import { Hono } from 'hono'; import { zValidator } from '@hono/zod-validator'; import { z } from 'zod'; import { db, dbGet, dbAll, users, tickets, events, payments } from '../db/index.js'; import { eq, desc, sql } from 'drizzle-orm'; import { requireAuth } from '../lib/auth.js'; import { getNow } from '../lib/utils.js'; interface UserContext { id: string; email: string; name: string; role: string; } const usersRouter = new Hono<{ Variables: { user: UserContext } }>(); const updateUserSchema = z.object({ name: z.string().min(2).optional(), phone: z.string().optional(), role: z.enum(['admin', 'organizer', 'staff', 'marketing', 'user']).optional(), languagePreference: z.enum(['en', 'es']).optional(), }); // Get all users (admin only) usersRouter.get('/', requireAuth(['admin']), async (c) => { const role = c.req.query('role'); let query = (db as any).select({ id: (users as any).id, email: (users as any).email, name: (users as any).name, phone: (users as any).phone, role: (users as any).role, languagePreference: (users as any).languagePreference, createdAt: (users as any).createdAt, }).from(users); if (role) { query = query.where(eq((users as any).role, role)); } const result = await dbAll(query.orderBy(desc((users as any).createdAt))); return c.json({ users: result }); }); // Get user by ID (admin or self) usersRouter.get('/:id', requireAuth(['admin', 'organizer', 'staff', 'marketing', 'user']), async (c) => { const id = c.req.param('id'); const currentUser = c.get('user'); // Users can only view their own profile unless admin if (currentUser.role !== 'admin' && currentUser.id !== id) { return c.json({ error: 'Forbidden' }, 403); } const user = await dbGet( (db as any) .select({ id: (users as any).id, email: (users as any).email, name: (users as any).name, phone: (users as any).phone, role: (users as any).role, languagePreference: (users as any).languagePreference, createdAt: (users as any).createdAt, }) .from(users) .where(eq((users as any).id, id)) ); if (!user) { return c.json({ error: 'User not found' }, 404); } return c.json({ user }); }); // Update user (admin or self) usersRouter.put('/:id', requireAuth(['admin', 'organizer', 'staff', 'marketing', 'user']), zValidator('json', updateUserSchema), async (c) => { const id = c.req.param('id'); const data = c.req.valid('json'); const currentUser = c.get('user'); // Users can only update their own profile unless admin if (currentUser.role !== 'admin' && currentUser.id !== id) { return c.json({ error: 'Forbidden' }, 403); } // Only admin can change roles if (data.role && currentUser.role !== 'admin') { delete data.role; } const existing = await dbGet( (db as any).select().from(users).where(eq((users as any).id, id)) ); if (!existing) { return c.json({ error: 'User not found' }, 404); } await (db as any) .update(users) .set({ ...data, updatedAt: getNow() }) .where(eq((users as any).id, id)); const updated = await dbGet( (db as any) .select({ id: (users as any).id, email: (users as any).email, name: (users as any).name, phone: (users as any).phone, role: (users as any).role, languagePreference: (users as any).languagePreference, }) .from(users) .where(eq((users as any).id, id)) ); return c.json({ user: updated }); }); // Get user's ticket history usersRouter.get('/:id/history', requireAuth(['admin', 'organizer', 'staff', 'marketing', 'user']), async (c) => { const id = c.req.param('id'); const currentUser = c.get('user'); // Users can only view their own history unless admin/organizer if (!['admin', 'organizer'].includes(currentUser.role) && currentUser.id !== id) { return c.json({ error: 'Forbidden' }, 403); } const userTickets = await dbAll( (db as any) .select() .from(tickets) .where(eq((tickets as any).userId, id)) .orderBy(desc((tickets as any).createdAt)) ); // Get event details for each ticket const history = await Promise.all( userTickets.map(async (ticket: any) => { const event = await dbGet( (db as any) .select() .from(events) .where(eq((events as any).id, ticket.eventId)) ); return { ...ticket, event, }; }) ); return c.json({ history }); }); // Delete user (admin only) usersRouter.delete('/:id', requireAuth(['admin']), async (c) => { const id = c.req.param('id'); const currentUser = c.get('user'); // Prevent self-deletion if (currentUser.id === id) { return c.json({ error: 'Cannot delete your own account' }, 400); } const existing = await dbGet( (db as any).select().from(users).where(eq((users as any).id, id)) ); if (!existing) { return c.json({ error: 'User not found' }, 404); } // Prevent deleting admin users if (existing.role === 'admin') { return c.json({ error: 'Cannot delete admin users' }, 400); } try { // Get all tickets for this user const userTickets = await dbAll( (db as any) .select() .from(tickets) .where(eq((tickets as any).userId, id)) ); // Delete payments associated with user's tickets for (const ticket of userTickets) { await (db as any).delete(payments).where(eq((payments as any).ticketId, ticket.id)); } // Delete user's tickets await (db as any).delete(tickets).where(eq((tickets as any).userId, id)); // Delete the user await (db as any).delete(users).where(eq((users as any).id, id)); return c.json({ message: 'User deleted successfully' }); } catch (error) { console.error('Error deleting user:', error); return c.json({ error: 'Failed to delete user. They may have related records.' }, 500); } }); // Get user statistics (admin) usersRouter.get('/stats/overview', requireAuth(['admin']), async (c) => { const totalUsers = await dbGet( (db as any) .select({ count: sql`count(*)` }) .from(users) ); const adminCount = await dbGet( (db as any) .select({ count: sql`count(*)` }) .from(users) .where(eq((users as any).role, 'admin')) ); return c.json({ stats: { total: totalUsers?.count || 0, admins: adminCount?.count || 0, }, }); }); export default usersRouter;