hammer/hammer-queue
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat: session-based auth, admin roles, user management

Browse Source 
- All logged-in users can create/edit/manage tasks (no bearer token needed)
- Added user role system (user/admin)
- Donovan's account auto-promoted to admin on startup
- Admin page: view users, change roles, delete users
- /api/me endpoint returns current user info + role
- /api/admin/* routes (admin-only)
- Removed bearer token UI from frontend
- Bearer token still works for API/bot access
This commit is contained in:
Hammer
2026-01-29 01:33:18 +00:00
parent 210fba6027
commit 93746f0f71
8 changed files with 401 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
backend/src/db/schema.ts
View File

@@ -64,6 +64,7 @@ export const users = pgTable("users", {
email: text("email").notNull().unique(),
emailVerified: boolean("email_verified").notNull().default(false),
image: text("image"),
role: text("role").notNull().default("user"),
createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
});

40
backend/src/index.ts
View File

@@ -1,10 +1,11 @@
import { Elysia } from "elysia";
import { cors } from "@elysiajs/cors";
import { taskRoutes } from "./routes/tasks";
import { adminRoutes } from "./routes/admin";
import { auth } from "./lib/auth";
import { db } from "./db";
import { tasks } from "./db/schema";
import { isNull, asc, sql } from "drizzle-orm";
import { tasks, users } from "./db/schema";
import { isNull, asc, sql, eq } from "drizzle-orm";
const PORT = process.env.PORT || 3100;
@@ -34,6 +35,20 @@ async function backfillTaskNumbers() {
backfillTaskNumbers().catch(console.error);
// Ensure donovan@donovankelly.xyz is admin
async function ensureAdmin() {
const adminEmail = "donovan@donovankelly.xyz";
const result = await db
.update(users)
.set({ role: "admin" })
.where(eq(users.email, adminEmail))
.returning({ id: users.id, email: users.email, role: users.role });
if (result.length) {
console.log(`Admin role ensured for ${adminEmail}`);
}
}
ensureAdmin().catch(console.error);
const app = new Elysia()
.use(
cors({
@@ -98,6 +113,27 @@ const app = new Elysia()
})
.use(taskRoutes)
.use(adminRoutes)
// Current user info (role, etc.)
.get("/api/me", async ({ request }) => {
try {
const session = await auth.api.getSession({ headers: request.headers });
if (!session?.user) return { authenticated: false };
return {
authenticated: true,
user: {
id: session.user.id,
name: session.user.name,
email: session.user.email,
role: (session.user as any).role || "user",
},
};
} catch {
return { authenticated: false };
}
})
.get("/health", () => ({ status: "ok", service: "hammer-queue" }))
.onError(({ error, set }) => {
const msg = error?.message || String(error);

89
backend/src/routes/admin.ts Normal file
View File

@@ -0,0 +1,89 @@
import { Elysia, t } from "elysia";
import { db } from "../db";
import { users } from "../db/schema";
import { eq } from "drizzle-orm";
import { auth } from "../lib/auth";
const BEARER_TOKEN = process.env.API_BEARER_TOKEN || "hammer-dev-token";
async function requireAdmin(request: Request, headers: Record<string, string | undefined>) {
const authHeader = headers["authorization"];
if (authHeader === `Bearer ${BEARER_TOKEN}`) return;
try {
const session = await auth.api.getSession({ headers: request.headers });
if (session?.user && (session.user as any).role === "admin") return;
} catch {}
throw new Error("Unauthorized");
}
export const adminRoutes = new Elysia({ prefix: "/api/admin" })
.onError(({ error, set }) => {
const msg = error?.message || String(error);
if (msg === "Unauthorized") {
set.status = 401;
return { error: "Unauthorized" };
}
console.error("Admin route error:", msg);
set.status = 500;
return { error: "Internal server error" };
})
// GET all users
.get("/users", async ({ request, headers }) => {
await requireAdmin(request, headers);
const allUsers = await db.select({
id: users.id,
name: users.name,
email: users.email,
role: users.role,
createdAt: users.createdAt,
}).from(users);
return allUsers;
})
// PATCH update user role
.patch(
"/users/:id/role",
async ({ params, body, request, headers }) => {
await requireAdmin(request, headers);
const updated = await db
.update(users)
.set({ role: body.role })
.where(eq(users.id, params.id))
.returning({
id: users.id,
name: users.name,
email: users.email,
role: users.role,
});
if (!updated.length) throw new Error("User not found");
return updated[0];
},
{
params: t.Object({ id: t.String() }),
body: t.Object({ role: t.String() }),
}
)
// DELETE user
.delete(
"/users/:id",
async ({ params, request, headers }) => {
await requireAdmin(request, headers);
// Don't allow deleting yourself
const session = await auth.api.getSession({ headers: request.headers });
if (session?.user?.id === params.id) {
throw new Error("Cannot delete yourself");
}
const deleted = await db
.delete(users)
.where(eq(users.id, params.id))
.returning();
if (!deleted.length) throw new Error("User not found");
return { success: true };
},
{
params: t.Object({ id: t.String() }),
}
);

