feature: signup and login work

2025-06-25 20:51:29 -07:00 · 2025-06-25 20:51:29 -07:00 · 3d42591ee5
commit 3d42591ee5
parent a4a750b35c
18 changed files with 956 additions and 65 deletions
--- a/public/api/users/:id/index.ts
+++ b/public/api/users/:id/index.ts
@ -1,19 +1,24 @@
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../utils/prechecks.ts';
 import { PASSWORD_ENTRIES, PASSWORD_ENTRY } from '../../../../models/password_entry.ts';
 import { SESSIONS } from '../../../../models/session.ts';
 import { USER, USERS } from '../../../../models/user.ts';
 import { PERMISSIONS_STORE, USER_PERMISSIONS } from '../../../../models/user_permissions.ts';
 import parse_body from '../../../../utils/bodyparser.ts';
+import { CANNED_RESPONSES } from '../../../../utils/canned_responses.ts';

-export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
+export const PRECHECKS: PRECHECK_TABLE = {};

 // GET /api/users/:id - Get single user
-PERMISSIONS.GET = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
 	const can_read_self = meta.user_permissions?.permissions.includes('self.read');
 	const can_read_others = meta.user_permissions?.permissions?.includes('users.read');

-	return can_read_others || (can_read_self && user_is_self);
-};
+	const has_permission = can_read_others || (can_read_self && user_is_self);
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
 	const user_id: string = meta.params?.id?.toLowerCase().trim() ?? '';
 	const user: USER | null = user_id.length === 49 ? await USERS.get(user_id) : null; // lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
@ -29,34 +34,22 @@ export async function GET(_req: Request, meta: Record<string, any>): Promise<Res
 		});
 	}

-	const user_is_self = meta.user?.id === user.id;
-	const has_permission_to_read = (user_is_self && meta.user_permissions?.permissions?.includes('self.read')) ||
-		(meta.user_permissions?.permissions?.includes('users.read'));
-
-	if (!has_permission_to_read) {
-		return Response.json({
-			error: {
-				message: 'Permission denied.',
-				cause: 'permission_denied'
-			}
-		}, {
-			status: 400
-		});
-	}
-
 	return Response.json(user, {
 		status: 200
 	});
 }

 // PUT /api/users/:id - Update user
-PERMISSIONS.PUT = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.PUT = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
 	const can_write_self = meta.user_permissions?.permissions.includes('self.write');
 	const can_write_others = meta.user_permissions?.permissions?.includes('users.write');

-	return can_write_others || (can_write_self && user_is_self);
-};
+	const has_permission = can_write_others || (can_write_self && user_is_self);
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function PUT(req: Request, meta: { params: Record<string, any> }): Promise<Response> {
 	const now = new Date().toISOString();
 	const id: string = meta.params.id ?? '';
@ -101,13 +94,16 @@ export async function PUT(req: Request, meta: { params: Record<string, any> }):
 }

 // DELETE /api/users/:id - Delete user
-PERMISSIONS.DELETE = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.DELETE = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
 	const can_write_self = meta.user_permissions?.permissions.includes('self.write');
 	const can_write_others = meta.user_permissions?.permissions?.includes('users.write');

-	return can_write_others || (can_write_self && user_is_self);
-};
+	const has_permission = can_write_others || (can_write_self && user_is_self);
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function DELETE(_req: Request, meta: { params: Record<string, any> }): Promise<Response> {
 	const user_id: string = meta.params.id ?? '';

--- a/public/api/users/index.ts
+++ b/public/api/users/index.ts
@ -6,28 +6,27 @@ import { hash } from 'jsr:@stdext/crypto/hash';
 import lurid from 'jsr:@andyburke/lurid';
 import { encodeBase64 } from 'jsr:@std/encoding';
 import parse_body from '../../../utils/bodyparser.ts';
-import { get_session, SESSION_RESULT } from '../auth/index.ts';
+import { create_new_session, SESSION_RESULT } from '../auth/index.ts';
+import { PRECHECKS } from './me/index.ts';
+import { get_session, get_user, require_user } from '../../../utils/prechecks.ts';
+import { CANNED_RESPONSES } from '../../../utils/canned_responses.ts';

 // TODO: figure out a better solution for doling out permissions
 const DEFAULT_USER_PERMISSIONS: string[] = [
 	'self.read',
-	'self.write',
-	'checklists.read',
-	'checklists.write',
-	'checklists.events.read',
-	'checklists.events.write'
+	'self.write'
 ];

-export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
-
 // GET /api/users - get users
 // query parameters:
 //   partial_id: the partial id subset you would like to match (remember, lurids are lexigraphically sorted)
-PERMISSIONS.GET = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const can_read_others = meta.user_permissions?.permissions?.includes('users.read');

-	return can_read_others;
-};
+	if (!can_read_others) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
 	const query: URLSearchParams = meta.query;
 	const partial_id: string | undefined = query.get('partial_id')?.toLowerCase().trim();
@ -132,7 +131,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res

 		await PERMISSIONS_STORE.create(user_permissions);

-		const session_result: SESSION_RESULT = await get_session({
+		const session_result: SESSION_RESULT = await create_new_session({
 			user,
 			expires: undefined
 		});
--- a/public/api/users/me/README.md
+++ b/public/api/users/me/README.md
@ -0,0 +1,7 @@
+# /api/users/me
+
+Get the current user.
+
+## GET /api/users/me
+
+Return the currently logged in user or an error.
--- a/public/api/users/me/index.ts
+++ b/public/api/users/me/index.ts
@ -0,0 +1,25 @@
+import { CANNED_RESPONSES } from '../../../../utils/canned_responses.ts';
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../utils/prechecks.ts';
+
+export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
+export const PRECHECKS: PRECHECK_TABLE = {};
+
+// GET /api/users/me - Get the current user
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
+	const can_read_self = meta.user_permissions?.permissions.includes('self.read');
+
+	const has_permission = can_read_self;
+	console.dir({
+		meta,
+		can_read_self,
+		has_permission
+	});
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export function GET(_req: Request, meta: Record<string, any>): Response {
+	return Response.json(meta.user, {
+		status: 200
+	});
+}