mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-15 04:43:36 +00:00
d1a8dcf3c6
* chore(deps-dev): bump the dev-minor-updates group across 1 directory with 12 updates (#910) Bumps the dev-minor-updates group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@radix-ui/react-select](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/select) | `2.2.6` | `2.3.1` | | [@radix-ui/react-slider](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slider) | `1.3.6` | `1.4.1` | | [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.5` | `1.3.0` | | [@radix-ui/react-switch](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/switch) | `1.2.6` | `1.3.1` | | [cytoscape](https://github.com/cytoscape/cytoscape.js) | `3.33.4` | `3.34.0` | | [electron](https://github.com/electron/electron) | `42.2.0` | `42.4.1` | | [electron-builder](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-builder) | `26.8.1` | `26.15.3` | | [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.16.0` | `1.20.0` | | [radix-ui](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radix-ui) | `1.4.3` | `1.6.0` | | [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.76.1` | `7.79.0` | | [sharp](https://github.com/lovell/sharp) | `0.34.5` | `0.35.1` | | [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.60.0` | `8.61.1` | Updates `@radix-ui/react-select` from 2.2.6 to 2.3.1 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/select/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/select) Updates `@radix-ui/react-slider` from 1.3.6 to 1.4.1 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slider/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slider) Updates `@radix-ui/react-slot` from 1.2.5 to 1.3.0 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot) Updates `@radix-ui/react-switch` from 1.2.6 to 1.3.1 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/switch/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/switch) Updates `cytoscape` from 3.33.4 to 3.34.0 - [Release notes](https://github.com/cytoscape/cytoscape.js/releases) - [Commits](https://github.com/cytoscape/cytoscape.js/compare/v3.33.4...v3.34.0) Updates `electron` from 42.2.0 to 42.4.1 - [Release notes](https://github.com/electron/electron/releases) - [Commits](https://github.com/electron/electron/compare/v42.2.0...v42.4.1) Updates `electron-builder` from 26.8.1 to 26.15.3 - [Release notes](https://github.com/electron-userland/electron-builder/releases) - [Changelog](https://github.com/electron-userland/electron-builder/blob/master/packages/electron-builder/CHANGELOG.md) - [Commits](https://github.com/electron-userland/electron-builder/commits/electron-builder@26.15.3/packages/electron-builder) Updates `lucide-react` from 1.16.0 to 1.20.0 - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/1.20.0/packages/lucide-react) Updates `radix-ui` from 1.4.3 to 1.6.0 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radix-ui/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radix-ui) Updates `react-hook-form` from 7.76.1 to 7.79.0 - [Release notes](https://github.com/react-hook-form/react-hook-form/releases) - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md) - [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.76.1...v7.79.0) Updates `sharp` from 0.34.5 to 0.35.1 - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](https://github.com/lovell/sharp/compare/v0.34.5...v0.35.1) Updates `typescript-eslint` from 8.60.0 to 8.61.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@radix-ui/react-select" dependency-version: 2.3.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: "@radix-ui/react-slider" dependency-version: 1.4.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: "@radix-ui/react-slot" dependency-version: 1.3.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: "@radix-ui/react-switch" dependency-version: 1.3.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: cytoscape dependency-version: 3.34.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: electron dependency-version: 42.4.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: electron-builder dependency-version: 26.15.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: lucide-react dependency-version: 1.18.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: radix-ui dependency-version: 1.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: react-hook-form dependency-version: 7.79.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: sharp dependency-version: 0.35.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates - dependency-name: typescript-eslint dependency-version: 8.61.