Add success and error message feedback for user profile operations (#8716)

* mws authentication

* add more tests and permission checkers

* add logic to ensure that only authenticated users' requests are handled

* add custom login page

* Implement user authentication as well as session handling

* work on user operations authorization

* add middleware to route handlers for bags & tiddlers routes

* add feature that only returns the tiddlers and bags which the user has permission to access on index page

* refactor auth routes & added user management page

* fix Ci Test failure issue

* fix users list page, add manage roles page

* add commands and scripts to create new user & assign roles and permissions

* resolved ci-test failure

* add ACL permissions to bags & tiddlers on creation

* fix comments and access control list bug

* fix indentation issues

* working on user profile edit

* remove list users command & added support for database in server options

* implement user profile update and password change feature

* update plugin readme

* implement command which triggers protected mode on the server

* revert server-wide auth flag. Implement selective authorization

* ACL management feature

* Complete Access control list implementation

* Added support to manage users' assigned role by admin

* fix comments

* fix comment

* Add user profile management and account deletion functionality

* add success and error message feedback for user profile operations

* fix indentation issues

* Add command to create admin user if none exists when the start command is executed

* refactor annonymous user flow with create admin implementation

* remove mws-add-user from start command

plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-user.js

@@ -8,56 +8,79 @@ POST /admin/post-user
 \*/
 (function() {
 
-  /*jslint node: true, browser: true */
-  /*global $tw: false */
-  "use strict";
+/*jslint node: true, browser: true */
+/*global $tw: false */
+"use strict";
+if($tw.node) {
+	var crypto = require("crypto");
+}
+exports.method = "POST";
 
-  exports.method = "POST";
+exports.path = /^\/admin\/post-user\/?$/;
 
-  exports.path = /^\/admin\/post-user\/?$/;
+exports.bodyFormat = "www-form-urlencoded";
 
-  exports.bodyFormat = "www-form-urlencoded";
+exports.csrfDisable = true;
 
-  exports.csrfDisable = true;
+exports.handler = function(request, response, state) {
+  var sqlTiddlerDatabase = state.server.sqlTiddlerDatabase;
+  var username = state.data.username;
+  var email = state.data.email;
+  var password = state.data.password;
+  var confirmPassword = state.data.confirmPassword;
 
-  exports.handler = function(request, response, state) {
-    var sqlTiddlerDatabase = state.server.sqlTiddlerDatabase;
-    var username = state.data.username;
-    var email = state.data.email;
-    var password = state.data.password;
-    var confirmPassword = state.data.confirmPassword;
+  if(!state.authenticatedUser && !state.firstGuestUser) {
+    response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
+    response.end("Unauthorized");
+    return;
+  }
 
-    if(!state.authenticatedUser) {
-      response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
-      response.end("Unauthorized");
-      return;
-    }
+  if(!username || !email || !password || !confirmPassword) {
+    response.writeHead(400, {"Content-Type": "application/json"});
+    response.end(JSON.stringify({error: "All fields are required"}));
+    return;
+  }
 
-    if(!username || !email || !password || !confirmPassword) {
-      response.writeHead(400, {"Content-Type": "application/json"});
-      response.end(JSON.stringify({error: "All fields are required"}));
-      return;
-    }
+  if(password !== confirmPassword) {
+    response.writeHead(400, {"Content-Type": "application/json"});
+    response.end(JSON.stringify({error: "Passwords do not match"}));
+    return;
+  }
 
-    if(password !== confirmPassword) {
-      response.writeHead(400, {"Content-Type": "application/json"});
-      response.end(JSON.stringify({error: "Passwords do not match"}));
-      return;
-    }
+  // Check if user already exists
+  var existingUser = sqlTiddlerDatabase.getUser(username);
+  if(existingUser) {
+    response.writeHead(400, {"Content-Type": "application/json"});
+    response.end(JSON.stringify({error: "Username already exists"}));
+    return;
+  }
 
-    // Check if user already exists
-    var existingUser = sqlTiddlerDatabase.getUser(username);
-    if(existingUser) {
-      response.writeHead(400, {"Content-Type": "application/json"});
-      response.end(JSON.stringify({error: "Username already exists"}));
-      return;
-    }
+  var hasUsers = sqlTiddlerDatabase.listUsers().length > 0;
+	var hashedPassword = crypto.createHash("sha256").update(password).digest("hex");
 
-    // Create new user
-    var userId = sqlTiddlerDatabase.createUser(username, email, password);
+  // Create new user
+  var userId = sqlTiddlerDatabase.createUser(username, email, hashedPassword);
 
+  if(!hasUsers) {
+    // If this is the first guest user, assign admin privileges
+    sqlTiddlerDatabase.setUserAdmin(userId, true);
+    
+    // Create a session for the new admin user
+    var auth = require('$:/plugins/tiddlywiki/multiwikiserver/auth/authentication.js').Authenticator;
+    var authenticator = auth(sqlTiddlerDatabase);
+    var sessionId = authenticator.createSession(userId);
+    
+    // Set the session cookie and redirect
+    response.setHeader('Set-Cookie', `session=${sessionId}; HttpOnly; Path=/`);
+    response.writeHead(302, {
+        'Location': '/'
+    });
+    response.end();
+    return;
+  } else {
     response.writeHead(302, {"Location": "/admin/users/"+userId});
     response.end();
-  };
+  }
+};
 
 }());