matt
/
monacousa-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
monacousa-portal/server/api/admin/recaptcha-config.post.ts

80 lines
2.7 KiB
TypeScript
Raw Normal View History

fixes
2025-08-08 21:52:21 +02:00
import { createSessionManager } from '~/server/utils/session';
#### __1. Role-Based Security Architecture__ - Replaces group-based tiers with proper Keycloak realm roles - `monaco-user`, `monaco-board`, `monaco-admin` roles - Backward compatibility with existing group system #### __2. Advanced User Management__ - Comprehensive user profile synchronization - Membership data stored in Keycloak user attributes - Bidirectional sync between NocoDB and Keycloak #### __3. Session Security & Monitoring__ - Real-time session tracking and management - Administrative session control capabilities - Enhanced security analytics foundation #### __4. Email Workflow System__ - Multiple email types: DUES_REMINDER, MEMBERSHIP_RENEWAL, WELCOME, VERIFICATION - Customizable email parameters and lifespans - Advanced email template support #### __5. Seamless Migration Path__ - All existing functionality continues to work - New users automatically get realm roles - Gradual migration from groups to roles - Zero breaking changes ### 🔧 __What You Can Do Now__ #### __For New Users:__ - Public registrations automatically assign `monaco-user` role - Portal account creation syncs member data to Keycloak attributes - Enhanced email verification and welcome workflows #### __For Administrators:__ - Session management and monitoring capabilities - Advanced user profile management with member data sync - Comprehensive role assignment and management - Enhanced email communication workflows #### __For Developers:__ - Use `hasRole('monaco-admin')` for role-based checks - Access `getAllRoles()` for debugging and analytics - Enhanced `useAuth()` composable with backward compatibility - Comprehensive TypeScript support throughout ### 🛡️ __Security & Reliability__ - __Backward Compatibility__: Existing users continue to work seamlessly - __Enhanced Security__: Proper realm role-based authorization - __Error Handling__: Comprehensive error handling and fallbacks - __Type Safety__: Full TypeScript support throughout the system
2025-08-08 19:40:13 +02:00
export default defineEventHandler(async (event) => {
console.log('[api/admin/recaptcha-config.post] =========================');
console.log('[api/admin/recaptcha-config.post] POST /api/admin/recaptcha-config - Save reCAPTCHA configuration');
try {
// Validate session and require admin privileges
const sessionManager = createSessionManager();
const cookieHeader = getCookie(event, 'monacousa-session') ? getHeader(event, 'cookie') : undefined;
const session = sessionManager.getSession(cookieHeader);
if (!session?.user) {
throw createError({
statusCode: 401,
statusMessage: 'Authentication required'
});
}
if (session.user.tier !== 'admin') {
throw createError({
statusCode: 403,
statusMessage: 'Admin privileges required'
});
}
console.log('[api/admin/recaptcha-config.post] Authorized admin:', session.user.email);
// Get and validate request body
const body = await readBody(event);
console.log('[api/admin/recaptcha-config.post] Request body fields:', Object.keys(body));
// Validate required fields
if (!body.siteKey || typeof body.siteKey !== 'string') {
throw createError({
statusCode: 400,
statusMessage: 'Site Key is required'
});
}
if (!body.secretKey || typeof body.secretKey !== 'string') {
throw createError({
statusCode: 400,
statusMessage: 'Secret Key is required'
});
}
Preserve masked credentials in admin config updates Handle masked sensitive fields (passwords/secrets) in reCAPTCHA and SMTP configuration endpoints. When the frontend sends masked values (bullets), preserve existing credentials instead of overwriting them. This prevents accidental credential loss when updating other configuration fields. - Check for masked placeholder values ('••••••••••••••••') - Preserve existing secretKey/password when masked - Add logging to track credential update actions
2025-08-09 16:41:33 +02:00
// Get existing configuration to preserve secretKey if not changed
const { getRecaptchaConfig, saveRecaptchaConfig } = await import('~/server/utils/admin-config');
const existingConfig = getRecaptchaConfig();
// Check if secretKey is the masked value
const isMaskedSecretKey = body.secretKey === '••••••••••••••••';
#### __1. Role-Based Security Architecture__ - Replaces group-based tiers with proper Keycloak realm roles - `monaco-user`, `monaco-board`, `monaco-admin` roles - Backward compatibility with existing group system #### __2. Advanced User Management__ - Comprehensive user profile synchronization - Membership data stored in Keycloak user attributes - Bidirectional sync between NocoDB and Keycloak #### __3. Session Security & Monitoring__ - Real-time session tracking and management - Administrative session control capabilities - Enhanced security analytics foundation #### __4. Email Workflow System__ - Multiple email types: DUES_REMINDER, MEMBERSHIP_RENEWAL, WELCOME, VERIFICATION - Customizable email parameters and lifespans - Advanced email template support #### __5. Seamless Migration Path__ - All existing functionality continues to work - New users automatically get realm roles - Gradual migration from groups to roles - Zero breaking changes ### 🔧 __What You Can Do Now__ #### __For New Users:__ - Public registrations automatically assign `monaco-user` role - Portal account creation syncs member data to Keycloak attributes - Enhanced email verification and welcome workflows #### __For Administrators:__ - Session management and monitoring capabilities - Advanced user profile management with member data sync - Comprehensive role assignment and management - Enhanced email communication workflows #### __For Developers:__ - Use `hasRole('monaco-admin')` for role-based checks - Access `getAllRoles()` for debugging and analytics - Enhanced `useAuth()` composable with backward compatibility - Comprehensive TypeScript support throughout ### 🛡️ __Security & Reliability__ - __Backward Compatibility__: Existing users continue to work seamlessly - __Enhanced Security__: Proper realm role-based authorization - __Error Handling__: Comprehensive error handling and fallbacks - __Type Safety__: Full TypeScript support throughout the system
2025-08-08 19:40:13 +02:00
// Save reCAPTCHA configuration
await saveRecaptchaConfig({
siteKey: body.siteKey.trim(),
Preserve masked credentials in admin config updates Handle masked sensitive fields (passwords/secrets) in reCAPTCHA and SMTP configuration endpoints. When the frontend sends masked values (bullets), preserve existing credentials instead of overwriting them. This prevents accidental credential loss when updating other configuration fields. - Check for masked placeholder values ('••••••••••••••••') - Preserve existing secretKey/password when masked - Add logging to track credential update actions
2025-08-09 16:41:33 +02:00
// If secretKey is masked bullets, preserve existing secretKey
// Otherwise, use the new secretKey
secretKey: isMaskedSecretKey
? (existingConfig.secretKey || '')
: body.secretKey.trim()
#### __1. Role-Based Security Architecture__ - Replaces group-based tiers with proper Keycloak realm roles - `monaco-user`, `monaco-board`, `monaco-admin` roles - Backward compatibility with existing group system #### __2. Advanced User Management__ - Comprehensive user profile synchronization - Membership data stored in Keycloak user attributes - Bidirectional sync between NocoDB and Keycloak #### __3. Session Security & Monitoring__ - Real-time session tracking and management - Administrative session control capabilities - Enhanced security analytics foundation #### __4. Email Workflow System__ - Multiple email types: DUES_REMINDER, MEMBERSHIP_RENEWAL, WELCOME, VERIFICATION - Customizable email parameters and lifespans - Advanced email template support #### __5. Seamless Migration Path__ - All existing functionality continues to work - New users automatically get realm roles - Gradual migration from groups to roles - Zero breaking changes ### 🔧 __What You Can Do Now__ #### __For New Users:__ - Public registrations automatically assign `monaco-user` role - Portal account creation syncs member data to Keycloak attributes - Enhanced email verification and welcome workflows #### __For Administrators:__ - Session management and monitoring capabilities - Advanced user profile management with member data sync - Comprehensive role assignment and management - Enhanced email communication workflows #### __For Developers:__ - Use `hasRole('monaco-admin')` for role-based checks - Access `getAllRoles()` for debugging and analytics - Enhanced `useAuth()` composable with backward compatibility - Comprehensive TypeScript support throughout ### 🛡️ __Security & Reliability__ - __Backward Compatibility__: Existing users continue to work seamlessly - __Enhanced Security__: Proper realm role-based authorization - __Error Handling__: Comprehensive error handling and fallbacks - __Type Safety__: Full TypeScript support throughout the system
2025-08-08 19:40:13 +02:00
}, session.user.email);
Preserve masked credentials in admin config updates Handle masked sensitive fields (passwords/secrets) in reCAPTCHA and SMTP configuration endpoints. When the frontend sends masked values (bullets), preserve existing credentials instead of overwriting them. This prevents accidental credential loss when updating other configuration fields. - Check for masked placeholder values ('••••••••••••••••') - Preserve existing secretKey/password when masked - Add logging to track credential update actions
2025-08-09 16:41:33 +02:00
console.log('[api/admin/recaptcha-config.post] Secret key action:',
isMaskedSecretKey ? 'preserved' : 'updated');
#### __1. Role-Based Security Architecture__ - Replaces group-based tiers with proper Keycloak realm roles - `monaco-user`, `monaco-board`, `monaco-admin` roles - Backward compatibility with existing group system #### __2. Advanced User Management__ - Comprehensive user profile synchronization - Membership data stored in Keycloak user attributes - Bidirectional sync between NocoDB and Keycloak #### __3. Session Security & Monitoring__ - Real-time session tracking and management - Administrative session control capabilities - Enhanced security analytics foundation #### __4. Email Workflow System__ - Multiple email types: DUES_REMINDER, MEMBERSHIP_RENEWAL, WELCOME, VERIFICATION - Customizable email parameters and lifespans - Advanced email template support #### __5. Seamless Migration Path__ - All existing functionality continues to work - New users automatically get realm roles - Gradual migration from groups to roles - Zero breaking changes ### 🔧 __What You Can Do Now__ #### __For New Users:__ - Public registrations automatically assign `monaco-user` role - Portal account creation syncs member data to Keycloak attributes - Enhanced email verification and welcome workflows #### __For Administrators:__ - Session management and monitoring capabilities - Advanced user profile management with member data sync - Comprehensive role assignment and management - Enhanced email communication workflows #### __For Developers:__ - Use `hasRole('monaco-admin')` for role-based checks - Access `getAllRoles()` for debugging and analytics - Enhanced `useAuth()` composable with backward compatibility - Comprehensive TypeScript support throughout ### 🛡️ __Security & Reliability__ - __Backward Compatibility__: Existing users continue to work seamlessly - __Enhanced Security__: Proper realm role-based authorization - __Error Handling__: Comprehensive error handling and fallbacks - __Type Safety__: Full TypeScript support throughout the system
2025-08-08 19:40:13 +02:00
console.log('[api/admin/recaptcha-config.post] ✅ reCAPTCHA configuration saved successfully');
return {
success: true,
message: 'reCAPTCHA configuration saved successfully'
};
} catch (error: any) {
console.error('[api/admin/recaptcha-config.post] ❌ Error saving reCAPTCHA config:', error);
throw error;
}
});