Account editing and change password.

2025-12-06 01:18:00 +01:00 · 2020-08-09 02:03:37 -07:00 · 2020-08-09 02:03:37 -07:00 · b392a51676
commit b392a51676
parent b5cf9f8719
23 changed files with 230 additions and 102 deletions
--- a/pages/api/account.js
+++ b/pages/api/account.js
@ -1,15 +1,15 @@
 import { getAccounts, getAccount, updateAccount, createAccount } from 'lib/db';
 import { useAuth } from 'lib/middleware';
 import { hashPassword, uuid } from 'lib/crypto';
-import { ok, unauthorized, methodNotAllowed } from 'lib/response';
+import { ok, unauthorized, methodNotAllowed, badRequest } from 'lib/response';

 export default async (req, res) => {
  await useAuth(req, res);

-  const { user_id: current_user_id, is_admin } = req.auth;
+  const { user_id: current_user_id, is_admin: current_user_is_admin } = req.auth;

  if (req.method === 'GET') {
-    if (is_admin) {
+    if (current_user_is_admin) {
      const accounts = await getAccounts();

      return ok(res, accounts);
@ -19,28 +19,47 @@ export default async (req, res) => {
  }

  if (req.method === 'POST') {
-    const { user_id, username, password } = req.body;
+    const { user_id, username, password, is_admin } = req.body;

    if (user_id) {
-      const account = getAccount({ user_id });
+      const account = await getAccount({ user_id });

-      if (account.user_id === current_user_id || is_admin) {
+      if (account.user_id === current_user_id || current_user_is_admin) {
        const data = { password: password ? await hashPassword(password) : undefined };

-        if (is_admin) {
-          data.username = username;
+        // Only admin can change these fields
+        if (current_user_is_admin) {
+          // Cannot change username of admin
+          if (username !== 'admin') {
+            data.username = username;
+          }
+          data.is_admin = is_admin;
        }

-        const updated = await updateAccount(user_id, { username, password });
+        if (data.username && account.username !== data.username) {
+          const accountByUsername = await getAccount({ username });
+
+          if (accountByUsername) {
+            return badRequest(res, 'Account already exists');
+          }
+        }
+
+        const updated = await updateAccount(user_id, data);

        return ok(res, updated);
      }

      return unauthorized(res);
    } else {
-      const account = await createAccount({ username, password: await hashPassword(password) });
+      const accountByUsername = await getAccount({ username });

-      return ok(res, account);
+      if (accountByUsername) {
+        return badRequest(res, 'Account already exists');
+      }
+
+      const created = await createAccount({ username, password: await hashPassword(password) });
+
+      return ok(res, created);
    }
  }

--- a/pages/api/account/[id].js
+++ b/pages/api/account/[id].js
@ -0,0 +1,33 @@
+import { getAccount, deleteAccount } from 'lib/db';
+import { useAuth } from 'lib/middleware';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { is_admin } = req.auth;
+  const { id } = req.query;
+  const user_id = +id;
+
+  if (req.method === 'GET') {
+    if (is_admin) {
+      const account = await getAccount({ user_id });
+
+      return ok(res, account);
+    }
+
+    return unauthorized(res);
+  }
+
+  if (req.method === 'DELETE') {
+    if (is_admin) {
+      await deleteAccount(user_id);
+
+      return ok(res);
+    }
+
+    return unauthorized(res);
+  }
+
+  return methodNotAllowed(res);
+};
--- a/pages/api/account/password.js
+++ b/pages/api/account/password.js
@ -0,0 +1,28 @@
+import { getAccount, updateAccount } from 'lib/db';
+import { useAuth } from 'lib/middleware';
+import { badRequest, methodNotAllowed, ok } from 'lib/response';
+import { checkPassword, hashPassword } from 'lib/crypto';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { user_id } = req.auth;
+  const { current_password, new_password } = req.body;
+
+  if (req.method === 'POST') {
+    const account = await getAccount({ user_id });
+    const valid = await checkPassword(current_password, account.password);
+
+    if (!valid) {
+      return badRequest(res, 'Current password is incorrect');
+    }
+
+    const password = await hashPassword(new_password);
+
+    const updated = await updateAccount(user_id, { password });
+
+    return ok(res, updated);
+  }
+
+  return methodNotAllowed(res);
+};
--- a/pages/api/auth/login.js
+++ b/pages/api/auth/login.js
@ -7,7 +7,7 @@ import { ok, unauthorized } from 'lib/response';
 export default async (req, res) => {
  const { username, password } = req.body;

-  const account = await getAccount(username);
+  const account = await getAccount({ username });

  if (account && (await checkPassword(password, account.password))) {
    const { user_id, username, is_admin } = account;