Add authentication system and admin panel

- Implement JWT-based authentication with login/logout - Add user management routes and middleware - Create admin panel for managing words and categories - Add authentication store and API client - Update database schema with User model - Configure CORS and authentication middleware - Add login page and protected routes
2026-01-17 14:30:22 +01:00
parent a11e2acb23
commit 3275bc4a4f
24 changed files with 1551 additions and 73 deletions
--- a/packages/backend/src/routes/auth.ts
+++ b/packages/backend/src/routes/auth.ts
@@ -0,0 +1,82 @@
+import { Router, Request, Response, NextFunction } from 'express';
+import passport from '../lib/passport.js';
+import { isAuthenticated } from '../middleware/auth.js';
+
+const router = Router();
+
+/**
+ * POST /api/auth/login
+ * Login with email and password
+ */
+router.post('/login', (req: Request, res: Response, next: NextFunction) => {
+  passport.authenticate('local', (err: any, user: any, info: any) => {
+    if (err) {
+      return res.status(500).json({ error: 'Internal server error', message: err.message });
+    }
+
+    if (!user) {
+      return res.status(401).json({ 
+        error: 'Authentication failed', 
+        message: info?.message || 'Invalid credentials' 
+      });
+    }
+
+    req.logIn(user, (err) => {
+      if (err) {
+        return res.status(500).json({ error: 'Login failed', message: err.message });
+      }
+
+      // Return user data without sensitive fields
+      const { passwordHash, ...userWithoutPassword } = user;
+      res.json({ 
+        message: 'Login successful', 
+        user: userWithoutPassword 
+      });
+    });
+  })(req, res, next);
+});
+
+/**
+ * POST /api/auth/logout
+ * Logout current user
+ */
+router.post('/logout', (req: Request, res: Response) => {
+  req.logout((err) => {
+    if (err) {
+      return res.status(500).json({ error: 'Logout failed', message: err.message });
+    }
+    res.json({ message: 'Logout successful' });
+  });
+});
+
+/**
+ * GET /api/auth/me
+ * Get current authenticated user
+ */
+router.get('/me', isAuthenticated, (req: Request, res: Response) => {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Not authenticated' });
+  }
+
+  // Return user data without sensitive fields
+  const user = req.user as any;
+  const { passwordHash, ...userWithoutPassword } = user;
+  res.json({ user: userWithoutPassword });
+});
+
+/**
+ * GET /api/auth/check
+ * Check if user is authenticated (public endpoint)
+ */
+router.get('/check', (req: Request, res: Response) => {
+  if (req.isAuthenticated() && req.user) {
+    const user = req.user as any;
+    const { passwordHash, ...userWithoutPassword } = user;
+    res.json({ authenticated: true, user: userWithoutPassword });
+  } else {
+    res.json({ authenticated: false, user: null });
+  }
+});
+
+export default router;
+
--- a/packages/backend/src/routes/users.ts
+++ b/packages/backend/src/routes/users.ts
@@ -0,0 +1,196 @@
+import { Router, Request, Response } from 'express';
+import bcrypt from 'bcrypt';
+import { prisma } from '../lib/prisma.js';
+import { isAuthenticated, isAdmin } from '../middleware/auth.js';
+
+const router = Router();
+
+// All routes require admin authentication
+router.use(isAuthenticated, isAdmin);
+
+/**
+ * GET /api/users
+ * Get all users (admin only)
+ */
+router.get('/', async (_req: Request, res: Response) => {
+  try {
+    const users = await prisma.user.findMany({
+      select: {
+        id: true,
+        email: true,
+        displayName: true,
+        role: true,
+        isActive: true,
+        authProvider: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+      orderBy: {
+        createdAt: 'desc',
+      },
+    });
+
+    res.json({ users });
+  } catch (error: any) {
+    res.status(500).json({ error: 'Failed to fetch users', message: error.message });
+  }
+});
+
+/**
+ * GET /api/users/:id
+ * Get user by ID (admin only)
+ */
+router.get('/:id', async (req: Request, res: Response) => {
+  try {
+    const { id } = req.params;
+
+    const user = await prisma.user.findUnique({
+      where: { id },
+      select: {
+        id: true,
+        email: true,
+        displayName: true,
+        role: true,
+        isActive: true,
+        authProvider: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+
+    res.json({ user });
+  } catch (error: any) {
+    res.status(500).json({ error: 'Failed to fetch user', message: error.message });
+  }
+});
+
+/**
+ * POST /api/users
+ * Create new user (admin only)
+ */
+router.post('/', async (req: Request, res: Response) => {
+  try {
+    const { email, displayName, password, role, isActive } = req.body;
+
+    // Validate required fields
+    if (!email || !password) {
+      return res.status(400).json({ error: 'Email and password are required' });
+    }
+
+    // Check if user already exists
+    const existingUser = await prisma.user.findUnique({
+      where: { email },
+    });
+
+    if (existingUser) {
+      return res.status(400).json({ error: 'User with this email already exists' });
+    }
+
+    // Hash password
+    const passwordHash = await bcrypt.hash(password, 10);
+
+    // Create user
+    const user = await prisma.user.create({
+      data: {
+        email,
+        displayName: displayName || null,
+        passwordHash,
+        role: role || 'USER',
+        isActive: isActive !== undefined ? isActive : true,
+        authProvider: 'local',
+      },
+      select: {
+        id: true,
+        email: true,
+        displayName: true,
+        role: true,
+        isActive: true,
+        authProvider: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+
+    res.status(201).json({ message: 'User created successfully', user });
+  } catch (error: any) {
+    res.status(500).json({ error: 'Failed to create user', message: error.message });
+  }
+});
+
+/**
+ * PATCH /api/users/:id
+ * Update user (admin only)
+ */
+router.patch('/:id', async (req: Request, res: Response) => {
+  try {
+    const { id } = req.params;
+    const { email, displayName, role, isActive, password } = req.body;
+
+    const updateData: any = {};
+
+    if (email !== undefined) updateData.email = email;
+    if (displayName !== undefined) updateData.displayName = displayName;
+    if (role !== undefined) updateData.role = role;
+    if (isActive !== undefined) updateData.isActive = isActive;
+
+    // Hash new password if provided
+    if (password) {
+      updateData.passwordHash = await bcrypt.hash(password, 10);
+    }
+
+    const user = await prisma.user.update({
+      where: { id },
+      data: updateData,
+      select: {
+        id: true,
+        email: true,
+        displayName: true,
+        role: true,
+        isActive: true,
+        authProvider: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+
+    res.json({ message: 'User updated successfully', user });
+  } catch (error: any) {
+    if (error.code === 'P2025') {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    res.status(500).json({ error: 'Failed to update user', message: error.message });
+  }
+});
+
+/**
+ * DELETE /api/users/:id
+ * Delete user (admin only)
+ */
+router.delete('/:id', async (req: Request, res: Response) => {
+  try {
+    const { id } = req.params;
+
+    // Prevent admin from deleting themselves
+    if (req.user?.id === id) {
+      return res.status(400).json({ error: 'Cannot delete your own account' });
+    }
+
+    await prisma.user.delete({
+      where: { id },
+    });
+
+    res.json({ message: 'User deleted successfully' });
+  } catch (error: any) {
+    if (error.code === 'P2025') {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    res.status(500).json({ error: 'Failed to delete user', message: error.message });
+  }
+});
+
+export default router;
+