminEndpoint)( + f: HttpRoutes[F] + ): HttpRoutes[F] = { + val dsl: Http4sDsl[F] = new Http4sDsl[F] {} + import dsl._ + + val authUser = checkSecret[F](cfg) + + val onFailure: AuthedRoutes[String, F] = + Kleisli(req => OptionT.liftF(Forbidden(req.context))) + + val middleware: AuthMiddleware[F, Unit] = + AuthMiddleware(authUser, onFailure) + + if (cfg.secret.isEmpty) Responses.notFoundRoute[F] + else middleware(AuthedRoutes(authReq => f.run(authReq.req))) + } + + private def checkSecret[F[_]: Effect]( + cfg: Config.AdminEndpoint + ): Kleisli[F, Request[F], Either[String, Unit]] = + Kleisli(req => + extractSecret[F](req) + .filter(compareSecret(cfg.secret)) + .toRight("Secret invalid") + .map(_ => ()) + .pure[F] + ) + + private def extractSecret[F[_]](req: Request[F]): Option[String] = + req.headers.get(adminHeader).map(_.value) + + private def compareSecret(s1: String)(s2: String): Boolean = + s1.length > 0 && s1.length == s2.length && + s1.zip(s2).forall({ case (a, b) => a == b }) +} diff --git a/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala b/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala index 301e086c..d6d927c4 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala @@ -1,14 +1,13 @@ package docspell.restserver.routes -import cats.data.OptionT import cats.effect._ import cats.implicits._ import docspell.backend.BackendApp import docspell.backend.auth.AuthToken -import docspell.common._ import docspell.restserver.Config import docspell.restserver.conv.Conversions +import docspell.restserver.http4s.Responses import org.http4s._ import org.http4s.circe.CirceEntityEncoder._ @@ -34,23 +33,20 @@ object FullTextIndexRoutes { } } - def open[F[_]: Effect](cfg: Config, backend: BackendApp[F]): HttpRoutes[F] = + def admin[F[_]: Effect](cfg: Config, backend: BackendApp[F]): HttpRoutes[F] = if (!cfg.fullTextSearch.enabled) notFound[F] else { val dsl = Http4sDsl[F] import dsl._ - HttpRoutes.of { case POST -> Root / "reIndexAll" / Ident(id) => + HttpRoutes.of { case POST -> Root / "reIndexAll" => for { - res <- - if (id.nonEmpty && id == cfg.fullTextSearch.recreateKey) - backend.fulltext.reindexAll.attempt - else Left(new Exception("The provided key is invalid.")).pure[F] + res <- backend.fulltext.reindexAll.attempt resp <- Ok(Conversions.basicResult(res, "Full-text index will be re-created.")) } yield resp } } private def notFound[F[_]: Effect]: HttpRoutes[F] = - HttpRoutes(_ => OptionT.pure(Response.notFound[F])) + Responses.notFoundRoute[F] } diff --git a/modules/restserver/src/main/scala/docspell/restserver/routes/UserRoutes.scala b/modules/restserver/src/main/scala/docspell/restserver/routes/UserRoutes.scala index dbe9008d..bdf0ac57 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/routes/UserRoutes.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/routes/UserRoutes.scala @@ -5,10 +5,10 @@ import cats.implicits._ import docspell.backend.BackendApp import docspell.backend.auth.AuthToken -import docspell.common.Ident +import docspell.backend.ops.OCollective +import docspell.common._ import docspell.restapi.model._ import docspell.restserver.conv.Conversions._ -import docspell.restserver.http4s.ResponseGenerator import org.http4s.HttpRoutes import org.http4s.circe.CirceEntityDecoder._ @@ -18,7 +18,7 @@ import org.http4s.dsl.Http4sDsl object UserRoutes { def apply[F[_]: Effect](backend: BackendApp[F], user: AuthToken): HttpRoutes[F] = { - val dsl = new Http4sDsl[F] with ResponseGenerator[F] {} + val dsl = new Http4sDsl[F] {} import dsl._ HttpRoutes.of { @@ -63,4 +63,25 @@ object UserRoutes { } } + def admin[F[_]: Effect](backend: BackendApp[F]): HttpRoutes[F] = { + val dsl = new Http4sDsl[F] {} + import dsl._ + + HttpRoutes.of { case req @ POST -> Root / "resetPassword" => + for { + input <- req.as[ResetPassword] + result <- backend.collective.resetPassword(input.account) + resp <- Ok(result match { + case OCollective.PassResetResult.Success(np) => + ResetPasswordResult(true, np, "Password updated") + case OCollective.PassResetResult.NotFound => + ResetPasswordResult( + false, + Password(""), + "Password update failed. User not found." + ) + }) + } yield resp + } + } } diff --git a/nix/module-server.nix b/nix/module-server.nix index 8e31c8ed..d079f778 100644 --- a/nix/module-server.nix +++ b/nix/module-server.nix @@ -40,6 +40,9 @@ let header-value = "some-secret"; }; }; + admin-endpoint = { + secret = ""; + }; full-text-search = { enabled = false; solr = { @@ -49,7 +52,6 @@ let def-type = "lucene"; q-op = "OR"; }; - recreate-key = ""; }; auth = { server-secret = "hex:caffee"; @@ -343,6 +345,20 @@ in { ''; }; + admin-endpoint = mkOption { + type = types.submodule({ + options = { + secret = mkOption { + type = types.str; + default = defaults.admin-endpoint.secret; + description = "The secret used to call admin endpoints."; + }; + }; + }); + default = defaults.admin-endpoint; + description = "An endpoint for administration tasks."; + }; + full-text-search = mkOption { type = types.submodule({ options = { @@ -394,18 +410,6 @@ in { default = defaults.full-text-search.solr; description = "Configuration for the SOLR backend."; }; - recreate-key = mkOption { - type = types.str; - default = defaults.full-text-search.recreate-key; - description = '' - When re-creating the complete index via a REST call, this key - is required. If left empty (the default), recreating the index - is disabled. - - Example curl command: - curl -XPOST http://localhost:7880/api/v1/open/fts/reIndexAll/test123 - ''; - }; }; }); default = defaults.full-text-search; diff --git a/tools/export-files.sh b/tools/export-files.sh index ce7583e3..6281d5d0 100755 --- a/tools/export-files.sh +++ b/tools/export-files.sh @@ -174,9 +174,9 @@ downloadAttachment() { rm -f "$attachOut" fi - checksum1=$(curl --fail -s -I -H "X-Docspell-Auth: $auth_token" "$ATTACH_URL/$attachId/original" | \ - grep 'ETag' | cut -d' ' -f2 | jq -r) - curl --fail -s -o "$attachOut" -H "X-Docspell-Auth: $auth_token" "$ATTACH_URL/$attachId/original" + checksum1=$(curl -s -I -H "X-Docspell-Auth: $auth_token" "$ATTACH_URL/$attachId/original" | \ + grep -i 'etag' | cut -d' ' -f2 | jq -r) + curl -s -o "$attachOut" -H "X-Docspell-Auth: $auth_token" "$ATTACH_URL/$attachId/original" checksum2=$(sha256sum "$attachOut" | cut -d' ' -f1 | xargs) if [ "$checksum1" == "$checksum2" ]; then errout " - Checksum ok." diff --git a/tools/reset-password/reset-password.sh b/tools/reset-password/reset-password.sh new file mode 100755 index 00000000..b80bf4c8 --- /dev/null +++ b/tools/reset-password/reset-password.sh @@ -0,0 +1,46 @@ +#!/usr/bin/env bash +# +# A script to reset a password. +# +# Usage: +# ./reset-password.sh +# +# Example: +# ./reset-password.sh http://localhost:7880 test123 your/account +# + +if [ -z "$1" ]; then + echo "The docspell base-url is required as first argument." + exit 1 +else + BASE_URL="$1" +fi + +if [ -z "$2" ]; then + echo "The admin secret is required as second argument." + exit 1 +else + SECRET="$2" +fi + +if [ -z "$3" ]; then + echo "The user account is required as third argument." + exit 1 +else + USER="$3" +fi + +RESET_URL="${BASE_URL}/api/v1/admin/user/resetPassword" + +OUT=$(curl -s -XPOST \ + -H "Docspell-Admin-Secret: $SECRET" \ + -H "Content-Type: application/json" \ + -d "{\"account\": \"$USER\"}" \ + "$RESET_URL") + + +if command -v jq > /dev/null; then + echo $OUT | jq +else + echo $OUT +fi diff --git a/website/site/content/docs/api/intro.md b/website/site/content/docs/api/intro.md index c4bb68ca..6d9a7818 100644 --- a/website/site/content/docs/api/intro.md +++ b/website/site/content/docs/api/intro.md @@ -16,11 +16,14 @@ workflow. The "raw" `openapi.yml` specification file can be found [here](/openapi/docspell-openapi.yml). -The routes can be divided into protected and unprotected routes. The -unprotected, or open routes are at `/open/*` while the protected -routes are at `/sec/*`. Open routes don't require authenticated access -and can be used by any user. The protected routes require an -authenticated user. +The routes can be divided into protected, unprotected routes and admin +routes. The unprotected, or open routes are at `/open/*` while the +protected routes are at `/sec/*` and admin routes are at `/admin/*`. +Open routes don't require authenticated access and can be used by any +user. The protected routes require an authenticated user. The admin +routes require a special http header with a value from the config +file. They are disabled by default, you need to specify a secret in +order to enable admin routes. ## Authentication @@ -38,6 +41,28 @@ a "normal" http header. If a cookie header is used, the cookie name must be `docspell_auth` and a custom header must be named `X-Docspell-Auth`. +The admin route (see below) `/admin/user/resetPassword` can be used to +reset a password of a user. + +## Admin + +There are some endpoints available for adminstration tasks, for +example re-creating the complete fulltext index or resetting a +password. These endpoints are not available to normal users, but to +admins only. Docspell has no special admin users, it simply uses a +secret defined in the configuration file. The person who installs +docspell is the admin and knows this secret (and may share it) and +requests must provide it as a http header `Docspell-Admin-Secret`. + +Example: re-create the fulltext index (over all collectives): + +``` bash +$ curl -XPOST -H "Docspell-Admin-Secret: test123" http://localhost:7880/api/v1/admin/fts/reIndexAll +``` + +To enable these endpoints, you must provide a secret in the +[configuration](@/docs/configure/_index.md#admin-endpoint). + ## Live Api Besides the statically generated documentation at this site, the rest diff --git a/website/site/content/docs/configure/_index.md b/website/site/content/docs/configure/_index.md index 1a5f3ddd..1ac7b928 100644 --- a/website/site/content/docs/configure/_index.md +++ b/website/site/content/docs/configure/_index.md @@ -73,6 +73,22 @@ H2 url = "jdbc:h2:///path/to/a/file.db;MODE=PostgreSQL;DATABASE_TO_LOWER=TRUE;AUTO_SERVER=TRUE" ``` +## Admin Endpoint + +The admin endpoint defines some [routes](@/docs/api/intro.md#admin) +for adminstration tasks. This is disabled by default and can be +enabled by providing a secret: + +``` bash +... + admin-endpoint { + secret = "123" + } +``` + +This secret must be provided to all requests to a `/api/v1/admin/` +endpoint. + ## Full-Text Search: SOLR @@ -105,27 +121,21 @@ documentation](https://lucene.apache.org/solr/guide/8_4/installing-solr.html). That will provide you with the connection url (the last part is the core name). -While the `full-text-search.solr` options are the same for joex and -the restserver, there are some settings that differ. The restserver -has this additional setting, that may be of interest: +The `full-text-search.solr` options are the same for joex and the +restserver. + +There is an [admin route](@/docs/api/intro.md#admin) that allows to +re-create the entire index (for all collectives). This is possible via +a call: ``` bash -full-text-search { - recreate-key = "test123" -} +$ curl -XPOST -H "Docspell-Admin-Secret: test123" http://localhost:7880/api/v1/admin/fts/reIndexAll ``` -This key is required if you want docspell to drop and re-create the -entire index. This is possible via a REST call: - -``` bash -$ curl -XPOST http://localhost:7880/api/v1/open/fts/reIndexAll/test123 -``` - -Here the `test123` is the key defined with `recreate-key`. If it is -empty (the default), this REST call is disabled. Otherwise, the POST -request will submit a system task that is executed by a joex instance -eventually. +Here the `test123` is the key defined with `admin-endpoint.secret`. If +it is empty (the default), this call is disabled (all admin routes). +Otherwise, the POST request will submit a system task that is executed +by a joex instance eventually. Using this endpoint, the index will be re-created. This is sometimes necessary, for example if you upgrade SOLR or delete the core to diff --git a/website/site/content/docs/tools/reset-password.md b/website/site/content/docs/tools/reset-password.md new file mode 100644 index 00000000..9c34b667 --- /dev/null +++ b/website/site/content/docs/tools/reset-password.md @@ -0,0 +1,39 @@ ++++ +title = "Reset Password" +description = "Resets a user password." +weight = 70 ++++ + + +This script can be used to reset a user password. This can be done by +admins, who know the `admin-endpoint.secret` value in the +[configuration](@/docs/configure/_index.md#admin-endpoint) file. + +The script is in `/tools/reset-password/reset-password.sh` and it is +only a wrapper around the admin endpoint `/admin/user/resetPassword`. + +## Usage + +It's very simple: + +``` bash +reset-password.sh +``` + +Three arguments are required to specify the docspell base url, the +admin secret and the account you want to reset the password. + +After the password has been reset, the user can login using it and +change it again in the webapp. + + +## Example + +``` json +❯ ./tools/reset-password/reset-password.sh http://localhost:7880 123 eike +{ + "success": true, + "newPassword": "HjtpG9BFo9y", + "message": "Password updated" +} +```