[management] Enable PAT creation during setup (#6003)

* enable pat creation on setup * remove logic from handler towards setup service * fix lint issue * fix rollback on account id returning empty * fix coderabbit comments * fix setup PAT rollback behavior
2026-05-05 16:46:39 +00:00 · 2026-04-30 17:21:35 +02:00
parent f29f5a0978
commit dcd1db42ef
11 changed files with 997 additions and 19 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -3426,6 +3426,17 @@ components:
          description: Display name for the admin user (defaults to email if not provided)
          type: string
          example: Admin User
+        create_pat:
+          description: If true and the server has setup-time PAT issuance enabled (NB_SETUP_PAT_ENABLED=true), create a Personal Access Token for the new owner user and return it in the response. Ignored when the server feature is disabled.
+          type: boolean
+          example: true
+        pat_expire_in:
+          description: Expiration of the Personal Access Token in days. Applies only when create_pat is true and the server feature is enabled. Defaults to 1 day when omitted.
+          type: integer
+          minimum: 1
+          maximum: 365
+          default: 1
+          example: 30
      required:
        - email
        - password
@@ -3442,6 +3453,12 @@ components:
          description: Email address of the created user
          type: string
          example: admin@example.com
+        personal_access_token:
+          description: Plain text Personal Access Token created during setup. Present only when create_pat was requested and the NB_SETUP_PAT_ENABLED feature was enabled on the server.
+          type: string
+          format: password
+          readOnly: true
+          example: nbp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      required:
        - user_id
        - email
@@ -4980,7 +4997,10 @@ paths:
  /api/setup:
    post:
      summary: Setup Instance
-      description: Creates the initial admin user for the instance. This endpoint does not require authentication but only works when setup is required (no accounts exist and embedded IDP is enabled).
+      description: |
+        Creates the initial admin user for the instance. This endpoint does not require authentication but only works when setup is required (no accounts exist and embedded IDP is enabled).
+
+        When the management server is started with `NB_SETUP_PAT_ENABLED=true` and the request includes `create_pat: true`, the endpoint also provisions the NetBird account for the new owner user and returns the plain text Personal Access Token in `personal_access_token`. The optional `pat_expire_in` value applies only when `create_pat` is true and defaults to 1 day when omitted. If a post-user step fails, setup-created resources are rolled back when safe; if account cleanup fails, the owner user is left in place to avoid leaving an account without its admin user.
      tags: [ Instance ]
      security: [ ]
      requestBody:
@@ -4993,6 +5013,12 @@ paths:
      responses:
        '200':
          description: Setup completed successfully
+          headers:
+            Cache-Control:
+              description: Always set to no-store because the response may contain a one-time plain text Personal Access Token.
+              schema:
+                type: string
+                example: no-store
          content:
            application/json:
              schema: