owltide/server/api/admin/user.patch.ts

/*
	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
	SPDX-License-Identifier: AGPL-3.0-or-later
*/
import { readSessions, readUsers, writeSessions, writeUsers } from "~/server/database";
import { apiUserPatchSchema } from "~/shared/types/api";
import { z } from "zod/v4-mini";
import { broadcastEvent } from "~/server/streams";

export default defineEventHandler(async (event) => {
	await requireServerSessionWithAdmin(event);
	const { success, error, data: patch } = apiUserPatchSchema.safeParse(await readBody(event));
	if (!success) {
		throw createError({
			status: 400,
			statusText: "Bad Request",
			message: z.prettifyError(error),
		});
	}

	const users = await readUsers();
	const user = users.find(user => user.id === patch.id);
	if (!user || user.deleted) {
		throw createError({
			status: 409,
			statusText: "Conflict",
			message: "User does not exist",
		});

	}

	let accessChanged = false;
	if (patch.type && patch.type !== user.type) {
		if (patch.type === "anonymous" || user.type === "anonymous") {
			throw createError({
				status: 409,
				statusText: "Conflict",
				message: "Anonymous user type cannot be changed.",
			});
		}
		user.type = patch.type;
		accessChanged = true;
	}
	if (patch.name) {
		if (user.type === "anonymous") {
			throw createError({
				status: 409,
				statusText: "Conflict",
				message: "Anonymous user cannot have name set.",
			});
		}
		user.name = patch.name;
	}
	user.updatedAt = new Date().toISOString();
	await writeUsers(users);
	broadcastEvent({
		type: "user-update",
		data: serverUserToApi(user),
	});

	// Expire sessions with the user in it if the access changed
	if (accessChanged) {
		const sessions = await readSessions();
		for (const session of sessions) {
			if (session.accountId === user.id) {
				session.expiresAtMs = 0;
				broadcastEvent({
					type: "session-expired",
					sessionId: session.id,
				});
			}
		}
		await writeSessions(sessions);
	}

	// Update Schedule counts.
	await updateScheduleInterestedCounts(users);
})
License under AGPL version 3 or later I firmly believe in free software. The application I'm making here have capabilities that I've not seen in any system. It presents itself as an opportunity to collaborate on a tool that serves the people rather than corporations. Whose incentives are to help people rather, not make the most money. And whose terms ensure that these freedoms and incentives cannot be taken back or subverted. I license this software under the AGPL. 2025-06-30 18:58:24 +02:00			`/*`
			`SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>`
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded. 2025-07-07 22:42:49 +02:00			`import { readSessions, readUsers, writeSessions, writeUsers } from "~/server/database";`
De-duplicate serverUserToApi 2025-06-24 15:31:47 +02:00			`import { apiUserPatchSchema } from "~/shared/types/api";`
Add admin page that can edit users Add admin page that's only accessible to admins with a listing of users and the ability to edit the access types of those users. 2025-06-23 00:20:33 +02:00			`import { z } from "zod/v4-mini";`
			`import { broadcastEvent } from "~/server/streams";`

			`export default defineEventHandler(async (event) => {`
Add API utility for requiring an admin session 2025-06-28 00:55:26 +02:00			`await requireServerSessionWithAdmin(event);`
Add admin page that can edit users Add admin page that's only accessible to admins with a listing of users and the ability to edit the access types of those users. 2025-06-23 00:20:33 +02:00			`const { success, error, data: patch } = apiUserPatchSchema.safeParse(await readBody(event));`
			`if (!success) {`
			`throw createError({`
			`status: 400,`
			`statusText: "Bad Request",`
			`message: z.prettifyError(error),`
			`});`
			`}`

			`const users = await readUsers();`
			`const user = users.find(user => user.id === patch.id);`
			`if (!user \|\| user.deleted) {`
			`throw createError({`
			`status: 409,`
			`statusText: "Conflict",`
			`message: "User does not exist",`
			`});`

			`}`

Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded. 2025-07-07 22:42:49 +02:00			`let accessChanged = false;`
			`if (patch.type && patch.type !== user.type) {`
Add admin page that can edit users Add admin page that's only accessible to admins with a listing of users and the ability to edit the access types of those users. 2025-06-23 00:20:33 +02:00			`if (patch.type === "anonymous" \|\| user.type === "anonymous") {`
			`throw createError({`
			`status: 409,`
			`statusText: "Conflict",`
			`message: "Anonymous user type cannot be changed.",`
			`});`
			`}`
			`user.type = patch.type;`
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded. 2025-07-07 22:42:49 +02:00			`accessChanged = true;`
Add admin page that can edit users Add admin page that's only accessible to admins with a listing of users and the ability to edit the access types of those users. 2025-06-23 00:20:33 +02:00			`}`
			`if (patch.name) {`
			`if (user.type === "anonymous") {`
			`throw createError({`
			`status: 409,`
			`statusText: "Conflict",`
			`message: "Anonymous user cannot have name set.",`
			`});`
			`}`
			`user.name = patch.name;`
			`}`
			`user.updatedAt = new Date().toISOString();`
			`await writeUsers(users);`
			`broadcastEvent({`
			`type: "user-update",`
			`data: serverUserToApi(user),`
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded. 2025-07-07 22:42:49 +02:00			`});`

			`// Expire sessions with the user in it if the access changed`
			`if (accessChanged) {`
			`const sessions = await readSessions();`
			`for (const session of sessions) {`
			`if (session.accountId === user.id) {`
			`session.expiresAtMs = 0;`
Close event streams for expired sessions When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes. 2025-07-08 15:43:14 +02:00			`broadcastEvent({`
			`type: "session-expired",`
			`sessionId: session.id,`
			`});`
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded. 2025-07-07 22:42:49 +02:00			`}`
			`}`
			`await writeSessions(sessions);`
			`}`
Add admin page that can edit users Add admin page that's only accessible to admins with a listing of users and the ability to edit the access types of those users. 2025-06-23 00:20:33 +02:00
			`// Update Schedule counts.`
			`await updateScheduleInterestedCounts(users);`
			`})`