v1.2.0 - The Foundation Edition

Backend APIs for Dashboard User Management

This release delivers the necessary backend infrastructure to power the new user management features in the web dashboard. The work involved creating secure endpoints for administrators to manage user roles and permissions. This implementation was then architecturally refined to harden security by centralizing critical user lifecycle operations within the authentication service, ensuring a clear separation of concerns.

👤 Administrator User Management Endpoints

The core of this release is the introduction of APIs that empower dashboard administrators with granular control over user accounts, directly supporting the new dashboard UI.

• 🔐 A secure, permission-aware user update endpoint has been established. This mechanism enforces that administrators can only modify a user's appRole and dashboardRole, while regular users are restricted to updating their own profile data, such as feedDecoratorStatus. [#88, #89]
• ✅ Essential validation has been added to the user creation process, such as requiring a non-empty email field to ensure data integrity. [#88]

🏛️ Security Hardening & Architectural Refinement

During implementation, the system's architecture was refined to improve security and create clearer service boundaries for handling sensitive user data.

• 🔑 User creation and deletion functionalities have been moved to be exclusively handled by the authentication service, removing these critical lifecycle events from the generic data API to centralize and better secure them. [#89]
• ✉️ A new, secure two-step email update process was added to the authentication service, requiring verification via a code sent to the new email address before any changes are committed. [#89]
• 🧹 As a result of this architectural shift, obsolete user.create and user.delete permissions were removed from the generic RBAC system, clarifying the new, more secure division of responsibilities. [#89]