use uuid

2026-02-04 04:37:11 +01:00 · 2022-10-31 23:42:37 -07:00 · 2022-10-31 23:42:37 -07:00 · 17041efaae
commit 17041efaae
parent 246e4e5f4f
73 changed files with 491 additions and 874 deletions
--- a/pages/api/users/[id]/index.js
+++ b/pages/api/users/[id]/index.js
@ -0,0 +1,66 @@
+import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { getUser, deleteUser, updateUser } from 'queries';
+import { useAuth } from 'lib/middleware';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { isAdmin, userId } = req.auth;
+  const { id } = req.query;
+
+  if (req.method === 'GET') {
+    if (id !== userId && !isAdmin) {
+      return unauthorized(res);
+    }
+
+    const user = await getUser({ id });
+
+    return ok(res, user);
+  }
+
+  if (req.method === 'POST') {
+    const { username, password } = req.body;
+
+    if (id !== userId && !isAdmin) {
+      return unauthorized(res);
+    }
+
+    const user = await getUser({ id });
+
+    const data = {};
+
+    if (password) {
+      data.password = hashPassword(password);
+    }
+
+    // Only admin can change these fields
+    if (isAdmin) {
+      data.username = username;
+    }
+
+    // Check when username changes
+    if (data.username && user.username !== data.username) {
+      const userByUsername = await getUser({ username });
+
+      if (userByUsername) {
+        return badRequest(res, 'User already exists');
+      }
+    }
+
+    const updated = await updateUser(data, { id });
+
+    return ok(res, updated);
+  }
+
+  if (req.method === 'DELETE') {
+    if (!isAdmin) {
+      return unauthorized(res);
+    }
+
+    await deleteUser(id);
+
+    return ok(res);
+  }
+
+  return methodNotAllowed(res);
+};
--- a/pages/api/users/[id]/password.js
+++ b/pages/api/users/[id]/password.js
@ -0,0 +1,39 @@
+import { getUser, updateUser } from 'queries';
+import { useAuth } from 'lib/middleware';
+import {
+  badRequest,
+  methodNotAllowed,
+  ok,
+  unauthorized,
+  checkPassword,
+  hashPassword,
+} from 'next-basics';
+import { allowQuery } from 'lib/auth';
+import { TYPE_ACCOUNT } from 'lib/constants';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { current_password, new_password } = req.body;
+  const { id } = req.query;
+
+  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+    return unauthorized(res);
+  }
+
+  if (req.method === 'POST') {
+    const user = await getUser({ id });
+
+    if (!checkPassword(current_password, user.password)) {
+      return badRequest(res, 'Current password is incorrect');
+    }
+
+    const password = hashPassword(new_password);
+
+    const updated = await updateUser({ password }, { id });
+
+    return ok(res, updated);
+  }
+
+  return methodNotAllowed(res);
+};