Convert /api/users.

umami-software · Jan 22, 2025 · baa3851 · baa3851
1 parent 090abcf
commit baa3851
Show file tree

Hide file tree

Showing 61 changed files with 1,064 additions and 70 deletions.
diff --git a/next-env.d.ts b/next-env.d.ts
@@ -3,4 +3,4 @@
 /// <reference types="next/navigation-types/compat/navigation" />
 
 // NOTE: This file should not be edited
-// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
+// see https://nextjs.org/docs/app/building-your-application/configuring/typescript for more information.
diff --git a/next.config.js b/next.config.js
@@ -8,6 +8,7 @@ const basePath = process.env.BASE_PATH;
 const collectApiEndpoint = process.env.COLLECT_API_ENDPOINT;
 const cloudMode = process.env.CLOUD_MODE;
 const cloudUrl = process.env.CLOUD_URL;
+const corsMaxAge = process.env.CORS_MAX_AGE;
 const defaultLocale = process.env.DEFAULT_LOCALE;
 const disableLogin = process.env.DISABLE_LOGIN;
 const disableUI = process.env.DISABLE_UI;
@@ -59,6 +60,16 @@ const trackerHeaders = [
 ];
 
 const headers = [
+  {
+    source: '/api/:path*',
+    headers: [
+      { key: 'Access-Control-Allow-Credentials', value: 'true' },
+      { key: 'Access-Control-Allow-Origin', value: '*' },
+      { key: 'Access-Control-Allow-Headers', value: '*' },
+      { key: 'Access-Control-Allow-Methods', value: 'GET, DELETE, POST, PUT' },
+      { key: 'Access-Control-Max-Age', value: corsMaxAge || '86400' },
+    ],
+  },
   {
     source: '/:path*',
     headers: defaultHeaders,

diff --git a/package.json b/package.json
@@ -10,7 +10,7 @@
     "url": "https://github.com/umami-software/umami.git"
   },
   "scripts": {
-    "dev": "next dev -p 3000",
+    "dev": "next dev -p 3000 --turbo",
     "build": "npm-run-all check-env build-db check-db build-tracker build-geo build-app",
     "start": "next start",
     "build-docker": "npm-run-all build-db build-tracker build-geo build-app",
@@ -119,6 +119,7 @@
     "thenby": "^1.3.4",
     "uuid": "^9.0.0",
     "yup": "^0.32.11",
+    "zod": "^3.24.1",
     "zustand": "^4.5.5"
   },
   "devDependencies": {

diff --git a/src/app/(main)/App.tsx b/src/app/(main)/App.tsx
@@ -22,6 +22,10 @@ export function App({ children }) {
     return null;
   }
 
+  if (config.uiDisabled) {
+    return null;
+  }
+
   return (
     <>
       {children}

diff --git a/src/app/(main)/layout.tsx b/src/app/(main)/layout.tsx
@@ -4,11 +4,7 @@ import NavBar from './NavBar';
 import Page from 'components/layout/Page';
 import styles from './layout.module.css';
 
-export default function ({ children }) {
-  if (process.env.DISABLE_UI) {
-    return null;
-  }
-
+export default async function ({ children }) {
   return (
     <App>
       <main className={styles.layout}>

