feat: Introduce admin user management API with user listing, retrieval, account activation/deactivation, and case-insensitive role validation.

Backend/src/controllers/UsermanagementController.ts

@@ -0,0 +1,31 @@
+import { Get, Body, Post, Route, Tags, SuccessResponse, Response, Example, Controller, Security, Request, Put,Path } from 'tsoa';
+import { UserManagementService } from '../services/usermanagement.service';
+import { ValidationError } from '../middleware/errorHandler';
+import { ListUsersResponse, GetUserResponse, ActivateAccountResponse } from '../types/usersmanagement.types';
+import { getUserByIdValidator } from '../validators/usermanagement.validator';
+
+@Route('api/admin/usermanagement')
+@Tags('Usermanagement')
+export class UserManagementController {
+
+    private userManagementService = new UserManagementService();
+
+    @Get('users')
+    @Security('jwt' , ['admin'])
+    @SuccessResponse('200', 'Users fetched successfully')
+    @Response('401', 'Invalid or expired token')
+    public async listUsers(): Promise<ListUsersResponse> {
+        return await this.userManagementService.listUsers();
+    }
+
+    @Get('users/{id}')
+    @Security('jwt' , ['admin'])
+    @SuccessResponse('200', 'User fetched successfully')
+    @Response('401', 'Invalid or expired token')
+    public async getUserById(@Path() id: number): Promise<GetUserResponse> {
+        const { error, value } = getUserByIdValidator.validate({ id });
+        if (error) throw new ValidationError(error.details[0].message);
+        return await this.userManagementService.getUserById(value.id);
+    }
+}
+

Backend/src/middleware/authentication.ts

@@ -23,9 +23,11 @@ export async function expressAuthentication(
         try {
             const decoded = jwt.verify(token, config.jwt.secret) as JWTPayload;
 
-            // Check if user has required role
+            // Check if user has required role (case-insensitive)
             if (scopes && scopes.length > 0) {
-                if (!scopes.includes(decoded.roleCode)) {
+                const userRole = decoded.roleCode.toUpperCase();
+                const requiredRoles = scopes.map(scope => scope.toUpperCase());
+                if (!requiredRoles.includes(userRole)) {
                     throw new Error('Insufficient permissions');
                 }
             }

