🔧 Auto-Admin Creation
When it happens:
- ✅ Application starts up
- ✅ Database is empty (no existing users)
- ✅
ENABLE_DEFAULT_ADMIN=true(default setting)
What you get:
- Fully configured admin account
- Secure default permissions
- Ready to use immediately
User Management
This guide covers everything you need to know about managing users in LeafLock, from setting up admin accounts to troubleshooting user issues.
Default Admin Account
Section titled “Default Admin Account”Quick Setup
Section titled “Quick Setup”LeafLock automatically creates an admin account when starting up with an empty database. This makes initial setup simple and secure.
Environment Configuration
Section titled “Environment Configuration”# Enable automatic admin creationENABLE_DEFAULT_ADMIN=true
# Admin login credentialsDEFAULT_ADMIN_EMAIL=admin@leaflock.appDEFAULT_ADMIN_PASSWORD=YourSecurePassword123!# Use strong passwords with special charactersDEFAULT_ADMIN_PASSWORD=#wmR8xWxZ&#JHZPd8HTYmafctWSe0N*jgPG%bYS@
# Consider your actual domainDEFAULT_ADMIN_EMAIL=admin@yourdomain.com
# Optional: Disable after first setupENABLE_DEFAULT_ADMIN=falseUser Operations
Section titled “User Operations”Viewing Users
Section titled “Viewing Users”-- Quick user overviewSELECT id, email_search_hash, is_admin, mfa_enabled, failed_attempts, locked_until, created_at, last_loginFROM usersORDER BY created_at DESC;# List all users (admin required)curl -X GET http://localhost:8080/api/v1/admin/users \ -H "Authorization: Bearer your-admin-jwt-token"# Connect to databasedocker compose exec postgres psql -U postgres -d notes
# Or with Podmanpodman exec -it leaflock-postgres psql -U postgres -d notesUser Statistics
Section titled “User Statistics”📊 User Counts
-- Total usersSELECT COUNT(*) as total_users FROM users;
-- Admin usersSELECT COUNT(*) as admin_usersFROM users WHERE is_admin = true;
-- Locked accountsSELECT COUNT(*) as locked_accountsFROM users WHERE locked_until > NOW();💾 Storage Usage
-- Storage by userSELECT id, storage_used, storage_limit, ROUND((storage_used::float / storage_limit * 100), 2) as usage_percentFROM usersWHERE storage_used > 0ORDER BY usage_percent DESC;User Administration
Section titled “User Administration”Managing Permissions
Section titled “Managing Permissions”-- Make user an adminUPDATE usersSET is_admin = trueWHERE id = 'user-uuid-here';# Via APIcurl -X PATCH http://localhost:8080/api/v1/admin/users/user-id \ -H "Authorization: Bearer admin-token" \ -H "Content-Type: application/json" \ -d '{"is_admin": true}'-- Remove admin privilegesUPDATE usersSET is_admin = falseWHERE id = 'user-uuid-here';-- Enable MFAUPDATE usersSET mfa_enabled = trueWHERE id = 'user-uuid-here';
-- Disable MFA (emergency)UPDATE usersSET mfa_enabled = false, mfa_secret_encrypted = NULLWHERE id = 'user-uuid-here';Account Recovery
Section titled “Account Recovery”🔓 Unlock Locked Accounts
Single user:
UPDATE usersSET failed_attempts = 0, locked_until = NULLWHERE id = 'user-uuid-here';All locked users:
UPDATE usersSET failed_attempts = 0, locked_until = NULLWHERE locked_until IS NOT NULL;Storage Management
Section titled “Storage Management”-- Update storage limit (10MB example)UPDATE usersSET storage_limit = 10485760WHERE id = 'user-uuid-here';
-- Check users near storage limitSELECT id, email_search_hash, storage_used, storage_limit, ROUND((storage_used::float / storage_limit * 100), 1) as usage_percentFROM usersWHERE (storage_used::float / storage_limit) > 0.8ORDER BY usage_percent DESC;User Registration
Section titled “User Registration”API Registration
Section titled “API Registration”📝 New User Registration
curl -X POST http://localhost:8080/api/v1/auth/register \ -H "Content-Type: application/json" \ -d '{ "email": "newuser@example.com", "password": "SecurePassword123!" }'Requirements:
