feat: implement auth system, passkeys, and user management

Add PostgreSQL and Redis integration for users and sessions Implement password and WebAuthn passkey login flows Add Docker stack, super-admin seeding, and protected routes
2026-04-12 20:16:43 +08:00
parent a649c509c2
commit 377a9617be
45 changed files with 3620 additions and 104 deletions
--- a/server/api/admin/users/[id].patch.ts
+++ b/server/api/admin/users/[id].patch.ts
@@ -0,0 +1,78 @@
+import {
+  isValidPhoneNumber,
+  normalizePhoneNumber,
+  type UserRole
+} from '~~/shared/auth'
+
+import { requireRole } from '../../../utils/auth'
+import { getUserById, updateUserProfile } from '../../../utils/user-repository'
+
+export default defineEventHandler(async (event) => {
+  const auth = await requireRole(event, 'super_admin')
+  const userId = getRouterParam(event, 'id')
+
+  if (!userId) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'User id is required'
+    })
+  }
+
+  const body = await readBody<{
+    fullName?: string
+    phoneNumber?: string
+    role?: UserRole
+  }>(event)
+
+  const fullName = body.fullName?.trim() || ''
+  const phoneNumber = normalizePhoneNumber(body.phoneNumber || '')
+  const role = body.role
+
+  if (fullName.length < 2) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Display name must be at least 2 characters'
+    })
+  }
+
+  if (!isValidPhoneNumber(phoneNumber)) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Phone number must contain 8 to 15 digits'
+    })
+  }
+
+  if (role !== 'super_admin' && role !== 'staff') {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Role is invalid'
+    })
+  }
+
+  const user = await getUserById(userId)
+
+  if (!user) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: 'User not found'
+    })
+  }
+
+  if (auth.user.id === userId && role !== 'super_admin') {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'You cannot remove your own super admin access'
+    })
+  }
+
+  const updatedUser = await updateUserProfile({
+    userId,
+    fullName,
+    phoneNumber,
+    role
+  })
+
+  return {
+    user: updatedUser
+  }
+})
--- a/server/api/admin/users/[id]/reset-password.post.ts
+++ b/server/api/admin/users/[id]/reset-password.post.ts
@@ -0,0 +1,42 @@
+import { DEFAULT_USER_PASSWORD } from '~~/shared/auth'
+
+import { requireRole } from '../../../../utils/auth'
+import { hashPassword } from '../../../../utils/password'
+import { getUserById, updateUserPassword } from '../../../../utils/user-repository'
+
+export default defineEventHandler(async (event) => {
+  await requireRole(event, 'super_admin')
+
+  const userId = getRouterParam(event, 'id')
+
+  if (!userId) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'User id is required'
+    })
+  }
+
+  const user = await getUserById(userId)
+
+  if (!user) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: 'User not found'
+    })
+  }
+
+  const passwordHash = await hashPassword(DEFAULT_USER_PASSWORD)
+
+  await updateUserPassword({
+    userId,
+    passwordHash,
+    mustChangePassword: true
+  })
+
+  const updatedUser = await getUserById(userId)
+
+  return {
+    user: updatedUser,
+    defaultPassword: DEFAULT_USER_PASSWORD
+  }
+})