Merge branch 'dev' of https://github.com/umami-software/umami into dev

# Conflicts:
#	pages/api/account/index.js

pages/api/accounts/[id]/index.js

@@ -0,0 +1,68 @@
+import { badRequest, hashPassword, methodNotAllowed, ok, unauthorized } from 'next-basics';
+import { getAccountById, deleteAccount, getAccountByUsername, updateAccount } from 'queries';
+import { useAuth } from 'lib/middleware';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { is_admin: currentUserIsAdmin, user_id: currentUserId } = req.auth;
+  const { id } = req.query;
+  const userId = +id;
+
+  if (req.method === 'GET') {
+    if (userId !== currentUserId && !currentUserIsAdmin) {
+      return unauthorized(res);
+    }
+
+    const account = await getAccountById(userId);
+
+    return ok(res, account);
+  }
+
+  if (req.method === 'POST') {
+    const { username, password, is_admin } = req.body;
+
+    if (userId !== currentUserId && !currentUserIsAdmin) {
+      return unauthorized(res);
+    }
+
+    const account = await getAccountById(userId);
+
+    const data = {};
+
+    if (password) {
+      data.password = hashPassword(password);
+    }
+
+    // Only admin can change these fields
+    if (currentUserIsAdmin) {
+      data.username = username;
+      data.is_admin = is_admin;
+    }
+
+    // Check when username changes
+    if (data.username && account.username !== data.username) {
+      const accountByUsername = await getAccountByUsername(username);
+
+      if (accountByUsername) {
+        return badRequest(res, 'Account already exists');
+      }
+    }
+
+    const updated = await updateAccount(userId, data);
+
+    return ok(res, updated);
+  }
+
+  if (req.method === 'DELETE') {
+    if (!currentUserIsAdmin) {
+      return unauthorized(res);
+    }
+
+    await deleteAccount(userId);
+
+    return ok(res);
+  }
+
+  return methodNotAllowed(res);
+};

pages/api/accounts/[id]/password.js

@@ -0,0 +1,39 @@
+import { getAccountById, updateAccount } from 'queries';
+import { useAuth } from 'lib/middleware';
+import {
+  badRequest,
+  methodNotAllowed,
+  ok,
+  unauthorized,
+  checkPassword,
+  hashPassword,
+} from 'next-basics';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { user_id: currentUserId, is_admin: currentUserIsAdmin } = req.auth;
+  const { current_password, new_password } = req.body;
+  const { id } = req.query;
+  const userId = +id;
+
+  if (!currentUserIsAdmin && userId !== currentUserId) {
+    return unauthorized(res);
+  }
+
+  if (req.method === 'POST') {
+    const account = await getAccountById(userId);
+
+    if (!checkPassword(current_password, account.password)) {
+      return badRequest(res, 'Current password is incorrect');
+    }
+
+    const password = hashPassword(new_password);
+
+    const updated = await updateAccount(userId, { password });
+
+    return ok(res, updated);
+  }
+
+  return methodNotAllowed(res);
+};

pages/api/accounts/index.js

@@ -1,6 +1,7 @@
-import { getAccounts } from 'queries';
+import { ok, unauthorized, methodNotAllowed, badRequest, hashPassword } from 'next-basics';
 import { useAuth } from 'lib/middleware';
-import { ok, unauthorized, methodNotAllowed } from 'next-basics';
+import { uuid } from 'lib/crypto';
+import { createAccount, getAccountByUsername, getAccounts } from 'queries';
 
 export default async (req, res) => {
   await useAuth(req, res);
@@ -17,5 +18,29 @@ export default async (req, res) => {
     return ok(res, accounts);
   }
 
+  if (req.method === 'POST') {
+    await useAuth(req, res);
+
+    if (!req.auth.is_admin) {
+      return unauthorized(res);
+    }
+
+    const { username, password } = req.body;
+
+    const accountByUsername = await getAccountByUsername(username);
+
+    if (accountByUsername) {
+      return badRequest(res, 'Account already exists');
+    }
+
+    const created = await createAccount({
+      username,
+      password: hashPassword(password),
+      account_uuid: uuid(),
+    });
+
+    return ok(res, created);
+  }
+
   return methodNotAllowed(res);
 };