npm - @intranefr/superbackend - Versions diffs - 1.4.3 - Mend

@intranefr/superbackend 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (188) hide show

package/.commiat +4 -0
package/.env.example +47 -0
package/README.md +110 -0
package/index.js +94 -0
package/package.json +67 -0
package/public/css/styles.css +139 -0
package/public/js/animations.js +41 -0
package/sdk/error-tracking/browser/package.json +16 -0
package/sdk/error-tracking/browser/src/core.js +270 -0
package/sdk/error-tracking/browser/src/embed.js +18 -0
package/sdk/error-tracking/browser/src/index.js +1 -0
package/server.js +5 -0
package/src/admin/endpointRegistry.js +300 -0
package/src/controllers/admin.controller.js +321 -0
package/src/controllers/adminAssets.controller.js +530 -0
package/src/controllers/adminAssetsStorage.controller.js +260 -0
package/src/controllers/adminEjsVirtual.controller.js +354 -0
package/src/controllers/adminFeatureFlags.controller.js +155 -0
package/src/controllers/adminHeadless.controller.js +1071 -0
package/src/controllers/adminI18n.controller.js +604 -0
package/src/controllers/adminJsonConfigs.controller.js +97 -0
package/src/controllers/adminLlm.controller.js +273 -0
package/src/controllers/adminMigration.controller.js +257 -0
package/src/controllers/adminSeoConfig.controller.js +515 -0
package/src/controllers/adminStats.controller.js +121 -0
package/src/controllers/adminUploadNamespaces.controller.js +208 -0
package/src/controllers/assets.controller.js +248 -0
package/src/controllers/auth.controller.js +93 -0
package/src/controllers/billing.controller.js +223 -0
package/src/controllers/featureFlags.controller.js +35 -0
package/src/controllers/forms.controller.js +217 -0
package/src/controllers/globalSettings.controller.js +252 -0
package/src/controllers/headlessCrud.controller.js +126 -0
package/src/controllers/i18n.controller.js +12 -0
package/src/controllers/invite.controller.js +249 -0
package/src/controllers/jsonConfigs.controller.js +19 -0
package/src/controllers/metrics.controller.js +149 -0
package/src/controllers/notificationAdmin.controller.js +264 -0
package/src/controllers/notifications.controller.js +131 -0
package/src/controllers/org.controller.js +357 -0
package/src/controllers/orgAdmin.controller.js +491 -0
package/src/controllers/stripeAdmin.controller.js +410 -0
package/src/controllers/user.controller.js +361 -0
package/src/controllers/userAdmin.controller.js +277 -0
package/src/controllers/waitingList.controller.js +167 -0
package/src/controllers/webhook.controller.js +200 -0
package/src/middleware/auth.js +66 -0
package/src/middleware/errorCapture.js +170 -0
package/src/middleware/headlessApiTokenAuth.js +57 -0
package/src/middleware/org.js +108 -0
package/src/middleware.js +901 -0
package/src/models/ActionEvent.js +31 -0
package/src/models/ActivityLog.js +41 -0
package/src/models/Asset.js +84 -0
package/src/models/AuditEvent.js +93 -0
package/src/models/EmailLog.js +28 -0
package/src/models/ErrorAggregate.js +72 -0
package/src/models/FormSubmission.js +41 -0
package/src/models/GlobalSetting.js +38 -0
package/src/models/HeadlessApiToken.js +24 -0
package/src/models/HeadlessModelDefinition.js +41 -0
package/src/models/I18nEntry.js +77 -0
package/src/models/I18nLocale.js +33 -0
package/src/models/Invite.js +70 -0
package/src/models/JsonConfig.js +46 -0
package/src/models/Notification.js +60 -0
package/src/models/Organization.js +57 -0
package/src/models/OrganizationMember.js +43 -0
package/src/models/StripeCatalogItem.js +77 -0
package/src/models/StripeWebhookEvent.js +57 -0
package/src/models/User.js +89 -0
package/src/models/VirtualEjsFile.js +60 -0
package/src/models/VirtualEjsFileVersion.js +43 -0
package/src/models/VirtualEjsGroupChange.js +32 -0
package/src/models/WaitingList.js +41 -0
package/src/models/Webhook.js +63 -0
package/src/models/Workflow.js +29 -0
package/src/models/WorkflowExecution.js +12 -0
package/src/routes/admin.routes.js +26 -0
package/src/routes/adminAssets.routes.js +28 -0
package/src/routes/adminAssetsStorage.routes.js +13 -0
package/src/routes/adminAudit.routes.js +196 -0
package/src/routes/adminEjsVirtual.routes.js +17 -0
package/src/routes/adminErrors.routes.js +164 -0
package/src/routes/adminFeatureFlags.routes.js +12 -0
package/src/routes/adminHeadless.routes.js +38 -0
package/src/routes/adminI18n.routes.js +22 -0
package/src/routes/adminJsonConfigs.routes.js +15 -0
package/src/routes/adminLlm.routes.js +12 -0
