From abb14a49e0982f8492bad87d222c90508bcfe327 Mon Sep 17 00:00:00 2001
From: Kirill <mpak8501@yandex.ru>
Date: Fri, 22 May 2026 11:47:46 +0500
Subject: [PATCH] feat(server): add auth-methods, set-password, unlink-oauth
 endpoints

---
 server/src/routes/auth.js | 69 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/server/src/routes/auth.js b/server/src/routes/auth.js
index 5d44129..4b2a2e5 100644
--- a/server/src/routes/auth.js
+++ b/server/src/routes/auth.js
@@ -145,6 +145,75 @@ export async function registerAuthRoutes(fastify) {
     return { user: mapUserForClient(user) }
   })
 
+  fastify.get('/api/me/auth-methods', { preHandler: [fastify.authenticate] }, async (request) => {
+    const userId = request.user.sub
+    const user = await prisma.user.findUnique({
+      where: { id: userId },
+      include: { oauthAccounts: { select: { provider: true } } },
+    })
+    if (!user) return { methods: [] }
+
+    const providers = user.oauthAccounts.map((a) => a.provider)
+    return {
+      methods: [
+        { type: 'password', active: Boolean(user.passwordHash) },
+        { type: 'vk', active: providers.includes('vk') },
+        { type: 'yandex', active: providers.includes('yandex') },
+      ],
+    }
+  })
+
+  fastify.post('/api/me/password', { preHandler: [fastify.authenticate] }, async (request, reply) => {
+    const userId = request.user.sub
+    if (isAdminEmail(request.user.email)) {
+      return reply.code(403).send({ error: 'Администратор не может устанавливать пароль' })
+    }
+
+    const user = await prisma.user.findUnique({ where: { id: userId } })
+    if (!user) return reply.code(404).send({ error: 'Пользователь не найден' })
+    if (user.passwordHash) return reply.code(409).send({ error: 'Пароль уже установлен' })
+
+    const password = String(request.body?.password || '')
+    const passwordErr = validatePassword(password)
+    if (passwordErr) return reply.code(400).send({ error: passwordErr })
+
+    const passwordHash = await hashPassword(password)
+    await prisma.user.update({ where: { id: userId }, data: { passwordHash } })
+
+    return { ok: true }
+  })
+
+  fastify.delete('/api/me/oauth/:provider', { preHandler: [fastify.authenticate] }, async (request, reply) => {
+    const userId = request.user.sub
+    const provider = request.params?.provider
+
+    if (isAdminEmail(request.user.email)) {
+      return reply.code(403).send({ error: 'Администратор не может отвязывать OAuth' })
+    }
+    if (provider !== 'vk' && provider !== 'yandex') {
+      return reply.code(400).send({ error: 'Неизвестный провайдер' })
+    }
+
+    const oauth = await prisma.oAuthAccount.findFirst({
+      where: { userId, provider },
+    })
+    if (!oauth) return reply.code(404).send({ error: 'Аккаунт не привязан' })
+
+    const remainingOAuth = await prisma.oAuthAccount.count({
+      where: { userId, provider: { not: provider } },
+    })
+    const currentUser = await prisma.user.findUnique({
+      where: { id: userId },
+      select: { passwordHash: true },
+    })
+    if (!currentUser?.passwordHash && remainingOAuth === 0) {
+      return reply.code(400).send({ error: 'Нельзя удалить последний метод входа' })
+    }
+
+    await prisma.oAuthAccount.delete({ where: { id: oauth.id } })
+    return { ok: true }
+  })
+
   fastify.post('/api/me/change-email/request-code', { preHandler: [fastify.authenticate] }, async (request, reply) => {
     const userId = request.user.sub
     const newEmail = normalizeEmail(request.body?.newEmail)