Add admin API endpoint to reactivate user

Author: AndrewFerr

crates/cli/src/commands/manage.rs

@@ -542,7 +542,7 @@ impl Options {
 
                 warn!(%user.id, "User scheduling user reactivation");
                 repo.queue_job()
-                    .schedule_job(&mut rng, &clock, ReactivateUserJob::new(&user))
+                    .schedule_job(&mut rng, &clock, ReactivateUserJob::new(&user, true))
                     .await?;
 
                 repo.into_inner().commit().await?;

crates/handlers/src/admin/v1/mod.rs

@@ -94,6 +94,10 @@ where
             "/users/{id}/deactivate",
             post_with(self::users::deactivate, self::users::deactivate_doc),
         )
+        .api_route(
+            "/users/{id}/reactivate",
+            post_with(self::users::reactivate, self::users::reactivate_doc),
+        )
         .api_route(
             "/users/{id}/lock",
             post_with(self::users::lock, self::users::lock_doc),

crates/handlers/src/admin/v1/users/deactivate.rs

@@ -137,6 +137,7 @@ mod tests {
             body["data"]["attributes"]["locked_at"],
             serde_json::json!(state.clock.now())
         );
+        // TODO: have test coverage on deactivated_at timestamp
 
         // Make sure to run the jobs in the queue
         state.run_jobs_in_queue().await;
@@ -201,6 +202,11 @@ mod tests {
             body["data"]["attributes"]["locked_at"],
             serde_json::json!(state.clock.now())
         );
+        assert_ne!(
+            body["data"]["attributes"]["locked_at"],
+            serde_json::Value::Null
+        );
+        // TODO: have test coverage on deactivated_at timestamp
 
         // Make sure to run the jobs in the queue
         state.run_jobs_in_queue().await;

crates/handlers/src/admin/v1/users/lock.rs

@@ -157,6 +157,10 @@ mod tests {
             body["data"]["attributes"]["locked_at"],
             serde_json::json!(state.clock.now())
         );
+        assert_ne!(
+            body["data"]["attributes"]["locked_at"],
+            serde_json::Value::Null
+        );
     }
 
     #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]

crates/handlers/src/admin/v1/users/mod.rs

@@ -10,6 +10,7 @@ mod deactivate;
 mod get;
 mod list;
 mod lock;
+mod reactivate;
 mod set_admin;
 mod set_password;
 mod unlock;
@@ -21,6 +22,7 @@ pub use self::{
     get::{doc as get_doc, handler as get},
     list::{doc as list_doc, handler as list},
     lock::{doc as lock_doc, handler as lock},
+    reactivate::{doc as reactivate_doc, handler as reactivate},
     set_admin::{doc as set_admin_doc, handler as set_admin},
     set_password::{doc as set_password_doc, handler as set_password},
     unlock::{doc as unlock_doc, handler as unlock},

