馃 distributed transcription service
thistle.dunkirk.sh
dunkirk.sh
1import db from "../db/schema";
2
3const SESSION_DURATION = 7 * 24 * 60 * 60; // 7 days in seconds
4
5export type UserRole = "user" | "admin";
6
7export interface User {
8 id: number;
9 email: string;
10 name: string | null;
11 avatar: string;
12 created_at: number;
13 role: UserRole;
14 last_login: number | null;
15}
16
17export interface Session {
18 id: string;
19 user_id: number;
20 ip_address: string | null;
21 user_agent: string | null;
22 created_at: number;
23 expires_at: number;
24}
25
26export function createSession(
27 userId: number,
28 ipAddress?: string,
29 userAgent?: string,
30): string {
31 const sessionId = crypto.randomUUID();
32 const expiresAt = Math.floor(Date.now() / 1000) + SESSION_DURATION;
33
34 db.run(
35 "INSERT INTO sessions (id, user_id, ip_address, user_agent, expires_at) VALUES (?, ?, ?, ?, ?)",
36 [sessionId, userId, ipAddress ?? null, userAgent ?? null, expiresAt],
37 );
38
39 return sessionId;
40}
41
42export function getSession(sessionId: string): Session | null {
43 const now = Math.floor(Date.now() / 1000);
44
45 const session = db
46 .query<Session, [string, number]>(
47 "SELECT id, user_id, ip_address, user_agent, created_at, expires_at FROM sessions WHERE id = ? AND expires_at > ?",
48 )
49 .get(sessionId, now);
50
51 return session ?? null;
52}
53
54export function getUserBySession(sessionId: string): User | null {
55 const session = getSession(sessionId);
56 if (!session) return null;
57
58 const user = db
59 .query<User, [number]>(
60 "SELECT id, email, name, avatar, created_at, role, last_login FROM users WHERE id = ?",
61 )
62 .get(session.user_id);
63
64 return user ?? null;
65}
66
67export function getUserByEmail(email: string): User | null {
68 const user = db
69 .query<User, [string]>(
70 "SELECT id, email, name, avatar, created_at, role, last_login FROM users WHERE email = ?",
71 )
72 .get(email);
73
74 return user ?? null;
75}
76
77export function deleteSession(sessionId: string): void {
78 db.run("DELETE FROM sessions WHERE id = ?", [sessionId]);
79}
80
81export function cleanupExpiredSessions(): void {
82 const now = Math.floor(Date.now() / 1000);
83 db.run("DELETE FROM sessions WHERE expires_at <= ?", [now]);
84}
85
86export async function createUser(
87 email: string,
88 password: string,
89 name?: string,
90): Promise<User> {
91 // Generate deterministic avatar from email
92 const encoder = new TextEncoder();
93 const data = encoder.encode(email.toLowerCase());
94 const hashBuffer = await crypto.subtle.digest("SHA-256", data);
95 const hashArray = Array.from(new Uint8Array(hashBuffer));
96 const avatar = hashArray
97 .map((b) => b.toString(16).padStart(2, "0"))
98 .join("")
99 .substring(0, 16);
100
101 const result = db.run(
102 "INSERT INTO users (email, password_hash, name, avatar) VALUES (?, ?, ?, ?)",
103 [email, password, name ?? null, avatar],
104 );
105
106 const user = db
107 .query<User, [number]>(
108 "SELECT id, email, name, avatar, created_at, role, last_login FROM users WHERE id = ?",
109 )
110 .get(Number(result.lastInsertRowid));
111
112 if (!user) {
113 throw new Error("Failed to create user");
114 }
115
116 return user;
117}
118
119export async function authenticateUser(
120 email: string,
121 password: string,
122): Promise<User | null> {
123 const result = db
124 .query<
125 {
126 id: number;
127 email: string;
128 name: string | null;
129 avatar: string;
130 password_hash: string;
131 created_at: number;
132 role: UserRole;
133 last_login: number | null;
134 },
135 [string]
136 >(
137 "SELECT id, email, name, avatar, password_hash, created_at, role, last_login FROM users WHERE email = ?",
138 )
139 .get(email);
