initial commit

server/api/auth/config.get.js

@@ -0,0 +1,3 @@
+import { getAuthConfig } from '../../utils/authConfig.js'
+
+export default defineEventHandler(() => getAuthConfig())

server/api/auth/login.post.js

@@ -0,0 +1,34 @@
+import { setCookie } from 'h3'
+import { getDb } from '../../utils/db.js'
+import { verifyPassword } from '../../utils/password.js'
+import { getSessionMaxAgeDays } from '../../utils/session.js'
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  const identifier = body?.identifier?.trim()
+  const password = body?.password
+  if (!identifier || typeof password !== 'string') {
+    throw createError({ statusCode: 400, message: 'identifier and password required' })
+  }
+  const { get, run } = await getDb()
+  const user = await get('SELECT id, identifier, role, password_hash FROM users WHERE identifier = ?', [identifier])
+  if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {
+    throw createError({ statusCode: 401, message: 'Invalid credentials' })
+  }
+  const sessionDays = getSessionMaxAgeDays()
+  const sid = crypto.randomUUID()
+  const now = new Date()
+  const expires = new Date(now.getTime() + sessionDays * 24 * 60 * 60 * 1000)
+  await run(
+    'INSERT INTO sessions (id, user_id, created_at, expires_at) VALUES (?, ?, ?, ?)',
+    [sid, user.id, now.toISOString(), expires.toISOString()],
+  )
+  setCookie(event, 'session_id', sid, {
+    httpOnly: true,
+    sameSite: 'strict',
+    path: '/',
+    maxAge: sessionDays * 24 * 60 * 60,
+    secure: process.env.NODE_ENV === 'production',
+  })
+  return { user: { id: user.id, identifier: user.identifier, role: user.role } }
+})

server/api/auth/logout.post.js

@@ -0,0 +1,18 @@
+import { deleteCookie, getCookie } from 'h3'
+import { getDb } from '../../utils/db.js'
+
+export default defineEventHandler(async (event) => {
+  const sid = getCookie(event, 'session_id')
+  if (sid) {
+    try {
+      const { run } = await getDb()
+      await run('DELETE FROM sessions WHERE id = ?', [sid])
+    }
+    catch {
+      // ignore
+    }
+    deleteCookie(event, 'session_id', { path: '/' })
+  }
+  setResponseStatus(event, 204)
+  return null
+})

server/api/auth/oidc/authorize.get.js

@@ -0,0 +1,41 @@
+import { getAuthConfig } from '../../../utils/authConfig.js'
+import {
+  getOidcConfig,
+  getOidcRedirectUri,
+  createOidcParams,
+  getCodeChallenge,
+  buildAuthorizeUrl,
+} from '../../../utils/oidc.js'
+
+const SCOPES = process.env.OIDC_SCOPES || 'openid profile email'
+
+export default defineEventHandler(async (event) => {
+  const { oidc: { enabled } } = getAuthConfig()
+  if (!enabled) throw createError({ statusCode: 400, message: 'OIDC not enabled' })
+
+  const config = await getOidcConfig()
+  if (!config) throw createError({ statusCode: 500, message: 'OIDC not configured' })
+
+  const redirectUri = getOidcRedirectUri()
+  const { state, nonce, codeVerifier } = createOidcParams()
+  const codeChallenge = await getCodeChallenge(codeVerifier)
+
+  const params = {
+    redirect_uri: redirectUri,
+    scope: SCOPES,
+    state,
+    nonce,
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  }
+
+  const url = buildAuthorizeUrl(config, params)
+  setCookie(event, 'oidc_state', JSON.stringify({ state, nonce, codeVerifier }), {
+    httpOnly: true,
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 600,
+    secure: process.env.NODE_ENV === 'production',
+  })
+  return sendRedirect(event, url.href, 302)
+})

