From c8311ce1fb919f86bcca609fbb4b7dcf7eb58591 Mon Sep 17 00:00:00 2001
From: Jules Neny <transformationsresilientes@gmail.com>
Date: Thu, 7 May 2026 00:22:44 +0200
Subject: [PATCH] feat(codev): retire Surprise + QR public + mode admin suppr
 fiches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- carto.vue : retire bouton Surprise (Alliance seul reste), ajoute isAdmin + deleteFiche + colonne supprimer annuaire
- middleware : /codev/qr exempté d'authentification
- auth.post.ts : détecte mdp admin → pose cookie codev_admin
- DELETE /api/codev/fiches/[id] : vérifie cookie admin avant suppression NocoDB
- GET /api/codev/me : retourne { admin, session }
- nuxt.config.ts : codevAdminPassword ajouté

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 nuxt.config.ts                         |  7 +++--
 pages/codev/carto.vue                  | 43 ++++++++++++++++++++------
 server/api/codev/auth.post.ts          | 19 ++++++++++--
 server/api/codev/fiches/[id].delete.ts | 25 +++++++++++++++
 server/api/codev/me.get.ts             |  5 +++
 server/middleware/codev-auth.ts        |  3 +-
 6 files changed, 86 insertions(+), 16 deletions(-)
 create mode 100644 server/api/codev/fiches/[id].delete.ts
 create mode 100644 server/api/codev/me.get.ts

diff --git a/nuxt.config.ts b/nuxt.config.ts
index f91f43a..7c38360 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -14,9 +14,10 @@ export default defineNuxtConfig({
     redisUrl: process.env.REDIS_URL || 'redis://127.0.0.1:6379',
     resendApiKey: process.env.RESEND_API_KEY,
     emailJules: process.env.EMAIL_JULES || 'jules@trans-former.fr',
-    codevTableId: '',       // NUXT_CODEV_TABLE_ID
-    codevPassword: 'merci', // NUXT_CODEV_PASSWORD - défaut "merci", overridable
-    codevBaseId: '',        // NUXT_CODEV_BASE_ID - base NocoDB (ex: pipilvsi7dibo80)
+    codevTableId: '',            // NUXT_CODEV_TABLE_ID
+    codevPassword: 'merci',      // NUXT_CODEV_PASSWORD - défaut "merci", overridable
+    codevBaseId: '',             // NUXT_CODEV_BASE_ID - base NocoDB (ex: pipilvsi7dibo80)
+    codevAdminPassword: 'admin2026', // NUXT_CODEV_ADMIN_PASSWORD
   },
 
   // Leaflet ne fonctionne pas en SSR — forcer le rendu côté client
diff --git a/pages/codev/carto.vue b/pages/codev/carto.vue
index 3529ddf..4b1bb02 100644
--- a/pages/codev/carto.vue
+++ b/pages/codev/carto.vue
@@ -61,15 +61,6 @@
           Alliance
           <span class="hint">besoins partages</span>
         </button>
-        <button
-          :class="{ active: mode === 'surprise' }"
-          style="--mode-color: #3b82f6"
-          @click="setMode('surprise')"
-          type="button"
-        >
-          Surprise
-          <span class="hint">offres partagees</span>
-        </button>
         <button
           v-if="mode !== 'none'"
           class="reset"
@@ -94,6 +85,7 @@
               <th class="col-nom">Prénom</th>
               <th class="col-besoin">Besoin</th>
               <th class="col-offre">Ce que j'offre</th>
+              <th v-if="isAdmin" class="col-actions"></th>
             </tr>
           </thead>
           <tbody>
@@ -101,6 +93,9 @@
               <td class="col-nom">{{ f.nom }}</td>
               <td class="col-besoin">{{ f.besoin }}</td>
               <td class="col-offre">{{ f.offre }}</td>
+              <td v-if="isAdmin" class="col-actions">
+                <button @click.stop="deleteFiche(f.id)" class="delete-btn" type="button" title="Supprimer">✕</button>
+              </td>
             </tr>
           </tbody>
         </table>
@@ -145,7 +140,7 @@ import { computeMatches } from '~/utils/codev/matching'
 
 useHead({ title: 'Carto - Co-developpement' })
 
-const { data, pending } = await useFetch<{ list: CodevFiche[] }>('/api/codev/fiches')
+const { data, pending, refresh } = await useFetch<{ list: CodevFiche[] }>('/api/codev/fiches')
 const fiches = computed(() => data.value?.list ?? [])
 
 const matches = ref<CodevMatch[]>([])
@@ -155,6 +150,15 @@ const tab = ref<'carto' | 'annuaire'>('carto')
 const selectedFiche = ref<CodevFiche | null>(null)
 const isMobileView = typeof window !== 'undefined' ? window.innerWidth < 600 : false
 
