feat: add admin user creation capability (#13)

Allows administrators to create users directly from the admin dashboard,
eliminating the need to enable public signup for controlled user onboarding.

Backend Changes:
- Add adminCreateUserSchema validation with role selection and active status
- Implement POST /api/admin/users endpoint with comprehensive validation
- Check for duplicate email/username before user creation
- Hash passwords with bcrypt (12 rounds)
- Audit logging for CREATE_USER action with full metadata
- Return proper validation error messages

Frontend Changes:
- Add createUser() API function in adminApi.ts
- Create user creation dialog in UserManagement component
- Form fields: email, username, password, role (USER/ADMIN), active status
- Real-time validation error display
- Password requirements helper text
- Loading states during user creation
- Auto-refresh user list after successful creation

Security Features:
- Admin-only endpoint (requireAdmin middleware)
- Full password complexity validation (12+ chars, mixed case, numbers, special chars)
- Weak password dictionary blocking
- Duplicate user prevention
- Comprehensive audit logging with IP and user agent tracking
- CSRF protection via existing middleware

User Experience:
- Single-click user creation from admin dashboard
- Clear validation feedback
- Role selection (User/Admin)
- Optional active status (user can login immediately or requires activation)
- Seamless integration with existing user management UI

Documentation:
- Updated README to highlight admin user creation capability
- Updated audit events tracking list
- Enhanced admin dashboard feature description

Use Cases:
- Controlled user onboarding without public signup
- Pre-create accounts for known team members
- Bulk user provisioning by admins
- Closed beta or private deployment scenarios

This feature complements the existing user approval system, giving admins
complete control over user account creation and management.

Author: vasandkumar

README.md

@@ -57,10 +57,12 @@ TriTerm brings the power of your terminal to the browser with enterprise feature
 ### Admin Dashboard
 
 - ✅ **System overview** with real-time statistics
-- ✅ **User management** (create, update, delete, role assignment)
+- ✅ **User management** (create users directly, update roles, activate/deactivate, delete)
+- ✅ **User approval system** - Approve or reject pending registrations
 - ✅ **Session monitoring** - Track active terminal sessions
 - ✅ **Audit log viewer** - Security event tracking
 - ✅ **System metrics** - CPU, memory, uptime monitoring
+- ✅ **System settings** - Toggle public signup on/off
 
 ### Developer Experience
 
@@ -516,7 +518,8 @@ TriTerm implements enterprise-grade security measures aligned with OWASP Top 10
 **Account Protection**
 
 - ✅ Account lockout: 5 failed attempts = 15 min lockout
-- ✅ User approval system (admin-controlled)
+- ✅ User approval system (admin-controlled registration)
+- ✅ Admin user creation (admins can create users directly)
 - ✅ Generic error messages (prevents user enumeration)
 - ✅ Comprehensive audit logging
 
@@ -559,7 +562,7 @@ X-Permitted-Cross-Domain-Policies: none
 - Account lockouts & unlocks
 - Password changes
 - Token refresh & revocation
-- Admin actions (user activation/deactivation)
+- Admin actions (user creation/activation/deactivation)
 - Role changes
 - Failed authentication attempts
 

client/src/lib/adminApi.ts

@@ -118,6 +118,21 @@ export async function getAllUsers(): Promise<User[]> {
   return fetchWithAuth(`${API_URL}/admin/users`);
 }
 
+export interface CreateUserInput {
+  email: string;
+  username: string;
+  password: string;
+  role: 'USER' | 'ADMIN';
+  isActive: boolean;
+}
+
+export async function createUser(input: CreateUserInput): Promise<User> {
+  return fetchWithAuth(`${API_URL}/admin/users`, {
+    method: 'POST',
+    body: JSON.stringify(input),
+  });
+}
+
 export async function updateUserRole(userId: string, role: 'USER' | 'ADMIN'): Promise<User> {
   return fetchWithAuth(`${API_URL}/admin/users/${userId}`, {
     method: 'PATCH',

