User management

2026-03-03 23:15:04 +02:00
parent 667fa25525
commit 2d1923d68d
17 changed files with 1046 additions and 74 deletions
--- a/api/App/Endpoints/AuthEndpoints.cs
+++ b/api/App/Endpoints/AuthEndpoints.cs
@@ -4,12 +4,13 @@ using System.Text;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Tokens;

-public record AuthTokenRequest(string Email, string Password);
+public record AuthTokenRequest(string? Username, string Password);

-public class AuthUser
+public class AuthAdminOptions
 {
-  public string Email { get; set; } = string.Empty;
+  public string Username { get; set; } = string.Empty;
  public string Password { get; set; } = string.Empty;
+  public string DisplayName { get; set; } = string.Empty;
 }

 public class AuthOptions
@@ -18,28 +19,28 @@ public class AuthOptions
  public string Audience { get; set; } = "klapi-ui";
  public string SigningKey { get; set; } = string.Empty;
  public List<string> AllowedOrigins { get; set; } = [];
-  public List<AuthUser> Users { get; set; } = [];
+  public AuthAdminOptions Admin { get; set; } = new();
 }

 public static class AuthEndpoints
 {
  public static void MapAuthEndpoints(WebApplication app)
  {
-    app.MapPost("/auth/token", (
+    app.MapPost("/auth/token", async (
      HttpContext httpContext,
      IOptions<AuthOptions> authOptions,
+      UserService userService,
      AuthTokenRequest request) =>
    {
-      if (string.IsNullOrWhiteSpace(request.Email) || string.IsNullOrWhiteSpace(request.Password))
+      if (string.IsNullOrWhiteSpace(request.Username) || string.IsNullOrWhiteSpace(request.Password))
      {
-        return Results.BadRequest(new { Message = "Email and password are required." });
+        return Results.BadRequest(new { Message = "Username and password are required." });
      }

      var options = authOptions.Value;
-      var user = options.Users.FirstOrDefault(item =>
-        string.Equals(item.Email, request.Email.Trim(), StringComparison.OrdinalIgnoreCase));
+      var authenticatedUser = await userService.Authenticate(request.Username, request.Password);

-      if (user is null || !string.Equals(user.Password, request.Password, StringComparison.Ordinal))
+      if (authenticatedUser is null)
      {
        return Results.Unauthorized();
      }
@@ -48,9 +49,11 @@ public static class AuthEndpoints
      var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
      var claims = new List<Claim>
      {
-        new(JwtRegisteredClaimNames.Sub, user.Email),
-        new(JwtRegisteredClaimNames.Email, user.Email),
-        new(ClaimTypes.Name, user.Email),
+        new(JwtRegisteredClaimNames.Sub, authenticatedUser.Username),
+        new(ClaimTypes.Name, authenticatedUser.Username),
+        new("username", authenticatedUser.Username),
+        new("display_name", authenticatedUser.DisplayName),
+        new("is_admin", authenticatedUser.IsAdmin ? "true" : "false"),
        new("scope", "openhours:write")
      };

@@ -66,7 +69,9 @@ public static class AuthEndpoints
      return Results.Ok(new
      {
        AccessToken = tokenValue,
-        Email = user.Email,
+        Username = authenticatedUser.Username,
+        DisplayName = authenticatedUser.DisplayName,
+        IsAdmin = authenticatedUser.IsAdmin,
        TokenType = "Bearer",
        ExpiresIn = 43200
      });
--- a/api/App/Endpoints/UserEndpoints.cs
+++ b/api/App/Endpoints/UserEndpoints.cs
@@ -0,0 +1,186 @@
+using Microsoft.Data.Sqlite;
+
+public static class UserEndpoints
+{
+  public static void MapUserEndpoints(WebApplication app)
+  {
+    app.MapGet("/users", async (HttpContext httpContext) =>
+    {
+      var userService = httpContext.RequestServices.GetRequiredService<UserService>();
+      var users = await userService.GetUsers();
+      await httpContext.Response.WriteAsJsonAsync(users);
+    })
+    .RequireCors("FrontendWriteCors")
+    .RequireAuthorization("AdminOnly")
+    .WithName("GetUsers");
+
+    app.MapPost("/users", async (HttpContext httpContext) =>
+    {
+      var userService = httpContext.RequestServices.GetRequiredService<UserService>();
+      var request = await httpContext.Request.ReadFromJsonAsync<AppUserCreateRequest>();
+
+      if (request is null)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "Request body is required."
+        });
+        return;
+      }
+
+      if (string.IsNullOrWhiteSpace(request.Username) || string.IsNullOrWhiteSpace(request.Password) || string.IsNullOrWhiteSpace(request.DisplayName))
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "Username, password and display name are required."
+        });
+        return;
+      }
+
+      try
+      {
+        var createdUser = await userService.CreateUser(request);
+        httpContext.Response.StatusCode = StatusCodes.Status201Created;
+        httpContext.Response.Headers.Location = $"/users/{createdUser.Username}";
+        await httpContext.Response.WriteAsJsonAsync(createdUser);
+      }
+      catch (SqliteException)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status409Conflict;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "User with the same username already exists."
+        });
+      }
+    })
+    .RequireCors("FrontendWriteCors")
+    .RequireAuthorization("AdminOnly")
+    .WithName("CreateUser");
+
+    app.MapPut("/users/{username}", async (HttpContext httpContext, string username) =>
+    {
+      var userService = httpContext.RequestServices.GetRequiredService<UserService>();
+      var request = await httpContext.Request.ReadFromJsonAsync<AppUserUpdateRequest>();
+
+      if (request is null)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "Request body is required."
+        });
+        return;
+      }
+
+      if (string.IsNullOrWhiteSpace(request.DisplayName))
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "Display name is required."
+        });
+        return;
+      }
+
+      var normalizedTargetUsername = username.Trim().ToLowerInvariant();
+      var existingUser = await userService.GetUser(normalizedTargetUsername);
+
+      if (existingUser is null)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status404NotFound;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "User not found."
+        });
+        return;
+      }
+
+      var adminCount = await userService.GetAdminCount();
+
+      if (existingUser.IsAdmin && !request.IsAdmin && adminCount <= 1)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "Cannot remove admin role from the last admin user."
+        });
+        return;
+      }
+
+      var updatedUser = await userService.UpdateUser(username, request);
+
+      if (updatedUser is null)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status404NotFound;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "User not found."
+        });
+        return;
+      }
+
+      await httpContext.Response.WriteAsJsonAsync(updatedUser);
+    })
+    .RequireCors("FrontendWriteCors")
+    .RequireAuthorization("AdminOnly")
+    .WithName("UpdateUser");
+
+    app.MapDelete("/users/{username}", async (HttpContext httpContext, string username) =>
+    {
+      var userService = httpContext.RequestServices.GetRequiredService<UserService>();
+      var currentUsername = httpContext.User.Identity?.Name?.Trim().ToLowerInvariant() ?? string.Empty;
+      var normalizedTargetUsername = username.Trim().ToLowerInvariant();
+
+      var existingUser = await userService.GetUser(normalizedTargetUsername);
+      if (existingUser is null)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status404NotFound;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "User not found."
+        });
+        return;
+      }
+
+      if (currentUsername == normalizedTargetUsername)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "You cannot delete your own user account."
+        });
+        return;
+      }
+
+      var adminCount = await userService.GetAdminCount();
+      if (existingUser.IsAdmin && adminCount <= 1)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "Cannot delete the last admin user."
+        });
+        return;
+      }
+
+      var deleted = await userService.DeleteUser(username);
+
+      if (!deleted)
+      {
+        httpContext.Response.StatusCode = StatusCodes.Status404NotFound;
+        await httpContext.Response.WriteAsJsonAsync(new
+        {
+          Message = "User not found."
+        });
+        return;
+      }
+
+      httpContext.Response.StatusCode = StatusCodes.Status204NoContent;
+    })
+    .RequireCors("FrontendWriteCors")
+    .RequireAuthorization("AdminOnly")
+    .WithName("DeleteUser");
+  }
+}