package/src/routes/adminMigration.routes.js +81 -0
package/src/routes/adminSeoConfig.routes.js +20 -0
package/src/routes/adminUploadNamespaces.routes.js +13 -0
package/src/routes/assets.routes.js +21 -0
package/src/routes/auth.routes.js +12 -0
package/src/routes/billing.routes.js +11 -0
package/src/routes/errorTracking.routes.js +31 -0
package/src/routes/featureFlags.routes.js +9 -0
package/src/routes/forms.routes.js +9 -0
package/src/routes/formsAdmin.routes.js +13 -0
package/src/routes/globalSettings.routes.js +18 -0
package/src/routes/headless.routes.js +15 -0
package/src/routes/i18n.routes.js +8 -0
package/src/routes/invite.routes.js +9 -0
package/src/routes/jsonConfigs.routes.js +8 -0
package/src/routes/log.routes.js +111 -0
package/src/routes/metrics.routes.js +9 -0
package/src/routes/notificationAdmin.routes.js +15 -0
package/src/routes/notifications.routes.js +12 -0
package/src/routes/org.routes.js +31 -0
package/src/routes/orgAdmin.routes.js +20 -0
package/src/routes/publicAssets.routes.js +7 -0
package/src/routes/stripeAdmin.routes.js +20 -0
package/src/routes/user.routes.js +22 -0
package/src/routes/userAdmin.routes.js +15 -0
package/src/routes/waitingList.routes.js +13 -0
package/src/routes/waitingListAdmin.routes.js +9 -0
package/src/routes/webhook.routes.js +32 -0
package/src/routes/workflowWebhook.routes.js +54 -0
package/src/routes/workflows.routes.js +110 -0
package/src/services/assets.service.js +110 -0
package/src/services/audit.service.js +62 -0
package/src/services/auditLogger.js +165 -0
package/src/services/ejsVirtual.service.js +614 -0
package/src/services/email.service.js +351 -0
package/src/services/errorLogger.js +221 -0
package/src/services/featureFlags.service.js +202 -0
package/src/services/forms.service.js +214 -0
package/src/services/globalSettings.service.js +49 -0
package/src/services/headlessApiTokens.service.js +158 -0
package/src/services/headlessCrypto.service.js +31 -0
package/src/services/headlessModels.service.js +356 -0
package/src/services/i18n.service.js +314 -0
package/src/services/i18nInferredKeys.service.js +337 -0
package/src/services/jsonConfigs.service.js +392 -0
package/src/services/llm.service.js +749 -0
package/src/services/migration.service.js +581 -0
package/src/services/migrationAssets/fsLocal.js +58 -0
package/src/services/migrationAssets/index.js +134 -0
package/src/services/migrationAssets/s3.js +75 -0
package/src/services/migrationAssets/sftp.js +92 -0
package/src/services/notification.service.js +212 -0
package/src/services/objectStorage.service.js +514 -0
package/src/services/seoConfig.service.js +402 -0
package/src/services/storage.js +150 -0
package/src/services/stripe.service.js +185 -0
package/src/services/stripeHelper.service.js +264 -0
package/src/services/uploadNamespaces.service.js +326 -0
package/src/services/webhook.service.js +157 -0
package/src/services/workflow.service.js +271 -0
package/src/utils/asyncHandler.js +5 -0
package/src/utils/encryption.js +80 -0
package/src/utils/jwt.js +40 -0
package/src/utils/orgRoles.js +156 -0
package/src/utils/validation.js +26 -0
package/src/utils/webhookRetry.js +93 -0
package/views/admin-assets.ejs +444 -0
package/views/admin-audit.ejs +283 -0
package/views/admin-coolify-deploy.ejs +207 -0
package/views/admin-dashboard-home.ejs +291 -0
package/views/admin-dashboard.ejs +397 -0
package/views/admin-ejs-virtual.ejs +280 -0
package/views/admin-errors.ejs +368 -0
package/views/admin-feature-flags.ejs +390 -0
package/views/admin-forms.ejs +526 -0
package/views/admin-global-settings.ejs +436 -0
package/views/admin-headless.ejs +2020 -0
package/views/admin-i18n-locales.ejs +221 -0
package/views/admin-i18n.ejs +728 -0
package/views/admin-json-configs.ejs +410 -0
package/views/admin-llm.ejs +884 -0
package/views/admin-metrics.ejs +274 -0
package/views/admin-migration.ejs +814 -0
package/views/admin-notifications.ejs +430 -0
package/views/admin-organizations.ejs +984 -0
package/views/admin-seo-config.ejs +673 -0
package/views/admin-stripe-pricing.ejs +558 -0
package/views/admin-test.ejs +342 -0
package/views/admin-users.ejs +452 -0
package/views/admin-waiting-list.ejs +547 -0
package/views/admin-webhooks.ejs +329 -0
package/views/admin-workflows.ejs +310 -0
package/views/partials/admin-assets-script.ejs +2022 -0
package/views/partials/admin-test-sidebar.ejs +14 -0
package/views/partials/dashboard/nav-items.ejs +66 -0
package/views/partials/dashboard/palette.ejs +63 -0
