Enable, Disable, and Unlock Accounts
Production - PUT /api/v1/users/{userId}/enable, /disable, /unlock
Administrators can enable, disable, and unlock user accounts. Disabled accounts cannot authenticate. Locked accounts are temporarily blocked due to failed login attempts.
6.4.7 Enable User

```bash
curl -X PUT http://localhost:8081/api/v1/users/42/enable \
  -H "Authorization: Bearer <admin-token>" \
  -H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"
```

Sets user.enabled = true. The user can authenticate again.
6.4.8 Disable User

```bash
curl -X PUT http://localhost:8081/api/v1/users/42/disable \
  -H "Authorization: Bearer <admin-token>" \
  -H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"
```

Sets user.enabled = false. Active sessions continue until their access tokens expire, but token refresh is blocked by the following check in the refresh flow:

```java
// Refresh is refused for both disabled and locked accounts, and the refresh token is revoked.
if (!user.isEnabled() || user.isAccountLocked()) {
    refreshToken.revoke("User account disabled or locked");
    throw new AuthenticationException("User account is not available");
}
```

6.4.9 Unlock User
```bash
curl -X PUT http://localhost:8081/api/v1/users/42/unlock \
  -H "Authorization: Bearer <admin-token>" \
  -H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"
```

Resets the lock flag, the failed login attempts counter, and the lockedUntil timestamp:

```java
public void unlock() {
    this.locked = false;
    this.lockedUntil = null;
    this.failedLoginAttempts = 0;
}
```

Differences Between Disable and Lock
| Aspect | Disable | Lock |
|---|---|---|
| Trigger | Admin action | Too many failed login attempts |
| Auto-recovery | No (requires admin) | Yes (after lockout period expires) |
| Token refresh | Blocked | Blocked |
| Login | Blocked | Blocked |
| Resolution | Admin enables account | Wait for expiry or admin unlock |
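The following Java program is an added illustration of the table above, not the project's own User class or service code. It models both states side by side: a lock that is triggered by failed logins and clears itself once lockedUntil has passed, and a disable that only an admin enable() resolves, with both feeding the same refresh gate quoted in 6.4.8. Field names follow the page; the class names, the failed-attempt threshold (5) and the lockout duration (15 minutes) are assumptions made for the demo.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added illustration (not the project's User entity). Field names follow the page;
// MAX_FAILED_ATTEMPTS and LOCKOUT are assumed values chosen for this demo.
public class AccountStateDemo {

    static final int MAX_FAILED_ATTEMPTS = 5;                // assumed threshold
    static final Duration LOCKOUT = Duration.ofMinutes(15);  // assumed lockout window

    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }

    static class UserAccount {
        private final Supplier<Instant> clock;  // injectable clock so expiry can be demonstrated
        private boolean enabled = true;
        private boolean locked = false;
        private Instant lockedUntil = null;
        private int failedLoginAttempts = 0;

        UserAccount(Supplier<Instant> clock) { this.clock = clock; }

        // Admin actions behind PUT .../enable and PUT .../disable
        void enable()  { this.enabled = true; }
        void disable() { this.enabled = false; }

        // Admin unlock, as on the page: clears all three pieces of lock state
        void unlock() {
            this.locked = false;
            this.lockedUntil = null;
            this.failedLoginAttempts = 0;
        }

        boolean isEnabled() { return enabled; }

        // A lock expires on its own once lockedUntil has passed; a disable never does.
        boolean isAccountLocked() {
            if (!locked) return false;
            if (lockedUntil != null && !clock.get().isBefore(lockedUntil)) {
                unlock();  // lockout period elapsed: auto-recover
                return false;
            }
            return true;
        }

        // Called by the login flow on a wrong password
        void recordFailedLogin() {
            failedLoginAttempts++;
            if (failedLoginAttempts >= MAX_FAILED_ATTEMPTS) {
                locked = true;
                lockedUntil = clock.get().plus(LOCKOUT);
            }
        }
    }

    // Same condition as the refresh gate quoted on the page: both states block refresh.
    static void checkRefreshAllowed(UserAccount user) {
        if (!user.isEnabled() || user.isAccountLocked()) {
            throw new AuthenticationException("User account is not available");
        }
    }

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2024-01-01T00:00:00Z") };  // controllable demo clock
        Supplier<Instant> clock = () -> now[0];

        // Lock: caused by repeated failed logins, recovers on its own after LOCKOUT
        UserAccount lockedUser = new UserAccount(clock);
        for (int i = 0; i < MAX_FAILED_ATTEMPTS; i++) lockedUser.recordFailedLogin();
        System.out.println("locked right after failures: " + lockedUser.isAccountLocked());
        now[0] = now[0].plus(LOCKOUT).plusSeconds(1);
        System.out.println("locked once the lockout expired: " + lockedUser.isAccountLocked());

        // Disable: admin action, never self-heals; only enable() resolves it
        UserAccount disabledUser = new UserAccount(clock);
        disabledUser.disable();
        now[0] = now[0].plus(Duration.ofDays(365));
        System.out.println("still disabled a year later: " + !disabledUser.isEnabled());
        try {
            checkRefreshAllowed(disabledUser);
        } catch (AuthenticationException e) {
            System.out.println("refresh blocked: " + e.getMessage());
        }
        disabledUser.enable();
        checkRefreshAllowed(disabledUser);  // no exception once re-enabled
        System.out.println("refresh allowed after admin enable");
    }
}
```

The point worth noticing for an operator is that the refresh gate cannot tell the two states apart: it only sees "not available". Whether a blocked user will recover by waiting or needs an admin depends on which of the two fields is set, so audit logs or the admin UI should surface lockedUntil and enabled separately rather than a single "blocked" flag.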