owltide/server/api/auth/account.post.ts

/*
	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
	SPDX-License-Identifier: AGPL-3.0-or-later
*/
import { readUsers, writeUsers, nextUserId, type ServerUser, readAuthenticationMethods, nextAuthenticationMethodId, writeAuthenticationMethods } from "~/server/database";
import { broadcastEvent } from "~/server/streams";
import type { ApiSession } from "~/shared/types/api";

export default defineEventHandler(async (event): Promise<ApiSession> => {
	let session = await getServerSession(event, false);
	if (session?.accountId !== undefined) {
		throw createError({
			status: 409,
			message: "Cannot create account while logged in to an account."
		});
	}

	const body = await readBody(event);
	const name = body?.name;

	const users = await readUsers();
	let user: ServerUser;
	if (typeof name === "string") {
		if (name === "") {
			throw createError({
				status: 400,
				message: "Name cannot be blank",
			});
		}
		if (users.some(user => user.name && user.name.toLowerCase() === name.toLowerCase())) {
			throw createError({
				status: 409,
				message: "User already exists",
			});
		}

		const firstUser = users.every(user => user.type === "anonymous");
		user = {
			id: await nextUserId(),
			updatedAt: new Date().toISOString(),
			type: firstUser ? "admin" : "regular",
			name,
		};

	} else if (name === undefined) {
		user = {
			id: await nextUserId(),
			updatedAt: new Date().toISOString(),
			type: "anonymous",
		};
	} else {
		throw createError({
			status: 400,
			message: "Invalid name",
		});
	}

	if (user.type !== "anonymous") {
		if (!session?.authenticationProvider) {
			throw createError({
				statusCode: 409,
				statusMessage: "Conflict",
				message: "User account need an authentication method associated with it.",
			});
		}
		const authMethods = await readAuthenticationMethods();
		const method = authMethods.find(method => (
			method.provider === session.authenticationProvider
			&& method.slug === session.authenticationSlug
		));
		if (method) {
			throw createError({
				statusCode: 409,
				statusMessage: "Conflict",
				message: "A user is already associated with the authentication method",
			});
		}
		authMethods.push({
			id: await nextAuthenticationMethodId(),
			userId: user.id,
			provider: session.authenticationProvider,
			slug: session.authenticationSlug!,
			name: session.authenticationName!,
		})
		await writeAuthenticationMethods(authMethods);
	}

	users.push(user);
	await writeUsers(users);
	await broadcastEvent({
		type: "user-update",
		data: user,
	});
	const newSession = await setServerSession(event, user);
	return await serverSessionToApi(event, newSession);
})
License under AGPL version 3 or later I firmly believe in free software. The application I'm making here have capabilities that I've not seen in any system. It presents itself as an opportunity to collaborate on a tool that serves the people rather than corporations. Whose incentives are to help people rather, not make the most money. And whose terms ensure that these freedoms and incentives cannot be taken back or subverted. I license this software under the AGPL. 2025-06-30 18:58:24 +02:00			`/*`
			`SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>`
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back. 2025-07-09 15:21:39 +02:00			`import { readUsers, writeUsers, nextUserId, type ServerUser, readAuthenticationMethods, nextAuthenticationMethodId, writeAuthenticationMethods } from "~/server/database";`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`import { broadcastEvent } from "~/server/streams";`
Set verbatimModuleSyntax for server code The nuxi typecheck command complains about type only imports that are not declared as such, but the VsCode environment does not. There's probably a missmatch somewhere in the configuration for Nuxt that I'm not going to dig into. Workaround this issue for now by setting the option in the tsconfig.json file for the server. 2025-07-09 18:08:39 +02:00			`import type { ApiSession } from "~/shared/types/api";`
Add create account functionality 2025-03-07 23:53:57 +01:00
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back. 2025-07-09 15:21:39 +02:00			`export default defineEventHandler(async (event): Promise<ApiSession> => {`
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded. 2025-07-07 22:42:49 +02:00			`let session = await getServerSession(event, false);`
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back. 2025-07-09 15:21:39 +02:00			`if (session?.accountId !== undefined) {`
Add create account functionality 2025-03-07 23:53:57 +01:00			`throw createError({`
			`status: 409,`
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back. 2025-07-09 15:21:39 +02:00			`message: "Cannot create account while logged in to an account."`
Add create account functionality 2025-03-07 23:53:57 +01:00			`});`
			`}`