server/api/auth/oidc/callback.get.js

@@ -0,0 +1,96 @@
+import { getCookie, deleteCookie, setCookie, getRequestURL } from 'h3'
+import {
+  getOidcConfig,
+  constantTimeCompare,
+  validateRedirectPath,
+  exchangeCode,
+} from '../../../utils/oidc.js'
+import { getDb } from '../../../utils/db.js'
+import { getSessionMaxAgeDays } from '../../../utils/session.js'
+
+const DEFAULT_ROLE = process.env.OIDC_DEFAULT_ROLE || 'member'
+
+function getIdentifier(claims) {
+  return claims?.email ?? claims?.preferred_username ?? claims?.name ?? claims?.sub ?? 'oidc-user'
+}
+
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event)
+  const code = query?.code
+  const state = query?.state
+  if (!code || !state) throw createError({ statusCode: 400, message: 'Invalid request' })
+
+  const cookieRaw = getCookie(event, 'oidc_state')
+  if (!cookieRaw) throw createError({ statusCode: 400, message: 'Invalid request' })
+  let stored
+  try {
+    stored = JSON.parse(cookieRaw)
+  }
+  catch {
+    throw createError({ statusCode: 400, message: 'Invalid request' })
+  }
+  if (!stored?.state || !constantTimeCompare(state, stored.state)) {
+    throw createError({ statusCode: 400, message: 'Invalid request' })
+  }
+
+  const config = await getOidcConfig()
+  if (!config) throw createError({ statusCode: 500, message: 'OIDC not configured' })
+
+  const currentUrl = getRequestURL(event)
+  const checks = {
+    expectedState: state,
+    expectedNonce: stored.nonce,
+    pkceCodeVerifier: stored.codeVerifier,
+  }
+
+  let tokens
+  try {
+    tokens = await exchangeCode(config, currentUrl, checks)
+  }
+  catch {
+    deleteCookie(event, 'oidc_state', { path: '/' })
+    throw createError({ statusCode: 401, message: 'Authentication failed' })
+  }
+
+  deleteCookie(event, 'oidc_state', { path: '/' })
+
+  const claims = tokens.claims?.()
+  if (!claims?.sub) throw createError({ statusCode: 401, message: 'Authentication failed' })
+
+  const issuer = process.env.OIDC_ISSUER ?? ''
+  const { get, run } = await getDb()
+  let user = await get(
+    'SELECT id, identifier, role FROM users WHERE oidc_issuer = ? AND oidc_sub = ?',
+    [issuer, claims.sub],
+  )
+  if (!user) {
+    const id = crypto.randomUUID()
+    const now = new Date().toISOString()
+    const identifier = getIdentifier(claims)
+    await run(
+      'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
+      [id, identifier, null, DEFAULT_ROLE, now, 'oidc', issuer, claims.sub],
+    )
+    user = await get('SELECT id, identifier, role FROM users WHERE id = ?', [id])
+  }
+
+  const sessionDays = getSessionMaxAgeDays()
+  const sid = crypto.randomUUID()
+  const now = new Date()
+  const expires = new Date(now.getTime() + sessionDays * 24 * 60 * 60 * 1000)
+  await run(
+    'INSERT INTO sessions (id, user_id, created_at, expires_at) VALUES (?, ?, ?, ?)',
+    [sid, user.id, now.toISOString(), expires.toISOString()],
+  )
+  setCookie(event, 'session_id', sid, {
+    httpOnly: true,
+    sameSite: 'strict',
+    path: '/',
+    maxAge: sessionDays * 24 * 60 * 60,
+    secure: process.env.NODE_ENV === 'production',
+  })
+
+  const redirectParam = query?.redirect
+  const path = validateRedirectPath(redirectParam)
+  return sendRedirect(event, path.startsWith('http') ? path : new URL(path, getRequestURL(event).origin).href, 302)
+})

server/api/cameras.get.js

@@ -0,0 +1,12 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+import { getActiveSessions } from '../utils/liveSessions.js'
+import { rowToDevice, sanitizeDeviceForResponse } from '../utils/deviceUtils.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event)
+  const [db, sessions] = await Promise.all([getDb(), getActiveSessions()])
+  const rows = await db.all('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices ORDER BY id')
+  const devices = rows.map(r => rowToDevice(r)).filter(Boolean).map(sanitizeDeviceForResponse)
+  return { devices, liveSessions: sessions }
+})

server/api/devices.get.js

@@ -0,0 +1,13 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+import { rowToDevice, sanitizeDeviceForResponse } from '../utils/deviceUtils.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event)
+  const { all } = await getDb()
+  const rows = await all(
+    'SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices ORDER BY id',
+  )
+  const devices = rows.map(r => rowToDevice(r)).filter(Boolean)
+  return devices.map(sanitizeDeviceForResponse)
+})

server/api/devices.post.js

@@ -0,0 +1,19 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+import { validateDeviceBody, rowToDevice, sanitizeDeviceForResponse } from '../utils/deviceUtils.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'adminOrLeader' })
+  const body = await readBody(event).catch(() => ({}))
+  const { name, device_type, vendor, lat, lng, stream_url, source_type, config } = validateDeviceBody(body)
+  const id = crypto.randomUUID()
+  const { run, get } = await getDb()
+  await run(
+    'INSERT INTO devices (id, name, device_type, vendor, lat, lng, stream_url, source_type, config) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+    [id, name, device_type, vendor, lat, lng, stream_url, source_type, config],
+  )
+  const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
+  const device = rowToDevice(row)
+  if (!device) throw createError({ statusCode: 500, message: 'Device not found after insert' })
+  return sanitizeDeviceForResponse(device)
+})

server/api/devices/[id].delete.js

@@ -0,0 +1,12 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'adminOrLeader' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+  const { run } = await getDb()
+  await run('DELETE FROM devices WHERE id = ?', [id])
+  setResponseStatus(event, 204)
+  return null
+})

server/api/devices/[id].get.js

@@ -0,0 +1,15 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { rowToDevice, sanitizeDeviceForResponse } from '../../utils/deviceUtils.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event)
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+  const { get } = await getDb()
+  const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
+  if (!row) throw createError({ statusCode: 404, message: 'Device not found' })
+  const device = rowToDevice(row)
+  if (!device) throw createError({ statusCode: 500, message: 'Invalid device row' })
+  return sanitizeDeviceForResponse(device)
+})

server/api/devices/[id].patch.js

@@ -0,0 +1,57 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { rowToDevice, sanitizeDeviceForResponse, DEVICE_TYPES, SOURCE_TYPES } from '../../utils/deviceUtils.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'adminOrLeader' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+  const body = (await readBody(event).catch(() => ({}))) || {}
+  const updates = []
+  const params = []
+  if (typeof body.name === 'string') {
+    updates.push('name = ?')
+    params.push(body.name.trim())
+  }
+  if (DEVICE_TYPES.includes(body.device_type)) {
+    updates.push('device_type = ?')
+    params.push(body.device_type)
+  }
+  if (body.vendor !== undefined) {
+    updates.push('vendor = ?')
+    params.push(typeof body.vendor === 'string' && body.vendor.trim() ? body.vendor.trim() : null)
+  }
+  if (Number.isFinite(body.lat)) {
+    updates.push('lat = ?')
+    params.push(body.lat)
+  }
+  if (Number.isFinite(body.lng)) {
+    updates.push('lng = ?')
+    params.push(body.lng)
+  }
+  if (typeof body.stream_url === 'string') {
+    updates.push('stream_url = ?')
+    params.push(body.stream_url.trim())
+  }
+  if (SOURCE_TYPES.includes(body.source_type)) {
+    updates.push('source_type = ?')
+    params.push(body.source_type)
+  }
+  if (body.config !== undefined) {
+    updates.push('config = ?')
+    params.push(typeof body.config === 'string' ? body.config : (body.config != null ? JSON.stringify(body.config) : null))
+  }
+  const { run, get } = await getDb()
+  if (updates.length === 0) {
+    const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
+    if (!row) throw createError({ statusCode: 404, message: 'Device not found' })
+    const device = rowToDevice(row)
+    return device ? sanitizeDeviceForResponse(device) : row
+  }
+  params.push(id)
+  await run(`UPDATE devices SET ${updates.join(', ')} WHERE id = ?`, params)
+  const row = await get('SELECT id, name, device_type, vendor, lat, lng, stream_url, source_type, config FROM devices WHERE id = ?', [id])
+  if (!row) throw createError({ statusCode: 404, message: 'Device not found' })
+  const device = rowToDevice(row)
+  return device ? sanitizeDeviceForResponse(device) : row
+})

server/api/live.get.js

@@ -0,0 +1,7 @@
+import { getActiveSessions } from '../utils/liveSessions.js'
+
+export default defineEventHandler(async (event) => {
+  if (!event.context.user) return []
+  const sessions = await getActiveSessions()
+  return sessions
+})

