User creation and management

2025-10-06 17:04:34 -04:00
parent dfa857c131
commit a50791e74c
10 changed files with 720 additions and 17 deletions
--- a/server/api/users/delete/[id].delete.ts
+++ b/server/api/users/delete/[id].delete.ts
@@ -0,0 +1,49 @@
+import { deleteUser, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  // Prevent deleting yourself
+  if (user.id === id) {
+    throw createError({
+      statusCode: 400,
+      message: 'Cannot delete your own account'
+    })
+  }
+
+  try {
+    deleteUser(id)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to delete user'
+    })
+  }
+})
--- a/server/api/users/index.get.ts
+++ b/server/api/users/index.get.ts
@@ -0,0 +1,26 @@
+import { getAllUsers } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+import { getUserByUsername } from '~/server/utils/database'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const users = getAllUsers()
+  return users
+})
--- a/server/api/users/password/[id].put.ts
+++ b/server/api/users/password/[id].put.ts
@@ -0,0 +1,79 @@
+import { resetUserPassword, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  const body = await readBody(event)
+  const { newPassword } = body
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  if (!newPassword || typeof newPassword !== 'string') {
+    throw createError({
+      statusCode: 400,
+      message: 'New password is required'
+    })
+  }
+
+  // Validate password strength
+  if (newPassword.length < 8) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must be at least 8 characters long'
+    })
+  }
+
+  if (!/[A-Z]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one uppercase letter'
+    })
+  }
+
+  if (!/[a-z]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one lowercase letter'
+    })
+  }
+
+  if (!/[0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(newPassword)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Password must contain at least one number or symbol'
+    })
+  }
+
+  try {
+    resetUserPassword(id, newPassword)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to reset password'
+    })
+  }
+})
--- a/server/api/users/role/[id].put.ts
+++ b/server/api/users/role/[id].put.ts
@@ -0,0 +1,58 @@
+import { updateUserRole, getUserByUsername } from '~/server/utils/database'
+import { getAuthCookie } from '~/server/utils/auth'
+
+export default defineEventHandler(async (event) => {
+  const username = getAuthCookie(event)
+  
+  if (!username) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized'
+    })
+  }
+
+  const user = getUserByUsername(username)
+  
+  if (!user || user.is_admin !== 1) {
+    throw createError({
+      statusCode: 403,
+      message: 'Forbidden - Admin access required'
+    })
+  }
+
+  const id = parseInt(event.context.params?.id || '')
+  const body = await readBody(event)
+  const { isAdmin } = body
+  
+  if (isNaN(id)) {
+    throw createError({
+      statusCode: 400,
+      message: 'Invalid user ID'
+    })
+  }
+
+  if (typeof isAdmin !== 'boolean') {
+    throw createError({
+      statusCode: 400,
+      message: 'isAdmin must be a boolean'
+    })
+  }
+
+  // Prevent changing your own role
+  if (user.id === id) {
+    throw createError({
+      statusCode: 400,
+      message: 'Cannot change your own role'
+    })
+  }
+
+  try {
+    updateUserRole(id, isAdmin ? 1 : 0)
+    return { success: true }
+  } catch (error) {
+    throw createError({
+      statusCode: 500,
+      message: 'Failed to update user role'
+    })
+  }
+})