Refactor demo login as an authentication method Use the authentication method system for the demo login and the generated accounts. This makes it possible to toggle it off on production systems as these shouldn't have it enabled at all. 2025-07-09 17:57:49 +02:00			`const body = await readBody(event);`
			`const name = body?.name;`
Add create account functionality 2025-03-07 23:53:57 +01:00
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`const users = await readUsers();`
			`let user: ServerUser;`
Add create account functionality 2025-03-07 23:53:57 +01:00			`if (typeof name === "string") {`
			`if (name === "") {`
			`throw createError({`
			`status: 400,`
			`message: "Name cannot be blank",`
			`});`
			`}`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`if (users.some(user => user.name && user.name.toLowerCase() === name.toLowerCase())) {`
Add create account functionality 2025-03-07 23:53:57 +01:00			`throw createError({`
			`status: 409,`
			`message: "User already exists",`
			`});`
			`}`

Make the first user created an admin To easily bootstrap of administration of the system make the first regular user account created into an admin account. 2025-06-28 01:25:43 +02:00			`const firstUser = users.every(user => user.type === "anonymous");`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`user = {`
			`id: await nextUserId(),`
			`updatedAt: new Date().toISOString(),`
Make the first user created an admin To easily bootstrap of administration of the system make the first regular user account created into an admin account. 2025-06-28 01:25:43 +02:00			`type: firstUser ? "admin" : "regular",`
Add create account functionality 2025-03-07 23:53:57 +01:00			`name,`
			`};`

Refactor demo login as an authentication method Use the authentication method system for the demo login and the generated accounts. This makes it possible to toggle it off on production systems as these shouldn't have it enabled at all. 2025-07-09 17:57:49 +02:00			`} else if (name === undefined) {`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`user = {`
			`id: await nextUserId(),`
			`updatedAt: new Date().toISOString(),`
Add create account functionality 2025-03-07 23:53:57 +01:00			`type: "anonymous",`
			`};`
			`} else {`
			`throw createError({`
			`status: 400,`
			`message: "Invalid name",`
			`});`
			`}`

Refactor demo login as an authentication method Use the authentication method system for the demo login and the generated accounts. This makes it possible to toggle it off on production systems as these shouldn't have it enabled at all. 2025-07-09 17:57:49 +02:00			`if (user.type !== "anonymous") {`
			`if (!session?.authenticationProvider) {`
			`throw createError({`
			`statusCode: 409,`
			`statusMessage: "Conflict",`
			`message: "User account need an authentication method associated with it.",`
			`});`
			`}`
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back. 2025-07-09 15:21:39 +02:00			`const authMethods = await readAuthenticationMethods();`
			`const method = authMethods.find(method => (`
			`method.provider === session.authenticationProvider`
			`&& method.slug === session.authenticationSlug`
			`));`
			`if (method) {`
			`throw createError({`
			`statusCode: 409,`
			`statusMessage: "Conflict",`
			`message: "A user is already associated with the authentication method",`
			`});`
			`}`
			`authMethods.push({`
			`id: await nextAuthenticationMethodId(),`
			`userId: user.id,`
			`provider: session.authenticationProvider,`
			`slug: session.authenticationSlug!,`
			`name: session.authenticationName!,`
			`})`
			`await writeAuthenticationMethods(authMethods);`
			`}`

Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`users.push(user);`
			`await writeUsers(users);`
			`await broadcastEvent({`
			`type: "user-update",`
			`data: user,`
			`});`
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back. 2025-07-09 15:21:39 +02:00			`const newSession = await setServerSession(event, user);`
			`return await serverSessionToApi(event, newSession);`
Add create account functionality 2025-03-07 23:53:57 +01:00			`})`