feat(admin): add user create, disable/enable, and OAuth/authorization management

internal/bootstrap/handlers.go

@@ -96,9 +96,13 @@ func initializeHandlers(deps handlerDeps) handlerSet {
 			deps.auditService,
 			deps.cfg,
 		),
-		docs:        handlers.NewDocsHandler(deps.templatesFS),
-		jwks:        jwksHandler,
-		userAdmin:   handlers.NewUserAdminHandler(deps.services.user, deps.services.token),
+		docs: handlers.NewDocsHandler(deps.templatesFS),
+		jwks: jwksHandler,
+		userAdmin: handlers.NewUserAdminHandler(
+			deps.services.user,
+			deps.services.token,
+			deps.services.authorization,
+		),
 		dashboard:   handlers.NewDashboardHandler(deps.services.dashboard),
 		tokenAdmin:  handlers.NewTokenAdminHandler(deps.services.token),
 		userService: deps.services.user,

internal/bootstrap/router.go

@@ -314,11 +314,19 @@ func setupAllRoutes(
 
 		// User management routes
 		admin.GET("/users", h.userAdmin.ShowUsersPage)
+		admin.GET("/users/new", h.userAdmin.ShowCreateUserPage)
+		admin.POST("/users", h.userAdmin.CreateUser)
 		admin.GET("/users/:id", h.userAdmin.ViewUser)
 		admin.GET("/users/:id/edit", h.userAdmin.ShowEditUserPage)
 		admin.POST("/users/:id", h.userAdmin.UpdateUser)
 		admin.POST("/users/:id/reset-password", h.userAdmin.ResetPassword)
 		admin.POST("/users/:id/delete", h.userAdmin.DeleteUser)
+		admin.POST("/users/:id/disable", h.userAdmin.DisableUser)
+		admin.POST("/users/:id/enable", h.userAdmin.EnableUser)
+		admin.GET("/users/:id/connections", h.userAdmin.ShowUserConnections)
+		admin.POST("/users/:id/connections/:conn_id/delete", h.userAdmin.DeleteUserConnection)
+		admin.GET("/users/:id/authorizations", h.userAdmin.ShowUserAuthorizations)
+		admin.POST("/users/:id/authorizations/:uuid/revoke", h.userAdmin.RevokeUserAuthorization)
 
 		// Token management routes
 		admin.GET("/tokens", h.tokenAdmin.ShowTokensPage)

internal/core/store.go

@@ -133,6 +133,7 @@ type OAuthConnectionStore interface {
 	CreateOAuthConnection(conn *models.OAuthConnection) error
 	GetOAuthConnection(provider, providerUserID string) (*models.OAuthConnection, error)
 	GetOAuthConnectionByUserAndProvider(userID, provider string) (*models.OAuthConnection, error)
+	GetOAuthConnectionByUserAndID(userID, connectionID string) (*models.OAuthConnection, error)
 	GetOAuthConnectionsByUserID(userID string) ([]models.OAuthConnection, error)
 	UpdateOAuthConnection(conn *models.OAuthConnection) error
 	DeleteOAuthConnection(id string) error

internal/handlers/auth.go

@@ -132,9 +132,12 @@ func (h *AuthHandler) Login(c *gin.Context,
 		var errorMsg string
 
 		// Check for specific error types
-		if errors.Is(err, services.ErrUsernameConflict) {
+		switch {
+		case errors.Is(err, services.ErrAccountDisabled):
+			errorMsg = "Your account has been disabled. Please contact your administrator."
+		case errors.Is(err, services.ErrUsernameConflict):
 			errorMsg = "Username conflict with existing user. Please contact administrator."
-		} else {
+		default:
 			errorMsg = "Invalid username or password"
 		}
 

internal/handlers/authorization.go

@@ -253,18 +253,7 @@ func (h *AuthorizationHandler) ListAuthorizations(c *gin.Context) {
 		return
 	}
 
-	// Build display models
-	displayAuths := make([]templates.AuthorizationDisplay, 0, len(auths))
-	for _, a := range auths {
-		displayAuths = append(displayAuths, templates.AuthorizationDisplay{
-			UUID:       a.UUID,
-			ClientID:   a.ClientID,
-			ClientName: a.ClientName,
-			Scopes:     a.Scopes,
-			GrantedAt:  a.GrantedAt,
-			IsActive:   a.IsActive,
-		})
-	}
+	displayAuths := toAuthorizationDisplaySlice(auths)
 
 	userModel := getUserFromContext(c)
 	if userModel == nil {

internal/handlers/client.go

@@ -10,7 +10,6 @@ import (
 	"github.com/go-authgate/authgate/internal/services"
 	"github.com/go-authgate/authgate/internal/templates"
 
-	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
 )
 
@@ -71,20 +70,7 @@ func (h *ClientHandler) ShowClientsPage(c *gin.Context) {
 		return
 	}
 
-	// Get flash messages from session
-	session := sessions.Default(c)
-	flashes := session.Flashes()
-	if err := session.Save(); err != nil {
-		// Log error but continue - flash message is not critical
-		c.Set("session_save_error", err)
-	}
-
-	var successMsg string
-	if len(flashes) > 0 {
-		if msg, ok := flashes[0].(string); ok {
-			successMsg = msg
-		}
-	}
+	successMsg := getFlashMessage(c)
 
 	userModel := getUserFromContext(c)
 
@@ -286,15 +272,7 @@ func (h *ClientHandler) DeleteClient(c *gin.Context) {
 		return
 	}
 
-	// Store success message in session flash
-	session := sessions.Default(c)
-	session.AddFlash("Client deleted successfully")
-	if err := session.Save(); err != nil {
-		renderErrorPage(c, http.StatusInternalServerError, "Failed to save session: "+err.Error())
-		return
-	}
-
-	c.Redirect(http.StatusFound, "/admin/clients")
+	flashAndRedirect(c, "Client deleted successfully", "/admin/clients")
 }
 
 // RegenerateSecret handles POST /admin/clients/:id/regenerate-secret to regenerate the client secret

internal/handlers/oauth_handler.go

@@ -198,21 +198,26 @@ func (h *OAuthHandler) OAuthCallback(c *gin.Context) {
 		log.Printf("[OAuth] Authentication failed: %v", err)
 
 		// Handle specific errors
-		if errors.Is(err, services.ErrOAuthAutoRegisterDisabled) {
+		switch {
+		case errors.Is(err, services.ErrOAuthAutoRegisterDisabled):
 			renderErrorPage(
 				c,
 				http.StatusForbidden,
 				"Registration Disabled. New account registration via OAuth is currently disabled. Please contact your administrator.",
 			)
-			return
+		case errors.Is(err, services.ErrAccountDisabled):
+			renderErrorPage(
+				c,
+				http.StatusForbidden,
+				"Account Disabled. Your account has been disabled by an administrator. Please contact your administrator for assistance.",
+			)
+		default:
+			renderErrorPage(
+				c,
+				http.StatusInternalServerError,
+				"Authentication failed. Unable to authenticate your account at this time. Please try again later.",
+			)
 		}
-
-		// Generic error
-		renderErrorPage(
-			c,
-			http.StatusInternalServerError,
-			"Authentication failed. Unable to authenticate your account at this time. Please try again later.",
-		)
 		return
 	}