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump node in /docker in the docker-major-updates group (#914) Bumps the docker-major-updates group in /docker with 1 update: node. Updates `node` from 24-slim to 26-slim --- updated-dependencies: - dependency-name: node dependency-version: 26-slim dependency-type: direct:production dependency-group: docker-major-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump the github-actions group with 2 updates (#915) Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-node](https://github.com/actions/setup-node). Updates `actions/checkout` from 5 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) Updates `actions/setup-node` from 4 to 6 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the prod-minor-updates group across 1 directory with 5 updates (#916) Bumps the prod-minor-updates group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [axios](https://github.com/axios/axios) | `1.17.0` | `1.18.0` | | [better-sqlite3](https://github.com/WiseLibs/better-sqlite3) | `12.10.0` | `12.11.1` | | [body-parser](https://github.com/expressjs/body-parser) | `2.2.2` | `2.3.0` | | [multer](https://github.com/expressjs/multer) | `2.1.1` | `2.2.0` | | [undici](https://github.com/nodejs/undici) | `8.4.0` | `8.5.0` | Updates `axios` from 1.17.0 to 1.18.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v1.17.0...v1.18.0) Updates `better-sqlite3` from 12.10.0 to 12.11.1 - [Release notes](https://github.com/WiseLibs/better-sqlite3/releases) - [Commits](https://github.com/WiseLibs/better-sqlite3/compare/v12.10.0...v12.11.1) Updates `body-parser` from 2.2.2 to 2.3.0 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](https://github.com/expressjs/body-parser/compare/v2.2.2...v2.3.0) Updates `multer` from 2.1.1 to 2.2.0 - [Release notes](https://github.com/expressjs/multer/releases) - [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md) - [Commits](https://github.com/expressjs/multer/compare/v2.1.1...v2.2.0) Updates `undici` from 8.4.0 to 8.5.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v8.4.0...v8.5.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: better-sqlite3 dependency-version: 12.11.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: body-parser dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: multer dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: undici dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add unlink button for dual auth * fix: general bug fixes * fix: general qol/small feature additions * fix: 100mb max upload size * fix: terminal syntax not handling carriage returns or shell prompt lines properly * feat: continued general improvements * fix: terminal outputting success right after folder path * chore: update release notes * feat: continued fixes and improvements * chore: lint, format, and bump version to 2.4.1 * chore: sync Crowdin translations for 2.4.1 * fix: rebase dev branch onto main before Crowdin download * fix: use merge instead of rebase to sync main before Crowdin --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
600 lines
17 KiB
TypeScript
600 lines
17 KiB
TypeScript
import type { AuthenticatedRequest } from "../../../types/index.js";
|
|
import type { RequestHandler, Router } from "express";
|
|
import { eq, and } from "drizzle-orm";
|
|
import { authLogger } from "../../utils/logger.js";
|
|
import { db } from "../db/index.js";
|
|
import { users, roles, userRoles } from "../db/schema.js";
|
|
import { logAudit, getRequestMeta } from "../../utils/audit-logger.js";
|
|
import bcrypt from "bcryptjs";
|
|
import { nanoid } from "nanoid";
|
|
import { AuthManager } from "../../utils/auth-manager.js";
|
|
|
|
function isNonEmptyString(val: unknown): val is string {
|
|
return typeof val === "string" && val.trim().length > 0;
|
|
}
|
|
|
|
export function registerUserAdminRoutes(
|
|
router: Router,
|
|
authenticateJWT: RequestHandler,
|
|
): void {
|
|
/**
|
|
* @openapi
|
|
* /users/list:
|
|
* get:
|
|
* summary: List all users
|
|
* description: Retrieves a list of all users in the system.
|
|
* tags:
|
|
* - Users
|
|
* responses:
|
|
* 200:
|
|
* description: A list of users.
|
|
* 403:
|
|
* description: Not authorized.
|
|
* 500:
|
|
* description: Failed to list users.
|
|
*/
|
|
router.get("/list", authenticateJWT, async (req, res) => {
|
|
try {
|
|
const allUsers = await db
|
|
.select({
|
|
id: users.id,
|
|
username: users.username,
|
|
isAdmin: users.isAdmin,
|
|
isOidc: users.isOidc,
|
|
passwordHash: users.passwordHash,
|
|
})
|
|
.from(users);
|
|
|
|
res.json({
|
|
users: allUsers.map((u) => ({
|
|
userId: u.id,
|
|
username: u.username,
|
|
is_admin: u.isAdmin,
|
|
is_oidc: u.isOidc,
|
|
password_hash: u.passwordHash ? "set" : null,
|
|
})),
|
|
});
|
|
} catch (err) {
|
|
authLogger.error("Failed to list users", err);
|
|
res.status(500).json({ error: "Failed to list users" });
|
|
}
|
|
});
|
|
|
|
/**
|
|
* @openapi
|
|
* /users/make-admin:
|
|
* post:
|
|
* summary: Make user admin
|
|
* description: Grants admin privileges to a user.
