acebase-server
Version:
AceBase realtime database server (webserver endpoint to allow remote connections)
39 lines • 1.9 kB
JavaScript
import { isAdmin } from '../shared/admin.js';
import { sendNotAuthenticatedError, sendUnauthorizedError, sendUnexpectedError } from '../shared/error.js';
export class DeleteError extends Error {
constructor(code, message) {
super(message);
this.code = code;
}
}
export const addRoute = (env) => {
env.router.post(`/auth/${env.db.name}/delete`, async (req, res) => {
const details = req.body;
const LOG_ACTION = 'auth.delete';
const LOG_DETAILS = { ip: req.ip, uid: req.user?.uid ?? null, delete_uid: details.uid };
if (!req.user) {
env.log.error(LOG_ACTION, 'unauthenticated_delete', LOG_DETAILS);
return sendNotAuthenticatedError(res, 'unauthenticated_delete', 'You are not authorized to perform this operation, your attempt has been logged');
}
if (!isAdmin(req.user) && details.uid !== req.user.uid) {
env.log.error(LOG_ACTION, 'unauthorized_delete', LOG_DETAILS);
return sendUnauthorizedError(res, 'unauthorized_delete', 'You are not authorized to perform this operation, your attempt has been logged');
}
const uid = details.uid ?? req.user.uid;
if (uid === 'admin') {
env.log.error(LOG_ACTION, 'unauthorized_delete', LOG_DETAILS);
return sendUnauthorizedError(res, 'unauthorized_delete', 'The default admin account cannot be deleted, your attempt has been logged');
}
try {
await env.authRef.child(uid).remove();
env.log.event(LOG_ACTION, LOG_DETAILS);
res.send('Farewell');
}
catch (err) {
env.log.error(LOG_ACTION, 'unexpected', { ...LOG_DETAILS, message: (err instanceof Error && err.message) ?? err.toString() });
sendUnexpectedError(res, err);
}
});
};
export default addRoute;
//# sourceMappingURL=auth-delete.js.map