Add settings page with profile, notifications, and admin sections

- Add sidebar navigation to settings page - Add profile section for name management and password change - Add admin section for user management and registration toggle - Add profile API endpoints (GET/PUT /profile, PUT /profile/password) - Add admin API endpoints (users CRUD, system settings) - Add system_settings table for registration control - Add name and is_admin columns to users table - First registered user automatically becomes admin - Check registration status on register/login page Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-10 16:22:39 +02:00 · 2026-01-21 07:58:11 -05:00 · 2026-01-21 07:58:11 -05:00 · f46c6ad9d4
commit f46c6ad9d4
parent 0c8ce22cc1
8 changed files with 1129 additions and 133 deletions
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -6,6 +6,8 @@ import authRoutes from './routes/auth';
 import productRoutes from './routes/products';
 import priceRoutes from './routes/prices';
 import settingsRoutes from './routes/settings';
+import profileRoutes from './routes/profile';
+import adminRoutes from './routes/admin';
 import { startScheduler } from './services/scheduler';

 // Load environment variables
@ -28,6 +30,8 @@ app.use('/api/auth', authRoutes);
 app.use('/api/products', productRoutes);
 app.use('/api/products', priceRoutes);
 app.use('/api/settings', settingsRoutes);
+app.use('/api/profile', profileRoutes);
+app.use('/api/admin', adminRoutes);

 // Error handling middleware
 app.use(
--- a/backend/src/models/index.ts
+++ b/backend/src/models/index.ts
@ -5,12 +5,22 @@ export interface User {
  id: number;
  email: string;
  password_hash: string;
+  name: string | null;
+  is_admin: boolean;
  telegram_bot_token: string | null;
  telegram_chat_id: string | null;
  discord_webhook_url: string | null;
  created_at: Date;
 }

+export interface UserProfile {
+  id: number;
+  email: string;
+  name: string | null;
+  is_admin: boolean;
+  created_at: Date;
+}
+
 export interface NotificationSettings {
  telegram_bot_token: string | null;
  telegram_chat_id: string | null;
@ -81,6 +91,99 @@ export const userQueries = {
    );
    return result.rows[0] || null;
  },
+
+  getProfile: async (id: number): Promise<UserProfile | null> => {
+    const result = await pool.query(
+      'SELECT id, email, name, is_admin, created_at FROM users WHERE id = $1',
+      [id]
+    );
+    return result.rows[0] || null;
+  },
+
+  updateProfile: async (
+    id: number,
+    updates: { name?: string }
+  ): Promise<UserProfile | null> => {
+    const fields: string[] = [];
+    const values: (string | number)[] = [];
+    let paramIndex = 1;
+
+    if (updates.name !== undefined) {
+      fields.push(`name = $${paramIndex++}`);
+      values.push(updates.name);
+    }
+
+    if (fields.length === 0) return null;
+
+    values.push(id);
+    const result = await pool.query(
+      `UPDATE users SET ${fields.join(', ')} WHERE id = $${paramIndex}
+       RETURNING id, email, name, is_admin, created_at`,
+      values
+    );
+    return result.rows[0] || null;
+  },
+
+  updatePassword: async (id: number, passwordHash: string): Promise<boolean> => {
+    const result = await pool.query(
+      'UPDATE users SET password_hash = $1 WHERE id = $2',
+      [passwordHash, id]
+    );
+    return (result.rowCount ?? 0) > 0;
+  },
+
+  // Admin queries
+  findAll: async (): Promise<UserProfile[]> => {
+    const result = await pool.query(
+      'SELECT id, email, name, is_admin, created_at FROM users ORDER BY created_at ASC'
+    );
+    return result.rows;
+  },
+
+  delete: async (id: number): Promise<boolean> => {
+    const result = await pool.query(
+      'DELETE FROM users WHERE id = $1',
+      [id]
+    );
+    return (result.rowCount ?? 0) > 0;
+  },
+
+  setAdmin: async (id: number, isAdmin: boolean): Promise<boolean> => {
+    const result = await pool.query(
+      'UPDATE users SET is_admin = $1 WHERE id = $2',
+      [isAdmin, id]
+    );
+    return (result.rowCount ?? 0) > 0;
+  },
+};
+
+// System settings queries
+export const systemSettingsQueries = {
+  get: async (key: string): Promise<string | null> => {
+    const result = await pool.query(
+      'SELECT value FROM system_settings WHERE key = $1',
+      [key]
+    );
+    return result.rows[0]?.value || null;
+  },
+
+  set: async (key: string, value: string): Promise<void> => {
+    await pool.query(
+      `INSERT INTO system_settings (key, value, updated_at)
+       VALUES ($1, $2, CURRENT_TIMESTAMP)
+       ON CONFLICT (key) DO UPDATE SET value = $2, updated_at = CURRENT_TIMESTAMP`,
+      [key, value]
+    );
+  },
+
+  getAll: async (): Promise<Record<string, string>> => {
+    const result = await pool.query('SELECT key, value FROM system_settings');
+    const settings: Record<string, string> = {};
+    for (const row of result.rows) {
+      settings[row.key] = row.value;
+    }
+    return settings;
+  },
 };

