User creation and management

server/api/auth/register.post.ts

@@ -0,0 +1,78 @@
+import { createUser, getUserByUsername } from '~/server/utils/database'
+import { setAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  const { username, password } = body
+
+  if (!username || !password) {
+    throw createError({
+      statusCode: 400,
+      message: 'Username and password are required'
+    })
+  }
+
+  // Validate username format
+  if (username.length < 3) {
+    throw createError({
+      statusCode: 400,
+      message: 'Username must be at least 3 characters long'
+    })
+  }
+
+  // Validate password strength
+  if (password.length < 8) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must be at least 8 characters long'
+    })
+  }
+
+  if (!/[A-Z]/.test(password)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one uppercase letter'
+    })
+  }
+
+  if (!/[a-z]/.test(password)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one lowercase letter'
+    })
+  }
+
+  if (!/[0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one number or symbol'
+    })
+  }
+
+  // Check if user already exists
+  const existingUser = getUserByUsername(username.toLowerCase())
+  if (existingUser) {
+    throw createError({
+      statusCode: 409,
+      message: 'Username already exists'
+    })
+  }
+
+  try {
+    // Create the new user
+    createUser(username.toLowerCase(), password)
+    
+    // Log them in automatically
+    setAuthCookie(event, username.toLowerCase())
+
+    return {
+      success: true,
+      username: username.toLowerCase()
+    }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to create user account'
+    })
+  }
+})

server/api/auth/verify.get.ts

@@ -1,9 +1,21 @@
-import { isAuthenticated } from '~/server/utils/auth'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getUserByUsername } from '~/server/utils/database'
 
 export default defineEventHandler(async (event) => {
-  const authenticated = isAuthenticated(event)
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    return {
+      authenticated: false,
+      isAdmin: false
+    }
+  }
+
+  const user = getUserByUsername(username)
   
   return {
-    authenticated
+    authenticated: true,
+    username: user?.username,
+    isAdmin: user?.is_admin === 1
   }
 })

server/api/users/delete/[id].delete.ts

@@ -0,0 +1,49 @@
+import { deleteUser, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  // Prevent deleting yourself
+  if (user.id === id) {
+    throw createError({
+      statusCode: 400,
+      message: 'Cannot delete your own account'
+    })
+  }
+
+  try {
+    deleteUser(id)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to delete user'
+    })
+  }
+})

server/api/users/index.get.ts

@@ -0,0 +1,26 @@
+import { getAllUsers } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getUserByUsername } from '~/server/utils/database'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const users = getAllUsers()
+  return users
+})

server/api/users/password/[id].put.ts

@@ -0,0 +1,79 @@
+import { resetUserPassword, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  const body = await readBody(event)
+  const { newPassword } = body
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  if (!newPassword || typeof newPassword !== 'string') {
+    throw createError({
+      statusCode: 400,
+      message: 'New password is required'
+    })
+  }
+
+  // Validate password strength
+  if (newPassword.length < 8) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must be at least 8 characters long'
+    })
+  }
+
+  if (!/[A-Z]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one uppercase letter'
+    })
+  }
+
+  if (!/[a-z]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one lowercase letter'
+    })
+  }
+
+  if (!/[0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one number or symbol'
+    })
+  }
+
+  try {
+    resetUserPassword(id, newPassword)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to reset password'
+    })
+  }
+})

server/api/users/role/[id].put.ts

@@ -0,0 +1,58 @@
+import { updateUserRole, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  const body = await readBody(event)
+  const { isAdmin } = body
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  if (typeof isAdmin !== 'boolean') {
+    throw createError({
+      statusCode: 400,
+      message: 'isAdmin must be a boolean'
+    })
+  }
+
+  // Prevent changing your own role
+  if (user.id === id) {
+    throw createError({
+      statusCode: 400,
+      message: 'Cannot change your own role'
+    })
+  }
+
+  try {
+    updateUserRole(id, isAdmin ? 1 : 0)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to update user role'
+    })
+  }
+})

server/utils/database.ts

@@ -21,6 +21,7 @@ export interface User {
   id?: number
   username: string
   password: string
+  is_admin: number
 }
 
 export function getDatabase() {
@@ -49,7 +50,8 @@ export function getDatabase() {
       CREATE TABLE IF NOT EXISTS users (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
         username TEXT UNIQUE NOT NULL,
-        password TEXT NOT NULL
+        password TEXT NOT NULL,
+        is_admin INTEGER DEFAULT 0
       )
     `)
     
@@ -63,7 +65,7 @@ export function getDatabase() {
       // Hash the password before storing
       const saltRounds = 10
       const hashedPassword = bcrypt.hashSync(adminPassword, saltRounds)
-      db.prepare('INSERT INTO users (username, password) VALUES (?, ?)').run(adminUsername, hashedPassword)
+      db.prepare('INSERT INTO users (username, password, is_admin) VALUES (?, ?, 1)').run(adminUsername, hashedPassword)
     }
   }
   
@@ -117,3 +119,32 @@ export function getUserByUsername(username: string) {
   const db = getDatabase()
   return db.prepare('SELECT * FROM users WHERE username = ?').get(username) as User | undefined
 }
+
+export function createUser(username: string, password: string) {
+  const db = getDatabase()
+  const saltRounds = 10
+  const hashedPassword = bcrypt.hashSync(password, saltRounds)
+  return db.prepare('INSERT INTO users (username, password, is_admin) VALUES (?, ?, 0)').run(username, hashedPassword)
+}
+
+export function getAllUsers() {
+  const db = getDatabase()
+  return db.prepare('SELECT id, username, is_admin FROM users ORDER BY username').all() as Omit<User, 'password'>[]
+}
+
+export function deleteUser(id: number) {
+  const db = getDatabase()
+  return db.prepare('DELETE FROM users WHERE id = ?').run(id)
+}
+
+export function updateUserRole(id: number, isAdmin: number) {
+  const db = getDatabase()
+  return db.prepare('UPDATE users SET is_admin = ? WHERE id = ?').run(isAdmin, id)
+}
+
+export function resetUserPassword(id: number, newPassword: string) {
+  const db = getDatabase()
+  const saltRounds = 10
+  const hashedPassword = bcrypt.hashSync(newPassword, saltRounds)
+  return db.prepare('UPDATE users SET password = ? WHERE id = ?').run(hashedPassword, id)
+}