crates/handlers/src/admin/v1/users/reactivate.rs

@@ -0,0 +1,223 @@
+// Copyright 2025 New Vector Ltd.
+//
+// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
+// Please see LICENSE files in the repository root for full details.
+
+use aide::{NoApi, OperationIo, transform::TransformOperation};
+use axum::{Json, response::IntoResponse};
+use hyper::StatusCode;
+use mas_axum_utils::record_error;
+use mas_storage::{
+    BoxRng,
+    queue::{QueueJobRepositoryExt as _, ReactivateUserJob},
+};
+use tracing::info;
+use ulid::Ulid;
+
+use crate::{
+    admin::{
+        call_context::CallContext,
+        model::{Resource, User},
+        params::UlidPathParam,
+        response::{ErrorResponse, SingleResponse},
+    },
+    impl_from_error_for_route,
+};
+
+#[derive(Debug, thiserror::Error, OperationIo)]
+#[aide(output_with = "Json<ErrorResponse>")]
+pub enum RouteError {
+    #[error(transparent)]
+    Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
+
+    #[error("User ID {0} not found")]
+    NotFound(Ulid),
+}
+
+impl_from_error_for_route!(mas_storage::RepositoryError);
+
+impl IntoResponse for RouteError {
+    fn into_response(self) -> axum::response::Response {
+        let error = ErrorResponse::from_error(&self);
+        let sentry_event_id = record_error!(self, Self::Internal(_));
+        let status = match self {
+            Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,
+            Self::NotFound(_) => StatusCode::NOT_FOUND,
+        };
+        (status, sentry_event_id, Json(error)).into_response()
+    }
+}
+
+pub fn doc(operation: TransformOperation) -> TransformOperation {
+    operation
+        .id("reactivateUser")
+        .summary("Reactivate a user")
+        .description("Calling this endpoint will reactivate a deactivated user, both locally and on the Matrix homeserver.")
+        .tag("user")
+        .response_with::<200, Json<SingleResponse<User>>, _>(|t| {
+            // In the samples, the third user is the one locked
+            let [sample, ..] = User::samples();
+            let id = sample.id();
+            let response = SingleResponse::new(sample, format!("/api/admin/v1/users/{id}/reactivate"));
+            t.description("User was reactivated").example(response)
+        })
+        .response_with::<404, RouteError, _>(|t| {
+            let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil()));
+            t.description("User ID not found").example(response)
+        })
+}
+
+#[tracing::instrument(name = "handler.admin.v1.users.reactivate", skip_all)]
+pub async fn handler(
+    CallContext {
+        mut repo, clock, ..
+    }: CallContext,
+    NoApi(mut rng): NoApi<BoxRng>,
+    id: UlidPathParam,
+) -> Result<Json<SingleResponse<User>>, RouteError> {
+    let id = *id;
+    let user = repo
+        .user()
+        .lookup(id)
+        .await?
+        .ok_or(RouteError::NotFound(id))?;
+
+    info!(%user.id, "Scheduling reactivation of user");
+    repo.queue_job()
+        .schedule_job(&mut rng, &clock, ReactivateUserJob::new(&user, false))
+        .await?;
+
+    repo.save().await?;
+
+    Ok(Json(SingleResponse::new(
+        User::from(user),
+        format!("/api/admin/v1/users/{id}/reactivate"),
+    )))
+}
+
+#[cfg(test)]
+mod tests {
+    use hyper::{Request, StatusCode};
+    use mas_matrix::{HomeserverConnection, ProvisionRequest};
+    use mas_storage::{Clock, RepositoryAccess, user::UserRepository};
+    use sqlx::{PgPool, types::Json};
+
+    use crate::test_utils::{RequestBuilderExt, ResponseExt, TestState, setup};
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_reactivate_deactivated_user(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool.clone()).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        let mut repo = state.repository().await.unwrap();
+        let user = repo
+            .user()
+            .add(&mut state.rng(), &state.clock, "alice".to_owned())
+            .await
+            .unwrap();
+        let user = repo.user().lock(&state.clock, user).await.unwrap();
+        let user = repo.user().deactivate(&state.clock, user).await.unwrap();
+        repo.save().await.unwrap();
+
+        // Provision and immediately deactivate the user on the homeserver,
+        // because this endpoint will try to reactivate it
+        let mxid = state.homeserver_connection.mxid(&user.username);
+        state
+            .homeserver_connection
+            .provision_user(&ProvisionRequest::new(&mxid, &user.sub))
+            .await
+            .unwrap();
+        state
+            .homeserver_connection
+            .delete_user(&mxid, true)
+            .await
+            .unwrap();
+
+        // The user should be deactivated on the homeserver
+        let mx_user = state.homeserver_connection.query_user(&mxid).await.unwrap();
+        assert!(mx_user.deactivated);
+
+        let request = Request::post(format!("/api/admin/v1/users/{}/reactivate", user.id))
+            .bearer(&token)
+            .empty();
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::OK);
+        let body: serde_json::Value = response.json();
+
+        // The user should remain locked after being reactivated
+        assert_eq!(
+            body["data"]["attributes"]["locked_at"],
+            serde_json::json!(state.clock.now())
+        );
+        // TODO: have test coverage on deactivated_at timestamp
+
+        // It should have scheduled a reactivation job for the user
+        // XXX: we don't have a good way to look for the reactivation job
+        let job: Json<serde_json::Value> = sqlx::query_scalar(
+            "SELECT payload FROM queue_jobs WHERE queue_name = 'reactivate-user'",
+        )
+        .fetch_one(&pool)
+        .await
+        .expect("Reactivation job to be scheduled");
+        assert_eq!(job["user_id"], serde_json::json!(user.id));
+        assert_eq!(job["unlock"], serde_json::Value::Bool(false));
+    }
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_reactivate_active_user(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool.clone()).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        let mut repo = state.repository().await.unwrap();
+        let user = repo
+            .user()
+            .add(&mut state.rng(), &state.clock, "alice".to_owned())
+            .await
+            .unwrap();
+        repo.save().await.unwrap();
+
+        let request = Request::post(format!("/api/admin/v1/users/{}/reactivate", user.id))
+            .bearer(&token)
+            .empty();
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::OK);
+        let body: serde_json::Value = response.json();
+
+        assert_eq!(
+            body["data"]["attributes"]["locked_at"],
+            serde_json::Value::Null
+        );
+        // TODO: have test coverage on deactivated_at timestamp
+
+        // It should have scheduled a reactivation job for the user
+        // XXX: we don't have a good way to look for the reactivation job
+        let job: Json<serde_json::Value> = sqlx::query_scalar(
+            "SELECT payload FROM queue_jobs WHERE queue_name = 'reactivate-user'",
+        )
+        .fetch_one(&pool)
+        .await
+        .expect("Reactivation job to be scheduled");
+        assert_eq!(job["user_id"], serde_json::json!(user.id));
+        assert_eq!(job["unlock"], serde_json::Value::Bool(false));
+    }
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_reactivate_unknown_user(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        let request = Request::post("/api/admin/v1/users/01040G2081040G2081040G2081/reactivate")
+            .bearer(&token)
+            .empty();
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::NOT_FOUND);
+        let body: serde_json::Value = response.json();
+        assert_eq!(
+            body["errors"][0]["title"],
+            "User ID 01040G2081040G2081040G2081 not found"
+        );
+    }
+}