 // Product types and queries
--- a/backend/src/routes/admin.ts
+++ b/backend/src/routes/admin.ts
@ -0,0 +1,132 @@
+import { Router, Response, NextFunction } from 'express';
+import { AuthRequest, authMiddleware } from '../middleware/auth';
+import { userQueries, systemSettingsQueries } from '../models';
+
+const router = Router();
+
+// All routes require authentication
+router.use(authMiddleware);
+
+// Admin middleware - checks if user is admin
+const adminMiddleware = async (req: AuthRequest, res: Response, next: NextFunction) => {
+  try {
+    const userId = req.userId!;
+    const user = await userQueries.findById(userId);
+
+    if (!user || !user.is_admin) {
+      res.status(403).json({ error: 'Admin access required' });
+      return;
+    }
+
+    next();
+  } catch (error) {
+    console.error('Admin middleware error:', error);
+    res.status(500).json({ error: 'Failed to verify admin status' });
+  }
+};
+
+router.use(adminMiddleware);
+
+// Get all users
+router.get('/users', async (_req: AuthRequest, res: Response) => {
+  try {
+    const users = await userQueries.findAll();
+    res.json(users);
+  } catch (error) {
+    console.error('Error fetching users:', error);
+    res.status(500).json({ error: 'Failed to fetch users' });
+  }
+});
+
+// Delete a user
+router.delete('/users/:id', async (req: AuthRequest, res: Response) => {
+  try {
+    const userId = req.userId!;
+    const targetId = parseInt(req.params.id, 10);
+
+    if (isNaN(targetId)) {
+      res.status(400).json({ error: 'Invalid user ID' });
+      return;
+    }
+
+    // Prevent deleting yourself
+    if (targetId === userId) {
+      res.status(400).json({ error: 'Cannot delete your own account' });
+      return;
+    }
+
+    const deleted = await userQueries.delete(targetId);
+
+    if (!deleted) {
+      res.status(404).json({ error: 'User not found' });
+      return;
+    }
+
+    res.json({ message: 'User deleted successfully' });
+  } catch (error) {
+    console.error('Error deleting user:', error);
+    res.status(500).json({ error: 'Failed to delete user' });
+  }
+});
+
+// Toggle admin status for a user
+router.put('/users/:id/admin', async (req: AuthRequest, res: Response) => {
+  try {
+    const userId = req.userId!;
+    const targetId = parseInt(req.params.id, 10);
+    const { is_admin } = req.body;
+
+    if (isNaN(targetId)) {
+      res.status(400).json({ error: 'Invalid user ID' });
+      return;
+    }
+
+    // Prevent removing your own admin status
+    if (targetId === userId && !is_admin) {
+      res.status(400).json({ error: 'Cannot remove your own admin status' });
+      return;
+    }
+
+    const updated = await userQueries.setAdmin(targetId, is_admin);
+
+    if (!updated) {
+      res.status(404).json({ error: 'User not found' });
+      return;
+    }
+
+    res.json({ message: `Admin status ${is_admin ? 'granted' : 'revoked'} successfully` });
+  } catch (error) {
+    console.error('Error updating admin status:', error);
+    res.status(500).json({ error: 'Failed to update admin status' });
+  }
+});
+
+// Get system settings
+router.get('/settings', async (_req: AuthRequest, res: Response) => {
+  try {
+    const settings = await systemSettingsQueries.getAll();
+    res.json(settings);
+  } catch (error) {
+    console.error('Error fetching system settings:', error);
+    res.status(500).json({ error: 'Failed to fetch system settings' });
+  }
+});
+
+// Update system settings
+router.put('/settings', async (req: AuthRequest, res: Response) => {
+  try {
+    const { registration_enabled } = req.body;
+
+    if (registration_enabled !== undefined) {
+      await systemSettingsQueries.set('registration_enabled', String(registration_enabled));
+    }
+
+    const settings = await systemSettingsQueries.getAll();
+    res.json(settings);
+  } catch (error) {
+    console.error('Error updating system settings:', error);
+    res.status(500).json({ error: 'Failed to update system settings' });
+  }
+});
+
+export default router;
--- a/backend/src/routes/auth.ts
+++ b/backend/src/routes/auth.ts
@ -1,15 +1,33 @@
 import { Router, Request, Response } from 'express';
 import bcrypt from 'bcrypt';
-import { userQueries } from '../models';
+import { userQueries, systemSettingsQueries } from '../models';
 import { generateToken } from '../middleware/auth';

 const router = Router();

