Users and roles
UserRole
Enum: SUPERADMIN, ADMIN, RESELLER, CLIENT, DEVELOPER, VIEWER.
Controllers annotate each method with the roles allowed to call it, which is stricter than admitting “any authenticated user”.
User model
Includes email, passwordHash, name, optional TOTP fields, lockout counters, relations to RefreshToken, AuditLog, SshKey.
API
GET /users lists users (role-guarded). Admins can use POST /users and PATCH /users/:id; the /users UI wires invite and edit to those routes.
Auth endpoints: /auth/login, /auth/refresh, /auth/logout, /auth/me, password reset flows.
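The difference between a role-guarded route and an "any authenticated user" route, as an added example that is not the project's own code. The role names come from the UserRole enum above; the `ROUTE_ROLES` table, the `authorize` function and the choice of which roles may reach each /users route are assumptions made for illustration.

```typescript
// Role names are from the page; everything else here is assumed for illustration.
const ROLES = ["SUPERADMIN", "ADMIN", "RESELLER", "CLIENT", "DEVELOPER", "VIEWER"] as const;
type UserRole = (typeof ROLES)[number];

// The role reaches the guard as a plain string (token claim, DB column): untrusted.
type Principal = { id: string; role: string } | null; // null = no valid session
type Decision = { status: 200 | 401 | 403; reason: string };

// Hypothetical policy table standing in for the per-method role annotations.
// Which roles the real project allows on each route is an assumption.
const ROUTE_ROLES: { [route: string]: readonly UserRole[] } = {
  "GET /users": ["SUPERADMIN", "ADMIN"],
  "POST /users": ["SUPERADMIN", "ADMIN"],
  "PATCH /users/:id": ["SUPERADMIN", "ADMIN"],
};

function isUserRole(value: string): value is UserRole {
  return (ROLES as readonly string[]).indexOf(value) !== -1;
}

function authorize(route: string, principal: Principal): Decision {
  if (principal === null) return { status: 401, reason: "not authenticated" };
  const role = principal.role;
  if (!isUserRole(role)) return { status: 403, reason: "unknown role" };
  // Own-property check so names like "constructor" never resolve via the prototype.
  const hasPolicy = Object.prototype.hasOwnProperty.call(ROUTE_ROLES, route);
  // Deny by default: a route without a role list is not open to every logged-in user.
  if (!hasPolicy) return { status: 403, reason: "route has no role policy" };
  if (ROUTE_ROLES[route].indexOf(role) === -1) {
    return { status: 403, reason: "role " + role + " not allowed" };
  }
  return { status: 200, reason: "allowed" };
}
```

A logged-in VIEWER gets 403 on POST /users, and a route missing from the table is refused rather than falling back to "authenticated is enough".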