Commit
Complete the Administration page
Bubka committed Apr 12, 2024
1 parent 220081c commit ba8d4f4
Showing 2 changed files with 110 additions and 14 deletions.
122 changes: 109 additions & 13 deletions docs/Usage/administration.md
Expand Up @@ -12,7 +12,7 @@ The very first account created is automatically set up as an administrator accou

Administrators can __consult__, __create__, __promote__, __manage__ or __delete__ any user account.

User/account data visible to administrators are:
The account details visible to an administrator include:

- The username
- The email address
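Review bot: "include" suggests the bulleted list that follows is only a sample of the details an administrator can see; if the list is the complete set of fields, "are:" (as in the removed line) is the more precise wording, otherwise the new wording is fine.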
Expand All @@ -33,10 +33,10 @@ Although administrators can view information on users, they cannot generate OTPs

### Promote to administrator

Any user may be promote to administrator by another administrator. Edit the user account at _Admin > Users > [User] >_ [!button size="xs" variant="ghost" text="Manage"] and check the [!badge size="l" icon="checkbox" text="Is administrator"] flag. The change is effective immediately, without notification to the promoted user. Demoting is done the same way.
Any user may be promoted to administrator by another administrator. Edit the user account at _Admin > Users > [User] >_ [!button size="xs" variant="ghost" text="Manage"] and check the [!badge size="l" icon="checkbox" text="Is administrator"] flag. The change is effective immediately, without notification to the promoted user. Demoting is done the same way.

!!!warning
There must always be at least one administrator. The last administrator account cannot be deleted or demoted.
There must always be at least one administrator. The last administrator account cannot demoted.
!!!

An administrator account is identified as such by a banner in the _Settings > Account_ section.
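Review bot: the rewritten warning "The last administrator account cannot demoted." is missing "be" and should read "The last administrator account cannot be demoted." Dropping "deleted" here is workable because deletion now gets its own warning under User deletion, but a reader of this section alone no longer learns that the last administrator cannot be deleted either; consider keeping "deleted or demoted" in both places.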
Expand All @@ -47,11 +47,11 @@ An administrator account is identified as such by a banner in the _Settings > Ac

## Application setup

In addition to environment information, the _Admin > App Setup_ page provides administrators with a number of features for controlling the instance.
In addition to environment information, the _Admin > App Setup_ page provides administrators with a number of features for managing the instance.

### Version checking

2FAuth can automatically check if a new version has been released. When enabled, a request will be made to GiHub every week to retrieve the latest version number. You can also run the check manually by clicking the [!button size="xs" corners="pill" text="Check now"] button.
2FAuth can automatically check if a new version has been released. When enabled, a request will be made to GitHub every week to retrieve the latest version number. You can also run the check manually by clicking the [!button size="xs" corners="pill" text="Check now"] button.

A new available version is reported to the administrators in the 2FAuth footer and the _App Setup_ page.

Expand All @@ -69,7 +69,7 @@ This feature makes outgoing requests that you may want to pass through a proxy.
If so, set the [PROXY_FOR_OUTGOING_REQUESTS](/getting-started/configuration/#proxy_for_outgoing_requests) environment variable.
!!!

### Email configuration testing
### Email testing

2FAuth requires a valid email configuration to send emails to users. Features like password reset will not work otherwise.

Expand All @@ -81,9 +81,51 @@ Click the [!button variant="primary" icon="paper-airplane" iconAlign="left" corn
Check your email inbox first. If the email is not received, [check your logs](/getting-started/troubleshooting/#check-logs) to get information on the issue.
!!!

## Users management
### Security

See [Data protection](/security/data-protection/#for-administrators).

### Registration control

It is possible to restrict user registration to a limited range of email addresses or to completly disable registrations.

#### Restriction

This is an authorization pattern, only email addresses that meet a condition are allowed to register.

Once the [!badge size="l" icon="checkbox" text="Restrict registration"] setting is enabled in _Admin > App Setup_, there are 2 ways to define the registration policy:

The filtering list
: Email addresses from this list are allowed to register on 2FAuth.

Separate the addresses with a `|`. All must be valid email addresses. Ex: `john@example.org|jane@example.net`

Leave the field blank to disable the filter.

The filtering rule
: Email addresses that match a regular expression are allowed to register on 2FAuth.

For example, here is the regex to allow registering using any `@example.org` email address :

`^[A-Za-z0-9._%+-]+@example\.org`

You can create as many accounts as you like, the only restriction is that each user must have a unique __name__ and __email address__.
Leave the field blank to disable the filter.

!!!
Both filtering options can be used simultaneously. The OR operator is applied, this means that the address only has to match one of the conditions to be allowed.
!!!

!!!
The registration policy does not affect SSO.
!!!

#### No registration

Check the [!badge size="l" icon="checkbox" text="Disable registration"] setting to fully disable registration. This affects SSO, so new users won't be able to sign in via SSO.

Check the [!badge size="l" icon="checkbox" text="Keep SSO registration enabled"] setting to override this behavior. New users will be able to sign in for the first time using SSO whereas registration is disabled.

## Users management

### User creation

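Review bot: the example allowlist regex `^[A-Za-z0-9._%+-]+@example\.org` is anchored only at the start, so unless the implementation anchors the match itself it also accepts addresses whose domain merely begins with `example.org` (for instance `john@example.org.net`); since this is an authorization filter, the example should be anchored at both ends: `^[A-Za-z0-9._%+-]+@example\.org$`. Smaller points in the same hunk: "completly" should be "completely", "email address :" has a stray space before the colon, and "This is an authorization pattern, only email addresses ..." and "The OR operator is applied, this means ..." are comma splices that read better split with a colon or a period.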
Expand All @@ -92,13 +134,67 @@ Administrators can create new user account. Go to _Admin > Users_ and click the
The form provides the exact same fields that a visitor would see in the registration form, with the same validation rules. An additional checkbox is available to directly grant administrator rights to the newly created user: [!badge size="l" icon="checkbox" text="Is administrator"]

!!!warning
When an administrator creates a new user, he is the one who set the user password so the password is not a secret to him.

When an administrator creates a new user, the password is known.
It could be considered a bad practice, but this gives some flexibility to the administrator to manage its user base the way he wants.

The administrator can always reset the password of the newly created user. Go to _Admin > Users > [User] >_ [!button size="xs" variant="ghost" text="Manage"] and click the [!button size="xs" text="Reset password"] button
The administrator can always reset the password of the newly created user. See [Access reset](#access-reset) below.
!!!

### Disable user registration
### Access reset

While users have the ability to manage their access themselves, administrators can also take action to reset user access at _Admin > Users > [User] >_ [!button size="xs" variant="ghost" text="Manage"].

Possible actions:

[!button size="xs" text="Reset password"]
: Force resets the current user password with a randomly generated new password then sends a password reset email to the user so they can set their own password.

Using this, you are guaranteed that the user password has been changed. However, the user is free to set a custom password or not. The token bound to the password reset email received by the user has an expiry time of 60 minutes.

Any previous request for a password reset, from the user or an administrator, will be revoked.

[!button size="xs" text="Resend email"]
: Sends a new password reset email to the user without modifying their current password.

This generates a new reset token with an expiry time of 60 minutes, any previous request will be revoked.

[!button size="xs" text="Revoke"] (<abbr title="Personal Access Token">PAT</abbr>)
: Revokes all of the user's [Personal Access Tokens](/api/#authentication).

Once their PATs have been revoked, the user will no longer be able to authenticate to the 2FAuth API.

!!!warning
This action is irreversible. Revoked tokens are not searchable, cannot be recovered, and cannot be deleted from the 2FAuth pages.
!!!

If for some reason you need to purge revoked (or expired) tokens, run the following Artisan commands:

```bash !#
php artisan passport:purge --revoked
php artisan passport:purge --expired
```

Starting from v4.2.0, you can disable user registration. Go to _Admin > App setup_ and check the [!badge size="l" icon="checkbox" text="Disable registration"] setting.
[!button size="xs" text="Revoke"] (WebAuthn security devices)
: Revokes all of the user's [WebAuthn security devices](/security/authentication/webauthn/).

Once their security devices have been revoked, the user will no longer be able to authenticate using WebAuthn.

If the user has checked the [!badge size="l" icon="checkbox" text="Use WebAuthn only"] option at _Settings > WebAuthn_, revoking their security devices will reset the option so they can log in with their username and password.

!!!warning
This action is irreversible. Revoked devices are not searchable and cannot be recovered from the 2FAuth pages.
!!!

### User deletion

A user account can be deleted by an administrator, even an account with the Admin role. All data associated with the deleted account will also be deleted, including 2FA records, preferences, access tokens and logs.

Click the [!button size="s" variant="danger" text="Delete this user"] button at _Admin > Users > [User] >_ [!button size="xs" variant="ghost" text="Manage"] to perform the delete.

!!!danger
This is not a soft delete. Deleted account cannot be recovered.
!!!

!!!warning
There must always be at least one administrator. The last administrator account cannot be deleted.
!!!
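Review bot: "When an administrator creates a new user, the password is known." no longer says to whom; the removed line stated it plainly, so suggest "the password is known to the administrator who set it." Also, "Deleted account cannot be recovered." in the danger callout should be "Deleted accounts cannot be recovered.", and "to perform the delete" reads better as "to perform the deletion". The 60-minute token expiry is stated under both Reset password and Resend email; stating it once keeps the two entries from drifting apart if the value changes.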
2 changes: 1 addition & 1 deletion docs/security/data-protection.md
Expand Up @@ -5,7 +5,7 @@ order: 90

2FAuth provides several security mechanisms to protect your sensitive 2FA data, at administrator or user level.

## For the administrator
## For administrators

### DB encryption

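Review bot: the heading rename changes the anchor to `#for-administrators`, which is what the new link `/security/data-protection/#for-administrators` added in administration.md relies on, so the two files are consistent; check for any other links to the old `#for-the-administrator` anchor elsewhere in the docs, since this commit does not update them.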