Admin: Letzte Aktivität pro User (nur echte Aktionen, kein Polling)
This commit is contained in:
@@ -250,6 +250,8 @@ if (msgCols2.length && !msgCols2.includes('read_by_recipient')) {
|
||||
const userCols2 = db.prepare("PRAGMA table_info(users)").all().map(r => r.name);
|
||||
if (!userCols2.includes('preferences'))
|
||||
db.exec("ALTER TABLE users ADD COLUMN preferences TEXT DEFAULT NULL");
|
||||
if (!userCols2.includes('last_active_at'))
|
||||
db.exec("ALTER TABLE users ADD COLUMN last_active_at DATETIME DEFAULT NULL");
|
||||
|
||||
// ── Login-Sicherheit ──────────────────────────────────────────────────────────
|
||||
// Spalten für Account-Lockout in users-Tabelle
|
||||
|
||||
@@ -7,6 +7,23 @@ require('./db');
|
||||
const app = express();
|
||||
app.use(express.json({ limit: '10mb' }));
|
||||
|
||||
// ── Aktivitäts-Tracking: nur bei echten Aktionen (POST/PUT/DELETE) ─────────────
|
||||
app.use((req, res, next) => {
|
||||
if (['POST','PUT','DELETE'].includes(req.method)) {
|
||||
const auth = req.headers.authorization;
|
||||
if (auth?.startsWith('Bearer ')) {
|
||||
try {
|
||||
const jwt = require('jsonwebtoken');
|
||||
const p = jwt.verify(auth.slice(7), process.env.JWT_SECRET || 'dev-secret');
|
||||
if (p?.id) {
|
||||
db.prepare("UPDATE users SET last_active_at=datetime('now','localtime') WHERE id=?").run(p.id);
|
||||
}
|
||||
} catch {}
|
||||
}
|
||||
}
|
||||
next();
|
||||
});
|
||||
|
||||
// ── Security Headers ──────────────────────────────────────────────────────────
|
||||
app.use((_req, res, next) => {
|
||||
res.setHeader('Content-Security-Policy', [
|
||||
|
||||
@@ -31,7 +31,7 @@ router.post('/restore', authenticate, requireAdmin, upload.single('database'), (
|
||||
|
||||
// GET /api/admin/users – alle Benutzer mit Statistiken
|
||||
router.get('/users', authenticate, requireAdmin, (req, res) => {
|
||||
const users = db.prepare("SELECT id, username, role, created_at FROM users ORDER BY role DESC, username").all();
|
||||
const users = db.prepare("SELECT id, username, role, created_at, last_active_at FROM users ORDER BY role DESC, username").all();
|
||||
const stats = users.map(u => {
|
||||
const archiv = db.prepare('SELECT COUNT(*) c FROM calculations WHERE user_id=?').get(u.id).c;
|
||||
const bestellung = db.prepare('SELECT COUNT(*) c FROM orders WHERE user_id=?').get(u.id).c;
|
||||
|
||||
Reference in New Issue
Block a user