client/src/pages/Admin/UserManagement.tsx

@@ -16,6 +16,14 @@ import {
   SelectTrigger,
   SelectValue,
 } from '../../components/ui/select';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '../../components/ui/dialog';
 import {
   AlertDialog,
   AlertDialogAction,
@@ -27,9 +35,11 @@ import {
   AlertDialogTitle,
 } from '../../components/ui/alert-dialog';
 import { Badge } from '../../components/ui/badge';
-import { Users, Shield, UserX, AlertCircle, RefreshCw, CheckCircle, XCircle } from 'lucide-react';
-import { getAllUsers, updateUserRole, deleteUser, activateUser, deactivateUser } from '../../lib/adminApi';
-import type { User } from '../../lib/adminApi';
+import { Input } from '../../components/ui/input';
+import { Label } from '../../components/ui/label';
+import { Users, Shield, UserX, AlertCircle, RefreshCw, CheckCircle, XCircle, UserPlus } from 'lucide-react';
+import { getAllUsers, updateUserRole, deleteUser, activateUser, deactivateUser, createUser } from '../../lib/adminApi';
+import type { User, CreateUserInput } from '../../lib/adminApi';
 import { useAuth } from '../../contexts/AuthContext';
 
 export function UserManagement() {
@@ -41,6 +51,16 @@ export function UserManagement() {
   const [userToDelete, setUserToDelete] = useState<User | null>(null);
   const [updatingRole, setUpdatingRole] = useState<string | null>(null);
   const [togglingStatus, setTogglingStatus] = useState<string | null>(null);
+  const [createDialogOpen, setCreateDialogOpen] = useState(false);
+  const [creating, setCreating] = useState(false);
+  const [createFormData, setCreateFormData] = useState<CreateUserInput>({
+    email: '',
+    username: '',
+    password: '',
+    role: 'USER',
+    isActive: true,
+  });
+  const [createErrors, setCreateErrors] = useState<string[]>([]);
 
   useEffect(() => {
     loadUsers();
@@ -125,6 +145,52 @@ export function UserManagement() {
     return new Date(date).toLocaleString();
   };
 
