Add /user endpoints to API

lib/www/server/api/index.js

@@ -330,17 +330,17 @@ app.map({
 	},
 	'/rss/': {
 		get: [ mw.rss.get ]
-	}
+	},
 //
-// 	'/user': {
-// 		get: [ mw.user.get ],
-// 		post: [  mw.user.put ]
-// 	},
-// 	'/user/:user': {
-// 		get: [ mw.user.get ],
-// 		put: [  mw.user.put ],
-// // 		delete: [ mw.user.delete ]
-// 	},
+	'/user': {
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.user.list ],
+		post: [  mw.auth.access.edit, mw.etag.noSave, mw.user.post ],
+	},
+	'/user/:user_id': {
+		get: [ mw.user.get ],
+		put: [  mw.user.put ],
+		delete: [ mw.user.delete ]
+	},
 //
 });
 

lib/www/server/api/middleware/user/delete.js

@@ -0,0 +1,32 @@
+
+// const { user } = require('../../../lib/db');
+// const organisations = require('../../../lib/organisations');
+const ServerUser = require('../../../lib/db/user/User');
+
+module.exports = async function (req, res, next) {
+
+	try {
+		if (req.params.user_id == req.user?.id) {
+			throw {status: 403, message: "Cannot self-delete"};
+		} else {
+			const requestor = new ServerUser(req.user);
+			const target = await ServerUser.fromSQL(null, req.params.user_id);
+
+			if (requestor.canEdit(target)) {
+				if (await target.remove()) {
+					res.status(204).send();
+				} else {
+					// Delete did not return a successful response. We assume this
+					// is because the user did not exist in the first place so we
+					// still return a success response
+					res.status(202).send();
+				}
+			} else {
+				throw {status: 403, message: "Access denied"};
+			}
+		}
+	} catch (err) {
+		next(err);
+	}
+
+};

lib/www/server/api/middleware/user/get.js

@@ -0,0 +1,18 @@
+const ServerUser = require('../../../lib/db/user/User');
+
+module.exports = async function (req, res, next) {
+
+	try {
+		const user = new ServerUser(req.user);
+		const target = await ServerUser.fromSQL(null, req.params.user_id);
+
+		if (requestor.canSee(target)) {
+			res.status(200).send(target.toJSON());
+		} else {
+			throw {status: 403, message: "Access denied"};
+		}
+	} catch (err) {
+		next(err);
+	}
+
+};

lib/www/server/api/middleware/user/index.js

@@ -1,3 +1,10 @@
 
-exports.login = require('./login');
-exports.logout = require('./logout');
+module.exports = {
+	login: require('./login'),
+	logout: require('./logout'),
+	list: require('./list'),
+	get: require('./get'),
+	post: require('./post'),
+	put: require('./put'),
+	delete: require('./delete'),
+}

lib/www/server/api/middleware/user/list.js

@@ -0,0 +1,27 @@
+
+const ServerUser = require('../../../lib/db/user/User');
+const { pool } = require('../../../lib/db/connection');
+
+module.exports = async function (req, res, next) {
+
+	try {
+		const requestor = new ServerUser(req.user, pool);
+		console.log("REQUESTOR", requestor.toJSON());
+		if (requestor.name) {
+			const allUsers = await ServerUser.fromSQL(); // Get all users
+			const listableUsers = requestor.editablePeers(allUsers);
+			res.status(200).send(listableUsers.map(u => u.toJSON()));
+		}
+
+		// const userOrgs = organisations.extract(req.user?.organisations ?? {}, [ "write", "edit" ]);
+		// const users = await user.list(userOrgs.includes("*") ? null : userOrgs); // null: list all
+		// console.log("user", JSON.stringify(req.user, null, 4));
+		// console.log("userOrgs", userOrgs);
+		// console.log("users", users);
+		// res.status(200).send(users);
+		next();
+	} catch (err) {
+		next(err);
+	}
+
+};

lib/www/server/api/middleware/user/post.js

@@ -0,0 +1,27 @@
+
+const ServerUser = require('../../../lib/db/user/User');
+const { pool } = require('../../../lib/db/connection');
+
+module.exports = async function (req, res, next) {
+
+	try {
+		// const data = await user.create(req.body, req.user?.organisations);
+		// res.status(203).send(data);
+		const requestor = new ServerUser(req.user, pool);
+		if (requestor.name) {
+			const newUser = new ServerUser(req.body);
+			newUser.filter(requestor);
+			newUser.client = pool;
+			console.log("newUser", newUser.toJSON());
+			const asSaved = await newUser.save();
+			console.log("asSaved", asSaved);
+			if (asSaved instanceof ServerUser) {
+				res.status(200).send(asSaved.toJSON());
+			}
+		}
+		next();
+	} catch (err) {
+		next(err);
+	}
+
+};

lib/www/server/api/middleware/user/put.js

@@ -0,0 +1,38 @@
+
+const ServerUser = require('../../../lib/db/user/User');
+
+module.exports = async function (req, res, next) {
+
+	try {
+		// const data = await user.create(req.body, req.user?.organisations);
+		// res.status(203).send(data);
+		const requestor = new ServerUser(req.user);
+		if (requestor.name) {
+			const target = await ServerUser.fromSQL(null, req.params.user_id);
+			const changes = req.body;
+
+			if (requestor.id == target.id || requestor.canEdit(target)) {
+
+				if (requestor.id == target.id) {
+					// User cannot self-deactivate
+					newUser.active = requestor.active;
+				}
+
+				const edited = await requestor.edit(target).to(changes).save();
+
+				if (edited instanceof ServerUser) {
+					res.status(200).send(edited.toJSON());
+				} else {
+					console.log("Unexpected result", edited);
+					throw({status: 500, message: "Unexpected response when editing user"});
+				}
+			} else {
+				next({status: 403, message: "Access denied"});
+			}
+		}
+		next();
+	} catch (err) {
+		next(err);
+	}
+
+};