diff --git a/src/app/actions/getConfig.ts b/src/app/actions/getConfig.ts
@@ -0,0 +1,10 @@
+'use server';
+
+export async function getConfig() {
+  return {
+    telemetryDisabled: !!process.env.DISABLE_TELEMETRY,
+    trackerScriptName: process.env.TRACKER_SCRIPT_NAME,
+    uiDisabled: !!process.env.DISABLE_UI,
+    updatesDisabled: !!process.env.DISABLE_UPDATES,
+  };
+}
diff --git a/src/app/api/heartbeat/route.ts b/src/app/api/heartbeat/route.ts
@@ -0,0 +1,3 @@
+export async function GET() {
+  return Response.json({ ok: true });
+}
diff --git a/src/app/api/users/[userId]/route.ts b/src/app/api/users/[userId]/route.ts
@@ -0,0 +1,72 @@
+import { z } from 'zod';
+import { canUpdateUser, canViewUser, checkAuth } from 'lib/auth';
+import { getUser, getUserByUsername, updateUser } from 'queries';
+import { json, unauthorized, badRequest } from 'lib/response';
+import { hashPassword } from 'next-basics';
+import { checkRequest } from 'lib/request';
+
+export async function GET(request: Request, { params }: { params: Promise<{ userId: string }> }) {
+  const { userId } = await params;
+  const auth = await checkAuth(request);
+
+  if (!auth || !(await canViewUser(auth, userId))) {
+    return unauthorized();
+  }
+
+  const user = await getUser(userId);
+
+  return json(user);
+}
+
+export async function POST(request: Request, { params }: { params: Promise<{ userId: string }> }) {
+  const schema = z.object({
+    username: z.string().max(255),
+    password: z.string().max(255),
+    role: z.string().regex(/admin|user|view-only/i),
+  });
+
+  const { body, error } = await checkRequest(request, schema);
+
+  if (error) {
+    return badRequest(error);
+  }
+
+  const { userId } = await params;
+  const auth = await checkAuth(request);
+
+  if (!auth || !(await canUpdateUser(auth, userId))) {
+    return unauthorized();
+  }
+
+  const { username, password, role } = body;
+
+  const user = await getUser(userId);
+
+  const data: any = {};
+
+  if (password) {
+    data.password = hashPassword(password);
+  }
+
+  // Only admin can change these fields
+  if (role && auth.user.isAdmin) {
+    data.role = role;
+  }
+
+  if (username && auth.user.isAdmin) {
+    data.username = username;
+  }
+
+  // Check when username changes
+  if (data.username && user.username !== data.username) {
+    const user = await getUserByUsername(username);
+
+    if (user) {
+      return badRequest('User already exists');
+    }
+  }
+
+  const updated = await updateUser(userId, data);
+
+  return json(updated);
+}
diff --git a/src/app/api/users/[userId]/teams/route.ts b/src/app/api/users/[userId]/teams/route.ts
@@ -0,0 +1,30 @@
+import { z } from 'zod';
+import { pagingParams } from 'lib/schema';
+import { getUserTeams } from 'queries';
+import { checkAuth } from 'lib/auth';
+import { unauthorized, badRequest, json } from 'lib/response';
+import { checkRequest } from 'lib/request';
+
+const schema = z.object({
+  ...pagingParams,
+});
+
+export async function GET(request: Request, { params }: { params: Promise<{ userId: string }> }) {
+  const { userId } = await params;
+
+  const { query, error } = await checkRequest(request, schema);
+
+  if (error) {
+    return badRequest(error);
+  }
+
+  const auth = await checkAuth(request);
+
+  if (!auth || (!auth.user.isAdmin && (!userId || auth.user.id !== userId))) {
+    return unauthorized();
+  }
+
+  const teams = await getUserTeams(userId, query);
+
+  return json(teams);
+}
diff --git a/src/app/api/users/[userId]/usage/route.ts b/src/app/api/users/[userId]/usage/route.ts
@@ -0,0 +1,66 @@
+import { z } from 'zod';
+import { json, unauthorized, badRequest } from 'lib/response';
+import { getAllUserWebsitesIncludingTeamOwner } from 'queries/prisma/website';
+import { getEventUsage } from 'queries/analytics/events/getEventUsage';
+import { getEventDataUsage } from 'queries/analytics/events/getEventDataUsage';
+import { checkAuth } from 'lib/auth';
+import { checkRequest } from 'lib/request';
+
+const schema = z.object({
+  startAt: z.coerce.number(),
+  endAt: z.coerce.number(),
+});
+
+export async function GET(request: Request, { params }: { params: Promise<{ userId: string }> }) {
+  const { query, error } = await checkRequest(request, schema);
+
+  if (error) {
+    return badRequest(error);
+  }
+
+  const auth = await checkAuth(request);
+
+  if (!auth || !auth.user.isAdmin) {
+    return unauthorized();
+  }
+
+  const { userId } = await params;
+  const { startAt, endAt } = query;
+
+  const startDate = new Date(+startAt);
+  const endDate = new Date(+endAt);
+
+  const websites = await getAllUserWebsitesIncludingTeamOwner(userId);
+
+  const websiteIds = websites.map(a => a.id);
+
+  const websiteEventUsage = await getEventUsage(websiteIds, startDate, endDate);
