[feature] Admin accounts endpoints; approve/reject sign-ups (#2826)

* update settings panels, add pending overview + approve/deny functions

* add admin accounts get, approve, reject

* send approved/rejected emails

* use signup URL

* docs!

* email

* swagger

* web linting

* fix email tests

* wee lil fixerinos

* use new paging logic for GetAccounts() series of admin endpoints, small changes to query building

* shuffle useAccountIDIn check *before* adding to query

* fix parse from toot react error

* use `netip.Addr`

* put valid slices in globals

* optimistic updates for account state

---------

Co-authored-by: kim <grufwub@gmail.com>

internal/api/client/admin/accountapprove.go

@@ -0,0 +1,105 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+)
+
+// AccountApprovePOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/approve adminAccountApprove
+//
+// Approve pending account.
+//
+//	---
+//	tags:
+//	- admin
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: id
+//		required: true
+//		in: path
+//		description: ID of the account.
+//		type: string
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'200':
+//			description: The now-approved account.
+//			schema:
+//				"$ref": "#/definitions/adminAccountInfo"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'500':
+//			description: internal server error
+func (m *Module) AccountApprovePOSTHandler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if authed.Account.IsMoving() {
+		apiutil.ForbiddenAfterMove(c)
+		return
+	}
+
+	targetAcctID, errWithCode := apiutil.ParseID(c.Param(apiutil.IDKey))
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	account, errWithCode := m.processor.Admin().AccountApprove(
+		c.Request.Context(),
+		authed.Account,
+		targetAcctID,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	apiutil.JSON(c, http.StatusOK, account)
+}

internal/api/client/admin/accountget.go

@@ -0,0 +1,101 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+)
+
+// AccountGETHandler swagger:operation GET /api/v1/admin/accounts/{id} adminAccountGet
+//
+// View one account.
+//
+//	---
+//	tags:
+//	- admin
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: id
+//		required: true
+//		in: path
+//		description: ID of the account.
+//		type: string
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'200':
+//			description: OK
+//			schema:
+//				"$ref": "#/definitions/adminAccountInfo"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'500':
+//			description: internal server error
+func (m *Module) AccountGETHandler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if authed.Account.IsMoving() {
+		apiutil.ForbiddenAfterMove(c)
+		return
+	}
+
+	targetAcctID, errWithCode := apiutil.ParseID(c.Param(apiutil.IDKey))
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	account, errWithCode := m.processor.Admin().AccountGet(c.Request.Context(), targetAcctID)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	apiutil.JSON(c, http.StatusOK, account)
+}

internal/api/client/admin/accountreject.go

@@ -0,0 +1,136 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+)
+
+// AccountRejectPOSTHandler swagger:operation POST /api/v1/admin/accounts/{id}/reject adminAccountReject
+//
+// Reject pending account.
+//
+//	---
+//	tags:
+//	- admin
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: id
+//		required: true
+//		in: path
+//		description: ID of the account.
+//		type: string
+//	-
+//		name: private_comment
+//		in: formData
+//		description: >-
+//			Comment to leave on why the account was denied.
+//			The comment will be visible to admins only.
+//		type: string
+//	-
+//		name: message
+//		in: formData
+//		description: >-
+//			Message to include in email to applicant.
+//			Will be included only if send_email is true.
+//		type: string
+//	-
+//		name: send_email
+//		in: formData
+//		description: >-
+//			Send an email to the applicant informing
+//			them that their sign-up has been rejected.
+//		type: boolean
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'200':
+//			description: The now-rejected account.
+//			schema:
+//				"$ref": "#/definitions/adminAccountInfo"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'500':
+//			description: internal server error
+func (m *Module) AccountRejectPOSTHandler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if authed.Account.IsMoving() {
+		apiutil.ForbiddenAfterMove(c)
+		return
+	}
+
+	targetAcctID, errWithCode := apiutil.ParseID(c.Param(apiutil.IDKey))
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	form := new(apimodel.AdminAccountRejectRequest)
+	if err := c.ShouldBind(form); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	account, errWithCode := m.processor.Admin().AccountReject(
+		c.Request.Context(),
+		authed.Account,
+		targetAcctID,
+		form.PrivateComment,
+		form.SendEmail,
+		form.Message,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	apiutil.JSON(c, http.StatusOK, account)
+}