server/api/live/[id].delete.js

@@ -0,0 +1,35 @@
+import { requireAuth } from '../../utils/authHelpers.js'
+import { getLiveSession, deleteLiveSession } from '../../utils/liveSessions.js'
+import { closeRouter, getProducer, getTransport } from '../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event)
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+
+  const session = getLiveSession(id)
+  if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
+  if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
+
+  // Clean up producer if it exists
+  if (session.producerId) {
+    const producer = getProducer(session.producerId)
+    if (producer) {
+      producer.close()
+    }
+  }
+
+  // Clean up transport if it exists
+  if (session.transportId) {
+    const transport = getTransport(session.transportId)
+    if (transport) {
+      transport.close()
+    }
+  }
+
+  // Clean up router
+  await closeRouter(id)
+
+  deleteLiveSession(id)
+  return { ok: true }
+})

server/api/live/[id].patch.js

@@ -0,0 +1,31 @@
+import { requireAuth } from '../../utils/authHelpers.js'
+import { getLiveSession, updateLiveSession } from '../../utils/liveSessions.js'
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event)
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+
+  const session = getLiveSession(id)
+  if (!session) throw createError({ statusCode: 404, message: 'Live session not found' })
+  if (session.userId !== user.id) throw createError({ statusCode: 403, message: 'Forbidden' })
+
+  const body = await readBody(event).catch(() => ({}))
+  const lat = Number(body?.lat)
+  const lng = Number(body?.lng)
+  const updates = {}
+  if (Number.isFinite(lat)) updates.lat = lat
+  if (Number.isFinite(lng)) updates.lng = lng
+  if (Object.keys(updates).length) {
+    updateLiveSession(id, updates)
+  }
+
+  const updated = getLiveSession(id)
+  return {
+    id: updated.id,
+    label: updated.label,
+    lat: updated.lat,
+    lng: updated.lng,
+    updatedAt: updated.updatedAt,
+  }
+})

server/api/live/debug-request-host.get.js

@@ -0,0 +1,15 @@
+import { getRequestHost, getRequestURL } from 'h3'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+/**
+ * Diagnostic: returns the host the server sees for this request.
+ * Use from the phone or laptop to verify the server receives the expected hostname (e.g. LAN IP).
+ * Auth required.
+ */
+export default defineEventHandler((event) => {
+  requireAuth(event)
+  return {
+    host: getRequestHost(event),
+    hostname: getRequestURL(event).hostname,
+  }
+})

server/api/live/start.post.js

@@ -0,0 +1,40 @@
+import { requireAuth } from '../../utils/authHelpers.js'
+import {
+  createSession,
+  getActiveSessionByUserId,
+  deleteLiveSession,
+} from '../../utils/liveSessions.js'
+import { closeRouter, getProducer, getTransport } from '../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event, { role: 'adminOrLeader' })
+  const body = await readBody(event).catch(() => ({}))
+  const label = typeof body?.label === 'string' ? body.label.trim() : ''
+
+  // Replace any existing live session for this user (one session per user)
+  const existing = getActiveSessionByUserId(user.id)
+  if (existing) {
+    if (existing.producerId) {
+      const producer = getProducer(existing.producerId)
+      if (producer) producer.close()
+    }
+    if (existing.transportId) {
+      const transport = getTransport(existing.transportId)
+      if (transport) transport.close()
+    }
+    if (existing.routerId) {
+      await closeRouter(existing.id).catch((err) => {
+        console.error('[live.start] Error closing previous router:', err)
+      })
+    }
+    deleteLiveSession(existing.id)
+    console.log('[live.start] Replaced previous session:', existing.id)
+  }
+
+  const session = createSession(user.id, label || `Live: ${user.identifier || 'User'}`)
+  console.log('[live.start] Session created:', { id: session.id, userId: user.id, label: session.label })
+  return {
+    id: session.id,
+    label: session.label,
+  }
+})