13
backend/src/routes/tasks.ts
View File

@@ -68,6 +68,19 @@ async function requireSessionOrBearer(request: Request, headers: Record<string,
throw new Error("Unauthorized");
}
async function requireAdmin(request: Request, headers: Record<string, string | undefined>) {
// Bearer token = admin access
const authHeader = headers["authorization"];
if (authHeader === `Bearer ${BEARER_TOKEN}`) return;
// Check session + role
try {
const session = await auth.api.getSession({ headers: request.headers });
if (session?.user && (session.user as any).role === "admin") return;
} catch {}
throw new Error("Unauthorized");
}
// Resolve a task by UUID or sequential number (e.g. "5" or "HQ-5")
async function resolveTask(idOrNumber: string) {
// Strip "HQ-" prefix if present

134
frontend/src/App.tsx
View File

@@ -1,34 +1,26 @@
import { useState, useMemo } from "react";
import { useTasks } from "./hooks/useTasks";
import { useCurrentUser } from "./hooks/useCurrentUser";
import { TaskCard } from "./components/TaskCard";
import { TaskDetailPanel } from "./components/TaskDetailPanel";
import { CreateTaskModal } from "./components/CreateTaskModal";
import { AdminPage } from "./components/AdminPage";
import { LoginPage } from "./components/LoginPage";
import { useSession, signOut } from "./lib/auth-client";
import { updateTask, reorderTasks, createTask } from "./lib/api";
import type { Task, TaskStatus } from "./lib/types";
// Token stored in localStorage for bearer-token admin operations
function getToken(): string {
return localStorage.getItem("hammer-queue-token") || "";
}
import type { TaskStatus } from "./lib/types";
function Dashboard() {
const { tasks, loading, error, refresh } = useTasks(5000);
const { user, isAdmin, isAuthenticated } = useCurrentUser();
const [showCreate, setShowCreate] = useState(false);
const [showCompleted, setShowCompleted] = useState(false);
const [selectedTask, setSelectedTask] = useState<Task | null>(null);
const [tokenInput, setTokenInput] = useState("");
const [showTokenInput, setShowTokenInput] = useState(false);
const session = useSession();
const [selectedTask, setSelectedTask] = useState<string | null>(null);
const [showAdmin, setShowAdmin] = useState(false);
const token = getToken();
const hasToken = !!token;
// Keep selected task in sync with refreshed data
const selectedTaskData = useMemo(() => {
if (!selectedTask) return null;
return tasks.find((t) => t.id === selectedTask.id) || null;
return tasks.find((t) => t.id === selectedTask) || null;
}, [tasks, selectedTask]);
const activeTasks = useMemo(() => tasks.filter((t) => t.status === "active"), [tasks]);
@@ -40,31 +32,27 @@ function Dashboard() {
);
const handleStatusChange = async (id: string, status: TaskStatus) => {
if (!hasToken) {
setShowTokenInput(true);
return;
}
try {
await updateTask(id, { status }, token);
await updateTask(id, { status });
refresh();
} catch (e) {
alert("Failed to update task. Check your token.");
alert("Failed to update task.");
}
};
const handleMoveUp = async (index: number) => {
if (index === 0 || !hasToken) return;
if (index === 0) return;
const ids = queuedTasks.map((t) => t.id);
[ids[index - 1], ids[index]] = [ids[index], ids[index - 1]];
await reorderTasks(ids, token);
await reorderTasks(ids);
refresh();
};
const handleMoveDown = async (index: number) => {
if (index >= queuedTasks.length - 1 || !hasToken) return;
if (index >= queuedTasks.length - 1) return;
const ids = queuedTasks.map((t) => t.id);
[ids[index], ids[index + 1]] = [ids[index + 1], ids[index]];
await reorderTasks(ids, token);
await reorderTasks(ids);
refresh();
};
@@ -74,25 +62,19 @@ function Dashboard() {
source?: string;
priority?: string;
}) => {
if (!hasToken) {
setShowTokenInput(true);
return;
}
await createTask(task, token);
await createTask(task);
refresh();
};
const handleSetToken = () => {
localStorage.setItem("hammer-queue-token", tokenInput);
setTokenInput("");
setShowTokenInput(false);
