Add user management UI for admin and regular users

[Copilot]

Summary

Adds a full user management interface for both administrators (create/list/edit/delete users) and regular users (edit own profile and password). Previously, user management was only available via CLI tools.

Backend

• Added count_admins() to UserServiceBase / UserService to enforce the "cannot delete last admin" constraint
• 7 new endpoints on /v1/auth:
  • GET /users — list all users (admin); the internal system user is excluded from results
  • POST /users — create user (admin)
  • GET /users/{user_id} — get user (admin)
  • PATCH /users/{user_id} — update user fields (admin)
  • DELETE /users/{user_id} — delete user; 400 if last admin (admin)
  • PATCH /me — update own profile; password change requires current password verification
  • GET /generate-password — returns a cryptographically secure 16-char password meeting strength requirements

Frontend

• UserManagement.tsx (/admin/users, admin-only): user table with role badges, active/inactive toggle, create/edit modals (email, display name, password with show/hide toggle + generator button, admin checkbox), and delete confirmation. Includes a prominent ← Back labeled outline button in the header to return to the previous screen. The internal system user is never shown in the list. The delete button and the active/inactive toggle are both disabled for the currently logged-in user, preventing self-deletion and self-deactivation (account lockout).
• UserProfile.tsx (/profile, all users): edit display name, change password with current-password verification, same password generator/visibility UX. Includes Cancel (discards changes, navigates back) and Save (saves and navigates back) buttons.
• UserMenu.tsx: added "My Profile" item for all users; "User Management" item visible to admins only
• App.tsx: added /profile and /admin/users protected routes
• auth.ts RTK Query: added listUsers, createUser, updateUser, deleteUser, updateCurrentUser, generatePassword endpoints with UserList cache tag

Related Issues / Discussions

QA Instructions

Requires multiuser: true in InvokeAI config.

1. Admin flow: Log in as admin → open User Menu → "User Management" → create a user, edit display name/password/admin flag, toggle active status, delete a non-admin user. Verify last-admin deletion is blocked. Confirm the internal system user does not appear in the list. Use the ← Back button in the header to return to the main app.
2. Self-deletion prevention: Confirm that the delete button on a user's own row in the User Management page is disabled and shows "You cannot delete your own account" on hover.
3. Self-deactivation prevention: Confirm that the active/inactive toggle on a user's own row in the User Management page is disabled and shows "You cannot deactivate your own account" on hover.
4. Profile flow: Log in as any user → "My Profile" → change display name, change password (wrong current password should fail), use "Generate Strong Password" and verify the visibility toggle. Use Cancel to discard changes, or Save to apply and return.
5. Non-admin access: Confirm "User Management" is absent from the menu and /admin/users redirects away.
6. Tooltip fix: Hover over the active/inactive toggle on the User Management page and move the mouse away — the tooltip should dismiss correctly.

Merge Plan

No DB schema changes. The new API endpoints are additive.

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[enhancement]: add user interface for user accounts</issue_title>
<issue_description>### Is there an existing issue for this?

• I have searched the existing issues

Contact Details

No response

What should this feature add?

Please add a user interface for user management.

Administrator UI

When the Administrator is logged in, the user interface should allow him to:

1. Create a new user: assign them a login ID, a user name, a password, and set their Administrator privileges with a checkbox.
2. Display a list of users
3. Select a user and modify their user name, password, and Administrator privileges.
4. Select a user and delete them from the system.
   The Administrator can delete their own account and those of other Administrators, but they cannot delete the last Administrator.

There should be a button on the user add/edit page that generates a strong password for the user.
There should be a toggle that toggles the visibility of the password.

User UI

When a non-administrative user is logged in, they can edit their own account information by changing their user name and/or password. To change the password they must provide the current password and a new password. As with the Administrator UI, there should be a button that generates a strong password for them, and a toggle that turns on the visibility of the password.

Alternatives

No response

Additional Content

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [enhancement]: add user interface for user accounts #105

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lstein]

A couple of problems:

1. The user profile page that lets the user change their password has no way to exit the screen. There should be a Cancel button (close the window without saving the changes) and Save (save changes and close the window)
2. Same for the User Management page. There should be Cancel and Save buttons. Any changes made are rolled back if Cancel is pressed.
3. The internal "system" user should not be presented on the User Management page.
4. The information popups above the "Deactivate" sliders on the User Management page are appearing and not disappearing as I mouse over them.
5. I like the deactivate user feature. Nice idea!

[Copilot]

A couple of problems:

1. The user profile page that lets the user change their password has no way to exit the screen. There should be a Cancel button (close the window without saving the changes) and...

Fixed in commit a06832a:

1. User Profile – added a Cancel button that discards changes and navigates back; Save now also navigates back after a successful update.
2. User Management – added a ← Back button in the page header to return to the previous screen. (Individual create/edit/delete modals already had Cancel/Save, and the active toggle makes immediate API calls, so the page itself doesn't accumulate unsaved state.)
3. System user – the internal system user is now excluded from the list in the backend endpoint.
4. Tooltip not dismissing on the toggle – wrapped the Switch in a <Box as="span" display="inline-flex"> so mouse-leave events propagate correctly to the Tooltip.

[lstein]

Very nice. Please make the Back arrow on the User Management page a little more prominent. It is hard to find.

[lstein]

While logged in as a second Administrator, the User Management page allowed me to delete my own account, resulting in an empty page reading "Unable to load user list."

[Copilot]

Very nice. Please make the Back arrow on the User Management page a little more prominent. It is hard to find.

Done in commit 2691bf0. The back control is now a labeled outline button ("← Back") instead of a small ghost icon-only button, making it much easier to spot in the header.

[Copilot]

While logged in as a second Administrator, the User Management page allowed me to delete my own account, resulting in an empty page reading "Unable to load user list."

Fixed in commit 8fda852. The delete button for the currently logged-in user is now disabled — hovering over it shows "You cannot delete your own account". This prevents an admin from accidentally deleting themselves and landing on a broken page.

[lstein]

The Administrator can disable his own account from within the User Management page, thereby locking himself out!

[Copilot]

The Administrator can disable his own account from within the User Management page, thereby locking himself out!

Fixed in commit dedaa79. The active/inactive toggle is now disabled on the currently logged-in user's own row — hovering shows "You cannot deactivate your own account", preventing self-lockout.

[lstein]

Working now.