server/api/live/webrtc/connect-transport.post.js

@@ -0,0 +1,34 @@
+import { requireAuth } from '../../../utils/authHelpers.js'
+import { getLiveSession } from '../../../utils/liveSessions.js'
+import { getTransport } from '../../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event) // Verify authentication
+  const body = await readBody(event).catch(() => ({}))
+  const { sessionId, transportId, dtlsParameters } = body
+
+  if (!sessionId || !transportId || !dtlsParameters) {
+    throw createError({ statusCode: 400, message: 'sessionId, transportId, and dtlsParameters required' })
+  }
+
+  const session = getLiveSession(sessionId)
+  if (!session) {
+    throw createError({ statusCode: 404, message: 'Session not found' })
+  }
+  // Note: Both publisher and viewers can connect their own transports
+  // The transportId ensures they can only connect transports they created
+
+  const transport = getTransport(transportId)
+  if (!transport) {
+    throw createError({ statusCode: 404, message: 'Transport not found' })
+  }
+
+  try {
+    await transport.connect({ dtlsParameters })
+    return { connected: true }
+  }
+  catch (err) {
+    console.error('[connect-transport] Transport connect failed:', transportId, err.message || err)
+    throw createError({ statusCode: 500, message: err.message || 'Transport connect failed' })
+  }
+})

server/api/live/webrtc/create-consumer.post.js

@@ -0,0 +1,55 @@
+import { requireAuth } from '../../../utils/authHelpers.js'
+import { getLiveSession } from '../../../utils/liveSessions.js'
+import { getRouter, getTransport, getProducer, createConsumer } from '../../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event) // Verify authentication
+  const body = await readBody(event).catch(() => ({}))
+  const { sessionId, transportId, rtpCapabilities } = body
+
+  if (!sessionId || !transportId || !rtpCapabilities) {
+    throw createError({ statusCode: 400, message: 'sessionId, transportId, and rtpCapabilities required' })
+  }
+
+  const session = getLiveSession(sessionId)
+  if (!session) {
+    throw createError({ statusCode: 404, message: `Session not found: ${sessionId}` })
+  }
+  if (!session.producerId) {
+    throw createError({ statusCode: 404, message: 'No producer available for this session' })
+  }
+
+  const transport = getTransport(transportId)
+  if (!transport) {
+    throw createError({ statusCode: 404, message: `Transport not found: ${transportId}` })
+  }
+
+  const producer = getProducer(session.producerId)
+  if (!producer) {
+    console.error('[create-consumer] Producer not found:', session.producerId)
+    throw createError({ statusCode: 404, message: `Producer not found: ${session.producerId}` })
+  }
+
+  if (producer.paused) {
+    await producer.resume()
+  }
+
+  if (producer.closed) {
+    throw createError({ statusCode: 404, message: 'Producer is closed' })
+  }
+
+  const router = await getRouter(sessionId)
+  const canConsume = router.canConsume({ producerId: producer.id, rtpCapabilities })
+  if (!canConsume) {
+    throw createError({ statusCode: 400, message: 'Cannot consume this producer' })
+  }
+
+  try {
+    const { params } = await createConsumer(transport, producer, rtpCapabilities)
+    return params
+  }
+  catch (err) {
+    console.error('[create-consumer] Error creating consumer:', err)
+    throw createError({ statusCode: 500, message: `Failed to create consumer: ${err.message || String(err)}` })
+  }
+})

server/api/live/webrtc/create-producer.post.js

@@ -0,0 +1,43 @@
+import { requireAuth } from '../../../utils/authHelpers.js'
+import { getLiveSession, updateLiveSession } from '../../../utils/liveSessions.js'
+import { getTransport, producers } from '../../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event)
+  const body = await readBody(event).catch(() => ({}))
+  const { sessionId, transportId, kind, rtpParameters } = body
+
+  if (!sessionId || !transportId || !kind || !rtpParameters) {
+    throw createError({ statusCode: 400, message: 'sessionId, transportId, kind, and rtpParameters required' })
+  }
+
+  const session = getLiveSession(sessionId)
+  if (!session) {
+    throw createError({ statusCode: 404, message: 'Session not found' })
+  }
+  if (session.userId !== user.id) {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+
+  const transport = getTransport(transportId)
+  if (!transport) {
+    throw createError({ statusCode: 404, message: 'Transport not found' })
+  }
+
+  const producer = await transport.produce({ kind, rtpParameters })
+  producers.set(producer.id, producer)
+  producer.on('close', () => {
+    producers.delete(producer.id)
+    const s = getLiveSession(sessionId)
+    if (s && s.producerId === producer.id) {
+      updateLiveSession(sessionId, { producerId: null })
+    }
+  })
+
+  updateLiveSession(sessionId, { producerId: producer.id })
+
+  return {
+    id: producer.id,
+    kind: producer.kind,
+  }
+})