crates/handlers/src/admin/v1/users/unlock.rs

@@ -141,7 +141,7 @@ mod tests {
 
         assert_eq!(
             body["data"]["attributes"]["locked_at"],
-            serde_json::json!(null)
+            serde_json::Value::Null
         );
     }
 
@@ -158,6 +158,7 @@ mod tests {
             .await
             .unwrap();
         let user = repo.user().lock(&state.clock, user).await.unwrap();
+        let user = repo.user().deactivate(&state.clock, user).await.unwrap();
         repo.save().await.unwrap();
 
         // Provision the user on the homeserver
@@ -187,8 +188,10 @@ mod tests {
 
         assert_eq!(
             body["data"]["attributes"]["locked_at"],
-            serde_json::json!(null)
+            serde_json::Value::Null
         );
+        // TODO: have test coverage on deactivated_at timestamp
+
         // The user should be reactivated on the homeserver
         let mx_user = state.homeserver_connection.query_user(&mxid).await.unwrap();
         assert!(!mx_user.deactivated);

crates/storage-pg/.sqlx/query-98a5491eb5f10997ac1f3718c835903ac99d9bb8ca4d79c908b25a6d1209b9b1.json

@@ -384,6 +384,39 @@ impl UserRepository for PgUserRepository<'_> {
         Ok(user)
     }
 
+    #[tracing::instrument(
+        name = "db.user.reactivate",
+        skip_all,
+        fields(
+            db.query.text,
+            %user.id,
+        ),
+        err,
+    )]
+    async fn reactivate(&mut self, mut user: User) -> Result<User, Self::Error> {
+        if user.deactivated_at.is_none() {
+            return Ok(user);
+        }
+
+        let res = sqlx::query!(
+            r#"
+                UPDATE users
+                SET deactivated_at = NULL
+                WHERE user_id = $1
+            "#,
+            Uuid::from(user.id),
+        )
+        .traced()
+        .execute(&mut *self.conn)
+        .await?;
+
+        DatabaseError::ensure_affected_rows(&res, 1)?;
+
+        user.deactivated_at = None;
+
+        Ok(user)
+    }
+
     #[tracing::instrument(
         name = "db.user.set_can_request_admin",
         skip_all,