a414f03a59
- Configure tailscale serve automatically for each instance on Windows userspace networking. - Add local UI buttons: start/stop/reset/delete instances (stop/start preserve volumes). - Clean shutdown: stop tailscaled and instances, notify server with instance_stopped. - Restart tailscaled on agent boot using persisted state when pre-auth key is absent. - Sync instance stopped/deleted status to dashboard (server/lib/websocket.ts). - Security: include prior authz/scoping changes across API routes, ephemeral pre-auth keys, ACL policy, internal API key. - Update SUIVI_VPN_ONDEMAND.md and docs/ONBOARDING_CLIENT.md. - Bump agent version to 0.3.5.
86 lines
2.7 KiB
TypeScript
86 lines
2.7 KiB
TypeScript
import { NextRequest, NextResponse } from "next/server";
|
|
import { prisma } from "@/lib/prisma";
|
|
import { hashPassword } from "@/lib/auth";
|
|
import { requireAuth, requireRole, forbidden } from "@/lib/api-auth";
|
|
|
|
export async function GET(req: NextRequest) {
|
|
const user = await requireAuth();
|
|
if (user instanceof NextResponse) return user;
|
|
|
|
const { searchParams } = new URL(req.url);
|
|
const establishmentId = searchParams.get("establishmentId");
|
|
const role = searchParams.get("role");
|
|
|
|
if (user.role !== "superadmin") {
|
|
if (establishmentId && establishmentId !== user.establishmentId) {
|
|
return forbidden();
|
|
}
|
|
}
|
|
|
|
const where: any = {};
|
|
if (establishmentId) where.establishmentId = establishmentId;
|
|
else if (user.role !== "superadmin") where.establishmentId = user.establishmentId;
|
|
if (role) where.role = role;
|
|
|
|
const users = await prisma.user.findMany({
|
|
where,
|
|
orderBy: { createdAt: "desc" },
|
|
});
|
|
return NextResponse.json(users);
|
|
}
|
|
|
|
export async function POST(req: NextRequest) {
|
|
const user = await requireAuth();
|
|
if (user instanceof NextResponse) return user;
|
|
|
|
const denied = requireRole(user, "superadmin", "admin");
|
|
if (denied) return denied;
|
|
|
|
const body = await req.json();
|
|
const { email, password, role, establishmentId } = body;
|
|
|
|
if (!email || !password || !role) {
|
|
return NextResponse.json({ error: "Missing email, password or role" }, { status: 400 });
|
|
}
|
|
|
|
if (user.role === "admin") {
|
|
if (role === "superadmin") return forbidden();
|
|
if (establishmentId && establishmentId !== user.establishmentId) return forbidden();
|
|
}
|
|
|
|
const finalEstablishmentId = user.role === "superadmin" ? establishmentId : user.establishmentId;
|
|
|
|
const newUser = await prisma.user.create({
|
|
data: {
|
|
email,
|
|
password: await hashPassword(password),
|
|
role,
|
|
establishmentId: finalEstablishmentId,
|
|
},
|
|
});
|
|
return NextResponse.json(newUser, { status: 201 });
|
|
}
|
|
|
|
export async function DELETE(req: NextRequest) {
|
|
const user = await requireAuth();
|
|
if (user instanceof NextResponse) return user;
|
|
|
|
const denied = requireRole(user, "superadmin", "admin");
|
|
if (denied) return denied;
|
|
|
|
const { searchParams } = new URL(req.url);
|
|
const id = searchParams.get("id");
|
|
if (!id) return NextResponse.json({ error: "Missing id" }, { status: 400 });
|
|
|
|
const target = await prisma.user.findUnique({ where: { id } });
|
|
if (!target) return NextResponse.json({ error: "Not found" }, { status: 404 });
|
|
|
|
if (user.role === "admin") {
|
|
if (target.role === "superadmin") return forbidden();
|
|
if (target.establishmentId !== user.establishmentId) return forbidden();
|
|
}
|
|
|
|
await prisma.user.delete({ where: { id } });
|
|
return NextResponse.json({ ok: true });
|
|
}
|