feat: blocklist table with registration check endpoint
- is_blocked BOOLEAN (default true), INET type for IP validation - Indexes on email/username/phone/ip for fast registration checks - POST /api/blocklist/check — checks all fields in one request, returns 403 if blocked - Auto-timestamps on block/unblock, email stored lowercase Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
112
src/routes/blocklist.js
Normal file
112
src/routes/blocklist.js
Normal file
@@ -0,0 +1,112 @@
|
||||
const router = require('express').Router();
|
||||
const { query } = require('../db');
|
||||
|
||||
// GET /api/blocklist
|
||||
router.get('/', async (req, res, next) => {
|
||||
try {
|
||||
const { is_blocked, limit = 50, offset = 0 } = req.query;
|
||||
const params = [Math.min(parseInt(limit), 500), parseInt(offset)];
|
||||
const where = is_blocked !== undefined ? `WHERE is_blocked = $3` : '';
|
||||
if (is_blocked !== undefined) params.push(is_blocked === 'true');
|
||||
const result = await query(
|
||||
`SELECT * FROM blocklist ${where} ORDER BY created_at DESC LIMIT $1 OFFSET $2`,
|
||||
params
|
||||
);
|
||||
res.json(result.rows);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// GET /api/blocklist/:id
|
||||
router.get('/:id', async (req, res, next) => {
|
||||
try {
|
||||
const result = await query('SELECT * FROM blocklist WHERE id = $1', [req.params.id]);
|
||||
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
|
||||
res.json(result.rows[0]);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// POST /api/blocklist/check — Registrierungs-Check
|
||||
router.post('/check', async (req, res, next) => {
|
||||
try {
|
||||
const { username, email, phone, ip } = req.body;
|
||||
if (!username && !email && !phone && !ip)
|
||||
return res.status(400).json({ error: 'Provide at least one field to check' });
|
||||
|
||||
const conditions = [];
|
||||
const params = [];
|
||||
if (email) { params.push(email.toLowerCase()); conditions.push(`lower(email) = $${params.length}`); }
|
||||
if (username) { params.push(username.toLowerCase()); conditions.push(`lower(username) = $${params.length}`); }
|
||||
if (phone) { params.push(phone); conditions.push(`phone = $${params.length}`); }
|
||||
if (ip) { params.push(ip); conditions.push(`ip = $${params.length}`); }
|
||||
|
||||
const result = await query(
|
||||
`SELECT id, is_blocked, username, email, phone, ip FROM blocklist
|
||||
WHERE is_blocked = true AND (${conditions.join(' OR ')})
|
||||
LIMIT 1`,
|
||||
params
|
||||
);
|
||||
|
||||
if (result.rows.length) {
|
||||
return res.status(403).json({ blocked: true, matched: result.rows[0] });
|
||||
}
|
||||
res.json({ blocked: false });
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// POST /api/blocklist — Eintrag anlegen
|
||||
router.post('/', async (req, res, next) => {
|
||||
try {
|
||||
const { username, email, phone, ip } = req.body;
|
||||
if (!username && !email && !phone && !ip)
|
||||
return res.status(400).json({ error: 'Provide at least one of: username, email, phone, ip' });
|
||||
|
||||
const result = await query(
|
||||
`INSERT INTO blocklist (username, email, phone, ip, blocked_at)
|
||||
VALUES ($1, $2, $3, $4, NOW()) RETURNING *`,
|
||||
[username || null, email ? email.toLowerCase() : null, phone || null, ip || null]
|
||||
);
|
||||
res.status(201).json(result.rows[0]);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// PATCH /api/blocklist/:id — blockieren / entsperren
|
||||
router.patch('/:id', async (req, res, next) => {
|
||||
try {
|
||||
const allowed = ['is_blocked', 'username', 'email', 'phone', 'ip', 'blocked_at', 'unblocked_at'];
|
||||
const fields = Object.keys(req.body).filter(k => allowed.includes(k));
|
||||
if (!fields.length) return res.status(400).json({ error: 'No valid fields provided' });
|
||||
|
||||
// Auto-timestamps bei is_blocked Wechsel
|
||||
if (req.body.is_blocked === true && !req.body.blocked_at) {
|
||||
fields.push('blocked_at');
|
||||
req.body.blocked_at = new Date().toISOString();
|
||||
}
|
||||
if (req.body.is_blocked === false && !req.body.unblocked_at) {
|
||||
fields.push('unblocked_at');
|
||||
req.body.unblocked_at = new Date().toISOString();
|
||||
}
|
||||
|
||||
// Email normalisieren
|
||||
if (req.body.email) req.body.email = req.body.email.toLowerCase();
|
||||
|
||||
const setClauses = fields.map((f, i) => `${f} = $${i + 1}`).join(', ');
|
||||
const values = [...fields.map(f => req.body[f]), req.params.id];
|
||||
const result = await query(
|
||||
`UPDATE blocklist SET ${setClauses} WHERE id = $${fields.length + 1} RETURNING *`,
|
||||
values
|
||||
);
|
||||
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
|
||||
res.json(result.rows[0]);
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
// DELETE /api/blocklist/:id
|
||||
router.delete('/:id', async (req, res, next) => {
|
||||
try {
|
||||
const result = await query('DELETE FROM blocklist WHERE id = $1 RETURNING id', [req.params.id]);
|
||||
if (!result.rows.length) return res.status(404).json({ error: 'Not found' });
|
||||
res.status(204).end();
|
||||
} catch (err) { next(err); }
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
Reference in New Issue
Block a user