fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b434c9b68d0692078be2186fe2c40f98a79dfeb6
Mangalord/frontend/src/lib/api/auth.ts
MechaCat02 b434c9b68d feat(frontend): /admin dashboard with users/mangas/system views (0.41.0) 
Adds the SvelteKit /admin route tree backed by the admin endpoints
landed in PR 1-4. Pages: Overview (alerts + summary cards), Users
(list / promote-demote / delete), Mangas (list with sync state +
expandable per-chapter state), System (live disk/mem/cpu bars,
refreshing every 5s).

Security model: the backend's RequireAdmin extractor is the actual
boundary. /admin/+layout.ts calls getSystemStats() at load and
translates the response — 401 → redirect to /login, 403 → throw
SvelteKit error(403) which renders the framework error page. The
header's "Admin" link is hidden unless `session.user?.is_admin`,
but that's UX only.

Carries `is_admin: boolean` through to the frontend User TS type so
the header check works and so admin tables can show role per row.

Vitest covers lib/api/admin.ts (10 tests: list/delete/PATCH for
users, sync-state filter for mangas, nested chapter route, system
disk-nullable case). Playwright is intentionally deferred until the
routes stabilise — admin UI is operator-only and changes shape often
in v0.
2026-05-30 21:49:39 +02:00

103 lines
2.9 KiB
TypeScript
Raw Blame History

import { ApiError, request } from './client';
export type User = {
id: string;
username: string;
created_at: string;
is_admin: boolean;
};
export type Credentials = {
username: string;
password: string;
};
type AuthResponse = { user: User };
export async function register(creds: Credentials): Promise<User> {
const r = await request<AuthResponse>('/v1/auth/register', {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(creds)
});
return r.user;
}
export async function login(creds: Credentials): Promise<User> {
const r = await request<AuthResponse>('/v1/auth/login', {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(creds)
});
return r.user;
}
export async function logout(): Promise<void> {
await request<void>('/v1/auth/logout', {
method: 'POST',
// Consistent with the other POST/PATCH helpers in this module.
// axum doesn't require it (no body), but keeping the header
// on every mutation request avoids the false-flag in logs and
// matches the project's style.
headers: { 'content-type': 'application/json' }
});
}
export type ChangePassword = {
current_password: string;
new_password: string;
};
/**
* Rotates the password. Backend signs out every other session for this
* user and mints a fresh cookie for the caller (returned as Set-Cookie,
* applied automatically by the browser). Bot tokens are left alone.
*
* Throws ApiError with `status=401, code='unauthenticated'` for wrong
* `current_password`; `status=400, code='invalid_input'` for a weak new
* password.
*/
export async function changePassword(input: ChangePassword): Promise<void> {
await request<void>('/v1/auth/me/password', {
method: 'PATCH',
headers: { 'content-type': 'application/json' },
body: JSON.stringify(input)
});
}
/**
* Returns the current user, or `null` if no valid session.
* Re-throws any non-401 error.
*/
export async function me(): Promise<User | null> {
try {
const r = await request<AuthResponse>('/v1/auth/me');
return r.user;
} catch (e) {
if (e instanceof ApiError && e.status === 401) return null;
throw e;
}
}
export type ApiToken = {
id: string;
user_id: string;
name: string;
created_at: string;
last_used_at: string | null;
};
export type CreatedToken = ApiToken & { bearer: string };
export async function createToken(name: string): Promise<CreatedToken> {
return request<CreatedToken>('/v1/auth/tokens', {
method: 'POST',
headers: { 'content-type': 'application/json' },
body: JSON.stringify({ name })
});
}
export async function deleteToken(id: string): Promise<void> {
await request<void>(`/v1/auth/tokens/${encodeURIComponent(id)}`, { method: 'DELETE' });
}
Reference in New Issue View Git Blame Copy Permalink