feat: implement auth system, passkeys, and user management

Add PostgreSQL and Redis integration for users and sessions Implement password and WebAuthn passkey login flows Add Docker stack, super-admin seeding, and protected routes
2026-04-12 20:16:43 +08:00
parent a649c509c2
commit 377a9617be
45 changed files with 3620 additions and 104 deletions
--- a/server/api/admin/users.post.ts
+++ b/server/api/admin/users.post.ts
@@ -0,0 +1,74 @@
+import {
+  DEFAULT_USER_PASSWORD,
+  USERNAME_PATTERN,
+  isValidPhoneNumber,
+  normalizePhoneNumber,
+  type UserRole
+} from '~~/shared/auth'
+
+import { normalizeUsername, requireRole } from '../../utils/auth'
+import { hashPassword } from '../../utils/password'
+import { createUser } from '../../utils/user-repository'
+
+export default defineEventHandler(async (event) => {
+  const auth = await requireRole(event, 'super_admin')
+  const body = await readBody<{
+    username?: string
+    fullName?: string
+    phoneNumber?: string
+    role?: UserRole
+  }>(event)
+
+  const username = normalizeUsername(body.username || '')
+  const fullName = body.fullName?.trim() || ''
+  const phoneNumber = normalizePhoneNumber(body.phoneNumber || '')
+  const role = body.role === 'super_admin' ? 'super_admin' : 'staff'
+
+  if (!USERNAME_PATTERN.test(username)) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Username must be 3 to 32 characters using lowercase letters, numbers, dot, dash, or underscore'
+    })
+  }
+
+  if (fullName.length < 2) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Full name must be at least 2 characters'
+    })
+  }
+
+  if (!isValidPhoneNumber(phoneNumber)) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Phone number must contain 8 to 15 digits'
+    })
+  }
+
+  const passwordHash = await hashPassword(DEFAULT_USER_PASSWORD)
+
+  try {
+    const user = await createUser({
+      username,
+      fullName,
+      phoneNumber,
+      role,
+      passwordHash,
+      createdBy: auth.user.id
+    })
+
+    return {
+      user,
+      defaultPassword: DEFAULT_USER_PASSWORD
+    }
+  } catch (error: any) {
+    if (error?.code === '23505') {
+      throw createError({
+        statusCode: 409,
+        statusMessage: 'Username already exists'
+      })
+    }
+
+    throw error
+  }
+})