+const isAdmin = ref(false)
+
+onMounted(async () => {
+  try {
+    const r = await $fetch<{ admin: boolean }>('/api/codev/me')
+    isAdmin.value = r.admin
+  } catch { isAdmin.value = false }
+})
+
 const MODE_LABELS: Record<string, string> = {
   solution: 'Solution',
   alliance: 'Alliance',
@@ -177,6 +181,12 @@ function onSelectFiche(id: number) {
     navigateTo(`/codev/fiche?id=${id}`)
   }
 }
+
+async function deleteFiche(id: number) {
+  if (!confirm('Supprimer la fiche ?')) return
+  await $fetch(`/api/codev/fiches/${id}`, { method: 'DELETE' })
+  await refresh()
+}
 </script>
 
 <style scoped>
@@ -503,6 +513,19 @@ thead tr .col-nom { background: #f9fafb; }
   margin: 0;
 }
 
+.col-actions { width: 40px; text-align: center; }
+.delete-btn {
+  background: transparent;
+  border: none;
+  cursor: pointer;
+  color: #ef4444;
+  font-size: 1rem;
+  padding: 4px 8px;
+  border-radius: 4px;
+  transition: background 0.1s;
+}
+.delete-btn:hover { background: #fef2f2; }
+
 /* ── Mobile ── */
 
 @media (max-width: 600px) {
diff --git a/server/api/codev/auth.post.ts b/server/api/codev/auth.post.ts
index f947db8..3524490 100644
--- a/server/api/codev/auth.post.ts
+++ b/server/api/codev/auth.post.ts
@@ -15,10 +15,14 @@ export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig()
   const expected = config.codevPassword || 'merci'
 
-  if (parsed.data.password.trim().toLowerCase() !== expected.trim().toLowerCase()) {
+  const isAdmin = parsed.data.password.trim().toLowerCase() === (config.codevAdminPassword || 'admin2026').trim().toLowerCase()
+  const isUser = parsed.data.password.trim().toLowerCase() === expected.trim().toLowerCase()
+
+  if (!isAdmin && !isUser) {
     throw createError({ statusCode: 401, statusMessage: 'Mauvais mot de passe' })
   }
 
+  // Cookie session (user + admin)
   setCookie(event, 'codev_session', 'ok', {
     httpOnly: true,
     sameSite: 'lax',
@@ -27,5 +31,16 @@ export default defineEventHandler(async (event) => {
     path: '/',
   })
 
-  return { status: 200, ok: true }
+  // Cookie admin si mot de passe admin
+  if (isAdmin) {
+    setCookie(event, 'codev_admin', 'ok', {
+      httpOnly: true,
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 24, // 24h
+      path: '/',
+    })
+  }
+
+  return { status: 200, ok: true, admin: isAdmin }
 })
diff --git a/server/api/codev/fiches/[id].delete.ts b/server/api/codev/fiches/[id].delete.ts
new file mode 100644
index 0000000..078804b
--- /dev/null
+++ b/server/api/codev/fiches/[id].delete.ts
@@ -0,0 +1,25 @@
+export default defineEventHandler(async (event) => {
+  // Vérif cookie admin
+  const adminCookie = getCookie(event, 'codev_admin')
+  if (adminCookie !== 'ok') {
+    throw createError({ statusCode: 403, statusMessage: 'Accès refusé' })
+  }
+
+  const config = useRuntimeConfig()
+  const tableId = config.codevTableId
+  const id = getRouterParam(event, 'id')
+
+  if (!tableId || !id) {
+    throw createError({ statusCode: 400, message: 'Parametre manquant' })
+  }
+
+  await $fetch(`${config.nocodbUrl}/api/v2/tables/${tableId}/records`, {
+    method: 'DELETE',
+    headers: { 'xc-token': config.nocodbToken, 'Content-Type': 'application/json' },
+    body: JSON.stringify({ Id: Number(id) }),
+  }).catch(() => {
+    throw createError({ statusCode: 502, statusMessage: 'Erreur suppression' })
+  })
+
+  return { status: 200, ok: true }
+})
diff --git a/server/api/codev/me.get.ts b/server/api/codev/me.get.ts
new file mode 100644
index 0000000..ea11412
--- /dev/null
+++ b/server/api/codev/me.get.ts
@@ -0,0 +1,5 @@
+export default defineEventHandler((event) => {
+  const admin = getCookie(event, 'codev_admin') === 'ok'
+  const session = getCookie(event, 'codev_session') === 'ok'
+  return { admin, session }
+})
diff --git a/server/middleware/codev-auth.ts b/server/middleware/codev-auth.ts
index dfab87b..d04a5cc 100644
--- a/server/middleware/codev-auth.ts
+++ b/server/middleware/codev-auth.ts
@@ -8,8 +8,9 @@ export default defineEventHandler((event) => {
   // Seulement les routes sous /codev/
   if (!path.startsWith('/codev/')) return
 
-  // Routes publiques : /codev/demo (et sous-routes éventuelles)
+  // Routes publiques : /codev/demo et /codev/qr (et sous-routes éventuelles)
   if (path === '/codev/demo' || path.startsWith('/codev/demo/')) return
+  if (path === '/codev/qr' || path.startsWith('/codev/qr/')) return
 
   // Vérification cookie
   const session = getCookie(event, 'codev_session')