internal/api/client/admin/accountsgetv1.go

@@ -0,0 +1,348 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+// AccountsGETHandlerV1 swagger:operation GET /api/v1/admin/accounts adminAccountsGetV1
+//
+// View + page through known accounts according to given filters.
+//
+// The next and previous queries can be parsed from the returned Link header.
+// Example:
+//
+// ```
+// <https://example.org/api/v1/admin/accounts?limit=80&max_id=01FC0SKA48HNSVR6YKZCQGS2V8>; rel="next", <https://example.org/api/v1/admin/accounts?limit=80&min_id=01FC0SKW5JK2Q4EVAV2B462YY0>; rel="prev"
+// ````
+//
+//	---
+//	tags:
+//	- admin
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: local
+//		in: query
+//		type: boolean
+//		description: Filter for local accounts.
+//		default: false
+//	-
+//		name: remote
+//		in: query
+//		type: boolean
+//		description: Filter for remote accounts.
+//		default: false
+//	-
+//		name: active
+//		in: query
+//		type: boolean
+//		description: Filter for currently active accounts.
+//		default: false
+//	-
+//		name: pending
+//		in: query
+//		type: boolean
+//		description: Filter for currently pending accounts.
+//		default: false
+//	-
+//		name: disabled
+//		in: query
+//		type: boolean
+//		description: Filter for currently disabled accounts.
+//		default: false
+//	-
+//		name: silenced
+//		in: query
+//		type: boolean
+//		description: Filter for currently silenced accounts.
+//		default: false
+//	-
+//		name: suspended
+//		in: query
+//		type: boolean
+//		description: Filter for currently suspended accounts.
+//		default: false
+//	-
+//		name: sensitized
+//		in: query
+//		type: boolean
+//		description: Filter for accounts force-marked as sensitive.
+//		default: false
+//	-
+//		name: username
+//		in: query
+//		type: string
+//		description: Search for the given username.
+//	-
+//		name: display_name
+//		in: query
+//		type: string
+//		description: Search for the given display name.
+//	-
+//		name: by_domain
+//		in: query
+//		type: string
+//		description: Filter by the given domain.
+//	-
+//		name: email
+//		in: query
+//		type: string
+//		description: Lookup a user with this email.
+//	-
+//		name: ip
+//		in: query
+//		type: string
+//		description: Lookup users with this IP address.
+//	-
+//		name: staff
+//		in: query
+//		type: boolean
+//		description: Filter for staff accounts.
+//		default: false
+//	-
+//		name: max_id
+//		in: query
+//		type: string
+//		description: All results returned will be older than the item with this ID.
+//	-
+//		name: since_id
+//		in: query
+//		type: string
+//		description: All results returned will be newer than the item with this ID.
+//	-
+//		name: min_id
+//		in: query
+//		type: string
+//		description: Returns results immediately newer than the item with this ID.
+//	-
+//		name: limit
+//		in: query
+//		type: integer
+//		description: Maximum number of results to return.
+//		default: 100
+//		maximum: 200
+//		minimum: 1
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'200':
+//			headers:
+//				Link:
+//					type: string
+//					description: Links to the next and previous queries.
+//			schema:
+//				type: array
+//				items:
+//					"$ref": "#/definitions/adminAccountInfo"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'500':
+//			description: internal server error
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/paging"
+)
+
+func (m *Module) AccountsGETV1Handler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if authed.Account.IsMoving() {
+		apiutil.ForbiddenAfterMove(c)
+		return
+	}
+
+	if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	page, errWithCode := paging.ParseIDPage(c, 1, 200, 100)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	/* Translate to v2 `origin` query param */
+
+	local, errWithCode := apiutil.ParseLocal(c.Query(apiutil.LocalKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	remote, errWithCode := apiutil.ParseAdminRemote(c.Query(apiutil.AdminRemoteKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	if local && remote {
+		keys := []string{apiutil.LocalKey, apiutil.AdminRemoteKey}
+		err := fmt.Errorf("only one of %+v can be true", keys)
+		apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	var origin string
+	if local {
+		origin = "local"
+	} else if remote {
+		origin = "remote"
+	}
+
+	/* Translate to v2 `status` query param */
+
+	active, errWithCode := apiutil.ParseAdminActive(c.Query(apiutil.AdminActiveKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	pending, errWithCode := apiutil.ParseAdminPending(c.Query(apiutil.AdminPendingKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	disabled, errWithCode := apiutil.ParseAdminDisabled(c.Query(apiutil.AdminDisabledKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	silenced, errWithCode := apiutil.ParseAdminSilenced(c.Query(apiutil.AdminSilencedKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	suspended, errWithCode := apiutil.ParseAdminSuspended(c.Query(apiutil.AdminSuspendedKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	// Ensure only one `status` query param set.
+	var status string
+	states := map[string]bool{
+		apiutil.AdminActiveKey:    active,
+		apiutil.AdminPendingKey:   pending,
+		apiutil.AdminDisabledKey:  disabled,
+		apiutil.AdminSilencedKey:  silenced,
+		apiutil.AdminSuspendedKey: suspended,
+	}
+	for k, v := range states {
+		if !v {
+			// False status,
+			// so irrelevant.
+			continue
+		}
+
+		if status != "" {
+			// Status was already set by another
+			// query param, this is an error.
+			keys := []string{
+				apiutil.AdminActiveKey,
+				apiutil.AdminPendingKey,
+				apiutil.AdminDisabledKey,
+				apiutil.AdminSilencedKey,
+				apiutil.AdminSuspendedKey,
+			}
+			err := fmt.Errorf("only one of %+v can be true", keys)
+			apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
+			return
+		}
+
+		// Use this
+		// account status.
+		status = k
+	}
+
+	/* Translate to v2 `permissions` query param */
+
+	staff, errWithCode := apiutil.ParseAdminStaff(c.Query(apiutil.AdminStaffKey), false)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	var permissions string
+	if staff {
+		permissions = "staff"
+	}
+
+	// Parse out all optional params from the query.
+	params := &apimodel.AdminGetAccountsRequest{
+		Origin:      origin,
+		Status:      status,
+		Permissions: permissions,
+		RoleIDs:     nil, // Can't do in V1.
+		InvitedBy:   "",  // Can't do in V1.
+		Username:    c.Query(apiutil.UsernameKey),
+		DisplayName: c.Query(apiutil.AdminDisplayNameKey),
+		ByDomain:    c.Query(apiutil.AdminByDomainKey),
+		Email:       c.Query(apiutil.AdminEmailKey),
+		IP:          c.Query(apiutil.AdminIPKey),
+		APIVersion:  1,
+	}
+
+	resp, errWithCode := m.processor.Admin().AccountsGet(
+		c.Request.Context(),
+		params,
+		page,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	if resp.LinkHeader != "" {
+		c.Header("Link", resp.LinkHeader)
+	}
+
+	apiutil.JSON(c, http.StatusOK, resp.Items)
+}

internal/api/client/admin/accountsgetv2.go

@@ -0,0 +1,212 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+// AccountsGETHandlerV2 swagger:operation GET /api/v2/admin/accounts adminAccountsGetV2
+//
+// View + page through known accounts according to given filters.
+//
+// The next and previous queries can be parsed from the returned Link header.
+// Example:
+//
+// ```
+// <https://example.org/api/v2/admin/accounts?limit=80&max_id=01FC0SKA48HNSVR6YKZCQGS2V8>; rel="next", <https://example.org/api/v2/admin/accounts?limit=80&min_id=01FC0SKW5JK2Q4EVAV2B462YY0>; rel="prev"
+// ````
+//
+//	---
+//	tags:
+//	- admin
+//
+//	produces:
+//	- application/json
+//
+//	parameters:
+//	-
+//		name: origin
+//		in: query
+//		type: string
+//		description: Filter for `local` or `remote` accounts.
+//	-
+//		name: status
+//		in: query
+//		type: string
+//		description: Filter for `active`, `pending`, `disabled`, `silenced`, or `suspended` accounts.
+//	-
+//		name: permissions
+//		in: query
+//		type: string
+//		description: Filter for accounts with staff permissions (users that can manage reports).
+//	-
+//		name: role_ids[]
+//		in: query
+//		type: array
+//		items:
+//			type: string
+//		description: Filter for users with these roles.
+//	-
+//		name: invited_by
+//		in: query
+//		type: string
+//		description: Lookup users invited by the account with this ID.
+//	-
+//		name: username
+//		in: query
+//		type: string
+//		description: Search for the given username.
+//	-
+//		name: display_name
+//		in: query
+//		type: string
+//		description: Search for the given display name.
+//	-
+//		name: by_domain
+//		in: query
+//		type: string
+//		description: Filter by the given domain.
+//	-
+//		name: email
+//		in: query
+//		type: string
+//		description: Lookup a user with this email.
+//	-
+//		name: ip
+//		in: query
+//		type: string
+//		description: Lookup users with this IP address.
+//	-
+//		name: max_id
+//		in: query
+//		type: string
+//		description: All results returned will be older than the item with this ID.
+//	-
+//		name: since_id
+//		in: query
+//		type: string
+//		description: All results returned will be newer than the item with this ID.
+//	-
+//		name: min_id
+//		in: query
+//		type: string
+//		description: Returns results immediately newer than the item with this ID.
+//	-
+//		name: limit
+//		in: query
+//		type: integer
+//		description: Maximum number of results to return.
+//		default: 100
+//		maximum: 200
+//		minimum: 1
+//
+//	security:
+//	- OAuth2 Bearer:
+//		- admin
+//
+//	responses:
+//		'200':
+//			headers:
+//				Link:
+//					type: string
+//					description: Links to the next and previous queries.
+//			schema:
+//				type: array
+//				items:
+//					"$ref": "#/definitions/adminAccountInfo"
+//		'400':
+//			description: bad request
+//		'401':
+//			description: unauthorized
+//		'403':
+//			description: forbidden
+//		'404':
+//			description: not found
+//		'406':
+//			description: not acceptable
+//		'500':
+//			description: internal server error
+package admin
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+	apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/paging"