+  const openCreateDialog = () => {
+    setCreateFormData({
+      email: '',
+      username: '',
+      password: '',
+      role: 'USER',
+      isActive: true,
+    });
+    setCreateErrors([]);
+    setCreateDialogOpen(true);
+  };
+
+  const handleCreateUser = async () => {
+    try {
+      setCreateErrors([]);
+      setCreating(true);
+
+      const newUser = await createUser(createFormData);
+      setUsers([newUser, ...users]);
+      setCreateDialogOpen(false);
+      setCreateFormData({
+        email: '',
+        username: '',
+        password: '',
+        role: 'USER',
+        isActive: true,
+      });
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : 'Failed to create user';
+
+      // Parse validation errors if they exist
+      if (errorMessage.includes('Validation failed')) {
+        try {
+          const errorData = JSON.parse(errorMessage.split('Validation failed: ')[1] || '[]');
+          setCreateErrors(errorData.map((e: any) => e.message || e));
+        } catch {
+          setCreateErrors([errorMessage]);
+        }
+      } else {
+        setCreateErrors([errorMessage]);
+      }
+    } finally {
+      setCreating(false);
+    }
+  };
+
   if (loading) {
     return (
       <Card>
@@ -174,10 +240,16 @@ export function UserManagement() {
                 Manage user accounts and permissions ({users.length} total)
               </CardDescription>
             </div>
-            <Button onClick={loadUsers} variant="outline" size="sm">
-              <RefreshCw className="h-4 w-4 mr-2" />
-              Refresh
-            </Button>
+            <div className="flex items-center gap-2">
+              <Button onClick={openCreateDialog} variant="default" size="sm">
+                <UserPlus className="h-4 w-4 mr-2" />
+                Create User
+              </Button>
+              <Button onClick={loadUsers} variant="outline" size="sm">
+                <RefreshCw className="h-4 w-4 mr-2" />
+                Refresh
+              </Button>
+            </div>
           </div>
         </CardHeader>
         <CardContent>
@@ -306,6 +378,143 @@ export function UserManagement() {
           </AlertDialogFooter>
         </AlertDialogContent>
       </AlertDialog>
+
+      <Dialog open={createDialogOpen} onOpenChange={setCreateDialogOpen}>
+        <DialogContent className="sm:max-w-[500px]">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2">
+              <UserPlus className="h-5 w-5" />
+              Create New User
+            </DialogTitle>
+            <DialogDescription>
+              Create a new user account. The user will be able to login immediately if active.
+            </DialogDescription>
+          </DialogHeader>
+
+          <div className="grid gap-4 py-4">
+            {createErrors.length > 0 && (
+              <div className="p-3 rounded-md bg-destructive/10 border border-destructive/20">
+                <div className="flex items-start gap-2">
+                  <AlertCircle className="h-4 w-4 text-destructive mt-0.5" />
+                  <div className="flex-1">
+                    <p className="text-sm font-medium text-destructive">Validation errors:</p>
+                    <ul className="list-disc list-inside text-sm text-destructive mt-1">
+                      {createErrors.map((error, index) => (
+                        <li key={index}>{error}</li>
+                      ))}
+                    </ul>
+                  </div>
+                </div>
+              </div>
+            )}
+
+            <div className="grid gap-2">
+              <Label htmlFor="email">Email</Label>
+              <Input
+                id="email"
+                type="email"
+                placeholder="user@example.com"
+                value={createFormData.email}
+                onChange={(e) => setCreateFormData({ ...createFormData, email: e.target.value })}
+                disabled={creating}
+              />
+            </div>
+
+            <div className="grid gap-2">
+              <Label htmlFor="username">Username</Label>
+              <Input
+                id="username"
+                type="text"
+                placeholder="johndoe"
+                value={createFormData.username}
+                onChange={(e) => setCreateFormData({ ...createFormData, username: e.target.value })}
+                disabled={creating}
+              />
+            </div>
+
+            <div className="grid gap-2">
+              <Label htmlFor="password">Password</Label>
+              <Input
+                id="password"
+                type="password"
+                placeholder="Min 12 chars, uppercase, lowercase, number, special"
+                value={createFormData.password}
+                onChange={(e) => setCreateFormData({ ...createFormData, password: e.target.value })}
+                disabled={creating}
+              />
+              <p className="text-xs text-muted-foreground">
+                Min 12 characters with uppercase, lowercase, number, and special character
+              </p>
+            </div>
+
+            <div className="grid gap-2">
+              <Label htmlFor="role">Role</Label>
+              <Select
+                value={createFormData.role}
+                onValueChange={(value: 'USER' | 'ADMIN') =>
+                  setCreateFormData({ ...createFormData, role: value })
+                }
+                disabled={creating}
+              >
+                <SelectTrigger id="role">
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="USER">
+                    <div className="flex items-center gap-2">
+                      <Users className="h-4 w-4" />
+                      User
+                    </div>
+                  </SelectItem>
+                  <SelectItem value="ADMIN">
+                    <div className="flex items-center gap-2">
+                      <Shield className="h-4 w-4" />
+                      Admin
+                    </div>
+                  </SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+
+            <div className="flex items-center gap-2">
+              <input
+                id="isActive"
+                type="checkbox"
+                checked={createFormData.isActive}
+                onChange={(e) => setCreateFormData({ ...createFormData, isActive: e.target.checked })}
+                disabled={creating}
+                className="h-4 w-4 rounded border-gray-300"
+              />
+              <Label htmlFor="isActive" className="cursor-pointer">
+                Active (user can login immediately)
+              </Label>
+            </div>
+          </div>
+
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setCreateDialogOpen(false)}
+              disabled={creating}
+            >
+              Cancel
+            </Button>
+            <Button onClick={handleCreateUser} disabled={creating}>
+              {creating ? (
+                <>
+                  <RefreshCw className="h-4 w-4 mr-2 animate-spin" />
+                  Creating...
+                </>
+              ) : (
+                <>
+                  <UserPlus className="h-4 w-4 mr-2" />
+                  Create User
+                </>
+              )}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </>
   );
 }

server/lib/validation.ts

@@ -63,7 +63,21 @@ export const refreshTokenSchema = z.object({
   refreshToken: z.string().min(1, 'Refresh token is required'),
 });
 
+// Admin user creation schema (includes role selection)
+export const adminCreateUserSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  username: z
+    .string()
+    .min(3, 'Username must be at least 3 characters')
+    .max(20, 'Username must be at most 20 characters')
+    .regex(/^[a-zA-Z0-9_-]+$/, 'Username can only contain letters, numbers, underscores, and hyphens'),
+  password: passwordValidator,
+  role: z.enum(['USER', 'ADMIN']),
+  isActive: z.boolean().default(true),
+});
+
 // Types inferred from schemas
 export type RegisterInput = z.infer<typeof registerSchema>;
 export type LoginInput = z.infer<typeof loginSchema>;
 export type RefreshTokenInput = z.infer<typeof refreshTokenSchema>;
+export type AdminCreateUserInput = z.infer<typeof adminCreateUserSchema>;