package/views/partials/dashboard/sidebar.ejs +21 -0
package/views/partials/dashboard/tab-bar.ejs +26 -0
package/views/partials/footer.ejs +3 -0

package/src/controllers/user.controller.js ADDED Viewed

@@ -0,0 +1,361 @@
+const User = require('../models/User');
+const ActivityLog = require('../models/ActivityLog');
+const bcrypt = require('bcryptjs');
+const crypto = require('crypto');
+const emailService = require('../services/email.service');
+// Helper function to log activity
+const logActivity = async (userId, action, category, description, metadata = {}, req) => {
+  try {
+    await ActivityLog.create({
+      userId,
+      action,
+      category,
+      description,
+      ipAddress: req.ip || req.connection.remoteAddress,
+      userAgent: req.get('user-agent'),
+      metadata
+    });
+  } catch (error) {
+    console.error('Failed to log activity:', error);
+    // Don't throw - activity logging should not break the main flow
+  }
+};
+// PUT /api/user/profile - Update user profile
+exports.updateProfile = async (req, res) => {
+  try {
+    const { name, email } = req.body;
+    const userId = req.user._id;
+    const updates = {};
+    const changedFields = [];
+    if (name !== undefined) {
+      updates.name = name;
+      changedFields.push('name');
+    }
+    if (email !== undefined) {
+      // Check if email is already taken by another user
+      const existingUser = await User.findOne({ email, _id: { $ne: userId } });
+      if (existingUser) {
+        return res.status(400).json({ error: 'Email already in use' });
+      }
+      updates.email = email;
+      changedFields.push('email');
+    }
+    const user = await User.findByIdAndUpdate(
+      userId,
+      updates,
+      { new: true, runValidators: true }
+    );
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    // Log activity
+    await logActivity(
+      userId,
+      'update_profile',
+      'settings',
+      `Updated profile: ${changedFields.join(', ')}`,
+      { updatedFields: changedFields },
+      req
+    );
+    res.json({
+      message: 'Profile updated successfully',
+      user
+    });
+  } catch (error) {
+    console.error('Error updating profile:', error);
+    res.status(500).json({ error: 'Failed to update profile' });
+  }
+};
+// PUT /api/user/password - Change password
+exports.changePassword = async (req, res) => {
+  try {
+    const { currentPassword, newPassword } = req.body;
+    const userId = req.user._id;
+    if (!currentPassword || !newPassword) {
+      return res.status(400).json({
+        error: 'Current password and new password are required'
+      });
+    }
+    // Validate new password strength
+    if (newPassword.length < 8) {
+      return res.status(400).json({
+        error: 'New password must be at least 8 characters long'
+      });
+    }
+    const user = await User.findById(userId);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    // Verify current password
+    const isMatch = await user.comparePassword(currentPassword);
+    if (!isMatch) {
+      return res.status(401).json({ error: 'Current password is incorrect' });
+    }
+    // Update password (will be hashed by pre-save hook)
+    user.passwordHash = newPassword;
+    await user.save();
+    // Log activity
+    await logActivity(
+      userId,
+      'change_password',
+      'auth',
+      'User changed their password',
+      {},
+      req
+    );
+    // Send confirmation email
+    try {
+      await emailService.sendPasswordChangedEmail(user.email);
+    } catch (emailError) {
+      console.error('Failed to send password change email:', emailError);
+      // Don't fail the request if email fails
+    }
+    res.json({ message: 'Password changed successfully' });
+  } catch (error) {
+    console.error('Error changing password:', error);
+    res.status(500).json({ error: 'Failed to change password' });
+  }
+};
+// POST /api/user/password-reset-request - Request password reset
+exports.requestPasswordReset = async (req, res) => {
+  try {
+    const { email } = req.body;
+    if (!email) {
+      return res.status(400).json({ error: 'Email is required' });
+    }
+    // Always return success message to prevent email enumeration
+    const successMessage = 'If an account with that email exists, a password reset link has been sent.';
+    const user = await User.findOne({ email: email.toLowerCase() });
+    if (user) {
