Initial commit

Created from https://vercel.com/new

pages/api/account/[id].js

@@ -0,0 +1,29 @@
+import { getAccountById, deleteAccount } from 'lib/queries';
+import { useAuth } from 'lib/middleware';
+import { methodNotAllowed, ok, unauthorized } from 'lib/response';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { is_admin } = req.auth;
+  const { id } = req.query;
+  const user_id = +id;
+
+  if (!is_admin) {
+    return unauthorized(res);
+  }
+
+  if (req.method === 'GET') {
+    const account = await getAccountById(user_id);
+
+    return ok(res, account);
+  }
+
+  if (req.method === 'DELETE') {
+    await deleteAccount(user_id);
+
+    return ok(res);
+  }
+
+  return methodNotAllowed(res);
+};

pages/api/account/index.js

@@ -0,0 +1,61 @@
+import { getAccountById, getAccountByUsername, updateAccount, createAccount } from 'lib/queries';
+import { useAuth } from 'lib/middleware';
+import { hashPassword } from 'lib/crypto';
+import { ok, unauthorized, methodNotAllowed, badRequest } from 'lib/response';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { user_id: current_user_id, is_admin: current_user_is_admin } = req.auth;
+
+  if (req.method === 'POST') {
+    const { user_id, username, password, is_admin } = req.body;
+
+    if (user_id) {
+      const account = await getAccountById(user_id);
+
+      if (account.user_id === current_user_id || current_user_is_admin) {
+        const data = {};
+
+        if (password) {
+          data.password = hashPassword(password);
+        }
+
+        // Only admin can change these fields
+        if (current_user_is_admin) {
+          // Cannot change username of admin
+          if (username !== 'admin') {
+            data.username = username;
+          }
+          data.is_admin = is_admin;
+        }
+
+        if (data.username && account.username !== data.username) {
+          const accountByUsername = await getAccountByUsername(username);
+
+          if (accountByUsername) {
+            return badRequest(res, 'Account already exists');
+          }
+        }
+
+        const updated = await updateAccount(user_id, data);
+
+        return ok(res, updated);
+      }
+
+      return unauthorized(res);
+    } else {
+      const accountByUsername = await getAccountByUsername(username);
+
+      if (accountByUsername) {
+        return badRequest(res, 'Account already exists');
+      }
+
+      const created = await createAccount({ username, password: hashPassword(password) });
+
+      return ok(res, created);
+    }
+  }
+
+  return methodNotAllowed(res);
+};

pages/api/account/password.js

@@ -0,0 +1,32 @@
+import { getAccountById, updateAccount } from 'lib/queries';
+import { useAuth } from 'lib/middleware';
+import { badRequest, methodNotAllowed, ok, unauthorized } from 'lib/response';
+import { checkPassword, hashPassword } from 'lib/crypto';
+
+export default async (req, res) => {
+  await useAuth(req, res);
+
+  const { user_id: auth_user_id, is_admin } = req.auth;
+  const { user_id, current_password, new_password } = req.body;
+
+  if (!is_admin && user_id !== auth_user_id) {
+    return unauthorized(res);
+  }
+
+  if (req.method === 'POST') {
+    const account = await getAccountById(user_id);
+    const valid = checkPassword(current_password, account.password);
+
+    if (!valid) {
+      return badRequest(res, 'Current password is incorrect');
+    }
+
+    const password = hashPassword(new_password);
+
+    const updated = await updateAccount(user_id, { password });
+
+    return ok(res, updated);
+  }
+
+  return methodNotAllowed(res);
+};