From b2f48e98e0b9a590baf6dff69e5f7e672876ecaf Mon Sep 17 00:00:00 2001
From: Hornwitser
Date: Sat, 28 Jun 2025 00:55:26 +0200
Subject: [PATCH] Add API utility for requiring an admin session

---
 server/api/admin/delete-database.post.ts | 9 +--------
 server/api/admin/user.patch.ts | 8 +-------
 server/utils/session.ts | 11 +++++++++++
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/server/api/admin/delete-database.post.ts b/server/api/admin/delete-database.post.ts
index 4eb481a..7da35ec 100644
--- a/server/api/admin/delete-database.post.ts
+++ b/server/api/admin/delete-database.post.ts
@@ -1,13 +1,6 @@
 import { deleteDatabase } from "~/server/database";
 
 export default defineEventHandler(async (event) => {
-  const session = await requireServerSession(event);
-  if (session.account.type !== "admin") {
-    throw createError({
-      statusCode: 403,
-      statusMessage: "Forbidden",
-    });
-  }
-
+  await requireServerSessionWithAdmin(event);
   await deleteDatabase();
 })
diff --git a/server/api/admin/user.patch.ts b/server/api/admin/user.patch.ts
index 6e13e4f..6054aad 100644
--- a/server/api/admin/user.patch.ts
+++ b/server/api/admin/user.patch.ts
@@ -4,13 +4,7 @@ import { z } from "zod/v4-mini";
 import { broadcastEvent } from "~/server/streams";
 
 export default defineEventHandler(async (event) => {
-  const session = await requireServerSession(event);
-  if (session.account.type !== "admin") {
-    throw createError({
-      statusCode: 403,
-      statusMessage: "Forbidden",
-    });
-  }
+  await requireServerSessionWithAdmin(event);
   const { success, error, data: patch } = apiUserPatchSchema.safeParse(await readBody(event));
   if (!success) {
     throw createError({
diff --git a/server/utils/session.ts b/server/utils/session.ts
index 919f57d..b7e63df 100644
--- a/server/utils/session.ts
+++ b/server/utils/session.ts
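Review bot: The `session` binding that user.patch.ts used to hold is dropped on the new `await requireServerSessionWithAdmin(event);` line even though the helper returns it; the rest of that handler lies outside the hunk, so if any later line still reads `session` (for instance to record which admin issued the patch) the file no longer compiles, and `const session = await requireServerSessionWithAdmin(event);` would keep it available. The delete-database.post.ts hunk makes the same change, but there the whole handler is visible and nothing else uses the session, so discarding the result is fine. Both call sites add no import for the new helper and so rely on it being auto-imported from server/utils the way `requireServerSession` and `createError` already were; that should resolve as long as that directory stays in the auto-import set.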
@@ -70,3 +70,14 @@ export async function requireServerSession(event: H3Event) {
   });
   return session;
 }
+
+export async function requireServerSessionWithAdmin(event: H3Event) {
+  const session = await requireServerSession(event);
+  if (session.account.type !== "admin") {
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Forbidden",
+    });
+  }
+  return session;
+}
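Review bot: The new exported `requireServerSessionWithAdmin` carries no TSDoc and no explicit return type, so a caller has to read the body to learn that any account whose `type` is not exactly `"admin"` is rejected with a 403 and that the resolved session is returned otherwise. I would add a doc block above the signature saying that it resolves the current server session via `requireServerSession`, throws a 403 "Forbidden" `createError` unless `session.account.type` is `"admin"`, and returns that session on success, with `@throws` entries for the 403 and for whatever `requireServerSession` raises when no session exists. Only the tail of `requireServerSession` (`return session;`) is visible here, so I am assuming it throws rather than returning a nullable value; if it can return null or undefined, the `session.account` access in the new helper would need a guard first. The check itself is fail-closed (a strict equality against the single `"admin"` literal, everything else denied), which is the right default for a gate in front of destructive admin routes.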