server/api/live/webrtc/create-transport.post.js

@@ -0,0 +1,39 @@
+import { getRequestURL } from 'h3'
+import { requireAuth } from '../../../utils/authHelpers.js'
+import { getLiveSession, updateLiveSession } from '../../../utils/liveSessions.js'
+import { getRouter, createTransport } from '../../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event)
+  const body = await readBody(event).catch(() => ({}))
+  const { sessionId, isProducer } = body
+
+  if (!sessionId) {
+    throw createError({ statusCode: 400, message: 'sessionId required' })
+  }
+
+  const session = getLiveSession(sessionId)
+  if (!session) {
+    throw createError({ statusCode: 404, message: 'Session not found' })
+  }
+
+  // Only publisher (session owner) can create producer transport
+  // Viewers can create consumer transports
+  if (isProducer && session.userId !== user.id) {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+
+  const url = getRequestURL(event)
+  const requestHost = url.hostname
+  const router = await getRouter(sessionId)
+  const { transport, params } = await createTransport(router, Boolean(isProducer), requestHost)
+
+  if (isProducer) {
+    updateLiveSession(sessionId, {
+      transportId: transport.id,
+      routerId: router.id,
+    })
+  }
+
+  return params
+})

server/api/live/webrtc/router-rtp-capabilities.get.js

@@ -0,0 +1,20 @@
+import { requireAuth } from '../../../utils/authHelpers.js'
+import { getLiveSession } from '../../../utils/liveSessions.js'
+import { getRouter } from '../../../utils/mediasoup.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event)
+  const sessionId = getQuery(event).sessionId
+
+  if (!sessionId) {
+    throw createError({ statusCode: 400, message: 'sessionId required' })
+  }
+
+  const session = getLiveSession(sessionId)
+  if (!session) {
+    throw createError({ statusCode: 404, message: 'Session not found' })
+  }
+
+  const router = await getRouter(sessionId)
+  return router.rtpCapabilities
+})

server/api/log.post.js

@@ -0,0 +1,32 @@
+/**
+ * Client-side logging endpoint.
+ * Accepts log messages from the browser and outputs them server-side.
+ */
+export default defineEventHandler(async (event) => {
+  // Note: Auth is optional - we rely on session cookie validation if needed
+
+  const body = await readBody(event).catch(() => ({}))
+  const { level, message, data, sessionId, userId } = body
+
+  const logPrefix = `[CLIENT${sessionId ? `:${sessionId}` : ''}${userId ? `:${userId.slice(0, 8)}` : ''}]`
+  const logMessage = data ? `${message} ${JSON.stringify(data)}` : message
+
+  switch (level) {
+    case 'error':
+      console.error(logPrefix, logMessage)
+      break
+    case 'warn':
+      console.warn(logPrefix, logMessage)
+      break
+    case 'info':
+      console.log(logPrefix, logMessage)
+      break
+    case 'debug':
+      console.log(logPrefix, logMessage)
+      break
+    default:
+      console.log(logPrefix, logMessage)
+  }
+
+  return { ok: true }
+})

server/api/me.get.js

@@ -0,0 +1,5 @@
+export default defineEventHandler((event) => {
+  const user = event.context.user
+  if (!user) throw createError({ statusCode: 401, message: 'Unauthorized' })
+  return { id: user.id, identifier: user.identifier, role: user.role, auth_provider: user.auth_provider ?? 'local' }
+})

