CLI tool to issue user registration tokens

Author: sandhose

crates/cli/Cargo.toml

@@ -18,6 +18,7 @@ anyhow.workspace = true
 axum.workspace = true
 bytes.workspace = true
 camino.workspace = true
+chrono.workspace = true
 clap.workspace = true
 console = "0.15.11"
 dialoguer = { version = "0.11.0", default-features = false, features = [

crates/cli/src/commands/manage.rs

@@ -7,6 +7,7 @@
 use std::{collections::BTreeMap, process::ExitCode};
 
 use anyhow::Context;
+use chrono::Duration;
 use clap::{ArgAction, CommandFactory, Parser};
 use console::{Alignment, Style, Term, pad_str, style};
 use dialoguer::{Confirm, FuzzySelect, Input, Password, theme::ColorfulTheme};
@@ -28,7 +29,10 @@ use mas_storage::{
     user::{BrowserSessionFilter, UserEmailRepository, UserPasswordRepository, UserRepository},
 };
 use mas_storage_pg::{DatabaseError, PgRepository};
-use rand::{RngCore, SeedableRng};
+use rand::{
+    RngCore, SeedableRng,
+    distributions::{Alphanumeric, DistString as _},
+};
 use sqlx::{Acquire, types::Uuid};
 use tracing::{error, info, info_span, warn};
 use zeroize::Zeroizing;
@@ -95,6 +99,24 @@ enum Subcommand {
         admin: bool,
     },
 
+    /// Create a new user registration token
+    IssueUserRegistrationToken {
+        /// Specific token string to use. If not provided, a random token will
+        /// be generated.
+        #[arg(long)]
+        token: Option<String>,
+
+        /// Maximum number of times this token can be used.
+        /// If not provided, the token can be used an unlimited number of times.
+        #[arg(long)]
+        usage_limit: Option<u32>,
+
+        /// Time in seconds after which the token expires.
+        /// If not provided, the token never expires.
+        #[arg(long)]
+        expires_in: Option<u32>,
+    },
+
     /// Trigger a provisioning job for all users
     ProvisionAllUsers,
 
@@ -330,6 +352,38 @@ impl Options {
                 Ok(ExitCode::SUCCESS)
             }
 
+            SC::IssueUserRegistrationToken {
+                token,
+                usage_limit,
+                expires_in,
+            } => {
+                let _span = info_span!("cli.manage.add_user_registration_token").entered();
+
+                let database_config = DatabaseConfig::extract_or_default(figment)?;
+                let mut conn = database_connection_from_config(&database_config).await?;
+                let txn = conn.begin().await?;
+                let mut repo = PgRepository::from_conn(txn);
+
+                // Calculate expiration time if provided
+                let expires_at =
+                    expires_in.map(|seconds| clock.now() + Duration::seconds(seconds.into()));
+
+                // Generate a token if not provided
+                let token_str = token.unwrap_or_else(|| Alphanumeric.sample_string(&mut rng, 12));
+
+                // Create the token
+                let registration_token = repo
+                    .user_registration_token()
+                    .add(&mut rng, &clock, token_str, usage_limit, expires_at)
+                    .await?;
+
+                repo.into_inner().commit().await?;
+
+                info!(%registration_token.id, "Created user registration token: {}", registration_token.token);
+
+                Ok(ExitCode::SUCCESS)
+            }
+
             SC::ProvisionAllUsers => {
                 let _span = info_span!("cli.manage.provision_all_users").entered();
                 let database_config = DatabaseConfig::extract_or_default(figment)?;

docs/reference/cli/manage.md

@@ -46,6 +46,19 @@ Options:
 $ mas-cli manage issue-compatibility-token <username> --device-id <device_id> --yes-i-want-to-grant-synapse-admin-privileges
 ```
 
+## `manage issue-user-registration-token`
+
+Create a new user registration token.
+
+Options:
+- `--token <token>`: Specific token string to use. If not provided, a random token will be generated.
+- `--usage-limit <usage_limit>`: Limit the number of times the token can be used. If not provided, the token can be used an unlimited number of times.
+- `--expires-in <expires_in>`: Time in seconds after which the token expires. If not provided, the token never expires.
+
+```
+$ mas-cli manage issue-user-registration-token --token <token> --usage-limit <usage_limit> --expires-in <expires_in>
+```
+
 ## `manage provision-all-users`
 
 Trigger a provisioning job for all users.
@@ -101,4 +114,4 @@ Options:
 
 ```
 $ mas-cli manage register-user
-```
+```