fix: user patch sql error

Author: rrd108

scripts/test-sqlite.sh

@@ -20,4 +20,4 @@ if [ $# -eq 0 ]; then
     vitest run --exclude="test/unit/"
 else
     vitest run "$@"
-fi 
+fi

src/runtime/server/utils/user.ts

@@ -127,41 +127,27 @@ export const updateUser = async (id: number, userData: Partial<User>, options: M
   const db = await useDb(options)
   const usersTable = options.tables.users
 
-  // Explicitly define which fields are allowed to be updated.
-  // This prevents mass-assignment vulnerabilities.
   const allowedFields: (keyof User)[] = ['name', 'email', 'role', 'active']
-  const updates: string[] = []
-  const values: (string | number | boolean)[] = []
-
-  for (const field of allowedFields) {
-    if (userData[field] !== undefined) {
-      updates.push(`${field} = ?`)
-      values.push(userData[field])
-    }
-  }
-
-  // If the user is being deactivated, revoke their tokens
-  if (userData.active === false) {
-    await revokeUserTokens(id, options)
-  }
+  const fieldsToUpdate = allowedFields.filter(field => userData[field] !== undefined)
 
   // If no valid fields are provided, there's nothing to update.
-  if (updates.length === 0) {
+  if (fieldsToUpdate.length === 0) {
     const currentUser = await findUserById(id, options)
     if (!currentUser) {
       throw new Error('User not found.')
     }
     return currentUser
   }
 
-  // Add the updated_at timestamp and the user ID for the WHERE clause
-  updates.push('updated_at = CURRENT_TIMESTAMP')
-  values.push(id)
-
-  // Use db.sql with template parts for dynamic column names
-  const setClause = updates.map(update => update.replace(' = ?', '')).join(', ')
+  // If the user is being deactivated, revoke their tokens
+  if (userData.active === false) {
+    await revokeUserTokens(id, options)
+  }
 
-  await db.sql`UPDATE {${usersTable}} SET {${setClause}} WHERE id = ${id}`
+  for (const field of fieldsToUpdate) {
+    await db.sql`UPDATE {${usersTable}} SET {${field}} = ${userData[field]} WHERE id = ${id}`
+  }
+  await db.sql`UPDATE {${usersTable}} SET updated_at = CURRENT_TIMESTAMP WHERE id = ${id}`
 
   const updatedUser = await findUserById(id, options)
 

test/utils.user.test.ts

@@ -4,7 +4,7 @@ import type { DatabaseType, DatabaseConfig, ModuleOptions } from '../src/types'
 import { cleanupTestSetup, createTestSetup } from './test-setup'
 import { createUsersTable } from '../src/runtime/server/utils/create-users-table'
 import { createPersonalAccessTokensTable } from '../src/runtime/server/utils/create-personal-access-tokens-table'
-import { createUser, findUserByEmail, updateUserPassword, getLastLoginTime, getCurrentUserFromToken } from '../src/runtime/server/utils/user'
+import { createUser, findUserByEmail, updateUser, updateUserPassword, getLastLoginTime, getCurrentUserFromToken } from '../src/runtime/server/utils/user'
 import { addActiveToUsers } from '../src/runtime/server/utils/add-active-to-users'
 
 describe('User Utilities (src/utils/user.ts)', () => {
@@ -161,6 +161,26 @@ describe('User Utilities (src/utils/user.ts)', () => {
     })
   })
 
+  describe('updateUser', () => {
+    it('should update user details in the database', async () => {
+      // 1. Create a user
+      const userData = { email: 'update@example.com', name: 'Original Name', password: 'password123' }
+      const createdUser = await createUser(userData, testOptions)
+
+      // 2. Update the user's name and role
+      const updates = { name: 'Updated Name', role: 'admin' }
+      await updateUser(createdUser.id, updates, testOptions)
+
+      // 3. Fetch the user directly from the database to verify the update
+      const result = await db.sql`SELECT * FROM {${testOptions.tables.users}} WHERE id = ${createdUser.id}`
+      const dbUser = result.rows![0]
+
+      // 4. Assert that the details are updated
+      expect(dbUser.name).toBe(updates.name)
+      expect(dbUser.role).toBe(updates.role)
+    })
+  })
+
   describe('Integration tests', () => {
     it('should work together: create user, find user, update password', async () => {
       const userData = { email: 'integration@webmania.cc', name: 'Integration User', password: 'initialpassword' }