docs: add admin password reset documentation

devondragon · devondragon · commit 2c4dd35c83f4 · 2026-01-17T21:35:52.000-07:00
- Add admin password reset to Features list in README
- Add Admin Password Reset section with code examples and security notes
- Add Admin Settings section to CONFIG.md with new configuration properties
diff --git a/CONFIG.md b/CONFIG.md
@@ -29,6 +29,11 @@ Welcome to the User Framework SpringBoot Configuration Guide! This document outl
 - **Account Deletion (`user.actuallyDeleteAccount`)**: Set to `true` to enable account deletion. Defaults to `false` where accounts are disabled instead of deleted.
 - **Registration Email Verification (`user.registration.sendVerificationEmail`)**: Enable (`true`) or disable (`false`) sending verification emails post-registration.
 
+## Admin Settings
+
+- **Admin App URL (`user.admin.appUrl`)**: Base URL for admin-initiated password reset emails. Required when using `initiateAdminPasswordReset(user)` without explicit URL. Example: `https://myapp.com`
+- **Session Invalidation Warn Threshold (`user.session.invalidation.warn-threshold`)**: Number of active sessions that triggers a performance warning during session invalidation. Defaults to `1000`.
+
 ## Audit Logging
 
 - **Log File Path (`user.audit.logFilePath`)**: The path to the audit log file.
diff --git a/README.md b/README.md
@@ -62,6 +62,7 @@ Check out the [Spring User Framework Demo Application](https://github.com/devond
   - Registration, with optional email verification.
   - Login and logout functionality.
   - Forgot password flow.
+  - Admin-initiated password reset with optional session invalidation.
   - Database-backed user store using Spring JPA.
   - SSO support for Google
   - SSO support for Facebook
@@ -521,6 +522,43 @@ Users can:
 - Change their password
 - Delete their account (configurable to either disable or fully delete)
 
+### Admin Password Reset
+
+Administrators can trigger password resets for users programmatically:
+
+```java
+@Autowired
+private UserEmailService userEmailService;
+
+// Reset password and invalidate all user sessions
+int sessionsInvalidated = userEmailService.initiateAdminPasswordReset(user, appUrl, true);
+
+// Reset password without invalidating sessions
+userEmailService.initiateAdminPasswordReset(user, appUrl, false);
+
+// Use configured appUrl (from user.admin.appUrl property)
+userEmailService.initiateAdminPasswordReset(user);
+```
+
+**Features:**
+- Requires `ROLE_ADMIN` authorization (`@PreAuthorize`)
+- Optional session invalidation to force re-authentication
+- Sends password reset email with secure token
+- Comprehensive audit logging with correlation IDs
+- Cryptographically secure tokens (256-bit entropy)
+
+**Configuration:**
+```yaml
+user:
+  admin:
+    appUrl: https://myapp.com  # Base URL for password reset links
+```
+
+**Security Notes:**
+- Admin identity is derived from `SecurityContext`, not user input
+- Sessions are invalidated *after* email is sent to prevent lockout
+- URL validation prevents XSS (blocks javascript:, data: schemes)
+
 ## Email Verification
 
 