};
const handleLogout = async () => {
await signOut();
window.location.reload();
};
if (showAdmin) {
return <AdminPage onBack={() => setShowAdmin(false)} />;
}
return (
<div className="min-h-screen bg-gray-50">
{/* Header */}
@@ -104,25 +86,28 @@ function Dashboard() {
<span className="text-xs text-gray-400 mt-1">Task Dashboard</span>
</div>
<div className="flex items-center gap-3">
{hasToken && (
<button
onClick={() => setShowCreate(true)}
className="text-sm bg-amber-500 text-white px-3 py-1.5 rounded-lg hover:bg-amber-600 transition font-medium"
>
+ New Task
</button>
{isAdmin && (
<button
onClick={() => setShowCreate(true)}
className="text-sm bg-amber-500 text-white px-3 py-1.5 rounded-lg hover:bg-amber-600 transition font-medium"
onClick={() => setShowAdmin(true)}
className="text-xs text-purple-600 hover:text-purple-800 px-2 py-1 border border-purple-200 rounded-lg transition"
title="Admin panel"
>
+ New Task
</button>
)}
{!hasToken && (
<button
onClick={() => setShowTokenInput(true)}
className="text-xs text-gray-400 hover:text-gray-600 px-2 py-1 border border-gray-200 rounded-lg"
title="Set API token for admin actions"
>
🔑 Admin
Admin
</button>
)}
<div className="flex items-center gap-2 text-sm text-gray-500">
<span className="hidden sm:inline">{session.data?.user?.email}</span>
<span className="hidden sm:inline">{user?.email}</span>
{isAdmin && (
<span className="text-xs bg-purple-100 text-purple-700 px-1.5 py-0.5 rounded-full font-medium">
admin
</span>
)}
<button
onClick={handleLogout}
className="text-xs text-gray-400 hover:text-red-500 px-2 py-1 border border-gray-200 rounded-lg transition"
@@ -135,41 +120,6 @@ function Dashboard() {
</div>
</header>
{/* Token input modal */}
{showTokenInput && (
<div className="fixed inset-0 bg-black/40 flex items-center justify-center z-50">
<div className="bg-white rounded-xl shadow-2xl p-6 w-full max-w-sm mx-4">
<h2 className="text-lg font-bold mb-2">API Token</h2>
<p className="text-xs text-gray-500 mb-3">
Enter the bearer token for admin actions (create, update, delete tasks).
</p>
<input
type="password"
placeholder="Bearer token..."
value={tokenInput}
onChange={(e) => setTokenInput(e.target.value)}
onKeyDown={(e) => e.key === "Enter" && handleSetToken()}
className="w-full border rounded-lg px-3 py-2 text-sm mb-3 focus:outline-none focus:ring-2 focus:ring-amber-400"
autoFocus
/>
<div className="flex gap-2">
<button
onClick={handleSetToken}
className="flex-1 bg-amber-500 text-white rounded-lg py-2 text-sm font-medium hover:bg-amber-600"
>
Save
</button>
<button
onClick={() => setShowTokenInput(false)}
className="px-4 py-2 text-sm text-gray-600"
>
Cancel
</button>
</div>
</div>
</div>
)}
<CreateTaskModal
open={showCreate}
onClose={() => setShowCreate(false)}
@@ -203,7 +153,7 @@ function Dashboard() {
task={task}
onStatusChange={handleStatusChange}
isActive
onClick={() => setSelectedTask(task)}
onClick={() => setSelectedTask(task.id)}
/>
))}
</div>
@@ -222,7 +172,7 @@ function Dashboard() {
key={task.id}
task={task}
onStatusChange={handleStatusChange}
onClick={() => setSelectedTask(task)}
onClick={() => setSelectedTask(task.id)}
/>
))}
</div>
@@ -249,7 +199,7 @@ function Dashboard() {
onMoveDown={() => handleMoveDown(i)}
isFirst={i === 0}
isLast={i === queuedTasks.length - 1}
onClick={() => setSelectedTask(task)}
onClick={() => setSelectedTask(task.id)}
/>
))}
</div>
@@ -271,7 +221,7 @@ function Dashboard() {
key={task.id}
task={task}
onStatusChange={handleStatusChange}
onClick={() => setSelectedTask(task)}
onClick={() => setSelectedTask(task.id)}
/>
))}
</div>
@@ -289,14 +239,14 @@ function Dashboard() {
setSelectedTask(null);
}}
onTaskUpdated={refresh}
hasToken={hasToken}
token={token}
hasToken={isAuthenticated}
token=""
/>
)}
{/* Footer */}
<footer className="text-center text-xs text-gray-300 py-4">
Hammer Queue v0.1 · Auto-refreshes every 5s
Hammer Queue v0.2 · Auto-refreshes every 5s
</footer>
</div>
);

