jason/mrp-qrcode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

phase 2 and 3

Browse Source
This commit is contained in:
jason
2026-04-21 08:56:51 -05:00
parent b98837a72c
commit d79aaf6ef8
42 changed files with 4962 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/v1/users/[id]/route.ts
+114
View File
@@ -0,0 +1,114 @@
import { type NextRequest } from "next/server";
import { prisma } from "@/lib/prisma";
import { ok, errorResponse, requireRole, parseJson, ApiError } from "@/lib/api";
import { UpdateUserSchema } from "@/lib/schemas";
import { hashPassword, hashPin } from "@/lib/password";
import { audit } from "@/lib/audit";
import { clientIp } from "@/lib/request";
export async function PATCH(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
try {
const actor = await requireRole("admin");
const { id } = await ctx.params;
const body = await parseJson(req, UpdateUserSchema);
const user = await prisma.user.findUnique({ where: { id } });
if (!user) throw new ApiError(404, "not_found", "User not found");
const data: Record<string, unknown> = {};
if (body.name !== undefined) data.name = body.name;
if (body.active !== undefined) data.active = body.active;
if (user.role === "admin") {
if (body.email) {
const dup = await prisma.user.findFirst({
where: { email: body.email, id: { not: id } },
});
if (dup) throw new ApiError(409, "duplicate", "Email already in use");
data.email = body.email;
}
if (body.password) data.passwordHash = await hashPassword(body.password);
if (body.pin) {
throw new ApiError(400, "invalid_field", "Admins don't have PINs");
}
} else {
if (body.email || body.password) {
throw new ApiError(400, "invalid_field", "Operators use PIN, not email/password");
}
if (body.pin) {
data.pinHash = await hashPin(body.pin);
data.failedAttempts = 0;
data.lockedUntil = null;
}
if (body.name && body.name !== user.name) {
const dup = await prisma.user.findFirst({
where: { role: "operator", name: body.name, id: { not: id } },
});
if (dup) throw new ApiError(409, "duplicate", "Operator name already in use");
}
}
const updated = await prisma.user.update({
where: { id },
data,
select: { id: true, role: true, name: true, email: true, active: true },
});
await audit({
actorId: actor.id,
action: "update",
entity: "User",
entityId: id,
after: {
changed: Object.keys(data).filter((k) => k !== "passwordHash" && k !== "pinHash"),
secretsChanged: "passwordHash" in data || "pinHash" in data,
},
ipAddress: clientIp(req),
});
return ok({ user: updated });
} catch (err) {
return errorResponse(err);
}
}
export async function DELETE(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
try {
const actor = await requireRole("admin");
const { id } = await ctx.params;
if (id === actor.id) {
throw new ApiError(400, "self_delete", "You cannot delete your own account");
}
const user = await prisma.user.findUnique({ where: { id } });
if (!user) throw new ApiError(404, "not_found", "User not found");
if (user.role === "admin") {
const otherAdmins = await prisma.user.count({
where: { role: "admin", active: true, id: { not: id } },
});
if (otherAdmins === 0) {
throw new ApiError(400, "last_admin", "Cannot remove the last active admin");
}
}
// soft-delete: deactivate and remove all sessions
await prisma.$transaction([
prisma.session.deleteMany({ where: { userId: id } }),
prisma.user.update({ where: { id }, data: { active: false } }),
]);
await audit({
actorId: actor.id,
action: "deactivate",
entity: "User",
entityId: id,
ipAddress: clientIp(req),
});
return ok({ ok: true });
} catch (err) {
return errorResponse(err);
}
}
app/api/v1/users/route.ts
+81
View File
@@ -0,0 +1,81 @@
import { type NextRequest } from "next/server";
import { prisma } from "@/lib/prisma";
import { ok, errorResponse, requireRole, parseJson, ApiError } from "@/lib/api";
import { CreateUserSchema } from "@/lib/schemas";
import { hashPassword, hashPin } from "@/lib/password";
import { audit } from "@/lib/audit";
import { clientIp } from "@/lib/request";
export async function GET() {
try {
await requireRole("admin");
const users = await prisma.user.findMany({
orderBy: [{ role: "asc" }, { name: "asc" }],
select: {
id: true,
role: true,
name: true,
email: true,
active: true,
lastLoginAt: true,
createdAt: true,
},
});
return ok({ users });
} catch (err) {
return errorResponse(err);
}
}
export async function POST(req: NextRequest) {
try {
const actor = await requireRole("admin");
const body = await parseJson(req, CreateUserSchema);
if (body.role === "admin") {
const existing = await prisma.user.findUnique({ where: { email: body.email } });
if (existing) throw new ApiError(409, "duplicate", "Email already in use");
const passwordHash = await hashPassword(body.password);
const created = await prisma.user.create({
data: { role: "admin", name: body.name, email: body.email, passwordHash },
select: { id: true, role: true, name: true, email: true, active: true, createdAt: true },
});
await audit({
actorId: actor.id,
action: "create",
entity: "User",
entityId: created.id,
after: { role: "admin", name: created.name, email: created.email },
ipAddress: clientIp(req),
});
return ok({ user: created }, { status: 201 });
}
// operator: name must be unique (case-insensitive) so login tile grid is unambiguous
const nameNorm = body.name.trim();
const dupe = await prisma.user.findFirst({
where: {
role: "operator",
name: { equals: nameNorm },
},
});
if (dupe) throw new ApiError(409, "duplicate", "Operator name already in use");
const pinHash = await hashPin(body.pin);
const created = await prisma.user.create({
data: { role: "operator", name: nameNorm, pinHash },
select: { id: true, role: true, name: true, email: true, active: true, createdAt: true },
});
await audit({
actorId: actor.id,
action: "create",
entity: "User",
entityId: created.id,
after: { role: "operator", name: created.name },
ipAddress: clientIp(req),
});
return ok({ user: created }, { status: 201 });
} catch (err) {
return errorResponse(err);
}
}