|
|
* tags:
|
|
* - Users
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* type: object
|
|
* properties:
|
|
* userId:
|
|
* type: string
|
|
* description: Preferred unique user identifier.
|
|
* username:
|
|
* type: string
|
|
* description: Legacy fallback identifier.
|
|
* responses:
|
|
* 200:
|
|
* description: User is now an admin.
|
|
* 400:
|
|
* description: User ID or username is required, or the user is already an admin.
|
|
* 403:
|
|
* description: Not authorized.
|
|
* 404:
|
|
* description: User not found.
|
|
* 500:
|
|
* description: Failed to make user admin.
|
|
*/
|
|
router.post("/make-admin", authenticateJWT, async (req, res) => {
|
|
const userId = (req as AuthenticatedRequest).userId;
|
|
const { userId: targetUserId, username } = req.body;
|
|
const resolvedUserId = isNonEmptyString(targetUserId)
|
|
? targetUserId.trim()
|
|
: null;
|
|
const resolvedUsername = isNonEmptyString(username)
|
|
? username.trim()
|
|
: null;
|
|
|
|
if (!resolvedUserId && !resolvedUsername) {
|
|
return res.status(400).json({ error: "User ID or username is required" });
|
|
}
|
|
|
|
try {
|
|
const adminUser = await db
|
|
.select()
|
|
.from(users)
|
|
.where(eq(users.id, userId));
|
|
if (!adminUser || adminUser.length === 0 || !adminUser[0].isAdmin) {
|
|
return res.status(403).json({ error: "Not authorized" });
|
|
}
|
|
|
|
const targetUser = await db
|
|
.select()
|
|
.from(users)
|
|
.where(
|
|
resolvedUserId
|
|
? eq(users.id, resolvedUserId)
|
|
: eq(users.username, resolvedUsername!),
|
|
)
|
|
.limit(1);
|
|
if (!targetUser || targetUser.length === 0) {
|
|
return res.status(404).json({ error: "User not found" });
|
|
}
|
|
|
|
if (targetUser[0].isAdmin) {
|
|
return res.status(400).json({ error: "User is already an admin" });
|
|
}
|
|
|
|
await db
|
|
.update(users)
|
|
.set({ isAdmin: true })
|
|
.where(
|
|
resolvedUserId
|
|
? eq(users.id, resolvedUserId)
|
|
: eq(users.username, resolvedUsername!),
|
|
);
|
|
|
|
try {
|
|
const targetId = targetUser[0].id;
|
|
const adminRole = await db
|
|
.select({ id: roles.id })
|
|
.from(roles)
|
|
.where(eq(roles.name, "admin"))
|
|
.limit(1);
|
|
const userRole = await db
|
|
.select({ id: roles.id })
|
|
.from(roles)
|
|
.where(eq(roles.name, "user"))
|
|
.limit(1);
|
|
if (adminRole.length > 0) {
|
|
await db
|
|
.delete(userRoles)
|
|
.where(
|
|
and(
|
|
eq(userRoles.userId, targetId),
|
|
eq(userRoles.roleId, adminRole[0].id),
|
|
),
|
|
);
|
|
await db.insert(userRoles).values({
|
|
userId: targetId,
|
|
roleId: adminRole[0].id,
|
|
grantedBy: userId,
|
|
});
|
|
}
|
|
if (userRole.length > 0) {
|
|
await db
|
|
.delete(userRoles)
|
|
.where(
|
|
and(
|
|
eq(userRoles.userId, targetId),
|
|
eq(userRoles.roleId, userRole[0].id),
|
|
),
|
|
);
|
|
}
|
|
} catch (roleError) {
|
|
authLogger.error("Failed to sync admin role on make-admin", roleError, {
|
|
operation: "make_admin_role_sync",
|
|
userId: targetUser[0].id,
|
|
});
|
|
}
|
|
|
|
try {
|
|
const { saveMemoryDatabaseToFile } = await import("../db/index.js");
|
|
await saveMemoryDatabaseToFile();
|
|
} catch (saveError) {
|
|
authLogger.error(
|
|
"Failed to persist admin promotion to disk",
|
|
saveError,
|
|
{
|