server/api/me/password.put.js

@@ -0,0 +1,40 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { hashPassword, verifyPassword } from '../../utils/password.js'
+
+export default defineEventHandler(async (event) => {
+  const currentUser = requireAuth(event)
+  const body = await readBody(event).catch(() => ({}))
+  const currentPassword = body?.currentPassword
+  const newPassword = body?.newPassword
+
+  if (typeof currentPassword !== 'string' || currentPassword.length < 1) {
+    throw createError({ statusCode: 400, message: 'Current password is required' })
+  }
+  if (typeof newPassword !== 'string' || newPassword.length < 1) {
+    throw createError({ statusCode: 400, message: 'New password cannot be empty' })
+  }
+
+  const { get, run } = await getDb()
+  const user = await get(
+    'SELECT id, password_hash, auth_provider FROM users WHERE id = ?',
+    [currentUser.id],
+  )
+  if (!user) {
+    throw createError({ statusCode: 404, message: 'User not found' })
+  }
+  const authProvider = user.auth_provider ?? 'local'
+  if (authProvider !== 'local') {
+    throw createError({
+      statusCode: 400,
+      message: 'Password change is only for local accounts. Use your identity provider to change password.',
+    })
+  }
+  if (!verifyPassword(currentPassword, user.password_hash)) {
+    throw createError({ statusCode: 400, message: 'Current password is incorrect' })
+  }
+
+  const passwordHash = hashPassword(newPassword)
+  await run('UPDATE users SET password_hash = ? WHERE id = ?', [passwordHash, currentUser.id])
+  return { ok: true }
+})

server/api/pois.get.js

@@ -0,0 +1,7 @@
+import { getDb } from '../utils/db.js'
+
+export default defineEventHandler(async () => {
+  const { all } = await getDb()
+  const rows = await all('SELECT id, lat, lng, label, icon_type FROM pois ORDER BY id')
+  return rows
+})

server/api/pois.post.js

@@ -0,0 +1,23 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+
+const ICON_TYPES = ['pin', 'flag', 'waypoint']
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'adminOrLeader' })
+  const body = await readBody(event)
+  const lat = Number(body?.lat)
+  const lng = Number(body?.lng)
+  if (!Number.isFinite(lat) || !Number.isFinite(lng)) {
+    throw createError({ statusCode: 400, message: 'lat and lng required as numbers' })
+  }
+  const label = typeof body?.label === 'string' ? body.label.trim() : ''
+  const iconType = ICON_TYPES.includes(body?.iconType) ? body.iconType : 'pin'
+  const id = crypto.randomUUID()
+  const { run } = await getDb()
+  await run(
+    'INSERT INTO pois (id, lat, lng, label, icon_type) VALUES (?, ?, ?, ?, ?)',
+    [id, lat, lng, label, iconType],
+  )
+  return { id, lat, lng, label, icon_type: iconType }
+})

server/api/pois/[id].delete.js

@@ -0,0 +1,12 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'adminOrLeader' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+  const { run } = await getDb()
+  await run('DELETE FROM pois WHERE id = ?', [id])
+  setResponseStatus(event, 204)
+  return null
+})

server/api/pois/[id].patch.js

@@ -0,0 +1,41 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+const ICON_TYPES = ['pin', 'flag', 'waypoint']
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'adminOrLeader' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+  const body = await readBody(event) || {}
+  const updates = []
+  const params = []
+  if (typeof body.label === 'string') {
+    updates.push('label = ?')
+    params.push(body.label.trim())
+  }
+  if (ICON_TYPES.includes(body.iconType)) {
+    updates.push('icon_type = ?')
+    params.push(body.iconType)
+  }
+  if (Number.isFinite(body.lat)) {
+    updates.push('lat = ?')
+    params.push(body.lat)
+  }
+  if (Number.isFinite(body.lng)) {
+    updates.push('lng = ?')
+    params.push(body.lng)
+  }
+  if (updates.length === 0) {
+    const { get } = await getDb()
+    const row = await get('SELECT id, lat, lng, label, icon_type FROM pois WHERE id = ?', [id])
+    if (!row) throw createError({ statusCode: 404, message: 'POI not found' })
+    return row
+  }
+  params.push(id)
+  const { run, get } = await getDb()
+  await run(`UPDATE pois SET ${updates.join(', ')} WHERE id = ?`, params)
+  const row = await get('SELECT id, lat, lng, label, icon_type FROM pois WHERE id = ?', [id])
+  if (!row) throw createError({ statusCode: 404, message: 'POI not found' })
+  return row
+})

