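import { json, error } from '@sveltejs/kit';
import { getDb } from '$lib/server/db';
import { requireAuth, hashPassword } from '$lib/server/auth';

/** Columns returned to the client; `password_hash` is deliberately not among them. */
const USER_COLUMNS = 'id, verein_id, email, name, rolle, created';

/** The part of the SvelteKit request event these handlers read (`[id]` route parameter). */
interface UserRouteEvent {
  request: Request;
  params: { id: string };
}

/** Type-checked body of a PUT request; every field is optional. */
interface UserPatch {
  name?: string;
  email?: string;
  rolle?: string | null;
  password?: string;
}

/**
 * Validates the raw JSON body of a PUT request.
 *
 * Only the type of each supplied field is checked, so that malformed input
 * answers with 400 instead of failing with a TypeError (500) further down
 * (the previous `body.email.toLowerCase()` on a non-string, or `body.name`
 * on a `null` body). No business rules are enforced here — allowed roles,
 * password strength and email format are not checked in this file.
 *
 * @param body - result of `request.json()`; untrusted
 * @returns the fields that were present, type-checked; email lower-cased
 * @throws 400 when the body is not a JSON object or a field has the wrong type
 */
function parseUserPatch(body: unknown): UserPatch {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw error(400, 'Ungültiger Request-Body');
  }
  const raw = body as Record<string, unknown>;
  const patch: UserPatch = {};

  if (raw.name !== undefined) {
    if (typeof raw.name !== 'string') throw error(400, 'name muss ein String sein');
    patch.name = raw.name;
  }
  if (raw.email !== undefined) {
    if (typeof raw.email !== 'string') throw error(400, 'email muss ein String sein');
    patch.email = raw.email.toLowerCase();
  }
  if (raw.rolle !== undefined) {
    if (raw.rolle !== null && typeof raw.rolle !== 'string') {
      throw error(400, 'rolle muss ein String oder null sein');
    }
    // An empty role is stored as NULL (unchanged from the previous behaviour).
    patch.rolle = raw.rolle || null;
  }
  // A missing, null or empty password leaves the stored hash untouched.
  if (raw.password != null && raw.password !== '') {
    if (typeof raw.password !== 'string') throw error(400, 'password muss ein String sein');
    patch.password = raw.password;
  }
  return patch;
}

/**
 * GET — returns one user of the caller's Verein.
 *
 * The lookup is scoped by `verein_id`, so an id that belongs to another
 * Verein is indistinguishable from a missing one (404 either way).
 *
 * @throws 404 when no matching user exists in the caller's Verein
 */
export async function GET({ request, params }: UserRouteEvent): Promise<Response> {
  const u = await requireAuth(request);
  const db = getDb();
  const row = db
    .prepare(`SELECT ${USER_COLUMNS} FROM users WHERE id = ? AND verein_id = ?`)
    .get(params.id, u.verein_id);
  if (!row) throw error(404, 'User nicht gefunden');
  return json(row);
}

/**
 * PUT — partially updates a user of the caller's Verein.
 *
 * Accepts `name`, `email`, `rolle` and `password`; at least one must be
 * present. The email is lower-cased, the password is stored only as a hash,
 * and `updated` is set by the database. The SET clause is assembled from
 * fixed column fragments only; every client-supplied value is bound as a
 * parameter, never interpolated.
 *
 * NOTE(review): any caller that passes `requireAuth` can change another
 * member's `rolle`, `email` and `password` here. Confirm that `requireAuth`
 * (or an outer hook) restricts this route to an administrative role —
 * nothing in this file does.
 *
 * @throws 400 when the body is malformed or contains no updatable field
 * @throws 404 when no matching user exists in the caller's Verein
 */
export async function PUT({ request, params }: UserRouteEvent): Promise<Response> {
  const u = await requireAuth(request);
  const db = getDb();
  const patch = parseUserPatch(await request.json());

  const existing = db
    .prepare('SELECT id FROM users WHERE id = ? AND verein_id = ?')
    .get(params.id, u.verein_id);
  if (!existing) throw error(404, 'User nicht gefunden');

  // Column fragments are literals from this file; only `vals` carries client data.
  const fields: string[] = [];
  const vals: unknown[] = [];
  if (patch.name !== undefined) {
    fields.push('name = ?');
    vals.push(patch.name);
  }
  if (patch.email !== undefined) {
    fields.push('email = ?');
    vals.push(patch.email);
  }
  if (patch.rolle !== undefined) {
    fields.push('rolle = ?');
    vals.push(patch.rolle);
  }
  if (patch.password !== undefined) {
    fields.push('password_hash = ?');
    vals.push(await hashPassword(patch.password));
  }
  if (fields.length === 0) throw error(400, 'Keine Felder zum Aktualisieren');

  fields.push("updated = strftime('%Y-%m-%dT%H:%M:%SZ','now')");
  vals.push(params.id, u.verein_id);
  db.prepare(`UPDATE users SET ${fields.join(', ')} WHERE id = ? AND verein_id = ?`).run(...vals);

  // Re-read with the same tenant scope as every other query in this file.
  const row = db
    .prepare(`SELECT ${USER_COLUMNS} FROM users WHERE id = ? AND verein_id = ?`)
    .get(params.id, u.verein_id);
  return json(row);
}

/**
 * DELETE — removes a user of the caller's Verein.
 *
 * Deleting one's own account is refused before the database is touched.
 * The tenant-scoped DELETE doubles as the existence check: zero affected
 * rows means the id is unknown within this Verein.
 *
 * @throws 400 when the caller targets their own account
 * @throws 404 when no matching user exists in the caller's Verein
 */
export async function DELETE({ request, params }: UserRouteEvent): Promise<Response> {
  const u = await requireAuth(request);
  if (u.sub === params.id) throw error(400, 'Eigenen Account nicht löschbar');
  const db = getDb();
  const result = db
    .prepare('DELETE FROM users WHERE id = ? AND verein_id = ?')
    .run(params.id, u.verein_id);
  if (result.changes === 0) throw error(404, 'User nicht gefunden');
  return new Response(null, { status: 204 });
}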