+      // Generate secure reset token
+      const resetToken = crypto.randomBytes(32).toString('hex');
+      const hashedToken = crypto.createHash('sha256').update(resetToken).digest('hex');
+      // Set token and expiry (1 hour)
+      user.passwordResetToken = hashedToken;
+      user.passwordResetExpiry = new Date(Date.now() + 60 * 60 * 1000);
+      await user.save();
+      // Log activity
+      await logActivity(
+        user._id,
+        'password_reset_request',
+        'auth',
+        'User requested password reset',
+        { email: user.email },
+        req
+      );
+      // Send reset email with plain token
+      try {
+        await emailService.sendPasswordResetEmail(user.email, resetToken);
+      } catch (emailError) {
+        console.error('Failed to send password reset email:', emailError);
+        // Still return success to user
+      }
+    }
+    res.json({ message: successMessage });
+  } catch (error) {
+    console.error('Error requesting password reset:', error);
+    res.status(500).json({ error: 'Failed to process password reset request' });
+  }
+};
+// POST /api/user/password-reset-confirm - Confirm password reset
+exports.confirmPasswordReset = async (req, res) => {
+  try {
+    const { token, newPassword } = req.body;
+    if (!token || !newPassword) {
+      return res.status(400).json({
+        error: 'Token and new password are required'
+      });
+    }
+    // Validate new password strength
+    if (newPassword.length < 8) {
+      return res.status(400).json({
+        error: 'Password must be at least 8 characters long'
+      });
+    }
+    // Hash the token to compare with stored hash
+    const hashedToken = crypto.createHash('sha256').update(token).digest('hex');
+    // Find user with valid token
+    const user = await User.findOne({
+      passwordResetToken: hashedToken,
+      passwordResetExpiry: { $gt: Date.now() }
+    });
+    if (!user) {
+      return res.status(400).json({
+        error: 'Invalid or expired password reset token'
+      });
+    }
+    // Update password (will be hashed by pre-save hook)
+    user.passwordHash = newPassword;
+    user.passwordResetToken = undefined;
+    user.passwordResetExpiry = undefined;
+    await user.save();
+    // Log activity
+    await logActivity(
+      user._id,
+      'password_reset_confirm',
+      'auth',
+      'User completed password reset',
+      {},
+      req
+    );
+    // Send confirmation email
+    try {
+      await emailService.sendPasswordChangedEmail(user.email);
+    } catch (emailError) {
+      console.error('Failed to send password change email:', emailError);
+    }
+    res.json({ message: 'Your password has been successfully reset' });
+  } catch (error) {
+    console.error('Error confirming password reset:', error);
+    res.status(500).json({ error: 'Failed to reset password' });
+  }
+};
+// DELETE /api/user/account - Delete user account
+exports.deleteAccount = async (req, res) => {
+  try {
+    const { password } = req.body;
+    const userId = req.user._id;
+    if (!password) {
+      return res.status(400).json({
+        error: 'Password is required for account deletion'
+      });
+    }
+    const user = await User.findById(userId);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    // Verify password for re-authentication
+    const isMatch = await user.comparePassword(password);
+    if (!isMatch) {
+      return res.status(401).json({ error: 'Incorrect password' });
+    }
+    const userEmail = user.email;
+    // Log activity before deletion
+    await logActivity(
+      userId,
+      'delete_account',
+      'auth',
+      'User deleted their account',
+      { email: userEmail },
+      req
+    );
+    // Delete the user
+    await User.findByIdAndDelete(userId);
+    // Send confirmation email
+    try {
+      await emailService.sendAccountDeletionEmail(userEmail);
+    } catch (emailError) {
+      console.error('Failed to send account deletion email:', emailError);
+    }
+    res.json({ message: 'Account deleted successfully' });
+  } catch (error) {
+    console.error('Error deleting account:', error);
+    res.status(500).json({ error: 'Failed to delete account' });
+  }
+};
+// GET /api/user/settings - Get user settings
+exports.getSettings = async (req, res) => {
+  try {
+    const userId = req.user._id;
+    const user = await User.findById(userId);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    res.json({