|
operation: "make_admin_save_failed",
|
|
userId: targetUser[0].id,
|
|
username: targetUser[0].username,
|
|
},
|
|
);
|
|
}
|
|
|
|
authLogger.info("Admin privileges granted", {
|
|
operation: "admin_grant",
|
|
adminId: userId,
|
|
targetUserId: targetUser[0].id,
|
|
targetUsername: targetUser[0].username,
|
|
});
|
|
|
|
const { ipAddress, userAgent } = getRequestMeta(req);
|
|
const adminUserRecord = await db
|
|
.select({ username: users.username })
|
|
.from(users)
|
|
.where(eq(users.id, userId))
|
|
.limit(1);
|
|
await logAudit({
|
|
userId,
|
|
username: adminUserRecord[0]?.username ?? userId,
|
|
action: "make_admin",
|
|
resourceType: "user",
|
|
resourceId: targetUser[0].id,
|
|
resourceName: targetUser[0].username,
|
|
ipAddress,
|
|
userAgent,
|
|
success: true,
|
|
});
|
|
|
|
res.json({ message: `User ${targetUser[0].username} is now an admin` });
|
|
} catch (err) {
|
|
authLogger.error("Failed to make user admin", err);
|
|
res.status(500).json({ error: "Failed to make user admin" });
|
|
}
|
|
});
|
|
|
|
/**
|
|
* @openapi
|
|
* /users/remove-admin:
|
|
* post:
|
|
* summary: Remove admin status
|
|
* description: Revokes admin privileges from a user.
|
|
* tags:
|
|
* - Users
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* type: object
|
|
* properties:
|
|
* userId:
|
|
* type: string
|
|
* description: Preferred unique user identifier.
|
|
* username:
|
|
* type: string
|
|
* description: Legacy fallback identifier.
|
|
* responses:
|
|
* 200:
|
|
* description: Admin status removed from user.
|
|
* 400:
|
|
* description: User ID or username is required, or cannot remove your own admin status.
|
|
* 403:
|
|
* description: Not authorized.
|
|
* 404:
|
|
* description: User not found.
|
|
* 500:
|
|
* description: Failed to remove admin status.
|
|
*/
|
|
router.post("/remove-admin", authenticateJWT, async (req, res) => {
|
|
const userId = (req as AuthenticatedRequest).userId;
|
|
const { userId: targetUserId, username } = req.body;
|
|
const resolvedUserId = isNonEmptyString(targetUserId)
|
|
? targetUserId.trim()
|
|
: null;
|
|
const resolvedUsername = isNonEmptyString(username)
|
|
? username.trim()
|
|
: null;
|
|
|
|
if (!resolvedUserId && !resolvedUsername) {
|
|
return res.status(400).json({ error: "User ID or username is required" });
|
|
}
|
|
|
|
try {
|
|
const adminUser = await db
|
|
.select()
|
|
.from(users)
|
|
.where(eq(users.id, userId));
|
|
if (!adminUser || adminUser.length === 0 || !adminUser[0].isAdmin) {
|
|
return res.status(403).json({ error: "Not authorized" });
|
|
}
|
|
|
|
if (
|
|
(resolvedUserId && adminUser[0].id === resolvedUserId) ||
|
|
(resolvedUsername && adminUser[0].username === resolvedUsername)
|
|
) {
|
|
return res
|
|
.status(400)
|
|
.json({ error: "Cannot remove your own admin status" });
|
|
}
|
|
|
|
const targetUser = await db
|
|
.select()
|
|
.from(users)
|
|
.where(
|
|
resolvedUserId
|
|
? eq(users.id, resolvedUserId)
|
|
: eq(users.username, resolvedUsername!),
|
|
)
|
|
.limit(1);
|
|
if (!targetUser || targetUser.length === 0) {
|
|
return res.status(404).json({ error: "User not found" });
|
|
}
|
|
|
|
if (!targetUser[0].isAdmin) {
|
|
