initial commit

server/api/users.post.js

@@ -0,0 +1,38 @@
+import { getDb } from '../utils/db.js'
+import { requireAuth } from '../utils/authHelpers.js'
+import { hashPassword } from '../utils/password.js'
+
+const ROLES = ['admin', 'leader', 'member']
+
+export default defineEventHandler(async (event) => {
+  requireAuth(event, { role: 'admin' })
+  const body = await readBody(event)
+  const identifier = body?.identifier?.trim()
+  const password = body?.password
+  const role = body?.role
+
+  if (!identifier || identifier.length < 1) {
+    throw createError({ statusCode: 400, message: 'identifier required' })
+  }
+  if (typeof password !== 'string' || password.length < 1) {
+    throw createError({ statusCode: 400, message: 'password required' })
+  }
+  if (!role || !ROLES.includes(role)) {
+    throw createError({ statusCode: 400, message: 'role must be admin, leader, or member' })
+  }
+
+  const { run, get } = await getDb()
+  const existing = await get('SELECT id FROM users WHERE identifier = ?', [identifier])
+  if (existing) {
+    throw createError({ statusCode: 409, message: 'Identifier already in use' })
+  }
+
+  const id = crypto.randomUUID()
+  const now = new Date().toISOString()
+  await run(
+    'INSERT INTO users (id, identifier, password_hash, role, created_at, auth_provider, oidc_issuer, oidc_sub) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
+    [id, identifier, hashPassword(password), role, now, 'local', null, null],
+  )
+  const user = await get('SELECT id, identifier, role, auth_provider FROM users WHERE id = ?', [id])
+  return user
+})