[management] Add user approval (#4411)

This PR adds user approval functionality to the management system, allowing administrators to manually approve new users joining via domain matching. When enabled, users are blocked with pending approval status until explicitly approved by an admin. Adds UserApprovalRequired setting to control manual user approval requirement Introduces user approval and rejection endpoints with corresponding business logic Prevents pending approval users from adding peers or logging in
2026-04-16 15:26:40 +00:00 · 2025-09-01 13:00:45 -03:00
parent 21368b38d9
commit d39fcfd62a
19 changed files with 842 additions and 48 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -158,6 +158,10 @@ components:
          description: (Cloud only) Enables or disables peer approval globally. If enabled, all peers added will be in pending state until approved by an admin.
          type: boolean
          example: true
+        user_approval_required:
+          description: Enables manual approval for new users joining via domain matching. When enabled, users are blocked with pending approval status until explicitly approved by an admin.
+          type: boolean
+          example: false
        network_traffic_logs_enabled:
          description: Enables or disables network traffic logging. If enabled, all network traffic events from peers will be stored.
          type: boolean
@@ -174,6 +178,7 @@ components:
          example: true
      required:
        - peer_approval_enabled
+        - user_approval_required
        - network_traffic_logs_enabled
        - network_traffic_logs_groups
        - network_traffic_packet_counter_enabled
@@ -235,6 +240,10 @@ components:
          description: Is true if this user is blocked. Blocked users can't use the system
          type: boolean
          example: false
+        pending_approval:
+          description: Is true if this user requires approval before being activated. Only applicable for users joining via domain matching when user_approval_required is enabled.
+          type: boolean
+          example: false
        issued:
          description: How user was issued by API or Integration
          type: string
@@ -249,6 +258,7 @@ components:
        - auto_groups
        - status
        - is_blocked
+        - pending_approval
    UserPermissions:
      type: object
      properties:
@@ -2544,6 +2554,63 @@ paths:
          "$ref": "#/components/responses/forbidden"
        '500':
          "$ref": "#/components/responses/internal_error"
+  /api/users/{userId}/approve:
+    post:
+      summary: Approve user
+      description: Approve a user that is pending approval
+      tags: [ Users ]
+      security:
+        - BearerAuth: [ ]
+        - TokenAuth: [ ]
+      parameters:
+        - in: path
+          name: userId
+          required: true
+          schema:
+            type: string
+          description: The unique identifier of a user
+      responses:
+        '200':
+          description: Returns the approved user
+          content:
+            application/json:
+              schema:
+                "$ref": "#/components/schemas/User"
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+  /api/users/{userId}/reject:
+    delete:
+      summary: Reject user
+      description: Reject a user that is pending approval by removing them from the account
+      tags: [ Users ]
+      security:
+        - BearerAuth: [ ]
+        - TokenAuth: [ ]
+      parameters:
+        - in: path
+          name: userId
+          required: true
+          schema:
+            type: string
+          description: The unique identifier of a user
+      responses:
+        '200':
+          description: User rejected successfully
+          content: {}
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
  /api/users/current:
    get:
      summary: Retrieve current user
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -268,6 +268,9 @@ type AccountExtraSettings struct {

 	// PeerApprovalEnabled (Cloud only) Enables or disables peer approval globally. If enabled, all peers added will be in pending state until approved by an admin.
 	PeerApprovalEnabled bool `json:"peer_approval_enabled"`
+
+	// UserApprovalRequired Enables manual approval for new users joining via domain matching. When enabled, users are blocked with pending approval status until explicitly approved by an admin.
+	UserApprovalRequired bool `json:"user_approval_required"`
 }

 // AccountOnboarding defines model for AccountOnboarding.
@@ -1015,8 +1018,6 @@ type OSVersionCheck struct {

 // Peer defines model for Peer.
 type Peer struct {
-    // CreatedAt Peer creation date (UTC)
-    CreatedAt time.Time `json:"created_at"`
 	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
 	ApprovalRequired bool `json:"approval_required"`

@@ -1032,6 +1033,9 @@ type Peer struct {
 	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
 	CountryCode CountryCode `json:"country_code"`

+	// CreatedAt Peer creation date (UTC)
+	CreatedAt time.Time `json:"created_at"`
+
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`

@@ -1098,8 +1102,6 @@ type Peer struct {

 // PeerBatch defines model for PeerBatch.
 type PeerBatch struct {
-    // CreatedAt Peer creation date (UTC)
-    CreatedAt time.Time `json:"created_at"`
 	// AccessiblePeersCount Number of accessible peers
 	AccessiblePeersCount int `json:"accessible_peers_count"`

@@ -1118,6 +1120,9 @@ type PeerBatch struct {
 	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
 	CountryCode CountryCode `json:"country_code"`

+	// CreatedAt Peer creation date (UTC)
+	CreatedAt time.Time `json:"created_at"`
+
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`

@@ -1774,8 +1779,11 @@ type User struct {
 	LastLogin *time.Time `json:"last_login,omitempty"`

 	// Name User's name from idp provider
-	Name        string           `json:"name"`
-	Permissions *UserPermissions `json:"permissions,omitempty"`
+	Name string `json:"name"`
+
+	// PendingApproval Is true if this user requires approval before being activated. Only applicable for users joining via domain matching when user_approval_required is enabled.
+	PendingApproval bool             `json:"pending_approval"`
+	Permissions     *UserPermissions `json:"permissions,omitempty"`

 	// Role User's NetBird account role
 	Role string `json:"role"`