feat: security and auditing

api/src/app/routes/users/index.ts

@@ -0,0 +1,92 @@
+/**
+ * @copyright 2026 NHCarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import { FastifyPluginAsync } from "fastify";
+import { User, AuditAction, AuditCategory } from "@library/shared-types";
+import { UserService } from "../../services/user.service";
+import { AuditService } from "../../services/audit.service";
+import { adminGuard } from "../../middleware/admin-guard";
+
+const usersRoutes: FastifyPluginAsync = async (app) => {
+  const userService = new UserService();
+
+  app.get<{ Reply: User[] }>(
+    "/",
+    {
+      preValidation: [app.authenticate, adminGuard],
+    },
+    async () => {
+      return userService.getAllUsers();
+    }
+  );
+
+  app.get<{ Params: { id: string }; Reply: User | null }>(
+    "/:id",
+    {
+      preValidation: [app.authenticate, adminGuard],
+    },
+    async (request) => {
+      const { id } = request.params;
+      return userService.getUserById(id);
+    }
+  );
+
+  app.post<{ Params: { id: string }; Reply: User | { error: string } }>(
+    "/:id/ban",
+    {
+      preValidation: [app.authenticate, adminGuard],
+      preHandler: [app.csrfProtection],
+    },
+    async (request, reply) => {
+      const { id } = request.params;
+      const currentUser = request.user as { id: string };
+
+      if (currentUser.id === id) {
+        return reply.code(400).send({ error: "You cannot ban yourself" });
+      }
+
+      const user = await userService.banUser(id);
+      if (!user) {
+        return reply.code(404).send({ error: "User not found" });
+      }
+
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.USER_BAN,
+        category: AuditCategory.ADMIN,
+        targetUserId: id,
+        details: `Banned user: ${user.username}`,
+      });
+
+      return user;
+    }
+  );
+
+  app.post<{ Params: { id: string }; Reply: User | { error: string } }>(
+    "/:id/unban",
+    {
+      preValidation: [app.authenticate, adminGuard],
+      preHandler: [app.csrfProtection],
+    },
+    async (request, reply) => {
+      const { id } = request.params;
+      const user = await userService.unbanUser(id);
+      if (!user) {
+        return reply.code(404).send({ error: "User not found" });
+      }
+
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.USER_UNBAN,
+        category: AuditCategory.ADMIN,
+        targetUserId: id,
+        details: `Unbanned user: ${user.username}`,
+      });
+
+      return user;
+    }
+  );
+};
+
+export default usersRoutes;