Backend/src/services/user.service.ts

@@ -171,6 +171,7 @@ export class UserService {
         }
     }
 
+    
 
     /**
          * Format user response

Backend/src/services/usermanagement.service.ts

@@ -0,0 +1,163 @@
+import { prisma } from '../config/database';
+import { Prisma } from '@prisma/client';
+import { config } from '../config';
+import { logger } from '../config/logger';
+import jwt from 'jsonwebtoken';
+import {
+    ListUsersResponse,
+    GetUserResponse,
+    ActivateAccount,
+    UpdateUser,
+    UpdateRoleResponse,
+    DeactivateAccountResponse,
+    ActivateAccountResponse,
+} from '../types/usersmanagement.types';
+import { UserResponse } from '../types/user.types';
+import { UnauthorizedError, ValidationError, ForbiddenError } from '../middleware/errorHandler';
+
+export class UserManagementService {
+    async listUsers(): Promise<ListUsersResponse> {
+        try {
+            const users = await prisma.user.findMany({
+                include: {
+                    profile: true,
+                    role: true
+                }
+            });
+
+            return {
+                code: 200,
+                message: 'Users fetched successfully',
+                data: users.map(user => this.formatUserResponse(user))
+            };
+        } catch (error) {
+            logger.error('Failed to fetch users', { error });
+            throw error;
+        }
+    }
+
+
+    async getUserById(id: number): Promise<GetUserResponse> {
+        try {
+            const user = await prisma.user.findUnique({
+                where: { id },
+                include: {
+                    role: true,
+                    profile: true
+                }
+            });
+            if (!user) throw new UnauthorizedError('User not found');
+            return {
+                code: 200,
+                message: 'User fetched successfully',
+                data: this.formatUserResponse(user)
+            };
+        } catch (error) {
+            logger.error('Failed to fetch user by ID', { error });
+            throw error;
+        }
+    }
+
+    async deactivateAccount(token: string): Promise<DeactivateAccountResponse> {
+        try {
+            // Decode JWT token to get user ID
+            const decoded = jwt.verify(token, config.jwt.secret) as { id: number; username: string; email: string; roleCode: string };
+
+            const user = await prisma.user.findUnique({ where: { id: decoded.id } });
+            if (!user) throw new UnauthorizedError('User not found');
+
+            // Check if account is already deactivated
+            if (user.is_deactivated) {
+                logger.warn('Deactivate attempt with deactivated account', { userId: user.id });
+                throw new ForbiddenError('This account has already been deactivated');
+            }
+
+            // Deactivate account
+            await prisma.user.update({
+                where: { id: user.id },
+                data: { is_deactivated: true }
+            });
+
+            logger.info('Account deactivated successfully', { userId: user.id });
+            return {
+                code: 200,
+                message: 'Account deactivated successfully'
+            };
+        } catch (error) {
+            if (error instanceof jwt.JsonWebTokenError) {
+                logger.error('Invalid JWT token:', error);
+                throw new UnauthorizedError('Invalid token');
+            }
+            if (error instanceof jwt.TokenExpiredError) {
+                logger.error('JWT token expired:', error);
+                throw new UnauthorizedError('Token expired');
+            }
+            logger.error('Failed to deactivate account', { error });
+            throw error;
+        }
+    }
+
+    async activateAccount(token: string): Promise<ActivateAccountResponse> {
+        try {
+            // Decode JWT token to get user ID
+            const decoded = jwt.verify(token, config.jwt.secret) as { id: number; username: string; email: string; roleCode: string };
+
+            const user = await prisma.user.findUnique({ where: { id: decoded.id } });
+            if (!user) throw new UnauthorizedError('User not found');
+
+            // Check if account is already activated
+            if (!user.is_deactivated) {
+                logger.warn('Activate attempt with activated account', { userId: user.id });
+                throw new ForbiddenError('This account has already been activated');
+            }
+
+            // Activate account
+            await prisma.user.update({
+                where: { id: user.id },
+                data: { is_deactivated: false }
+            });
+
+            logger.info('Account activated successfully', { userId: user.id });
+            return {
+                code: 200,
+                message: 'Account activated successfully'
+            };
+        } catch (error) {
+            if (error instanceof jwt.JsonWebTokenError) {
+                logger.error('Invalid JWT token:', error);
+                throw new UnauthorizedError('Invalid token');
+            }
+            if (error instanceof jwt.TokenExpiredError) {
+                logger.error('JWT token expired:', error);
+                throw new UnauthorizedError('Token expired');
+            }
+            logger.error('Failed to activate account', { error });
+            throw error;
+        }
+    }
+
+    /**
+     * Format user response
+     */
+    private formatUserResponse(user: any): UserResponse {
+        return {
+            id: user.id,
+            username: user.username,
+            email: user.email,
+            created_at: user.created_at,
+            updated_at: user.updated_at,
+            role: {
+                code: user.role.code,
+                name: user.role.name as { th: string; en: string }
+            },
+            profile: user.profile ? {
+                prefix: user.profile.prefix as { th?: string; en?: string } | undefined,
+                first_name: user.profile.first_name,
+                last_name: user.profile.last_name,
+                avatar_url: user.profile.avatar_url,
+                birth_date: user.profile.birth_date,
+                phone: user.profile.phone
+            } : undefined
+        };
+    }
+}

Backend/src/types/usersmanagement.types.ts

@@ -6,7 +6,7 @@ import { ProfileUpdate, UserResponse } from "./user.types";
 export interface ListUsersResponse {
     code: number;
     message: string;
-    data: UserResponse[];
+    data: UserResponse[] | null;
 }
     
 export interface GetUserResponse {
@@ -28,3 +28,22 @@ export interface UpdateRoleResponse {
     message: string;
     data: UserResponse;
 }
+
+export interface DeactivateAccountResponse {
+    code: number;
+    message: string;
+}
+
+export interface ActivateAccount {
+    id: number;
+}
+
+export interface ActivateAccountResponse {
+    code: number;
+    message: string;
+}
+
+export interface DeactivateAccount{
+    id: number;
+}
+

Backend/src/validators/usermanagement.validator.ts

@@ -0,0 +1,9 @@
+import Joi from "joi";
+
+export const getUserByIdValidator = Joi.object({
+    id: Joi.number().required().messages({
+        'number.base': 'ID must be a number',
+        'number.empty': 'ID is required',
+        'number.required': 'ID is required'
+    })
+})