PTS/SkyArtShop
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
f3c1157d7ee92eccf6ee273fa120418285a40278
SkyArtShop/backend/routes/users.js

335 lines
8.4 KiB
JavaScript
Raw Normal View History

Fix admin route access and backend configuration - Added /admin redirect to login page in nginx config - Fixed backend server.js route ordering for proper admin handling - Updated authentication middleware and routes - Added user management routes - Configured PostgreSQL integration - Updated environment configuration
2025-12-13 22:34:11 -06:00
const express = require("express");
const bcrypt = require("bcrypt");
const { query } = require("../config/database");
const { requireAuth, requireRole } = require("../middleware/auth");
const router = express.Router();
// Require admin role for all routes
router.use(requireAuth);
router.use(requireRole("role-admin"));
// Get all users with roles
router.get("/", async (req, res) => {
try {
const result = await query(`
SELECT
u.id, u.username, u.email, u.role_id, u.isactive,
u.last_login, u.createdat, u.password_never_expires,
u.password_expires_at, u.last_password_change,
r.name as role_name, r.description as role_description
FROM adminusers u
LEFT JOIN roles r ON u.role_id = r.id
ORDER BY u.createdat DESC
`);
res.json({
success: true,
users: result.rows,
});
} catch (error) {
console.error("Get users error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
// Get all roles
router.get("/roles", async (req, res) => {
try {
const result = await query(`
SELECT id, name, description, permissions
FROM roles
ORDER BY name
`);
res.json({
success: true,
roles: result.rows,
});
} catch (error) {
console.error("Get roles error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
// Create new user
router.post("/", async (req, res) => {
try {
const { username, email, password, role_id, password_never_expires } =
req.body;
// Validate required fields
if (!username || !email || !password || !role_id) {
return res.status(400).json({
success: false,
message: "Username, email, password, and role are required",
});
}
// Check if user already exists
const existing = await query("SELECT id FROM adminusers WHERE email = $1", [
email,
]);
if (existing.rows.length > 0) {
return res.status(400).json({
success: false,
message: "User with this email already exists",
});
}
// Hash password
const hashedPassword = await bcrypt.hash(password, 10);
// Calculate password expiry (90 days from now if not never expires)
let passwordExpiresAt = null;
if (!password_never_expires) {
const expiryDate = new Date();
expiryDate.setDate(expiryDate.getDate() + 90);
passwordExpiresAt = expiryDate.toISOString();
}
// Insert new user
const result = await query(
`
INSERT INTO adminusers (
id, username, email, passwordhash, role_id,
password_never_expires, password_expires_at,
isactive, created_by, createdat, last_password_change
) VALUES (
'user-' || gen_random_uuid()::text,
$1, $2, $3, $4, $5, $6, true, $7, NOW(), NOW()
)
RETURNING id, username, email, role_id, isactive, createdat
`,
[
username,
email,
hashedPassword,
role_id,
password_never_expires || false,
passwordExpiresAt,
req.session.user.email,
]
);
res.json({
success: true,
message: "User created successfully",
user: result.rows[0],
});
} catch (error) {
console.error("Create user error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
// Update user
router.put("/:id", async (req, res) => {
try {
const { id } = req.params;
const { username, email, role_id, isactive, password_never_expires } =
req.body;
// Build update query dynamically
const updates = [];
const values = [];
let paramCount = 1;
if (username !== undefined) {
updates.push(`username = $${paramCount++}`);
values.push(username);
}
if (email !== undefined) {
updates.push(`email = $${paramCount++}`);
values.push(email);
}
if (role_id !== undefined) {
updates.push(`role_id = $${paramCount++}`);
values.push(role_id);
}
if (isactive !== undefined) {
updates.push(`isactive = $${paramCount++}`);
values.push(isactive);
}
if (password_never_expires !== undefined) {
updates.push(`password_never_expires = $${paramCount++}`);
values.push(password_never_expires);
// If setting to never expire, clear expiry date
if (password_never_expires) {
updates.push(`password_expires_at = NULL`);
}
}
updates.push(`updated_at = NOW()`);
values.push(id);
const result = await query(
`
UPDATE adminusers
SET ${updates.join(", ")}
WHERE id = $${paramCount}
RETURNING id, username, email, role_id, isactive, password_never_expires
`,
values
);
if (result.rows.length === 0) {
return res.status(404).json({
success: false,
message: "User not found",
});
}
res.json({
success: true,
message: "User updated successfully",
user: result.rows[0],
});
} catch (error) {
console.error("Update user error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
// Reset user password
router.post("/:id/reset-password", async (req, res) => {
try {
const { id } = req.params;
const { new_password } = req.body;
if (!new_password || new_password.length < 6) {
return res.status(400).json({
success: false,
message: "Password must be at least 6 characters long",
});
}
// Hash new password
const hashedPassword = await bcrypt.hash(new_password, 10);
// Get user's password expiry setting
const userResult = await query(
"SELECT password_never_expires FROM adminusers WHERE id = $1",
[id]
);
if (userResult.rows.length === 0) {
return res.status(404).json({
success: false,
message: "User not found",
});
}
// Calculate new expiry date (90 days from now if not never expires)
let passwordExpiresAt = null;
if (!userResult.rows[0].password_never_expires) {
const expiryDate = new Date();
expiryDate.setDate(expiryDate.getDate() + 90);
passwordExpiresAt = expiryDate.toISOString();
}
// Update password
await query(
`
UPDATE adminusers
SET passwordhash = $1,
password_expires_at = $2,
last_password_change = NOW(),
updated_at = NOW()
WHERE id = $3
`,
[hashedPassword, passwordExpiresAt, id]
);
res.json({
success: true,
message: "Password reset successfully",
});
} catch (error) {
console.error("Reset password error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
// Delete user
router.delete("/:id", async (req, res) => {
try {
const { id } = req.params;
// Prevent deleting yourself
if (id === req.session.user.id) {
return res.status(400).json({
success: false,
message: "Cannot delete your own account",
});
}
const result = await query(
"DELETE FROM adminusers WHERE id = $1 RETURNING id",
[id]
);
if (result.rows.length === 0) {
return res.status(404).json({
success: false,
message: "User not found",
});
}
res.json({
success: true,
message: "User deleted successfully",
});
} catch (error) {
console.error("Delete user error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
// Toggle user active status
router.post("/:id/toggle-status", async (req, res) => {
try {
const { id } = req.params;
// Prevent deactivating yourself
if (id === req.session.user.id) {
return res.status(400).json({
success: false,
message: "Cannot deactivate your own account",
});
}
const result = await query(
`
UPDATE adminusers
SET isactive = NOT isactive,
updated_at = NOW()
WHERE id = $1
RETURNING id, isactive
`,
[id]
);
if (result.rows.length === 0) {
return res.status(404).json({
success: false,
message: "User not found",
});
}
res.json({
success: true,
message: `User ${
result.rows[0].isactive ? "activated" : "deactivated"
} successfully`,
isactive: result.rows[0].isactive,
});
} catch (error) {
console.error("Toggle status error:", error);
res.status(500).json({ success: false, message: "Server error" });
}
});
module.exports = router;
Reference in New Issue Copy Permalink