initial commit

server/api/users/[id].delete.js

@@ -0,0 +1,24 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+
+export default defineEventHandler(async (event) => {
+  const currentUser = requireAuth(event, { role: 'admin' })
+  const id = event.context.params?.id
+  if (!id) throw createError({ statusCode: 400, message: 'id required' })
+
+  if (id === currentUser.id) {
+    throw createError({ statusCode: 400, message: 'Cannot delete your own account' })
+  }
+
+  const { run, get } = await getDb()
+  const user = await get('SELECT id, auth_provider FROM users WHERE id = ?', [id])
+  if (!user) throw createError({ statusCode: 404, message: 'User not found' })
+  if (user.auth_provider !== 'local') {
+    throw createError({ statusCode: 403, message: 'Only local users can be deleted' })
+  }
+
+  await run('DELETE FROM sessions WHERE user_id = ?', [id])
+  await run('DELETE FROM users WHERE id = ?', [id])
+  setResponseStatus(event, 204)
+  return null
+})