return res.status(400).json({ error: "User is not an admin" });
|
|
}
|
|
|
|
await db
|
|
.update(users)
|
|
.set({ isAdmin: false })
|
|
.where(
|
|
resolvedUserId
|
|
? eq(users.id, resolvedUserId)
|
|
: eq(users.username, resolvedUsername!),
|
|
);
|
|
|
|
try {
|
|
const targetId = targetUser[0].id;
|
|
const adminRole = await db
|
|
.select({ id: roles.id })
|
|
.from(roles)
|
|
.where(eq(roles.name, "admin"))
|
|
.limit(1);
|
|
const userRole = await db
|
|
.select({ id: roles.id })
|
|
.from(roles)
|
|
.where(eq(roles.name, "user"))
|
|
.limit(1);
|
|
if (adminRole.length > 0) {
|
|
await db
|
|
.delete(userRoles)
|
|
.where(
|
|
and(
|
|
eq(userRoles.userId, targetId),
|
|
eq(userRoles.roleId, adminRole[0].id),
|
|
),
|
|
);
|
|
}
|
|
if (userRole.length > 0) {
|
|
await db
|
|
.delete(userRoles)
|
|
.where(
|
|
and(
|
|
eq(userRoles.userId, targetId),
|
|
eq(userRoles.roleId, userRole[0].id),
|
|
),
|
|
);
|
|
await db.insert(userRoles).values({
|
|
userId: targetId,
|
|
roleId: userRole[0].id,
|
|
grantedBy: userId,
|
|
});
|
|
}
|
|
} catch (roleError) {
|
|
authLogger.error(
|
|
"Failed to sync user role on remove-admin",
|
|
roleError,
|
|
{
|
|
operation: "remove_admin_role_sync",
|
|
userId: targetUser[0].id,
|
|
},
|
|
);
|
|
}
|
|
|
|
try {
|
|
const { saveMemoryDatabaseToFile } = await import("../db/index.js");
|
|
await saveMemoryDatabaseToFile();
|
|
} catch (saveError) {
|
|
authLogger.error("Failed to persist admin removal to disk", saveError, {
|
|
operation: "remove_admin_save_failed",
|
|
userId: targetUser[0].id,
|
|
username: targetUser[0].username,
|
|
});
|
|
}
|
|
|
|
authLogger.info("Admin privileges revoked", {
|
|
operation: "admin_revoke",
|
|
adminId: userId,
|
|
targetUserId: targetUser[0].id,
|
|
targetUsername: targetUser[0].username,
|
|
});
|
|
|
|
const { ipAddress, userAgent } = getRequestMeta(req);
|
|
const adminUserRecord = await db
|
|
.select({ username: users.username })
|
|
.from(users)
|
|
.where(eq(users.id, userId))
|
|
.limit(1);
|
|
await logAudit({
|
|
userId,
|
|
username: adminUserRecord[0]?.username ?? userId,
|
|
action: "remove_admin",
|
|
resourceType: "user",
|
|
resourceId: targetUser[0].id,
|
|
resourceName: targetUser[0].username,
|
|
ipAddress,
|
|
userAgent,
|
|
success: true,
|
|
});
|
|
|
|
res.json({
|
|
message: `Admin status removed from ${targetUser[0].username}`,
|
|
});
|
|
} catch (err) {
|
|
authLogger.error("Failed to remove admin status", err);
|
|
res.status(500).json({ error: "Failed to remove admin status" });
|
|
}
|
|
});
|
|
|
|
/**
|
|
* @openapi
|
|
* /users/admin-create:
|
|
* post:
|
|
* summary: Admin create user
|
|
* description: Allows an admin to create a new user regardless of whether public registration is enabled.
|
|
* tags:
|
|
* - Users
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* type: object
|
|
* properties:
|
|
* username:
|
|
* type: string
|
|
* password:
|
|
* type: string
|
|
* responses:
|
|
* 200:
|
|
* description: User created successfully.
|
|
* 400:
|
|
* description: Username and password are required.
|
|
* 403:
|
|
* description: Not authorized.
|
|
* 409:
|
|
* description: Username already exists.
|
|
* 500:
|
|
* description: Failed to create user.