+  const eventDataUsage = await getEventDataUsage(websiteIds, startDate, endDate);
+
+  const websiteUsage = websites.map(a => ({
+    websiteId: a.id,
+    websiteName: a.name,
+    websiteEventUsage: websiteEventUsage.find(b => a.id === b.websiteId)?.count || 0,
+    eventDataUsage: eventDataUsage.find(b => a.id === b.websiteId)?.count || 0,
+    deletedAt: a.deletedAt,
+  }));
+
+  const usage = websiteUsage.reduce(
+    (acc, cv) => {
+      acc.websiteEventUsage += cv.websiteEventUsage;
+      acc.eventDataUsage += cv.eventDataUsage;
+
+      return acc;
+    },
+    { websiteEventUsage: 0, eventDataUsage: 0 },
+  );
+
+  const filteredWebsiteUsage = websiteUsage.filter(
+    a => !a.deletedAt && (a.websiteEventUsage > 0 || a.eventDataUsage > 0),
+  );
+
+  return json({
+    ...usage,
+    websites: filteredWebsiteUsage,
+  });
+}
diff --git a/src/app/api/users/[userId]/websites/route.ts b/src/app/api/users/[userId]/websites/route.ts
@@ -0,0 +1,29 @@
+import { z } from 'zod';
+import { unauthorized, json, badRequest } from 'lib/response';
+import { getUserWebsites } from 'queries/prisma/website';
+import { pagingParams } from 'lib/schema';
+import { checkRequest } from 'lib/request';
+import { checkAuth } from 'lib/auth';
+
+const schema = z.object({
+  ...pagingParams,
+});
+
+export async function GET(request: Request, { params }: { params: Promise<{ userId: string }> }) {
+  const { query, error } = await checkRequest(request, schema);
+
+  if (error) {
+    return badRequest(error);
+  }
+
+  const { userId } = await params;
+  const auth = await checkAuth(request);
+
+  if (!auth || (!auth.user.isAdmin && auth.user.id !== userId)) {
+    return unauthorized();
+  }
+
+  const websites = await getUserWebsites(userId, query);
+
+  return json(websites);
+}
diff --git a/src/app/api/users/route.ts b/src/app/api/users/route.ts
@@ -0,0 +1,46 @@
+import { z } from 'zod';
+import { hashPassword } from 'next-basics';
+import { canCreateUser, checkAuth } from 'lib/auth';
+import { ROLES } from 'lib/constants';
+import { uuid } from 'lib/crypto';
+import { checkRequest } from 'lib/request';
+import { unauthorized, json, badRequest } from 'lib/response';
+import { createUser, getUserByUsername } from 'queries';
+
+const schema = z.object({
+  username: z.string().max(255),
+  password: z.string(),
+  id: z.string().uuid(),
+  role: z.string().regex(/admin|user|view-only/i),
+});
+
+export async function POST(request: Request) {
+  const { body, error } = await checkRequest(request, schema);
+
+  if (error) {
+    return badRequest(error);
+  }
+
+  const auth = await checkAuth(request);
+
+  if (!auth || !(await canCreateUser(auth))) {
+    return unauthorized();
+  }
+
+  const { username, password, role, id } = body;
+
+  const existingUser = await getUserByUsername(username, { showDeleted: true });
+
+  if (existingUser) {
+    return badRequest('User already exists');
+  }
+
+  const user = await createUser({
+    id: id || uuid(),
+    username,
+    password: hashPassword(password),
+    role: role ?? ROLES.user,
+  });
+
+  return json(user);
+}
diff --git a/src/app/api/version/route.ts b/src/app/api/version/route.ts
@@ -0,0 +1,6 @@
+import { json } from 'lib/response';
+import { CURRENT_VERSION } from 'lib/constants';
+
+export async function GET() {
+  return json({ version: CURRENT_VERSION });
+}
diff --git a/src/app/api/websites/[websiteId]/active/route.ts b/src/app/api/websites/[websiteId]/active/route.ts
@@ -0,0 +1,24 @@
+import { canViewWebsite, checkAuth } from 'lib/auth';
+import { json, unauthorized } from 'lib/response';
+import { getActiveVisitors } from 'queries';
+
+export async function GET(
+  request: Request,
+  { params }: { params: Promise<{ websiteId: string }> },
+) {
+  const auth = await checkAuth(request);
+
+  if (!auth) {
+    return unauthorized();
+  }
+
+  const { websiteId } = await params;
+
+  if (!(await canViewWebsite(auth, websiteId))) {
+    return unauthorized();
+  }
+
+  const result = await getActiveVisitors(websiteId);
+
+  return json(result);
+}
diff --git a/src/app/api/websites/[websiteId]/daterange/route.ts b/src/app/api/websites/[websiteId]/daterange/route.ts
@@ -0,0 +1,19 @@
+import { canViewWebsite, checkAuth } from 'lib/auth';
+import { getWebsiteDateRange } from 'queries';
+import { json, unauthorized } from 'lib/response';
+
+export async function GET(
+  request: Request,
+  { params }: { params: Promise<{ websiteId: string }> },
+) {
+  const auth = await checkAuth(request);
+  const { websiteId } = await params;
+
+  if (!auth || !(await canViewWebsite(auth, websiteId))) {
+    return unauthorized();
+  }
+
+  const result = await getWebsiteDateRange(websiteId);
+
+  return json(result);
+}