+)
+
+func (m *Module) AccountsGETV2Handler(c *gin.Context) {
+	authed, err := oauth.Authed(c, true, true, true, true)
+	if err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if !*authed.User.Admin {
+		err := fmt.Errorf("user %s not an admin", authed.User.ID)
+		apiutil.ErrorHandler(c, gtserror.NewErrorForbidden(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	if authed.Account.IsMoving() {
+		apiutil.ForbiddenAfterMove(c)
+		return
+	}
+
+	if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {
+		apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
+	page, errWithCode := paging.ParseIDPage(c, 1, 200, 100)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	// Parse out all optional params from the query.
+	params := &apimodel.AdminGetAccountsRequest{
+		Origin:      c.Query(apiutil.AdminOriginKey),
+		Status:      c.Query(apiutil.AdminStatusKey),
+		Permissions: c.Query(apiutil.AdminPermissionsKey),
+		RoleIDs:     c.QueryArray(apiutil.AdminRoleIDsKey),
+		InvitedBy:   c.Query(apiutil.AdminInvitedByKey),
+		Username:    c.Query(apiutil.UsernameKey),
+		DisplayName: c.Query(apiutil.AdminDisplayNameKey),
+		ByDomain:    c.Query(apiutil.AdminByDomainKey),
+		Email:       c.Query(apiutil.AdminEmailKey),
+		IP:          c.Query(apiutil.AdminIPKey),
+		APIVersion:  2,
+	}
+
+	resp, errWithCode := m.processor.Admin().AccountsGet(
+		c.Request.Context(),
+		params,
+		page,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+		return
+	}
+
+	if resp.LinkHeader != "" {
+		c.Header("Link", resp.LinkHeader)
+	}
+
+	apiutil.JSON(c, http.StatusOK, resp.Items)
+}

internal/api/client/admin/admin.go

@@ -39,9 +39,12 @@ const (
 	HeaderAllowsPathWithID  = HeaderAllowsPath + "/:" + IDKey
 	HeaderBlocksPath        = BasePath + "/header_blocks"
 	HeaderBlocksPathWithID  = HeaderBlocksPath + "/:" + IDKey
-	AccountsPath            = BasePath + "/accounts"
-	AccountsPathWithID      = AccountsPath + "/:" + IDKey
+	AccountsV1Path          = BasePath + "/accounts"
+	AccountsV2Path          = "/v2/admin/accounts"
+	AccountsPathWithID      = AccountsV1Path + "/:" + IDKey
 	AccountsActionPath      = AccountsPathWithID + "/action"
+	AccountsApprovePath     = AccountsPathWithID + "/approve"
+	AccountsRejectPath      = AccountsPathWithID + "/reject"
 	MediaCleanupPath        = BasePath + "/media_cleanup"
 	MediaRefetchPath        = BasePath + "/media_refetch"
 	ReportsPath             = BasePath + "/reports"
@@ -113,7 +116,12 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 	attachHandler(http.MethodPost, DomainKeysExpirePath, m.DomainKeysExpirePOSTHandler)
 
 	// accounts stuff
+	attachHandler(http.MethodGet, AccountsV1Path, m.AccountsGETV1Handler)
+	attachHandler(http.MethodGet, AccountsV2Path, m.AccountsGETV2Handler)
+	attachHandler(http.MethodGet, AccountsPathWithID, m.AccountGETHandler)
 	attachHandler(http.MethodPost, AccountsActionPath, m.AccountActionPOSTHandler)
+	attachHandler(http.MethodPost, AccountsApprovePath, m.AccountApprovePOSTHandler)
+	attachHandler(http.MethodPost, AccountsRejectPath, m.AccountRejectPOSTHandler)
 
 	// media stuff
 	attachHandler(http.MethodPost, MediaCleanupPath, m.MediaCleanupPOSTHandler)