125
frontend/src/components/AdminPage.tsx Normal file
View File

@@ -0,0 +1,125 @@
import { useState, useEffect } from "react";
import { fetchUsers, updateUserRole, deleteUser } from "../lib/api";
interface User {
id: string;
name: string;
email: string;
role: string;
createdAt: string;
}
export function AdminPage({ onBack }: { onBack: () => void }) {
const [users, setUsers] = useState<User[]>([]);
const [loading, setLoading] = useState(true);
const [error, setError] = useState<string | null>(null);
const loadUsers = async () => {
try {
setLoading(true);
const data = await fetchUsers();
setUsers(data);
setError(null);
} catch (e: any) {
setError(e.message);
} finally {
setLoading(false);
}
};
useEffect(() => { loadUsers(); }, []);
const handleRoleChange = async (userId: string, newRole: string) => {
try {
await updateUserRole(userId, newRole);
loadUsers();
} catch (e: any) {
alert(`Failed to update role: ${e.message}`);
}
};
const handleDelete = async (userId: string, userName: string) => {
if (!confirm(`Delete user "${userName}"? This cannot be undone.`)) return;
try {
await deleteUser(userId);
loadUsers();
} catch (e: any) {
alert(`Failed to delete user: ${e.message}`);
}
};
return (
<div className="max-w-4xl mx-auto p-6">
<div className="flex items-center justify-between mb-6">
<div>
<h1 className="text-2xl font-bold text-gray-900">Admin</h1>
<p className="text-sm text-gray-500 mt-1">Manage users and roles</p>
</div>
<button
onClick={onBack}
className="text-sm px-4 py-2 rounded-lg border border-gray-200 hover:bg-gray-50 font-medium text-gray-600"
>
Back to Queue
</button>
</div>
{error && (
<div className="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded-lg mb-4">
{error}
</div>
)}
<div className="bg-white rounded-xl border border-gray-200 shadow-sm overflow-hidden">
<div className="px-6 py-4 border-b border-gray-100 bg-gray-50">
<h2 className="font-semibold text-gray-700">Users ({users.length})</h2>
</div>
{loading ? (
<div className="p-8 text-center text-gray-400">Loading...</div>
) : (
<div className="divide-y divide-gray-100">
{users.map((user) => (
<div key={user.id} className="px-6 py-4 flex items-center justify-between gap-4">
<div className="flex-1 min-w-0">
<div className="flex items-center gap-2">
<span className="font-medium text-gray-900">{user.name}</span>
<span className={`text-xs px-2 py-0.5 rounded-full font-medium ${
user.role === "admin"
? "bg-purple-100 text-purple-700"
: "bg-gray-100 text-gray-600"
}`}>
{user.role}
</span>
</div>
<p className="text-sm text-gray-500 truncate">{user.email}</p>
<p className="text-xs text-gray-400">
Joined {new Date(user.createdAt).toLocaleDateString()}
</p>
</div>
<div className="flex items-center gap-2 shrink-0">
<select
value={user.role}
onChange={(e) => handleRoleChange(user.id, e.target.value)}
className="text-sm border border-gray-200 rounded-lg px-3 py-1.5 bg-white hover:border-gray-300 focus:outline-none focus:ring-2 focus:ring-blue-200"
>
<option value="user">User</option>
<option value="admin">Admin</option>
</select>
<button
onClick={() => handleDelete(user.id, user.name)}
className="text-sm px-3 py-1.5 rounded-lg border border-red-200 text-red-600 hover:bg-red-50 transition"
title="Delete user"
>
🗑
</button>
</div>
</div>
))}
</div>
)}
</div>
</div>
);
}

