User account management with role-based access control.
Accounts are stored in CubDB alongside policies and audit logs. Passwords are hashed with bcrypt_elixir.
Roles
• :admin — full access: toggle, hide, reset, manage accounts
• :viewer — read-only: view routes and audit log, no mutations
Default account
On first use, if no accounts exist, a default admin is auto-created:
username "admin", password "admin123".
Override via env vars: API_CONSOLE_ADMIN_USERNAME / API_CONSOLE_ADMIN_PASSWORD.
Session
After login, the username and role are stored in Plug session:
:api_console_user → %{username: "john", role: :admin}
Summary
Functions
Authenticate a user. Returns {:ok, role} or {:error, reason}.
Returns true if a new account can be created (within tier limit).
Change a user's password.
Count admin accounts.
Create a new account. Returns :ok or {:error, reason}.
Delete an account. Cannot delete the last admin.
Ensure at least one admin exists. Creates default if none.
List all accounts.
Parses a role string into an atom. Returns :viewer for unknown values.
Change a user's role.
Returns the list of valid roles.
Functions
Authenticate a user. Returns {:ok, role} or {:error, reason}.
Returns true if a new account can be created (within tier limit).
Change a user's password.
Count admin accounts.
Create a new account. Returns :ok or {:error, reason}.
Delete an account. Cannot delete the last admin.
Ensure at least one admin exists. Creates default if none.
List all accounts.
Parses a role string into an atom. Returns :viewer for unknown values.
Change a user's role.
Returns the list of valid roles.