3a16d6e9b1
- Replace next-auth v5 beta with better-auth v1.6.2 (stable releases)
- Add multi-provider OAuth support with admin UI configuration
- New oauthProviders table with encrypted secrets (AES-256-GCM)
- Env var bootstrap (OAUTH_*) syncs to DB, UI-created providers fully editable
- OAuth provider REST API: GET/POST/PUT/DELETE /api/v1/oauth-providers
- Settings page "Authentication Providers" section for admin management
- Account linking uses new accounts table (multi-provider per user)
- Username plugin for credentials sign-in (replaces email@localhost pattern)
- bcrypt password compatibility (existing hashes work)
- Database-backed sessions via Kysely adapter (bun:sqlite direct)
- Configurable rate limiting via AUTH_RATE_LIMIT_* env vars
- All DB columns migrated from snake_case to camelCase
- All TypeScript types/models migrated to camelCase properties
- Removed casing: "snake_case" from Drizzle config
- Callback URL format: {baseUrl}/api/auth/oauth2/callback/{providerId}
- package-lock.json removed and gitignored (using bun.lock)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
104 lines
3.3 KiB
TypeScript
104 lines
3.3 KiB
TypeScript
import { NextRequest, NextResponse } from "next/server";
|
|
import { requireApiUser, requireApiAdmin, apiErrorResponse, ApiAuthError } from "@/src/lib/api-auth";
|
|
import { getUserById, updateUserProfile, updateUserRole, updateUserStatus, deleteUser } from "@/src/lib/models/user";
|
|
|
|
function stripPasswordHash(user: Record<string, unknown>) {
|
|
const { passwordHash: _, ...rest } = user;
|
|
void _;
|
|
return rest;
|
|
}
|
|
|
|
export async function GET(
|
|
request: NextRequest,
|
|
{ params }: { params: Promise<{ id: string }> }
|
|
) {
|
|
try {
|
|
const auth = await requireApiUser(request);
|
|
const { id } = await params;
|
|
const targetId = Number(id);
|
|
|
|
// Non-admins can only view themselves
|
|
if (auth.role !== "admin" && auth.userId !== targetId) {
|
|
throw new ApiAuthError("Forbidden", 403);
|
|
}
|
|
|
|
const user = await getUserById(targetId);
|
|
if (!user) {
|
|
return NextResponse.json({ error: "Not found" }, { status: 404 });
|
|
}
|
|
return NextResponse.json(stripPasswordHash(user as unknown as Record<string, unknown>));
|
|
} catch (error) {
|
|
return apiErrorResponse(error);
|
|
}
|
|
}
|
|
|
|
export async function PUT(
|
|
request: NextRequest,
|
|
{ params }: { params: Promise<{ id: string }> }
|
|
) {
|
|
try {
|
|
const auth = await requireApiAdmin(request);
|
|
const { id } = await params;
|
|
const targetId = Number(id);
|
|
const body = await request.json();
|
|
|
|
// Handle role change
|
|
if (body.role && ["admin", "user", "viewer"].includes(body.role)) {
|
|
if (auth.userId === targetId) {
|
|
return NextResponse.json({ error: "Cannot change your own role" }, { status: 400 });
|
|
}
|
|
await updateUserRole(targetId, body.role);
|
|
}
|
|
|
|
// Handle status change
|
|
if (body.status && ["active", "disabled"].includes(body.status)) {
|
|
if (auth.userId === targetId) {
|
|
return NextResponse.json({ error: "Cannot change your own status" }, { status: 400 });
|
|
}
|
|
await updateUserStatus(targetId, body.status);
|
|
}
|
|
|
|
// Handle profile update
|
|
const profileFields: Record<string, unknown> = {};
|
|
if (body.email !== undefined) profileFields.email = body.email;
|
|
if (body.name !== undefined) profileFields.name = body.name;
|
|
if (body.avatarUrl !== undefined) profileFields.avatarUrl = body.avatarUrl;
|
|
if (Object.keys(profileFields).length > 0) {
|
|
await updateUserProfile(targetId, profileFields as { email?: string; name?: string | null; avatarUrl?: string | null });
|
|
}
|
|
|
|
const user = await getUserById(targetId);
|
|
if (!user) {
|
|
return NextResponse.json({ error: "Not found" }, { status: 404 });
|
|
}
|
|
return NextResponse.json(stripPasswordHash(user as unknown as Record<string, unknown>));
|
|
} catch (error) {
|
|
return apiErrorResponse(error);
|
|
}
|
|
}
|
|
|
|
export async function DELETE(
|
|
request: NextRequest,
|
|
{ params }: { params: Promise<{ id: string }> }
|
|
) {
|
|
try {
|
|
const auth = await requireApiAdmin(request);
|
|
const { id } = await params;
|
|
const targetId = Number(id);
|
|
|
|
if (auth.userId === targetId) {
|
|
return NextResponse.json({ error: "Cannot delete your own account" }, { status: 400 });
|
|
}
|
|
|
|
const user = await getUserById(targetId);
|
|
if (!user) {
|
|
return NextResponse.json({ error: "Not found" }, { status: 404 });
|
|
}
|
|
|
|
await deleteUser(targetId);
|
|
return new NextResponse(null, { status: 204 });
|
|
} catch (error) {
|
|
return apiErrorResponse(error);
|
|
}
|
|
}
|