+      settings: user.settings || {}
+    });
+  } catch (error) {
+    console.error('Error fetching settings:', error);
+    res.status(500).json({ error: 'Failed to fetch settings' });
+  }
+};
+// PUT /api/user/settings - Update user settings
+exports.updateSettings = async (req, res) => {
+  try {
+    const userId = req.user._id;
+    const newSettings = req.body;
+    if (!newSettings || typeof newSettings !== 'object') {
+      return res.status(400).json({ error: 'Settings must be an object' });
+    }
+    const user = await User.findById(userId);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    // Merge new settings with existing settings
+    user.settings = {
+      ...user.settings,
+      ...newSettings
+    };
+    await user.save();
+    // Log activity
+    await logActivity(
+      userId,
+      'update_settings',
+      'settings',
+      'User updated their settings',
+      { updatedKeys: Object.keys(newSettings) },
+      req
+    );
+    res.json({
+      message: 'Settings updated successfully',
+      settings: user.settings
+    });
+  } catch (error) {
+    console.error('Error updating settings:', error);
+    res.status(500).json({ error: 'Failed to update settings' });
+  }
+};

package/src/controllers/userAdmin.controller.js ADDED Viewed

@@ -0,0 +1,277 @@
+const mongoose = require('mongoose');
+const User = require('../models/User');
+const Notification = require('../models/Notification');
+const OrganizationMember = require('../models/OrganizationMember');
+const { createAuditEvent, getBasicAuthActor } = require('../services/audit.service');
+const DEFAULT_LIMIT = 50;
+const MAX_LIMIT = 500;
+function parseLimit(value) {
+  const parsed = parseInt(value, 10);
+  if (!Number.isFinite(parsed)) return DEFAULT_LIMIT;
+  return Math.min(MAX_LIMIT, Math.max(1, parsed));
+}
+function parseOffset(value) {
+  const parsed = parseInt(value, 10);
+  if (!Number.isFinite(parsed)) return 0;
+  return Math.max(0, parsed);
+}
+function escapeRegex(str) {
+  return String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+exports.listUsers = async (req, res) => {
+  try {
+    const { q, role, subscriptionStatus, currentPlan, disabled, limit, offset } = req.query;
+    const parsedLimit = parseLimit(limit);
+    const parsedOffset = parseOffset(offset);
+    const query = {};
+    if (q) {
+      const pattern = escapeRegex(String(q).trim());
+      query.$or = [
+        { email: { $regex: pattern, $options: 'i' } },
+        { name: { $regex: pattern, $options: 'i' } },
+      ];
+    }
+    if (role) {
+      query.role = String(role);
+    }
+    if (subscriptionStatus) {
+      query.subscriptionStatus = String(subscriptionStatus);
+    }
+    if (currentPlan) {
+      query.currentPlan = String(currentPlan);
+    }
+    if (disabled === 'true') {
+      query.disabled = true;
+    } else if (disabled === 'false') {
+      query.disabled = { $ne: true };
+    }
+    const users = await User.find(query)
+      .select('-passwordHash -passwordResetToken -passwordResetExpiry')
+      .sort({ createdAt: -1 })
+      .limit(parsedLimit)
+      .skip(parsedOffset)
+      .lean();
+    const total = await User.countDocuments(query);
+    return res.json({
+      users,
+      pagination: {
+        total,
+        limit: parsedLimit,
+        offset: parsedOffset,
+      },
+    });
+  } catch (error) {
+    console.error('Admin user list error:', error);
+    return res.status(500).json({ error: 'Failed to list users' });
+  }
+};
+exports.getUser = async (req, res) => {
+  try {
+    const { id } = req.params;
+    if (!id || !mongoose.Types.ObjectId.isValid(String(id))) {
+      return res.status(400).json({ error: 'Invalid user ID' });
+    }
+    const user = await User.findById(id)
+      .select('-passwordHash -passwordResetToken -passwordResetExpiry')
+      .lean();
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    const [notificationCount, orgMembershipCount] = await Promise.all([
+      Notification.countDocuments({ userId: user._id }),
+      OrganizationMember.countDocuments({ userId: user._id, status: 'active' }),
+    ]);
+    return res.json({
+      user,
+      counts: {
+        notifications: notificationCount,
+        organizations: orgMembershipCount,
+      },
+    });
+  } catch (error) {
+    console.error('Admin user get error:', error);
