Require admin password for destructive admin actions

2026-02-08 15:05:10 +01:00
parent 96a47020d8
commit e666e7c603
13 changed files with 197 additions and 43 deletions
--- a/wwwroot/js/app-admin-handlers.js
+++ b/wwwroot/js/app-admin-handlers.js
@@ -8,14 +8,23 @@ import {
    renderPhasePill,
 } from "./ui.js";

-async function adminAction(fn, successMessage, runSerializedRefresh) {
-    try {
-        await fn();
-        toast(successMessage);
-        await runSerializedRefresh();
-    } catch (err) {
-        toast(err.message, true);
-    }
+function openAdminPasswordModal({ title, body, confirmLabel, onConfirm }) {
+    openConfirmModal({
+        title,
+        body,
+        confirmLabel,
+        confirmClass: "danger",
+        requirePassword: true,
+        passwordLabel: t("admin.confirmPasswordLabel"),
+        onConfirm: async (close, payload) => {
+            const password = (payload?.password || "").trim();
+            if (!password) {
+                toast(t("admin.confirmPasswordRequired"), true);
+                return;
+            }
+            await onConfirm(password, close);
+        },
+    });
 }

 function setupAdminPanelToggle() {
@@ -32,16 +41,40 @@ function setupAdminPanelToggle() {
 }

 function setupResetButtons(runSerializedRefresh) {
-    $("reset").addEventListener("click", () =>
-        adminAction(adminApi.reset, t("admin.resetDone"), runSerializedRefresh),
-    );
-    $("factory-reset").addEventListener("click", () =>
-        adminAction(
-            adminApi.factoryReset,
-            t("admin.factoryResetDone"),
-            runSerializedRefresh,
-        ),
-    );
+    $("reset").addEventListener("click", () => {
+        openAdminPasswordModal({
+            title: t("admin.resetConfirmTitle"),
+            body: t("admin.resetConfirmBody"),
+            confirmLabel: t("admin.reset"),
+            onConfirm: async (password, close) => {
+                try {
+                    await adminApi.reset(password);
+                    toast(t("admin.resetDone"));
+                    close();
+                    await runSerializedRefresh();
+                } catch (err) {
+                    toast(err.message, true);
+                }
+            },
+        });
+    });
+    $("factory-reset").addEventListener("click", () => {
+        openAdminPasswordModal({
+            title: t("admin.factoryResetConfirmTitle"),
+            body: t("admin.factoryResetConfirmBody"),
+            confirmLabel: t("admin.factoryReset"),
+            onConfirm: async (password, close) => {
+                try {
+                    await adminApi.factoryReset(password);
+                    toast(t("admin.factoryResetDone"));
+                    close();
+                    await runSerializedRefresh();
+                } catch (err) {
+                    toast(err.message, true);
+                }
+            },
+        });
+    });
 }

 function setupResultsToggle(runSerializedRefresh) {
@@ -145,13 +178,13 @@ function setupPlayerTableActions(runSerializedRefresh) {
        } else if (deleteBtn) {
            const playerId = deleteBtn.dataset.deletePlayer;
            const name = deleteBtn.dataset.name || "";
-            openConfirmModal({
+            openAdminPasswordModal({
                title: t("admin.deleteTitle"),
                body: t("admin.deleteBody", { name }),
                confirmLabel: t("admin.deleteConfirm"),
-                onConfirm: async (close) => {
+                onConfirm: async (password, close) => {
                    try {
-                        await adminApi.deletePlayer(playerId);
+                        await adminApi.deletePlayer(playerId, password);
                        toast(t("admin.deleteDone"));
                        close();
                        await runSerializedRefresh();