|
|
*/
|
|
router.post("/admin-create", authenticateJWT, async (req, res) => {
|
|
const adminId = (req as AuthenticatedRequest).userId;
|
|
|
|
try {
|
|
const adminUser = await db
|
|
.select()
|
|
.from(users)
|
|
.where(eq(users.id, adminId));
|
|
if (!adminUser || adminUser.length === 0 || !adminUser[0].isAdmin) {
|
|
return res.status(403).json({ error: "Not authorized" });
|
|
}
|
|
} catch (err) {
|
|
authLogger.error("Failed to verify admin status", err);
|
|
return res.status(500).json({ error: "Failed to verify admin status" });
|
|
}
|
|
|
|
const { username, password } = req.body;
|
|
|
|
if (!isNonEmptyString(username) || !isNonEmptyString(password)) {
|
|
return res
|
|
.status(400)
|
|
.json({ error: "Username and password are required" });
|
|
}
|
|
|
|
try {
|
|
const existing = await db
|
|
.select()
|
|
.from(users)
|
|
.where(eq(users.username, username));
|
|
if (existing && existing.length > 0) {
|
|
return res.status(409).json({ error: "Username already exists" });
|
|
}
|
|
|
|
const password_hash = await bcrypt.hash(password, 10);
|
|
const id = nanoid();
|
|
|
|
db.$client.transaction(() => {
|
|
db.$client
|
|
.prepare(
|
|
"INSERT INTO users (id, username, password_hash, is_admin, is_oidc, client_id, client_secret, issuer_url, authorization_url, token_url, identifier_path, name_path, scopes, totp_secret, totp_enabled, totp_backup_codes) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
|
|
)
|
|
.run(
|
|
id,
|
|
username,
|
|
password_hash,
|
|
0,
|
|
0,
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"",
|
|
"openid email profile",
|
|
null,
|
|
0,
|
|
null,
|
|
);
|
|
})();
|
|
|
|
try {
|
|
const userRole = await db
|
|
.select({ id: roles.id })
|
|
.from(roles)
|
|
.where(eq(roles.name, "user"))
|
|
.limit(1);
|
|
if (userRole.length > 0) {
|
|
await db.insert(userRoles).values({
|
|
userId: id,
|
|
roleId: userRole[0].id,
|
|
grantedBy: adminId,
|
|
});
|
|
}
|
|
} catch (roleError) {
|
|
authLogger.error(
|
|
"Failed to assign default role during admin create",
|
|
roleError,
|
|
{
|
|
operation: "admin_create_user_role",
|
|
userId: id,
|
|
},
|
|
);
|
|
}
|
|
|
|
const authManager = AuthManager.getInstance();
|
|
try {
|
|
await authManager.registerUser(id, password);
|
|
} catch (encryptionError) {
|
|
await db.delete(users).where(eq(users.id, id));
|
|
authLogger.error(
|
|
"Failed to setup user encryption during admin create, rolled back",
|
|
encryptionError,
|
|
{ operation: "admin_create_user_encryption_failed", userId: id },
|
|
);
|
|
return res.status(500).json({
|
|
error: "Failed to setup user security - user creation cancelled",
|
|
});
|
|
}
|
|
|
|
try {
|
|
const { saveMemoryDatabaseToFile } = await import("../db/index.js");
|
|
await saveMemoryDatabaseToFile();
|
|
} catch (saveError) {
|
|
authLogger.error(
|
|
"Failed to persist admin-created user to disk",
|
|
saveError,
|
|
{
|
|
operation: "admin_create_user_save_failed",
|
|
userId: id,
|
|
},
|
|
);
|
|
}
|
|
|
|
authLogger.success("User created by admin", {
|
|
operation: "admin_create_user_success",
|
|
adminId,
|
|
userId: id,
|
|
username,
|
|
});
|
|
|
|
const { ipAddress, userAgent } = getRequestMeta(req);
|
|
const adminRecord = await db
|
|
.select({ username: users.username })
|
|
.from(users)
|
|
.where(eq(users.id, adminId))
|
|
.limit(1);
|
|
await logAudit({
|
|
userId: adminId,
|
|
username: adminRecord[0]?.username ?? adminId,
|
|
action: "create_user",
|
|
resourceType: "user",
|
|
resourceId: id,
|
|
resourceName: username,
|
|
ipAddress,
|
|
userAgent,
|
|
success: true,
|
|
});
|
|
|
|
res.json({
|
|
message: "User created",
|
|
toast: { type: "success", message: `User created: ${username}` },
|
|
});
|
|
} catch (err) {
|
|
authLogger.error("Failed to admin-create user", err);
|
|
res.status(500).json({ error: "Failed to create user" });
|
|
}
|
|
});
|
|
}
|