feat(server): add --reset-password admin subcommand

Self-hosters can now run:
  ./solitaire_server --reset-password <username>
to update a player's password and invalidate all their refresh tokens
(forcing re-login on every device). Password is read from stdin so it
can be piped from scripts or a password manager without appearing in
shell history.

Implementation:
- reset_password() in auth.rs: validates length, bcrypt-hashes new
  password, updates users.password_hash, deletes all refresh_tokens
  rows for the user.
- main.rs: --reset-password dispatch before HTTP server startup;
  JWT_SECRET not required for this path.
- 4 integration tests covering: login works after reset, old password
  rejected, refresh tokens invalidated, unknown user → NotFound,
  short password → BadRequest.
- README_SERVER.md: admin password-reset section with examples.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

This commit is contained in:

funman300

2026-05-12 14:10:13 -07:00

parent 566b112d9e

commit 75146847f6

7 changed files with 305 additions and 4 deletions

									
										solitaire_server/src/lib.rs
									
		+2
		
												View File
												
				@@ -12,6 +12,8 @@ pub mod middleware;

				pub mod replays;

				pub mod sync;

				pub use auth::reset_password;

				use axum::{

				    extract::DefaultBodyLimit,

				    middleware as axum_middleware,