User creation and management

server/api/auth/register.post.ts

@@ -0,0 +1,78 @@
+import { createUser, getUserByUsername } from '~/server/utils/database'
+import { setAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  const { username, password } = body
+
+  if (!username || !password) {
+    throw createError({
+      statusCode: 400,
+      message: 'Username and password are required'
+    })
+  }
+
+  // Validate username format
+  if (username.length < 3) {
+    throw createError({
+      statusCode: 400,
+      message: 'Username must be at least 3 characters long'
+    })
+  }
+
+  // Validate password strength
+  if (password.length < 8) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must be at least 8 characters long'
+    })
+  }
+
+  if (!/[A-Z]/.test(password)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one uppercase letter'
+    })
+  }
+
+  if (!/[a-z]/.test(password)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one lowercase letter'
+    })
+  }
+
+  if (!/[0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one number or symbol'
+    })
+  }
+
+  // Check if user already exists
+  const existingUser = getUserByUsername(username.toLowerCase())
+  if (existingUser) {
+    throw createError({
+      statusCode: 409,
+      message: 'Username already exists'
+    })
+  }
+
+  try {
+    // Create the new user
+    createUser(username.toLowerCase(), password)
+    
+    // Log them in automatically
+    setAuthCookie(event, username.toLowerCase())
+
+    return {
+      success: true,
+      username: username.toLowerCase()
+    }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to create user account'
+    })
+  }
+})

server/api/auth/verify.get.ts

@@ -1,9 +1,21 @@
-import { isAuthenticated } from '~/server/utils/auth'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getUserByUsername } from '~/server/utils/database'
 
 export default defineEventHandler(async (event) => {
-  const authenticated = isAuthenticated(event)
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    return {
+      authenticated: false,
+      isAdmin: false
+    }
+  }
+
+  const user = getUserByUsername(username)
   
   return {
-    authenticated
+    authenticated: true,
+    username: user?.username,
+    isAdmin: user?.is_admin === 1
   }
 })

server/api/users/delete/[id].delete.ts

@@ -0,0 +1,49 @@
+import { deleteUser, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  // Prevent deleting yourself
+  if (user.id === id) {
+    throw createError({
+      statusCode: 400,
+      message: 'Cannot delete your own account'
+    })
+  }
+
+  try {
+    deleteUser(id)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to delete user'
+    })
+  }
+})

server/api/users/index.get.ts

@@ -0,0 +1,26 @@
+import { getAllUsers } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getUserByUsername } from '~/server/utils/database'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const users = getAllUsers()
+  return users
+})

server/api/users/password/[id].put.ts

@@ -0,0 +1,79 @@
+import { resetUserPassword, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  const body = await readBody(event)
+  const { newPassword } = body
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  if (!newPassword || typeof newPassword !== 'string') {
+    throw createError({
+      statusCode: 400,
+      message: 'New password is required'
+    })
+  }
+
+  // Validate password strength
+  if (newPassword.length < 8) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must be at least 8 characters long'
+    })
+  }
+
+  if (!/[A-Z]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one uppercase letter'
+    })
+  }
+
+  if (!/[a-z]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one lowercase letter'
+    })
+  }
+
+  if (!/[0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one number or symbol'
+    })
+  }
+
+  try {
+    resetUserPassword(id, newPassword)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to reset password'
+    })
+  }
+})

server/api/users/role/[id].put.ts

@@ -0,0 +1,58 @@
+import { updateUserRole, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  const body = await readBody(event)
+  const { isAdmin } = body
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  if (typeof isAdmin !== 'boolean') {
+    throw createError({
+      statusCode: 400,
+      message: 'isAdmin must be a boolean'
+    })
+  }
+
+  // Prevent changing your own role
+  if (user.id === id) {
+    throw createError({
+      statusCode: 400,
+      message: 'Cannot change your own role'
+    })
+  }
+
+  try {
+    updateUserRole(id, isAdmin ? 1 : 0)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to update user role'
+    })
+  }
+})