- Valid email format
- Password: 8+ chars, mixed case, numbers, special chars
- Unique email address
- Registration enabled (
ENABLE_REGISTRATION=true- defaults tofalsefor security)
Troubleshooting
Section titled “Troubleshooting”Common Issues
Section titled “Common Issues”🚫 Cannot Login
Check account status:
SELECT id, failed_attempts, locked_until, is_adminFROM usersWHERE email_search_hash = encode( sha256(lower('user@example.com')::bytea), 'hex')::bytea;Fix locked account:
UPDATE usersSET failed_attempts = 0, locked_until = NULLWHERE id = 'user-id';🔑 Lost Admin Access
Promote existing user:
UPDATE usersSET is_admin = trueWHERE id = 'trusted-user-id';Or create emergency admin:
# In .env fileENABLE_DEFAULT_ADMIN=trueDEFAULT_ADMIN_EMAIL=recovery@yourdomain.comDEFAULT_ADMIN_PASSWORD=TempRecovery123!
# Restart applicationdocker compose restartFinding Users by Email
Section titled “Finding Users by Email”Since emails are encrypted, you need to use the search hash:
-- Find user by email (requires the actual email)SELECT id, is_admin, created_at, last_loginFROM usersWHERE email_search_hash = encode( sha256(lower('user@example.com')::bytea), 'hex')::bytea;Emergency Data Reset
Section titled “Emergency Data Reset”Admin Panel Features
Section titled “Admin Panel Features”Available Functions
Section titled “Available Functions”👥 User Management
- View all registered users
- Modify user permissions (admin/regular)
- Lock/unlock user accounts
- Reset password tokens
- Monitor user activity
⚙️ System Settings
- Global application configuration
- User registration settings
- Security policy management
- System announcements
📋 Audit Logs
- User login attempts
- Permission changes
- Security events
- Data access patterns
Access Requirements
Section titled “Access Requirements”- Authentication: Must be logged in
- Authorization:
is_admin = truein database - Endpoints: All admin functions at
/api/v1/admin/*
Security Architecture
Section titled “Security Architecture”Encryption & Privacy
Section titled “Encryption & Privacy”🔒 Zero-Knowledge Architecture
User data protection:
- All emails encrypted at rest
- Password hashing with Argon2id (64MB memory, 3 iterations)
- User master keys encrypted with user passwords
- Server never sees plaintext notes or sensitive data
Session security:
- JWT tokens with Redis-backed refresh rotation
- Secure cookie settings (HttpOnly, Secure, SameSite)
- Automatic session expiry and cleanup
Backup Considerations
Section titled “Backup Considerations”When backing up user data, ensure you preserve:
- ✅ Database encryption keys
- ✅ JWT signing secrets
- ✅ User master keys (encrypted)
- ✅ Server encryption keys
- ✅ Redis session data (for active sessions)
Critical Backup Note
Without the proper encryption keys, backed up user data cannot be decrypted or restored. Keep encryption keys secure and separate from data backups.
Best Practices
Section titled “Best Practices”Admin Account Security
Section titled “Admin Account Security”-
Strong Authentication
- Use complex passwords with special characters
- Enable MFA on all admin accounts
- Regularly rotate admin passwords
-
Access Control
- Limit number of admin users
- Use principle of least privilege
- Monitor admin activity through audit logs
-
Operational Security
- Keep admin credentials secure
- Use dedicated admin accounts (don’t use for regular notes)
- Regularly review admin permissions
User Privacy
Section titled “User Privacy”- Never log or store plaintext passwords
- Minimize data collection to essential fields only
- Respect user deletion requests completely
- Audit access to user data regularly
This guide covers the essential user management operations for LeafLock. For additional security features or enterprise deployment considerations, consult the deployment guides.