Skip to content

feat: manage bot accounts from the admin UI, API and CLI#38181

Open
bircni wants to merge 13 commits into
go-gitea:mainfrom
bircni:bot-user-ui
Open

feat: manage bot accounts from the admin UI, API and CLI#38181
bircni wants to merge 13 commits into
go-gitea:mainfrom
bircni:bot-user-ui

Conversation

@bircni

@bircni bircni commented Jun 21, 2026

Copy link
Copy Markdown
Member

Bot accounts: admin UI, token management, type conversion, and auth hardening

Builds first-class bot account (UserTypeBot) support, addressing the design
questions raised.

Create & manage (admin UI)

  • New User page gains a User Type dropdown (Individual / Bot). For bots the
    auth-source, login-name, password and "must change password" fields are hidden.
  • Admin View User page shows a token panel for bots (list / create scoped / delete),
    since bots can't sign in to manage their own tokens.

Convert existing accounts (new)

A site admin can convert an account between individual and bot via:

  • the admin Edit User page (User Type dropdown),
  • the API: POST /admin/users/{username}/convert-type,
  • the CLI: gitea admin user change-type --username <name> --user-type bot|individual.

Only individual ↔ bot is allowed (organizations/reserved types are rejected —
fixing the "why can an org become an individual?" problem from #33758). Every side
effect is explicit:

Artifact Individual → Bot
Password / salt / hash cleared
Auth source reset to local
Sign-in sessions revoked
Access tokens kept (purpose of a bot)
OAuth2 apps + grants removed
External login links removed
Repos / org membership / issues unchanged

Bot → Individual just flips the type; the admin then sets a password to enable login.

Auth hardening (security)

Bots are non-interactive, but the reverse-proxy and external-source (LDAP/SMTP/PAM)
auth paths resolved users by name/email without a type check — a bot matching a proxy
header or external identity could get an interactive session. Both paths now require
an individual user, matching local-password and OAuth2. Regression tests included.

Screenshots

image image

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 21, 2026
@github-actions github-actions Bot added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label Jun 21, 2026
bircni added 2 commits June 21, 2026 10:22
…dlers

Extract the duplicated "scope-*" form parsing into
auth.AccessTokenScopeFromForm and use it from both the user-facing
ApplicationsPost and the new admin bot-token handler.
@wxiaoguang

Copy link
Copy Markdown
Contributor

Maybe it should have a complete design document before going deeper in this field: what a bot user can do, what they can't.

@bircni bircni marked this pull request as draft June 21, 2026 11:38
@wxiaoguang

wxiaoguang commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Manage tokens

That's another design problem. For a large instance, org admins also need "bot" users (IIRC some issues also mentioned the cases), then the site admin shouldn't be the only people who can manage "bot" users if the requirement is real. So, if it would become a widely-useful design for production, I think a complete design is needed.

update: I didn't mean "org admin manages bot users" is a must, such feature can also be rejected. I just meant it needs a document to clarify the whole design.

@wxiaoguang

wxiaoguang commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Bot accounts cannot sign in interactively — they are meant to be used with
access tokens. Since they have no password to log in and generate their own
tokens,

There are something like "reverse proxy auth", will the user with the same name as a bot be able to sign-in via reverse proxy auth?

@lafriks

lafriks commented Jun 21, 2026

Copy link
Copy Markdown
Member

Would it be possible to convert regular user to bot?

@wxiaoguang

Copy link
Copy Markdown
Contributor

Would it be possible to convert regular user to bot?

bircni added 4 commits June 21, 2026 16:06
Bot accounts are meant for token-based automation only, but the
reverse-proxy and external-source (LDAP/SMTP/PAM) auth paths resolved
users by name/email without checking the user type. A bot whose name or
email matched a proxy header or external identity could obtain an
interactive session.

Guard reverse-proxy auth and the UserSignIn external-source fallback so
only individual users may sign in interactively, matching the existing
local-password and OAuth2 behavior. Add regression tests covering both.

Assisted-by: Claude:claude-opus-4-8
Allow a site admin to convert an existing account between the individual
and bot types. Only individual <-> bot is permitted; organizations and
reserved types are rejected.

When converting to a bot the account becomes a local, token-only account:
password, auth source and persisted sessions are cleared, OAuth2
applications/grants and external login links are removed, while access
tokens and owned content (repositories, org membership, ...) are kept.

