fix: add is_admin and full_name fields as optional in the request when updating user details

[marekdano]

🐛 Bug-fix PR

Closes #2693

📌 Summary

Updating admin privileges through the API requires mandatory fields (password, full_name), which results in unintended overwriting of existing user details.

The full_name and is_admin fields should be optional and should update the user's full_name and is_admin when they are included in the request

🔁 Reproduction Steps

1. Call the admin user update API without providing all required fields.
2. The API returns a "required field missing" error.
3. Provide all mandatory fields and update the user.

Example API Call:

curl -X 'PUT' \
  'http://localhost:4444/auth/email/admin/users/user_admin%40example.com' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "email": "user_admin@example.com",
  "password": "abcd1235",
  "is_admin": true
}'

In this case, the user.full_name is going to be None and it'll be displayed as N/A in UI.

🐞 Root Cause

email, password, is_admin, and full_name are treated as mandatory fields.

If full_name is not included in the request payload, the existing full name is overwritten and becomes null / NA.

💡 Fix Description

1. Theupdate_user function in mcpgateway/routers/email_auth.py

• Replace EmailRegistrationRequest with AdminUserUpdateRequest to have fields optional.
• Handle full_name and is_admin fields from the request as optional and update them in the DB when they are available.
• Add to catch PasswordValidationError exception when the password does not meet the requirements

2. The AdminUserUpdateRequest in mcpgateway/schemas.py`

Add the optional password field to AdminUserUpdateRequest with basic min_length=8, and let the existing service validation handle the rest!

3. Add more unit tests to cover the change

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅
Unit tests	make test	✅
Coverage ≥ 80 %	make coverage	✅
Manual regression no longer fails	steps / screenshots

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients

✅ Checklist

• Code formatted (make black isort pre-commit)
• No secrets/credentials committed

[crivetimihai]

Rebased onto latest main (18abdde) — no conflicts, all tests pass.

Review notes:

• Logic is correct. Optional fields default to None and are only applied when explicitly provided. Password validation is properly enforced through auth_service.validate_password() before hashing.
• No security concerns — schema provides baseline min_length=8, service layer enforces full complexity rules. PasswordValidationError is caught and returned as HTTP 400.
• No performance impact.

Minor observations (non-blocking):

1. hasattr() is redundant — on a Pydantic model, hasattr(user_request, "full_name") is always True since the field is declared. The is not None check alone suffices. Cosmetic — functionality is correct either way.
2. is_active not handled — AdminUserUpdateRequest defines is_active, but the endpoint ignores it. Pre-existing issue (not introduced by this PR); the UI uses separate /activate and /deactivate endpoints.
3. Consistency — other endpoints (e.g., rbac.py) use .dict(exclude_unset=True) for partial updates. This PR uses is not None checks. Both work correctly for this use case.
4. Test coverage — could add a test for single-field partial updates (e.g., only full_name or only is_admin), but existing tests cover the main scenarios well.

LGTM overall — the fix correctly addresses the reported bug.