140
141 if (!result) {
142 // Dummy comparison to prevent timing-based account enumeration
143 const dummyHash = "0".repeat(64);
144 password === dummyHash;
145 return null;
146 }
147
148 if (password !== result.password_hash) return null;
149
150 // Update last_login
151 const now = Math.floor(Date.now() / 1000);
152 db.run("UPDATE users SET last_login = ? WHERE id = ?", [now, result.id]);
153
154 return {
155 id: result.id,
156 email: result.email,
157 name: result.name,
158 avatar: result.avatar,
159 created_at: result.created_at,
160 role: result.role,
161 last_login: now,
162 };
163}
164
165export function getUserSessionsForUser(userId: number): Session[] {
166 const now = Math.floor(Date.now() / 1000);
167
168 const sessions = db
169 .query<Session, [number, number]>(
170 "SELECT id, user_id, ip_address, user_agent, created_at, expires_at FROM sessions WHERE user_id = ? AND expires_at > ? ORDER BY created_at DESC",
171 )
172 .all(userId, now);
173
174 return sessions;
175}
176
177export function getSessionFromRequest(req: Request): string | null {
178 const cookie = req.headers.get("cookie");
179 if (!cookie) return null;
180
181 const match = cookie.match(/session=([^;]+)/);
182 return match?.[1] ?? null;
183}
184
185export async function deleteUser(userId: number): Promise<void> {
186 // Prevent deleting the ghost user
187 if (userId === 0) {
188 throw new Error("Cannot delete ghost user account");
189 }
190
191 // Get user's subscription if they have one
192 const subscription = db
193 .query<{ id: string }, [number]>(
194 "SELECT id FROM subscriptions WHERE user_id = ? ORDER BY created_at DESC LIMIT 1",
195 )
196 .get(userId);
197
198 // Cancel subscription if it exists (soft cancel - keeps access until period end)
199 if (subscription) {
200 try {
201 const { polar } = await import("./polar");
202 await polar.subscriptions.update({
203 id: subscription.id,
204 subscriptionUpdate: { cancelAtPeriodEnd: true },
205 });
206 console.log(
207 `[User Delete] Canceled subscription ${subscription.id} for user ${userId}`,
208 );
209 } catch (error) {
210 console.error(
211 `[User Delete] Failed to cancel subscription ${subscription.id}:`,
212 error,
213 );
214 // Continue with user deletion even if subscription cancellation fails
215 }
216 }
217
218 // Reassign class transcriptions to ghost user (id=0)
219 // Delete personal transcriptions (no class_id)
220 db.run(
221 "UPDATE transcriptions SET user_id = 0 WHERE user_id = ? AND class_id IS NOT NULL",
222 [userId],
223 );
224 db.run(
225 "DELETE FROM transcriptions WHERE user_id = ? AND class_id IS NULL",
226 [userId],
227 );
228
229 // Delete user (CASCADE will handle sessions, passkeys, subscriptions, class_members)
230 db.run("DELETE FROM users WHERE id = ?", [userId]);
231}
232
233export function updateUserEmail(userId: number, newEmail: string): void {
234 db.run("UPDATE users SET email = ? WHERE id = ?", [newEmail, userId]);
235}
236
237export function updateUserName(userId: number, newName: string): void {
238 db.run("UPDATE users SET name = ? WHERE id = ?", [newName, userId]);
239}
240
241export function updateUserAvatar(userId: number, avatar: string): void {
242 db.run("UPDATE users SET avatar = ? WHERE id = ?", [avatar, userId]);
243}
244
245export async function updateUserPassword(
246 userId: number,
247 newPassword: string,
248): Promise<void> {
249 db.run("UPDATE users SET password_hash = ? WHERE id = ?", [
250 newPassword,
251 userId,
252 ]);
253 db.run("DELETE FROM sessions WHERE user_id = ?", [userId]);
254}
255
256export function isUserAdmin(userId: number): boolean {
257 const result = db
258 .query<{ role: UserRole }, [number]>("SELECT role FROM users WHERE id = ?")