+    return res.status(500).json({ error: 'Failed to get user' });
+  }
+};
+exports.updateUser = async (req, res) => {
+  try {
+    const { id } = req.params;
+    const { name, role, subscriptionStatus, currentPlan } = req.body;
+    if (!id || !mongoose.Types.ObjectId.isValid(String(id))) {
+      return res.status(400).json({ error: 'Invalid user ID' });
+    }
+    const user = await User.findById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    const before = user.toJSON();
+    const actor = getBasicAuthActor(req);
+    if (name !== undefined) {
+      user.name = String(name).trim();
+    }
+    if (role !== undefined) {
+      if (!['user', 'admin'].includes(String(role))) {
+        return res.status(400).json({ error: 'Invalid role. Must be user or admin.' });
+      }
+      user.role = String(role);
+    }
+    if (subscriptionStatus !== undefined) {
+      const validStatuses = ['none', 'active', 'cancelled', 'past_due', 'incomplete', 'incomplete_expired', 'trialing', 'unpaid'];
+      if (!validStatuses.includes(String(subscriptionStatus))) {
+        return res.status(400).json({ error: 'Invalid subscription status' });
+      }
+      user.subscriptionStatus = String(subscriptionStatus);
+    }
+    if (currentPlan !== undefined) {
+      const planStr = String(currentPlan).trim();
+      if (planStr.length > 100) {
+        return res.status(400).json({ error: 'Plan name too long (max 100 chars)' });
+      }
+      user.currentPlan = planStr || 'free';
+    }
+    await user.save();
+    await createAuditEvent({
+      ...actor,
+      action: 'admin.user.update',
+      entityType: 'User',
+      entityId: String(user._id),
+      before,
+      after: user.toJSON(),
+      meta: null,
+    });
+    return res.json({ user: user.toJSON() });
+  } catch (error) {
+    console.error('Admin user update error:', error);
+    return res.status(500).json({ error: 'Failed to update user' });
+  }
+};
+exports.disableUser = async (req, res) => {
+  try {
+    const { id } = req.params;
+    if (!id || !mongoose.Types.ObjectId.isValid(String(id))) {
+      return res.status(400).json({ error: 'Invalid user ID' });
+    }
+    const user = await User.findById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    const before = user.toJSON();
+    const actor = getBasicAuthActor(req);
+    user.disabled = true;
+    await user.save();
+    await createAuditEvent({
+      ...actor,
+      action: 'admin.user.disable',
+      entityType: 'User',
+      entityId: String(user._id),
+      before,
+      after: user.toJSON(),
+      meta: null,
+    });
+    return res.json({ message: 'User disabled successfully', user: user.toJSON() });
+  } catch (error) {
+    console.error('Admin user disable error:', error);
+    return res.status(500).json({ error: 'Failed to disable user' });
+  }
+};
+exports.enableUser = async (req, res) => {
+  try {
+    const { id } = req.params;
+    if (!id || !mongoose.Types.ObjectId.isValid(String(id))) {
+      return res.status(400).json({ error: 'Invalid user ID' });
+    }
+    const user = await User.findById(id);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    const before = user.toJSON();
+    const actor = getBasicAuthActor(req);
+    user.disabled = false;
+    await user.save();
+    await createAuditEvent({
+      ...actor,
+      action: 'admin.user.enable',
+      entityType: 'User',
+      entityId: String(user._id),
+      before,
+      after: user.toJSON(),
+      meta: null,
+    });
+    return res.json({ message: 'User enabled successfully', user: user.toJSON() });
+  } catch (error) {
+    console.error('Admin user enable error:', error);
+    return res.status(500).json({ error: 'Failed to enable user' });
+  }
+};
+exports.getUserStats = async (req, res) => {
+  try {
+    const [
+      totalUsers,
+      adminUsers,
+      activeSubscriptions,
+      disabledUsers,
+    ] = await Promise.all([
+      User.countDocuments({}),
+      User.countDocuments({ role: 'admin' }),
+      User.countDocuments({ subscriptionStatus: 'active' }),
+      User.countDocuments({ disabled: true }),
+    ]);
+    return res.json({
+      total: totalUsers,
+      admins: adminUsers,
+      activeSubscriptions,
+      disabled: disabledUsers,
+    });
+  } catch (error) {
+    console.error('Admin user stats error:', error);
+    return res.status(500).json({ error: 'Failed to get user stats' });
+  }
+};