+// Check if registration is enabled (public endpoint for login page)
+router.get('/registration-status', async (_req: Request, res: Response) => {
+  try {
+    const enabled = await systemSettingsQueries.get('registration_enabled');
+    res.json({ registration_enabled: enabled !== 'false' });
+  } catch (error) {
+    console.error('Error checking registration status:', error);
+    res.json({ registration_enabled: true }); // Default to true on error
+  }
+});
+
 // Register new user
 router.post('/register', async (req: Request, res: Response) => {
  try {
    const { email, password } = req.body;

+    // Check if registration is enabled
+    const registrationEnabled = await systemSettingsQueries.get('registration_enabled');
+    if (registrationEnabled === 'false') {
+      res.status(403).json({ error: 'Registration is currently disabled' });
+      return;
+    }
+
    if (!email || !password) {
      res.status(400).json({ error: 'Email and password are required' });
      return;
@ -36,6 +54,13 @@ router.post('/register', async (req: Request, res: Response) => {
    const passwordHash = await bcrypt.hash(password, saltRounds);

    const user = await userQueries.create(email, passwordHash);
+
+    // Make first user an admin
+    const allUsers = await userQueries.findAll();
+    if (allUsers.length === 1) {
+      await userQueries.setAdmin(user.id, true);
+    }
+
    const token = generateToken(user.id);

    res.status(201).json({
--- a/backend/src/routes/profile.ts
+++ b/backend/src/routes/profile.ts
@ -0,0 +1,89 @@
+import { Router, Response } from 'express';
+import bcrypt from 'bcrypt';
+import { AuthRequest, authMiddleware } from '../middleware/auth';
+import { userQueries } from '../models';
+
+const router = Router();
+
+// All routes require authentication
+router.use(authMiddleware);
+
+// Get current user profile
+router.get('/', async (req: AuthRequest, res: Response) => {
+  try {
+    const userId = req.userId!;
+    const profile = await userQueries.getProfile(userId);
+
+    if (!profile) {
+      res.status(404).json({ error: 'User not found' });
+      return;
+    }
+
+    res.json(profile);
+  } catch (error) {
+    console.error('Error fetching profile:', error);
+    res.status(500).json({ error: 'Failed to fetch profile' });
+  }
+});
+
+// Update profile (name)
+router.put('/', async (req: AuthRequest, res: Response) => {
+  try {
+    const userId = req.userId!;
+    const { name } = req.body;
+
+    const profile = await userQueries.updateProfile(userId, { name });
+
+    if (!profile) {
+      res.status(400).json({ error: 'No changes to save' });
+      return;
+    }
+
+    res.json(profile);
+  } catch (error) {
+    console.error('Error updating profile:', error);
+    res.status(500).json({ error: 'Failed to update profile' });
+  }
+});
+
+// Change password
+router.put('/password', async (req: AuthRequest, res: Response) => {
+  try {
+    const userId = req.userId!;
+    const { current_password, new_password } = req.body;
+
+    if (!current_password || !new_password) {
+      res.status(400).json({ error: 'Current password and new password are required' });
+      return;
+    }
+
+    if (new_password.length < 6) {
+      res.status(400).json({ error: 'New password must be at least 6 characters' });
+      return;
+    }
+
+    // Verify current password
+    const user = await userQueries.findById(userId);
+    if (!user) {
+      res.status(404).json({ error: 'User not found' });
+      return;
+    }
+
+    const isValidPassword = await bcrypt.compare(current_password, user.password_hash);
+    if (!isValidPassword) {
+      res.status(401).json({ error: 'Current password is incorrect' });
+      return;
+    }
+
+    // Hash new password and update
+    const newPasswordHash = await bcrypt.hash(new_password, 10);
+    await userQueries.updatePassword(userId, newPasswordHash);
+
+    res.json({ message: 'Password updated successfully' });
+  } catch (error) {
+    console.error('Error changing password:', error);
+    res.status(500).json({ error: 'Failed to change password' });
+  }
+});
+
+export default router;