259 .get(userId);
260
261 return result?.role === "admin";
262}
263
264export function updateUserRole(userId: number, role: UserRole): void {
265 db.run("UPDATE users SET role = ? WHERE id = ?", [role, userId]);
266}
267
268export function getAllUsers(): Array<{
269 id: number;
270 email: string;
271 name: string | null;
272 avatar: string;
273 created_at: number;
274 role: UserRole;
275}> {
276 return db
277 .query<
278 {
279 id: number;
280 email: string;
281 name: string | null;
282 avatar: string;
283 created_at: number;
284 role: UserRole;
285 last_login: number | null;
286 },
287 []
288 >(
289 "SELECT id, email, name, avatar, created_at, role, last_login FROM users ORDER BY created_at DESC",
290 )
291 .all();
292}
293
294export function getAllTranscriptions(): Array<{
295 id: string;
296 user_id: number;
297 user_email: string;
298 user_name: string | null;
299 original_filename: string;
300 status: string;
301 created_at: number;
302 error_message: string | null;
303}> {
304 return db
305 .query<
306 {
307 id: string;
308 user_id: number;
309 user_email: string;
310 user_name: string | null;
311 original_filename: string;
312 status: string;
313 created_at: number;
314 error_message: string | null;
315 },
316 []
317 >(
318 `SELECT
319 t.id,
320 t.user_id,
321 u.email as user_email,
322 u.name as user_name,
323 t.original_filename,
324 t.status,
325 t.created_at,
326 t.error_message
327 FROM transcriptions t
328 LEFT JOIN users u ON t.user_id = u.id
329 ORDER BY t.created_at DESC`,
330 )
331 .all();
332}
333
334export function deleteTranscription(transcriptionId: string): void {
335 const transcription = db
336 .query<{ id: string; filename: string }, [string]>(
337 "SELECT id, filename FROM transcriptions WHERE id = ?",
338 )
339 .get(transcriptionId);
340
341 if (!transcription) {
342 throw new Error("Transcription not found");
343 }
344
345 // Delete database record
346 db.run("DELETE FROM transcriptions WHERE id = ?", [transcriptionId]);
347
348 // Delete files (audio file and transcript files)
349 try {
350 const audioPath = `./uploads/${transcription.filename}`;
351 const transcriptPath = `./transcripts/${transcriptionId}.txt`;
352 const vttPath = `./transcripts/${transcriptionId}.vtt`;
353
354 if (Bun.file(audioPath).size) {
355 Bun.write(audioPath, "").then(() => {
356 // File deleted by overwriting with empty content, then unlink
357 import("node:fs").then((fs) => {
358 fs.unlinkSync(audioPath);
359 });
360 });
361 }
362
363 if (Bun.file(transcriptPath).size) {
364 import("node:fs").then((fs) => {
365 fs.unlinkSync(transcriptPath);
366 });
367 }
368
369 if (Bun.file(vttPath).size) {
370 import("node:fs").then((fs) => {
371 fs.unlinkSync(vttPath);
372 });
373 }
374 } catch {
375 // Files might not exist, ignore errors
376 }
377}
378
379export function getSessionsForUser(userId: number): Session[] {
380 const now = Math.floor(Date.now() / 1000);
381 return db
382 .query<Session, [number, number]>(
383 "SELECT id, user_id, ip_address, user_agent, created_at, expires_at FROM sessions WHERE user_id = ? AND expires_at > ? ORDER BY created_at DESC",
384 )
385 .all(userId, now);
386}
387
388export function deleteSessionById(sessionId: string, userId: number): boolean {
389 const result = db.run("DELETE FROM sessions WHERE id = ? AND user_id = ?", [
390 sessionId,
391 userId,
392 ]);
393 return result.changes > 0;
394}
395
396export function deleteAllUserSessions(userId: number): void {
397 db.run("DELETE FROM sessions WHERE user_id = ?", [userId]);
398}
399
400export function updateUserEmailAddress(userId: number, newEmail: string): void {
401 db.run("UPDATE users SET email = ? WHERE id = ?", [newEmail, userId]);
402}
403
404export interface UserWithStats {
405 id: number;
406 email: string;
407 name: string | null;
408 avatar: string;
409 created_at: number;
410 role: UserRole;
411 last_login: number | null;
412 transcription_count: number;
413 subscription_status: string | null;
414 subscription_id: string | null;
415}
416
417export function getAllUsersWithStats(): UserWithStats[] {
418 return db
419 .query<UserWithStats, []>(
420 `SELECT
421 u.id,
422 u.email,
423 u.name,
424 u.avatar,
425 u.created_at,
426 u.role,
427 u.last_login,
428 COUNT(DISTINCT t.id) as transcription_count,
429 s.status as subscription_status,
430 s.id as subscription_id
431 FROM users u
432 LEFT JOIN transcriptions t ON u.id = t.user_id
433 LEFT JOIN subscriptions s ON u.id = s.user_id AND s.status IN ('active', 'trialing', 'past_due')
434 GROUP BY u.id
435 ORDER BY u.created_at DESC`,
436 )
437 .all();
438}