social-reporting-tool/v2/server/routes/admin.ts

// Super-admin only endpoints.
import type { IncomingMessage, ServerResponse } from 'node:http';
import { requireAuth } from '../middleware/require-auth.js';
import { requireSuperAdmin } from '../middleware/require-super-admin.js';
import { listAllUsers, setSuperAdmin, getUserById } from '../db/users.js';
import { parseJSONBody, sendJSON } from '../lib/http.js';

export async function handleListAllUsers(req: IncomingMessage, res: ServerResponse): Promise<void> {
  const session = requireAuth(req, res);
  if (!session) return;
  if (!await requireSuperAdmin(res, session)) return;
  const users = await listAllUsers();
  sendJSON(res, 200, {
    users: users.map((u) => ({
      id: u.id, email: u.email, display_name: u.display_name,
      is_super_admin: u.is_super_admin,
      created_at: u.created_at, last_login_at: u.last_login_at,
    })),
  });
}

export async function handleToggleSuperAdmin(
  req: IncomingMessage, res: ServerResponse, userId: string,
): Promise<void> {
  const session = requireAuth(req, res);
  if (!session) return;
  if (!await requireSuperAdmin(res, session)) return;

  let is_super_admin: boolean | undefined;
  try {
    const body = await parseJSONBody<{ is_super_admin?: boolean }>(req);
    is_super_admin = body.is_super_admin;
  } catch { sendJSON(res, 400, { error: 'Invalid body' }); return; }
  if (typeof is_super_admin !== 'boolean') {
    sendJSON(res, 400, { error: 'is_super_admin must be a boolean' });
    return;
  }
  // Prevent self-demotion (avoid locking everyone out).
  if (session.user_id === userId && !is_super_admin) {
    sendJSON(res, 400, { error: 'Cannot remove your own super-admin role' });
    return;
  }
  const target = await getUserById(userId);
  if (!target) { sendJSON(res, 404, { error: 'User not found' }); return; }
  const updated = await setSuperAdmin(userId, is_super_admin);
  sendJSON(res, 200, { ok: true, user: { id: updated.id, email: updated.email, is_super_admin: updated.is_super_admin } });
}