From af052fd81b399cafc578b009ebe2edf28669924d Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Wed, 11 Sep 2024 07:36:13 +0200
Subject: [PATCH] add admin panel

---
 src/app/layouts/Header.vue     |  2 +-
 src/app/pages/admin/index.vue  |  5 +++++
 src/app/stores/auth.ts         | 14 ++++----------
 src/app/utils/api.ts           |  3 +--
 src/server/api/session.get.ts  | 19 ++++++++++++++++---
 src/server/api/session.post.ts |  3 +--
 src/server/middleware/auth.ts  | 22 ++++++++++++++++++++--
 src/server/utils/session.ts    |  2 +-
 8 files changed, 49 insertions(+), 21 deletions(-)
 create mode 100644 src/app/pages/admin/index.vue

diff --git a/src/app/layouts/Header.vue b/src/app/layouts/Header.vue
index ccca6357..d1e5827b 100644
--- a/src/app/layouts/Header.vue
+++ b/src/app/layouts/Header.vue
@@ -52,7 +52,7 @@ />
diff --git a/src/app/pages/admin/index.vue b/src/app/pages/admin/index.vue
new file mode 100644
index 00000000..041fe622
--- /dev/null
+++ b/src/app/pages/admin/index.vue
@@ -0,0 +1,5 @@ + + +
diff --git a/src/app/stores/auth.ts b/src/app/stores/auth.ts
index 403cb542..e9bf3a31 100644
--- a/src/app/stores/auth.ts
+++ b/src/app/stores/auth.ts
@@ -1,6 +1,4 @@
 export const useAuthStore = defineStore('Auth', () => {
-  const requiresPassword = ref(true);
-
   /**
    * @throws if unsuccessful
    */
@@ -13,8 +11,7 @@ export const useAuthStore = defineStore('Auth', () => {
    * @throws if unsuccessful
    */
   async function login(username: string, password: string, remember: boolean) {
-    const response = await api.createSession({ username, password, remember });
-    requiresPassword.value = response.requiresPassword;
+    await api.createSession({ username, password, remember });
     return true as const;
   }
 
@@ -26,13 +23,10 @@ export const useAuthStore = defineStore('Auth', () => {
     return response.success;
   }
 
-  /**
-   * @throws if unsuccessful
-   */
   async function update() {
-    const session = await api.getSession();
-    requiresPassword.value = session.requiresPassword;
+    // store role etc
+    await api.getSession();
   }
 
-  return { requiresPassword, login, logout, update, signup };
+  return { login, logout, update, signup };
 });
diff --git a/src/app/utils/api.ts b/src/app/utils/api.ts
index fcfa99a1..feb21bc7 100644
--- a/src/app/utils/api.ts
+++ b/src/app/utils/api.ts
@@ -12,8 +12,7 @@ class API {
   }
 
   async getSession() {
-    // TODO?: use useFetch
-    return $fetch('/api/session', {
+    return useFetch('/api/session', {
       method: 'get',
     });
   }
diff --git a/src/server/api/session.get.ts b/src/server/api/session.get.ts
index 9aa91658..7a97cc73 100644
--- a/src/server/api/session.get.ts
+++ b/src/server/api/session.get.ts
@@ -1,9 +1,22 @@
 export default defineEventHandler(async (event) => {
   const session = await useWGSession(event);
-  const authenticated = session.data.authenticated;
+
+  if (!session.data.userId) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Not logged in',
+    });
+  }
+  const user = await Database.user.findById(session.data.userId);
+  if (!user) {
+    throw createError({
+      statusCode: 404,
+      statusMessage: 'Not found in Database',
+    });
+  }
   return {
-    requiresPassword: true,
-    authenticated,
+    role: user.role,
+    username: user.username,
   };
 });
 
diff --git a/src/server/api/session.post.ts b/src/server/api/session.post.ts
index ea9e1a36..a15c9675 100644
--- a/src/server/api/session.post.ts
+++ b/src/server/api/session.post.ts
@@ -34,12 +34,11 @@ export default defineEventHandler(async (event) => {
     };
   }
 
-  const session = await useSession(event, {
+  const session = await useSession(event, {
     ...system.sessionConfig,
   });
   const data = await session.update({
-    authenticated: true,
     userId: user.id,
   });
 
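Review bot: `update()` now awaits `api.getSession()` and discards the `role`/`username` the new GET handler returns, leaving only the placeholder `// store role etc`, so nothing in the store can tell a page whether the current user is an admin, and the `@throws` doc was dropped although the call can still reject (the handler now throws 401/404). Suggest keeping the result in state, e.g. `const user = ref<{ role: string; username: string } | null>(null);` assigned from the response and returned next to `login`, or at least restoring the `@throws if unsuccessful` comment until the role is actually stored. The enclosing `defineStore('Auth', ...)` callback starts outside this hunk.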
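Review bot: swapping `$fetch` for `useFetch` in `getSession()` changes the return contract: `useFetch` resolves to a composable result (`data`/`error` refs) rather than the response body and, as far as I recall, does not reject on a 4xx the way `$fetch` does, so the store's `update()` awaiting it will treat the new 401/404 responses as success; Nuxt also documents `useFetch` as a setup/plugin-context composable, not something to call from a store action that runs later on a click. If a plain request from the store is what is wanted, keep `return $fetch('/api/session', { method: 'get' });` and just drop the TODO; if SSR-aware fetching is the goal, call `useFetch` in the page or layout setup instead. `class API` continues outside this hunk.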
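Review bot: the new lookup in `session.get.ts` answers 404 'Not found in Database' when the session's `userId` no longer matches a user, while the session cookie itself stays valid, and a user whose `enabled` flag is false (the middleware hunk tests `user.enabled`) is still reported with its role — the disabled check is applied only on `/admin`. Both cases are "not logged in" from the client's point of view; suggest `if (!user || !user.enabled) { await session.clear(); throw createError({ statusCode: 401, statusMessage: 'Not logged in' }); }` so the stale session is dropped rather than left to bounce the client between `/login` and `/`. `session.clear()` assumes `useWGSession` hands back the h3 session object that `session.post.ts` obtains via `useSession`; confirm before relying on it.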
diff --git a/src/server/middleware/auth.ts b/src/server/middleware/auth.ts
index ce90ece2..fe37d19b 100644
--- a/src/server/middleware/auth.ts
+++ b/src/server/middleware/auth.ts
@@ -1,14 +1,32 @@
 export default defineEventHandler(async (event) => {
   const url = getRequestURL(event);
   const session = await useWGSession(event);
+
   if (url.pathname === '/login') {
-    if (session.data.authenticated) {
+    if (session.data.userId) {
       return sendRedirect(event, '/', 302);
     }
   }
+
   if (url.pathname === '/') {
-    if (!session.data.authenticated) {
+    if (!session.data.userId) {
       return sendRedirect(event, '/login', 302);
     }
   }
+
+  if (url.pathname === '/admin') {
+    if (!session.data.userId) {
+      return sendRedirect(event, '/login', 302);
+    }
+    const user = await Database.user.findById(session.data.userId);
+    if (!user) {
+      return sendRedirect(event, '/login', 302);
+    }
+    if (!user.enabled || user.role !== 'ADMIN') {
+      throw createError({
+        statusCode: 403,
+        statusMessage: 'Not allowed to access Admin Panel',
+      });
+    }
+  }
 });
diff --git a/src/server/utils/session.ts b/src/server/utils/session.ts
index bb7e4aa0..bb0ec9c8 100644
--- a/src/server/utils/session.ts
+++ b/src/server/utils/session.ts
@@ -1,7 +1,7 @@
 import type { H3Event } from 'h3';
 
 export type WGSession = {
-  authenticated: boolean;
+  userId: string;
 };
 
 export async function useWGSession(event: H3Event) {
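Review bot: the `/admin` branch matches `url.pathname === '/admin'` exactly, so `/admin/` or any future nested admin page (`/admin/users`) would be served without the `enabled`/role check, and when the lookup finds no user it redirects to `/login` while leaving the dangling `userId` in the session — `/login` then redirects that same session back to `/`, whose branch only checks `session.data.userId` and lets a deleted or disabled user through. Suggest matching the prefix and clearing the stale session in the admin branch as below; the `/` branch has the same `enabled` gap and could reuse the same lookup. This middleware guards page routes only, so any admin API handlers added later need the same server-side role check rather than relying on the page redirect. `session.clear()` assumes `useWGSession` returns the h3 session object (confirm against `src/server/utils/session.ts`).
```typescript
  // … unchanged: '/login' and '/' branches …

  // Cover nested admin routes and a trailing slash, not just the bare path.
  if (url.pathname === '/admin' || url.pathname.startsWith('/admin/')) {
    const user = session.data.userId
      ? await Database.user.findById(session.data.userId)
      : null;
    if (!user) {
      // A userId with no matching row is a stale session: drop it so the
      // client is not bounced /login -> / on the next request.
      // NOTE(review): assumes useWGSession returns the h3 session (clear()).
      await session.clear();
      return sendRedirect(event, '/login', 302);
    }
    if (!user.enabled || user.role !== 'ADMIN') {
      throw createError({
        statusCode: 403,
        statusMessage: 'Not allowed to access Admin Panel',
      });
    }
  }
});
```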
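Review bot: `userId: string` on `WGSession` declares a field that is absent on every session that has not logged in yet — both the middleware and `session.get.ts` test `!session.data.userId` for exactly that state, so the type overstates what the data guarantees and stops `strict` from flagging a caller that uses `userId` without the check. Suggest `userId?: string;` with a comment such as `// absent until session.post.ts sets it on successful login`. The body of `useWGSession` continues outside this hunk.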