feat(codev): retire Surprise + QR public + mode admin suppr fiches

- carto.vue : retire bouton Surprise (Alliance seul reste), ajoute isAdmin + deleteFiche + colonne supprimer annuaire - middleware : /codev/qr exempté d'authentification - auth.post.ts : détecte mdp admin → pose cookie codev_admin - DELETE /api/codev/fiches/[id] : vérifie cookie admin avant suppression NocoDB - GET /api/codev/me : retourne { admin, session } - nuxt.config.ts : codevAdminPassword ajouté Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 00:22:44 +02:00
parent 142e5cf787
commit c8311ce1fb
6 changed files with 86 additions and 16 deletions
--- a/server/api/codev/auth.post.ts
+++ b/server/api/codev/auth.post.ts
@@ -15,10 +15,14 @@ export default defineEventHandler(async (event) => {
  const config = useRuntimeConfig()
  const expected = config.codevPassword || 'merci'

-  if (parsed.data.password.trim().toLowerCase() !== expected.trim().toLowerCase()) {
+  const isAdmin = parsed.data.password.trim().toLowerCase() === (config.codevAdminPassword || 'admin2026').trim().toLowerCase()
+  const isUser = parsed.data.password.trim().toLowerCase() === expected.trim().toLowerCase()
+
+  if (!isAdmin && !isUser) {
    throw createError({ statusCode: 401, statusMessage: 'Mauvais mot de passe' })
  }

+  // Cookie session (user + admin)
  setCookie(event, 'codev_session', 'ok', {
    httpOnly: true,
    sameSite: 'lax',
@@ -27,5 +31,16 @@ export default defineEventHandler(async (event) => {
    path: '/',
  })

-  return { status: 200, ok: true }
+  // Cookie admin si mot de passe admin
+  if (isAdmin) {
+    setCookie(event, 'codev_admin', 'ok', {
+      httpOnly: true,
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 24, // 24h
+      path: '/',
+    })
+  }
+
+  return { status: 200, ok: true, admin: isAdmin }
 })
--- a/server/api/codev/fiches/[id].delete.ts
+++ b/server/api/codev/fiches/[id].delete.ts
@@ -0,0 +1,25 @@
+export default defineEventHandler(async (event) => {
+  // Vérif cookie admin
+  const adminCookie = getCookie(event, 'codev_admin')
+  if (adminCookie !== 'ok') {
+    throw createError({ statusCode: 403, statusMessage: 'Accès refusé' })
+  }
+
+  const config = useRuntimeConfig()
+  const tableId = config.codevTableId
+  const id = getRouterParam(event, 'id')
+
+  if (!tableId || !id) {
+    throw createError({ statusCode: 400, message: 'Parametre manquant' })
+  }
+
+  await $fetch(`${config.nocodbUrl}/api/v2/tables/${tableId}/records`, {
+    method: 'DELETE',
+    headers: { 'xc-token': config.nocodbToken, 'Content-Type': 'application/json' },
+    body: JSON.stringify({ Id: Number(id) }),
+  }).catch(() => {
+    throw createError({ statusCode: 502, statusMessage: 'Erreur suppression' })
+  })
+
+  return { status: 200, ok: true }
+})
--- a/server/api/codev/me.get.ts
+++ b/server/api/codev/me.get.ts
@@ -0,0 +1,5 @@
+export default defineEventHandler((event) => {
+  const admin = getCookie(event, 'codev_admin') === 'ok'
+  const session = getCookie(event, 'codev_session') === 'ok'
+  return { admin, session }
+})