feat: new api endpoint for user edit own data is added

Author: rrd108

docs/api/index.md

@@ -204,6 +204,30 @@ Get the current user's profile information.
 **Error Responses:**
 - `401 Unauthorized`: No authentication token or invalid token
 
+### Update Profile
+
+**Endpoint:** `PATCH /api/nuxt-users/me`
+
+Update the current user's profile information (e.g., name, email).
+
+**Request Body:**
+```json
+{
+  "name": "Johnathan Doe",
+  "email": "john.doe@new-email.com"
+}
+```
+
+**Notes:**
+- Users cannot change their own `role` using this endpoint.
+
+**Response:**
+Returns the updated user object.
+
+**Error Responses:**
+- `400 Bad Request`: Invalid data, such as an email that is already taken.
+- `401 Unauthorized`: No authentication token or invalid token
+
 ### Update Password
 
 **Endpoint:** `PATCH /api/nuxt-users/password`

src/module.ts

@@ -130,6 +130,12 @@ export default defineNuxtModule<RuntimeModuleOptions>({
       handler: resolver.resolve('./runtime/server/api/nuxt-users/me.get')
     })
 
+    addServerHandler({
+      route: `${base}/me`,
+      method: 'patch',
+      handler: resolver.resolve('./runtime/server/api/nuxt-users/me.patch')
+    })
+
     // Password
     addServerHandler({
       route: `${base}/password`,

src/runtime/server/api/nuxt-users/me.patch.ts

@@ -0,0 +1,43 @@
+import { createError, defineEventHandler, readBody } from 'h3'
+import type { ModuleOptions } from '../../../../types'
+import { useRuntimeConfig } from '#imports'
+import { updateUser } from '../../utils/user'
+
+export default defineEventHandler(async (event) => {
+  const { nuxtUsers } = useRuntimeConfig()
+  const options = nuxtUsers as ModuleOptions
+
+  // The user is authenticated by the server middleware and available in the event context.
+  const user = event.context.user
+
+  if (!user) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Unauthorized'
+    })
+  }
+
+  const body = await readBody(event)
+
+  // Users should not be able to change their role via this endpoint.
+  if (body.role) {
+    delete body.role
+  }
+
+  try {
+    const updatedUser = await updateUser(user.id, body, options)
+    return { user: updatedUser }
+  }
+  catch (error: unknown) {
+    if (error instanceof Error) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: error.message
+      })
+    }
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'An unknown error occurred'
+    })
+  }
+})

src/runtime/server/api/nuxt-users/password/forgot.post.ts

@@ -1,5 +1,5 @@
 import { defineEventHandler, readBody, createError } from 'h3'
-import { sendPasswordResetLink } from '../../../services/password' // Adjusted path
+import { sendPasswordResetLink } from '../../../services/password'
 
 export default defineEventHandler(async (event) => {
   const body = await readBody(event)

src/runtime/server/utils/user.ts

@@ -124,34 +124,37 @@ export const updateUser = async (id: number, userData: Partial<User>, options: M
   const db = await useDb(options)
   const usersTable = options.tables.users
 
-  const currentUser = await findUserById(id, options)
-  if (!currentUser) {
-    throw new Error('User not found.')
+  // Explicitly define which fields are allowed to be updated.
+  // This prevents mass-assignment vulnerabilities.
+  const allowedFields: (keyof User)[] = ['name', 'email', 'role']
+  const updates: string[] = []
+  const values: (string | number)[] = []
+
+  for (const field of allowedFields) {
+    if (userData[field] !== undefined) {
+      updates.push(`${field} = ?`)
+      values.push(userData[field])
+    }
   }
 
-  const fieldsToUpdate = { ...userData }
+  // If no valid fields are provided, there's nothing to update.
+  if (updates.length === 0) {
+    const currentUser = await findUserById(id, options)
+    if (!currentUser) {
+      throw new Error('User not found.')
+    }
+    return currentUser
+  }
 
-  // remove from update list
-  delete fieldsToUpdate.id
-  delete fieldsToUpdate.created_at
-  delete fieldsToUpdate.updated_at
-  delete fieldsToUpdate.last_login_at
-  delete fieldsToUpdate.password // TODO: handle password update
+  // Add the updated_at timestamp and the user ID for the WHERE clause
+  updates.push('updated_at = CURRENT_TIMESTAMP')
+  values.push(id)
 
-  if (Object.keys(fieldsToUpdate).length === 0) {
-    return currentUser as UserWithoutPassword
-  }
+  // Use db.sql with template parts for dynamic column names
+  const setClause = updates.map(update => update.replace(' = ?', '')).join(', ')
 
-  const dirtyFields = Object.keys(fieldsToUpdate).filter(key => currentUser[key as keyof UserWithoutPassword] != fieldsToUpdate[key as keyof typeof fieldsToUpdate])
+  await db.sql`UPDATE {${usersTable}} SET {${setClause}} WHERE id = ${id}`
 
-  // Update each field individually for security
-  for (const key of dirtyFields) {
-    await db.sql`
-      UPDATE {${usersTable}}
-      SET {${key}} = ${fieldsToUpdate[key as keyof typeof fieldsToUpdate]}, updated_at = CURRENT_TIMESTAMP
-      WHERE id = ${id}
-    `
-  }
   const updatedUser = await findUserById(id, options)
 
   if (!updatedUser) {