xtream-player/USERS_MANAGEMENT.md
2026-03-10 15:15:20 +01:00


# User Management - Xtream Player
## Overview
Users are stored in an H2 database (`~/.xtream-player/users.db`).
If no users exist, the application creates a default user `admin` / `admin` on startup.
## Authentication for User API
The user CRUD API is protected by a fixed bearer token:

- Header: `Authorization: Bearer MujBearer852654`

Without this header (or with a wrong value), the API returns `401 Unauthorized`.
## /user CRUD API
Base endpoint:
- `http://localhost:8080/user`
### List users
```bash
curl -H "Authorization: Bearer MujBearer852654" \
http://localhost:8080/user
```
### Get one user
```bash
curl -H "Authorization: Bearer MujBearer852654" \
"http://localhost:8080/user?username=admin"
```
### Create user
```bash
curl -X POST -H "Authorization: Bearer MujBearer852654" \
-H "Content-Type: application/json" \
-d '{"username":"user","password":"pass123"}' \
http://localhost:8080/user
```
You can also send URL-encoded form data:
```bash
curl -X POST -H "Authorization: Bearer MujBearer852654" \
-d "username=user&password=pass123" \
http://localhost:8080/user
```
### Update password
```bash
curl -X PUT -H "Authorization: Bearer MujBearer852654" \
-H "Content-Type: application/json" \
-d '{"username":"user","newPassword":"newPass123"}' \
http://localhost:8080/user
```
`password` is accepted as a fallback key as well.
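
A first-start check built from the calls documented here (an added example, not part of the Xtream Player project): it confirms that `/user` answers `401` without the bearer token or with a wrong one, then replaces the default `admin` password with a random one. The function names, the `run` argument and treating any `2xx` status as success are assumptions; this page does not state the success code.

```bash
#!/usr/bin/env bash
# Added example: first-start check for the /user API described on this page.
# BASE and TOKEN default to the values documented here; override via environment.
BASE="${BASE:-http://localhost:8080}"
TOKEN="${TOKEN:-MujBearer852654}"

# Print only the HTTP status code of a request; extra curl arguments pass through.
http_code() {
  curl -s -o /dev/null -w '%{http_code}' "$@"
}

# Succeeds only if the API answers 401 both without a token and with a wrong one.
rejects_unauthenticated() {
  [ "$(http_code "$BASE/user")" = "401" ] &&
  [ "$(http_code -H "Authorization: Bearer wrong-token" "$BASE/user")" = "401" ]
}

# 24 random alphanumeric characters, so the JSON body needs no escaping.
new_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# JSON body for the "Update password" call.
update_body() {
  printf '{"username":"%s","newPassword":"%s"}' "$1" "$2"
}

# Replace the default admin/admin password; prints the new password on success.
# Assumption: any 2xx status means the update was accepted.
rotate_admin_password() {
  local pw code
  pw="$(new_password)"
  code="$(http_code -X PUT -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d "$(update_body admin "$pw")" "$BASE/user")"
  case "$code" in
    2??) printf '%s\n' "$pw" ;;
    *)   echo "password update failed: HTTP $code" >&2; return 1 ;;
  esac
}

# Run the checks only when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
  rejects_unauthenticated || { echo "API accepted an unauthenticated request" >&2; exit 1; }
  rotate_admin_password
fi
```

Store the printed password in a password manager; the script does not save it anywhere.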
### Delete user
By query param:
```bash
curl -X DELETE -H "Authorization: Bearer MujBearer852654" \
"http://localhost:8080/user?username=user"
```
Or by JSON body:
```bash
curl -X DELETE -H "Authorization: Bearer MujBearer852654" \
-H "Content-Type: application/json" \
-d '{"username":"user"}' \
http://localhost:8080/user
```
## Response Notes
- Returned user objects include: `id`, `username`, `createdAt`, `updatedAt`
- Password hash is never returned by the API.