Exposed through the admin Edit User page (User Type dropdown), the API
(POST /admin/users/{username}/convert-type) and the CLI
(gitea admin user change-type), all backed by user_service.ConvertUserType.
The CLI user-type parsing is shared with "user create".

Assisted-by: Claude:claude-opus-4-8
Document the bot account model: definition, the no-interactive-sign-in
guarantee across all auth paths, the capability matrix, and the
individual <-> bot conversion rules with every side effect spelled out.

Assisted-by: Claude:claude-opus-4-8
@bircni

bircni commented Jun 21, 2026

Copy link
Copy Markdown
Member Author

addressed and added a design doc in fab3275

@bircni bircni changed the title feat: admin UI to create bot accounts and manage their access tokens feat: manage bot accounts from the admin UI, API and CLI Jun 21, 2026
@bircni bircni marked this pull request as ready for review June 21, 2026 14:09
- reject and clear passwords when creating a bot via the admin UI, so
  bots stay passwordless like the CLI and edit-user paths already enforce
- wrap the individual->bot credential teardown in a transaction so a
  mid-sequence failure cannot leave a half-converted account
- guard DeleteBotToken so the admin bot-token route only acts on bots

Assisted-by: Claude Code:claude-opus-4-8
@lafriks

lafriks commented Jun 21, 2026

Copy link
Copy Markdown
Member

Would probably be better as separate dangerous button "Convert to bot user" (similar how repos have converting mirror to regular repo)

@bircni

bircni commented Jun 21, 2026

Copy link
Copy Markdown
Member Author

Would probably be better as separate dangerous button "Convert to bot user" (similar how repos have converting mirror to regular repo)

@lafriks adjusted

@lunny

lunny commented Jun 22, 2026

Copy link
Copy Markdown
Member

When switching a bot user to an individual user, the email might need to be filled? For a bot user, email might not be a required field?

@bircni

bircni commented Jun 24, 2026

Copy link
Copy Markdown
Member Author

When switching a bot user to an individual user, the email might need to be filled? For a bot user, email might not be a required field?

No, email won't be missing. Bot users are required to have an email at creation in both paths (web form binding:"Required;Email", CLI --email is Required: true), and ConvertUserType never clears it. So bot → individual keeps the existing email — nothing to fill.

It'd only become an issue if you later make email optional for bots but idk why because you need to have an email if the bot commits...

@bircni bircni requested review from lafriks and lunny June 24, 2026 21:30

@lafriks lafriks left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also when converting std user to bot does it clear notifications etc or does bot users receive them. Currently it's one of pain points for users that are used as a bot users that they receive a lot of notifications and unnecessary bloat notification db table

Comment thread models/auth/access_token_scope.go
Comment thread routers/web/admin/users.go Outdated
@bircni bircni requested a review from lafriks June 28, 2026 08:49
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 28, 2026
@bircni bircni requested a review from wxiaoguang June 28, 2026 09:14
@lunny lunny added this to the 1.28.0 milestone Jun 30, 2026
@lunny

lunny commented Jun 30, 2026

Copy link
Copy Markdown
Member

1 bot user have 3 levels. Global bot user, user's bot user and org's bot user.
2 admin could create global bot user and user could create user level bot user and org bot user.
3 user level bot user and org bot user have a manager user which should be an individual or an organization

@TheFox0x7

Copy link
Copy Markdown
Contributor

At this point shouldn't it be a new table? Users have no concept of ownership between each other and bot should have no more access than it's owner.

@lunny

lunny commented Jun 30, 2026

Copy link
Copy Markdown
Member

The relationship could be another new table.

@lunny lunny added the docs-update-needed The document needs to be updated synchronously label Jun 30, 2026
@bircni

bircni commented Jun 30, 2026

Copy link
Copy Markdown
Member Author

@lunny @TheFox0x7 isn't this completely out of scope here?

@TheFox0x7

Copy link
Copy Markdown
Contributor

It very much is. I really don't get how bots ended up mixed with users... but that's a topic for later resolution.

@lunny

lunny commented Jun 30, 2026

Copy link
Copy Markdown
Member

It's better to have a filter in admin user list for different user type Individual or Bot?


1 bot user have 3 levels. Global bot user, user's bot user and org's bot user. 2 admin could create global bot user and user could create user level bot user and org bot user. 3 user level bot user and org bot user have a manager user which should be an individual or an organization

Related but out of the scope of this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs-update-needed The document needs to be updated synchronously lgtm/need 1 This PR needs approval from one additional maintainer to be merged. type/feature Completely new functionality. Can only be merged if feature freeze is not active.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants