From cc131d45e030abd3d78e78d7b46bad1c2093e1e9 Mon Sep 17 00:00:00 2001
From: Stephan Richter
Date: Sat, 10 Aug 2024 20:44:55 +0200
Subject: [PATCH] implemented removal of user
Signed-off-by: Stephan Richter
---
 .../de/srsoftware/oidc/api/Constants.java | 1 +
 .../oidc/backend/UserController.java | 30 +++++++++++++++--
 .../oidc/datastore/file/FileStore.java | 4 ++-
 .../src/main/resources/en/scripts/common.js | 13 ++++++--
 .../src/main/resources/en/scripts/users.js | 33 +++++++++++++------
 .../src/main/resources/en/todo.html | 1 -
 .../src/main/resources/en/users.html | 5 ++-
 7 files changed, 70 insertions(+), 17 deletions(-)
diff --git a/de.srsoftware.oidc.api/src/main/java/de/srsoftware/oidc/api/Constants.java b/de.srsoftware.oidc.api/src/main/java/de/srsoftware/oidc/api/Constants.java
index 9f06884..2218114 100644
--- a/de.srsoftware.oidc.api/src/main/java/de/srsoftware/oidc/api/Constants.java
+++ b/de.srsoftware.oidc.api/src/main/java/de/srsoftware/oidc/api/Constants.java
@@ -48,4 +48,5 @@ public class Constants {
 public static final String TOKEN_TYPE = "token_type";
 public static final String UNAUTHORIZED_CLIENT = "unauthorized_client";
 public static final String USER = "user";
+ public static final String USER_ID = "user_id";
 }
diff --git a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
index aaa043c..65a20e2 100644
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
@@ -1,8 +1,7 @@
 /* © SRSoftware 2024 */
 package de.srsoftware.oidc.backend;
-import static de.srsoftware.oidc.api.Constants.APP_NAME;
-import static de.srsoftware.oidc.api.Constants.TOKEN;
+import static de.srsoftware.oidc.api.Constants.*;
 import static de.srsoftware.oidc.api.data.Permission.MANAGE_USERS;
 import static de.srsoftware.oidc.api.data.User.*;
 import static de.srsoftware.utils.Strings.uuid;
@@ -44,6 +43,33 @@ public class UserController extends Controller {
 return sendContent(ex, newID);
 }
+ @Override
+ public boolean doDelete(String path, HttpExchange ex) throws IOException {
+ var optSession = getSession(ex);
+ if (optSession.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED, ex);
+
+ // post-login paths
+ var session = optSession.get();
+ switch (path) {
+ case "/delete":
+ return deleteUser(ex, session);
+ }
+ return badRequest(ex, "%s not found".formatted(path));
+ }
+
+ private boolean deleteUser(HttpExchange ex, Session session) throws IOException {
+ var json = json(ex);
+ if (!json.has(USER_ID)) return badRequest(ex, "missing_user_id");
+ var uuid = json.getString(USER_ID);
+ if (uuid == null || uuid.isBlank()) return badRequest(ex, "missing_user_id");
+ if (session.user().uuid().equals(uuid)) return badRequest(ex, "must_not_delete_self");
+ if (!json.has(CONFIRMED) || !json.getBoolean(CONFIRMED)) return badRequest(ex, "missing_confirmation");
+ Optional targetUser = users.load(uuid);
+ if (targetUser.isEmpty()) return badRequest(ex, "unknown_user");
+ users.delete(targetUser.get());
+ return sendEmptyResponse(HTTP_OK, ex);
+ }
+
 @Override
 public boolean doGet(String path, HttpExchange ex) throws IOException {
 switch (path) {
diff --git a/de.srsoftware.oidc.datastore.file/src/main/java/de/srsoftware/oidc/datastore/file/FileStore.java b/de.srsoftware.oidc.datastore.file/src/main/java/de/srsoftware/oidc/datastore/file/FileStore.java
index e3ed137..1ab4b8c 100644
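Review bot: `deleteUser` performs no permission check, so any caller with a valid session can delete any account other than their own; the only gates are the session lookup in `doDelete`, the self-delete test and the client-supplied `confirmed` flag. `MANAGE_USERS` is already statically imported in this file, so the handler should return `sendEmptyResponse(HTTP_FORBIDDEN, ex)` before `users.load(uuid)` unless `session.user()` holds that permission, using the same check the other handlers of this controller use. If the `Controller` base class enforces this outside the hunk, a comment on `doDelete` saying so would help. Separately, `json.getString(USER_ID)` and `json.getBoolean(CONFIRMED)` presumably throw on a wrongly typed value, which would surface as an unhandled exception rather than a 400 response.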
--- a/de.srsoftware.oidc.datastore.file/src/main/java/de/srsoftware/oidc/datastore/file/FileStore.java
+++ b/de.srsoftware.oidc.datastore.file/src/main/java/de/srsoftware/oidc/datastore/file/FileStore.java
@@ -76,7 +76,9 @@ public class FileStore implements AuthorizationService, ClientService, SessionSe
 @Override
 public UserService delete(User user) {
- return null;
+ var users = json.getJSONObject(USERS);
+ users.remove(user.uuid());
+ return save();
 }
 @Override
diff --git a/de.srsoftware.oidc.web/src/main/resources/en/scripts/common.js b/de.srsoftware.oidc.web/src/main/resources/en/scripts/common.js
index 2e9f374..996c748 100644
--- a/de.srsoftware.oidc.web/src/main/resources/en/scripts/common.js
+++ b/de.srsoftware.oidc.web/src/main/resources/en/scripts/common.js
@@ -22,7 +22,15 @@ function getValue(id){
 }
 function hide(id){
- get(id).style.display = 'none';
+ var elem = get(id);
+ if (elem) elem.style.display = 'none';
+}
+
+function hideAll(clazz){
+ var elems = document.getElementsByTagName('*'), i;
+ for (i in elems) {
+ if((' ' + elems[i].className + ' ').indexOf(' ' + clazz + ' ') > -1) elems[i].style.display = 'none';
+ }
 }
 function isChecked(id){
@@ -48,5 +56,6 @@ function setValue(id,newVal){
 }
 function show(id){
- get(id).style.display = '';
+ var elem = get(id);
+ if (elem) elem.style.display = '';
 }
\ No newline at end of file
diff --git a/de.srsoftware.oidc.web/src/main/resources/en/scripts/users.js b/de.srsoftware.oidc.web/src/main/resources/en/scripts/users.js
index 98451fe..42a677e 100644
--- a/de.srsoftware.oidc.web/src/main/resources/en/scripts/users.js
+++ b/de.srsoftware.oidc.web/src/main/resources/en/scripts/users.js
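Review bot: `delete` removes only the entry under `USERS`; nothing in the hunk removes sessions or authorizations that reference `user.uuid()`, although this class is also the session and authorization store. If those records are resolved without re-checking that the user still exists (not visible here), a deleted account could keep working until its session expires. Consider purging the user's session and authorization entries in this method before `save()`, with a comment such as `// also revoke sessions/authorizations of the removed user` where that happens.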
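Review bot: In `hideAll`, `for (i in elems)` enumerates the keys of a live `HTMLCollection`, which can include non-element properties such as `length` and named items, and the hand-written class match scans every element of the document. An indexed loop over the class lookup is shorter and only touches real elements: `var elems = document.getElementsByClassName(clazz);` followed by `for (var i = 0; i < elems.length; i++) elems[i].style.display = 'none';`.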
@@ -29,29 +29,42 @@ async function handleUsers(response){ var bottom = document.getElementById('bottom'); for (let id in users){ var row = document.createElement("tr"); - var user = users[id]; - row.innerHTML = `${user.username} - ${user.realname} - ${user.email} + var u = users[id]; + row.innerHTML = `${u.username} + ${u.realname} + ${u.email} ${id} - + `; bottom.parentNode.insertBefore(row,bottom); } } -function handleRemove(response){ - redirect("users.html"); +async function handleRemove(response){ + if (response.ok){ + redirect("users.html"); + } else { + var info = await response.text(); + console.log(info); + show(info); + } + } -function remove(userId){ +function remove(userId,name){ + disable(`remove-${userId}`); + if (userId == user.uuid) { + //return; + } + setText(`remove-${userId}`,"sent…"); + hideAll('error'); var message = document.getElementById('message').innerHTML; - if (confirm(message.replace("{}",userId))) { + if (confirm(message.replace("{}",name))) { fetch(user_controller+"/delete",{ method: 'DELETE', - body : JSON.stringify({ userId : userId }) + body : JSON.stringify({ user_id : userId, confirmed : true }) }).then(handleRemove); } } diff --git a/de.srsoftware.oidc.web/src/main/resources/en/todo.html b/de.srsoftware.oidc.web/src/main/resources/en/todo.html index 700a417..f3f2f10 100644 --- a/de.srsoftware.oidc.web/src/main/resources/en/todo.html +++ b/de.srsoftware.oidc.web/src/main/resources/en/todo.html @@ -12,7 +12,6 @@
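Review bot: The rebuilt table row is still assigned through `row.innerHTML` with `${u.username}`, `${u.realname}` and `${u.email}` interpolated unescaped, so markup stored in a profile field would be interpreted in the administrator's browser on this page. Creating the cells with `document.createElement('td')` and setting `cell.textContent = u.username` (likewise for the other fields) avoids that; the same care applies to the name now passed to `remove(userId,name)`, whose button markup is not visible in this hunk. In `remove`, `disable(...)` and `setText(..., "sent…")` run before `confirm(...)`, so cancelling the dialog leaves the button disabled and labelled as sent; moving both calls inside the `if (confirm(...))` branch would fix that.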

to do…

    -
  • Users: remove
  • Login: "remember me" option
  • at_hash in ID Token
  • drop outdated sessions
  • diff --git a/de.srsoftware.oidc.web/src/main/resources/en/users.html b/de.srsoftware.oidc.web/src/main/resources/en/users.html index 794f823..4ed3211 100644 --- a/de.srsoftware.oidc.web/src/main/resources/en/users.html +++ b/de.srsoftware.oidc.web/src/main/resources/en/users.html @@ -41,7 +41,10 @@ - + + + +