51
frontend/src/hooks/useCurrentUser.ts Normal file
View File

@@ -0,0 +1,51 @@
import { useState, useEffect } from "react";
interface CurrentUser {
id: string;
name: string;
email: string;
role: string;
}
interface UseCurrentUserResult {
user: CurrentUser | null;
loading: boolean;
isAdmin: boolean;
isAuthenticated: boolean;
refresh: () => void;
}
export function useCurrentUser(): UseCurrentUserResult {
const [user, setUser] = useState<CurrentUser | null>(null);
const [loading, setLoading] = useState(true);
const fetchUser = async () => {
try {
const res = await fetch("/api/me", { credentials: "include" });
if (!res.ok) {
setUser(null);
return;
}
const data = await res.json();
if (data.authenticated) {
setUser(data.user);
} else {
setUser(null);
}
} catch {
setUser(null);
} finally {
setLoading(false);
}
};
useEffect(() => { fetchUser(); }, []);
return {
user,
loading,
isAdmin: user?.role === "admin",
isAuthenticated: !!user,
refresh: fetchUser,
};
}

59
frontend/src/lib/api.ts
View File

@@ -11,29 +11,27 @@ export async function fetchTasks(): Promise<Task[]> {
export async function updateTask(
id: string,
updates: Record<string, any>,
token: string
token?: string
): Promise<Task> {
const headers: Record<string, string> = { "Content-Type": "application/json" };
if (token) headers["Authorization"] = `Bearer ${token}`;
const res = await fetch(`${BASE}/${id}`, {
method: "PATCH",
credentials: "include",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${token}`,
},
headers,
body: JSON.stringify(updates),
});
if (!res.ok) throw new Error("Failed to update task");
return res.json();
}
export async function reorderTasks(ids: string[], token: string): Promise<void> {
export async function reorderTasks(ids: string[], token?: string): Promise<void> {
const headers: Record<string, string> = { "Content-Type": "application/json" };
if (token) headers["Authorization"] = `Bearer ${token}`;
const res = await fetch(`${BASE}/reorder`, {
method: "PATCH",
credentials: "include",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${token}`,
},
headers,
body: JSON.stringify({ ids }),
});
if (!res.ok) throw new Error("Failed to reorder tasks");
@@ -41,26 +39,53 @@ export async function reorderTasks(ids: string[], token: string): Promise<void>
export async function createTask(
task: { title: string; description?: string; source?: string; priority?: string; status?: string },
token: string
token?: string
): Promise<Task> {
const headers: Record<string, string> = { "Content-Type": "application/json" };
if (token) headers["Authorization"] = `Bearer ${token}`;
const res = await fetch(BASE, {
method: "POST",
credentials: "include",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${token}`,
},
headers,
body: JSON.stringify(task),
});
if (!res.ok) throw new Error("Failed to create task");
return res.json();
}
export async function deleteTask(id: string, token: string): Promise<void> {
export async function deleteTask(id: string, token?: string): Promise<void> {
const headers: Record<string, string> = {};
if (token) headers["Authorization"] = `Bearer ${token}`;
const res = await fetch(`${BASE}/${id}`, {
method: "DELETE",
credentials: "include",
headers: { Authorization: `Bearer ${token}` },
headers,
});
if (!res.ok) throw new Error("Failed to delete task");
}
// Admin API
export async function fetchUsers(): Promise<any[]> {
const res = await fetch("/api/admin/users", { credentials: "include" });
if (!res.ok) throw new Error("Failed to fetch users");
return res.json();
}
export async function updateUserRole(userId: string, role: string): Promise<any> {
const res = await fetch(`/api/admin/users/${userId}/role`, {
method: "PATCH",
credentials: "include",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ role }),
});
if (!res.ok) throw new Error("Failed to update user role");
return res.json();
}
export async function deleteUser(userId: string): Promise<void> {
const res = await fetch(`/api/admin/users/${userId}`, {
method: "DELETE",
credentials: "include",
});
if (!res.ok) throw new Error("Failed to delete user");
}