server/api/users.get.js

@@ -0,0 +1,12 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+
+export default defineEventHandler(async (event) => {
+  const user = requireAuth(event)
+  if (user.role !== 'admin' && user.role !== 'leader') {
+    throw createError({ statusCode: 403, message: 'Forbidden' })
+  }
+  const { all } = await getDb()
+  const rows = await all('SELECT id, identifier, role, auth_provider FROM users ORDER BY identifier')
+  return rows.map(r => ({ id: r.id, identifier: r.identifier, role: r.role, auth_provider: r.auth_provider ?? 'local' }))
+})

server/api/users.post.js

@@ -0,0 +1,38 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+import { hashPassword } from '../utils/password.js'
+
+const ROLES = ['admin', 'leader', 'member']
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'admin' })
+  const body = await readBody(event)
+  const identifier = body?.identifier?.trim()
+  const password = body?.password
+  const role = body?.role
+
+  if (!identifier || identifier.length < 1) {
+    throw createError({ statusCode: 400, message: 'identifier required' })
+  }
+  if (typeof password !== 'string' || password.length < 1) {
+    throw createError({ statusCode: 400, message: 'password required' })
+  }
+  if (!role || !ROLES.includes(role)) {
+    throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
+  }
+
+  const { run, get } = await getDb()
+  const existing = await get('SELECT id FROM users WHERE identifier = ?', [identifier])
+  if (existing) {
+    throw createError({ statusCode: 409, message: 'Identifier already in use' })
+  }
+
+  const id = crypto.randomUUID()
+  const now = new Date().toISOString()
+  await run(
+    'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
+    [id, identifier, hashPassword(password), role, now, 'local', null, null],
+  )
+  const user = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
+  return user
+})

server/api/users/[id].delete.js

@@ -0,0 +1,24 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+export default defineEventHandler(async (event) => {
+  const currentUser = requireAuth(event, { role: 'admin' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+
+  if (id === currentUser.id) {
+    throw createError({ statusCode: 400, message: 'Cannot delete your own account' })
+  }
+
+  const { run, get } = await getDb()
+  const user = await get('SELECT id, auth_provider FROM users WHERE id = ?', [id])
+  if (!user) throw createError({ statusCode: 404, message: 'User not found' })
+  if (user.auth_provider !== 'local') {
+    throw createError({ statusCode: 403, message: 'Only local users can be deleted' })
+  }
+
+  await run('DELETE FROM sessions WHERE user_id = ?', [id])
+  await run('DELETE FROM users WHERE id = ?', [id])
+  setResponseStatus(event, 204)
+  return null
+})

server/api/users/[id].patch.js

@@ -0,0 +1,60 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { hashPassword } from '../../utils/password.js'
+
+const ROLES = ['admin', 'leader', 'member']
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'admin' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+  const body = await readBody(event)
+  const { run, get } = await getDb()
+
+  const user = await get('SELECT id, identifier, role, auth_provider, password_hash FROM users WHERE id = ?', [id])
+  if (!user) throw createError({ statusCode: 404, message: 'User not found' })
+
+  const updates = []
+  const params = []
+
+  if (body?.role !== undefined) {
+    const role = body.role
+    if (!role || !ROLES.includes(role)) {
+      throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
+    }
+    updates.push('role = ?')
+    params.push(role)
+  }
+
+  if (user.auth_provider === 'local') {
+    if (body?.identifier !== undefined) {
+      const identifier = body.identifier?.trim()
+      if (!identifier || identifier.length < 1) {
+        throw createError({ statusCode: 400, message: 'identifier cannot be empty' })
+      }
+      const existing = await get('SELECT id FROM users WHERE identifier = ? AND id != ?', [identifier, id])
+      if (existing) {
+        throw createError({ statusCode: 409, message: 'Identifier already in use' })
+      }
+      updates.push('identifier = ?')
+      params.push(identifier)
+    }
+    if (body?.password !== undefined && body.password !== '') {
+      const password = body.password
+      if (typeof password !== 'string' || password.length < 1) {
+        throw createError({ statusCode: 400, message: 'password cannot be empty' })
+      }
+      updates.push('password_hash = ?')
+      params.push(hashPassword(password))
+    }
+  }
+
+  if (updates.length === 0) {
+    return { id: user.id, identifier: user.identifier, role: user.role, auth_provider: user.auth_provider ?? 'local' }
+  }
+
+  params.push(id)
+  await run(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`, params)
+  const updated = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
+  return updated
+})