backmanager-server/routes/users.js

// routes/users.js —— 用户登录 / 信息 / CRUD
const jwt = require('jsonwebtoken')
const bcrypt = require('bcryptjs')
const { pool } = require('../db')

// 安全字段：不返回密码哈希
const SAFE_FIELDS = 'id, username, real_name, role, status, created_at, updated_at'

function pagination(query) {
  const page = Math.max(Number(query.page) || 1, 1)
  const pageSize = Math.min(Math.max(Number(query.pageSize) || 10, 1), 100)
  const offset = (page - 1) * pageSize
  return { page, pageSize, offset }
}

// ========== 登录 / 登出 / 个人信息 ==========

// POST /api/user/login —— 登录（无需 token）
async function login(req, res) {
  const { username, password } = req.body || {}
  if (!username || !password) {
    return res.status(400).json({ code: 400, message: '用户名和密码必填' })
  }

  try {
    const [rows] = await pool.query(
      'SELECT id, username, password, real_name, role, status FROM users WHERE username = ?',
      [username]
    )

    // 用户不存在或密码错，统一提示避免枚举
    if (rows.length === 0) {
      return res.status(400).json({ code: 400, message: '账号或密码错误' })
    }
    const user = rows[0]

    // 检查账号是否被禁用
    if (user.status === 0) {
      return res.status(403).json({ code: 403, message: '账号已被禁用，请联系管理员' })
    }

    const ok = await bcrypt.compare(password, user.password)
    if (!ok) {
      return res.status(400).json({ code: 400, message: '账号或密码错误' })
    }

    const token = jwt.sign(
      { id: user.id, username: user.username, role: user.role },
      process.env.JWT_SECRET,
      { expiresIn: process.env.JWT_EXPIRES_IN || '2h' }
    )

    res.status(200).json({
      code: 200,
      message: 'ok',
      data: {
        token,
        userInfo: {
          id: user.id,
          username: user.username,
          real_name: user.real_name,
          role: user.role,
        },
      },
    })
  } catch (e) {
    console.error('[login] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// GET /api/user/info —— 获取当前登录用户信息（需要 token）
async function info(req, res) {
  try {
    const [rows] = await pool.query(
      `SELECT ${SAFE_FIELDS} FROM users WHERE id = ?`,
      [req.user.id]
    )
    if (rows.length === 0) {
      return res.status(404).json({ code: 404, message: '用户不存在' })
    }
    res.json({ code: 0, message: 'ok', data: rows[0] })
  } catch (e) {
    console.error('[info] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// POST /api/user/logout —— 登出（需要 token，仅做应答）
async function logout(req, res) {
  res.json({ code: 0, message: 'ok' })
}

// PUT /api/user/password —— 当前用户修改自己的密码（需要 token）
async function changePassword(req, res) {
  const { oldPassword, newPassword } = req.body || {}
  if (!oldPassword || !newPassword) {
    return res.status(400).json({ code: 400, message: '旧密码和新密码必填' })
  }
  if (typeof newPassword !== 'string' || newPassword.length < 6) {
    return res.status(400).json({ code: 400, message: '新密码至少 6 位' })
  }
  if (oldPassword === newPassword) {
    return res.status(400).json({ code: 400, message: '新密码不能与旧密码相同' })
  }

  try {
    const [rows] = await pool.query('SELECT password FROM users WHERE id = ?', [req.user.id])
    if (rows.length === 0) {
      return res.status(404).json({ code: 404, message: '用户不存在' })
    }

    const ok = await bcrypt.compare(oldPassword, rows[0].password)
    if (!ok) {
      return res.status(400).json({ code: 400, message: '旧密码错误' })
    }

    const hash = await bcrypt.hash(newPassword, 10)
    await pool.query('UPDATE users SET password = ? WHERE id = ?', [hash, req.user.id])
    res.json({ code: 0, message: '密码修改成功' })
  } catch (e) {
    console.error('[changePassword] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// ========== 用户管理 CRUD（管理员） ==========

// GET /api/users —— 用户列表（管理员）
async function list(req, res) {
  try {
    const { page, pageSize, offset } = pagination(req.query)
    const { username, role, status } = req.query

    let where = 'WHERE 1=1'
    const params = []

    if (username) {
      where += ' AND username LIKE ?'
      params.push(`%${username}%`)
    }
    if (role) {
      where += ' AND role = ?'
      params.push(role)
    }
    if (status !== undefined && status !== '') {
      where += ' AND status = ?'
      params.push(Number(status))
    }

    const [[{ total }]] = await pool.query(
      `SELECT COUNT(*) AS total FROM users ${where}`,
      params
    )

    const [rows] = await pool.query(
      `SELECT ${SAFE_FIELDS} FROM users ${where} ORDER BY id DESC LIMIT ? OFFSET ?`,
      [...params, pageSize, offset]
    )

    res.json({
      code: 0,
      message: 'ok',
      data: {
        list: rows,
        total,
        page,
        pageSize,
        totalPages: Math.ceil(total / pageSize),
      },
    })
  } catch (e) {
    console.error('[users list] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// GET /api/users/:id —— 用户详情（管理员）
async function detail(req, res) {
  try {
    const [rows] = await pool.query(
      `SELECT ${SAFE_FIELDS} FROM users WHERE id = ?`,
      [req.params.id]
    )
    if (rows.length === 0) {
      return res.status(404).json({ code: 404, message: '用户不存在' })
    }
    res.json({ code: 0, message: 'ok', data: rows[0] })
  } catch (e) {
    console.error('[users detail] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// POST /api/users —— 创建用户（管理员）
async function create(req, res) {
  const { username, password, real_name = null, role = 'user', status = 1 } = req.body || {}

  if (!username || !password) {
    return res.status(400).json({ code: 400, message: '用户名和密码必填' })
  }
  if (typeof username !== 'string' || username.length < 3 || username.length > 50) {
    return res.status(400).json({ code: 400, message: '用户名长度需在 3-50 之间' })
  }
  if (typeof password !== 'string' || password.length < 6) {
    return res.status(400).json({ code: 400, message: '密码至少 6 位' })
  }
  if (!['admin', 'user'].includes(role)) {
    return res.status(400).json({ code: 400, message: '角色只能为 admin 或 user' })
  }

  try {
    const hash = await bcrypt.hash(password, 10)
    const [result] = await pool.query(
      'INSERT INTO users (username, password, real_name, role, status) VALUES (?, ?, ?, ?, ?)',
      [username, hash, real_name, role, status]
    )

    const [rows] = await pool.query(
      `SELECT ${SAFE_FIELDS} FROM users WHERE id = ?`,
      [result.insertId]
    )
    res.json({ code: 0, message: 'ok', data: rows[0] })
  } catch (e) {
    if (e.code === 'ER_DUP_ENTRY') {
      return res.status(409).json({ code: 409, message: '用户名已存在' })
    }
    console.error('[users create] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// PUT /api/users/:id —— 更新用户（管理员）
async function update(req, res) {
  const { id } = req.params
  const fields = ['username', 'real_name', 'role', 'status']

  try {
    const [existing] = await pool.query('SELECT id, role FROM users WHERE id = ?', [id])
    if (existing.length === 0) {
      return res.status(404).json({ code: 404, message: '用户不存在' })
    }

    const targetUser = existing[0]

    // 不允许修改自己的角色或禁用自己
    if (Number(id) === req.user.id) {
      if (req.body.role !== undefined && req.body.role !== req.user.role) {
        return res.status(400).json({ code: 400, message: '不能修改自己的角色' })
      }
      if (req.body.status === 0) {
        return res.status(400).json({ code: 400, message: '不能禁用自己' })
      }
    }

    const sets = []
    const params = []

    for (const f of fields) {
      if (req.body[f] !== undefined) {
        // role 字段只允许 admin / user
        if (f === 'role' && !['admin', 'user'].includes(req.body[f])) {
          return res.status(400).json({ code: 400, message: '角色只能为 admin 或 user' })
        }
        sets.push(`${f} = ?`)
        params.push(req.body[f])
      }
    }

    // 密码单独处理
    if (req.body.password !== undefined) {
      if (typeof req.body.password !== 'string' || req.body.password.length < 6) {
        return res.status(400).json({ code: 400, message: '密码至少 6 位' })
      }
      const hash = await bcrypt.hash(req.body.password, 10)
      sets.push('password = ?')
      params.push(hash)
    }

    if (sets.length === 0) {
      return res.status(400).json({ code: 400, message: '没有需要更新的字段' })
    }

    params.push(id)
    await pool.query(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`, params)

    const [rows] = await pool.query(
      `SELECT ${SAFE_FIELDS} FROM users WHERE id = ?`,
      [id]
    )
    res.json({ code: 0, message: 'ok', data: rows[0] })
  } catch (e) {
    if (e.code === 'ER_DUP_ENTRY') {
      return res.status(409).json({ code: 409, message: '用户名已存在' })
    }
    console.error('[users update] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

// DELETE /api/users/:id —— 删除用户（管理员）
async function remove(req, res) {
  const { id } = req.params
  try {
    if (Number(id) === req.user.id) {
      return res.status(400).json({ code: 400, message: '不能删除自己' })
    }

    const [existing] = await pool.query('SELECT id FROM users WHERE id = ?', [id])
    if (existing.length === 0) {
      return res.status(404).json({ code: 404, message: '用户不存在' })
    }

    await pool.query('DELETE FROM users WHERE id = ?', [id])
    res.json({ code: 0, message: 'ok' })
  } catch (e) {
    console.error('[users delete] error:', e)
    res.status(500).json({ code: 500, message: e.message })
  }
}

module.exports = { login, info, logout, changePassword, list, detail, create, update, remove }