dragonflight/services/mam-api/src/routes/projects.js

import express from 'express';
import pool from '../db/pool.js';
import { validateUuid } from '../middleware/errors.js';
import { requireAdmin } from '../middleware/auth.js';
import { accessibleProjectIds, assertProjectAccess } from '../auth/authz.js';
import { v4 as uuidv4 } from 'uuid';

const router = express.Router();
router.param('id', (req, res, next) => validateUuid('id')(req, res, next));

// Helper function to slugify
const slugify = (str) => {
  return str
    .toLowerCase()
    .trim()
    .replace(/[^\w\s-]/g, '')
    .replace(/\s+/g, '-')
    .replace(/-+/g, '-');
};

// GET / - List projects the caller can access (admins see all).
router.get('/', async (req, res, next) => {
  try {
    const access = await accessibleProjectIds(req.user);
    if (access.all) {
      const result = await pool.query('SELECT * FROM projects ORDER BY created_at DESC');
      return res.json(result.rows);
    }
    if (access.ids.size === 0) return res.json([]);
    const ids = [...access.ids];
    const result = await pool.query(
      `SELECT * FROM projects WHERE id = ANY($1::uuid[]) ORDER BY created_at DESC`,
      [ids]
    );
    res.json(result.rows);
  } catch (err) {
    next(err);
  }
});

// POST / - Create project (admin only; new projects have no grants, so a
// scoped user could never reach one they just made).
router.post('/', requireAdmin, async (req, res, next) => {
  try {
    const { name, description } = req.body;

    if (!name) {
      return res.status(400).json({ error: 'Name is required' });
    }

    const id = uuidv4();
    const s3_prefix = slugify(name);

    const result = await pool.query(
      `INSERT INTO projects (id, name, description, s3_prefix, created_at, updated_at)
       VALUES ($1, $2, $3, $4, NOW(), NOW())
       RETURNING *`,
      [id, name, description || null, s3_prefix]
    );

    res.status(201).json(result.rows[0]);
  } catch (err) {
    next(err);
  }
});

// GET /:id - Single project with asset count (requires view access).
router.get('/:id', async (req, res, next) => {
  try {
    const { id } = req.params;
    await assertProjectAccess(req.user, id, 'view');

    const result = await pool.query(
      `SELECT p.*,
              COUNT(a.id) AS asset_count
       FROM projects p
       LEFT JOIN assets a ON a.project_id = p.id AND a.status != 'archived'
       WHERE p.id = $1
       GROUP BY p.id`,
      [id]
    );

    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'Project not found' });
    }

    res.json(result.rows[0]);
  } catch (err) {
    next(err);
  }
});

// PATCH /:id - Update project (requires edit access).
router.patch('/:id', async (req, res, next) => {
  try {
    const { id } = req.params;
    await assertProjectAccess(req.user, id, 'edit');
    const { name, description } = req.body;

    const updates = [];
    const params = [];
    let paramCount = 1;

    if (name !== undefined) {
      updates.push(`name = $${paramCount++}`);
      params.push(name);
    }

    if (description !== undefined) {
      updates.push(`description = $${paramCount++}`);
      params.push(description);
    }

    if (updates.length === 0) {
      return res.status(400).json({ error: 'No fields to update' });
    }

    updates.push(`updated_at = NOW()`);
    params.push(id);

    const query = `
      UPDATE projects
      SET ${updates.join(', ')}
      WHERE id = $${paramCount}
      RETURNING *
    `;

    const result = await pool.query(query, params);

    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'Project not found' });
    }

    res.json(result.rows[0]);
  } catch (err) {
    next(err);
  }
});

// DELETE /:id - Delete project and cascade (admin only — destructive, wipes
// every asset/bin/recorder under it).
router.delete('/:id', requireAdmin, async (req, res, next) => {
  try {
    const { id } = req.params;

    // Delete project (cascade should handle related records)
    const result = await pool.query(
      'DELETE FROM projects WHERE id = $1 RETURNING *',
      [id]
    );

    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'Project not found' });
    }

    res.json({ message: 'Project deleted', project: result.rows[0] });
  } catch (err) {
    next(err);
  }
});

// ── Per-project access grants (admin only) ──────────────────────────────────
// GET /:id/access — list grants with resolved user/group display names.
router.get('/:id/access', requireAdmin, async (req, res, next) => {
  try {
    const { rows } = await pool.query(
      `SELECT pa.subject_type, pa.subject_id, pa.level, pa.granted_at,
              CASE pa.subject_type
                WHEN 'user'  THEN u.display_name
                WHEN 'group' THEN g.name
              END AS subject_name,
              CASE pa.subject_type
                WHEN 'user'  THEN u.username
                ELSE NULL
              END AS username
         FROM project_access pa
         LEFT JOIN users  u ON pa.subject_type = 'user'  AND u.id = pa.subject_id
         LEFT JOIN groups g ON pa.subject_type = 'group' AND g.id = pa.subject_id
        WHERE pa.project_id = $1
        ORDER BY pa.subject_type, subject_name`,
      [req.params.id]
    );
    res.json(rows);
  } catch (err) { next(err); }
});

// POST /:id/access { subject_type, subject_id, level } — grant or update.
router.post('/:id/access', requireAdmin, async (req, res, next) => {
  try {
    const { subject_type, subject_id, level } = req.body || {};
    if (!['user', 'group'].includes(subject_type)) {
      return res.status(400).json({ error: "subject_type must be 'user' or 'group'" });
    }
    if (!subject_id) return res.status(400).json({ error: 'subject_id required' });
    const lvl = level || 'view';
    if (!['view', 'edit'].includes(lvl)) {
      return res.status(400).json({ error: "level must be 'view' or 'edit'" });
    }

    // Validate the subject actually exists so we don't create dead grants.
    const tbl = subject_type === 'user' ? 'users' : 'groups';
    const exists = await pool.query(`SELECT 1 FROM ${tbl} WHERE id = $1`, [subject_id]);
    if (exists.rows.length === 0) {
      return res.status(404).json({ error: subject_type + ' not found' });
    }

    const { rows } = await pool.query(
      `INSERT INTO project_access (project_id, subject_type, subject_id, level, granted_by)
       VALUES ($1, $2, $3, $4, $5)
       ON CONFLICT (project_id, subject_type, subject_id)
       DO UPDATE SET level = EXCLUDED.level, granted_by = EXCLUDED.granted_by, granted_at = NOW()
       RETURNING project_id, subject_type, subject_id, level, granted_at`,
      [req.params.id, subject_type, subject_id, lvl, req.user?.id || null]
    );
    res.status(201).json(rows[0]);
  } catch (err) { next(err); }
});

// DELETE /:id/access/:subjectType/:subjectId — revoke a grant.
router.delete('/:id/access/:subjectType/:subjectId', requireAdmin, async (req, res, next) => {
  try {
    const { id, subjectType, subjectId } = req.params;
    if (!['user', 'group'].includes(subjectType)) {
      return res.status(400).json({ error: "subjectType must be 'user' or 'group'" });
    }
    const { rowCount } = await pool.query(
      `DELETE FROM project_access
        WHERE project_id = $1 AND subject_type = $2 AND subject_id = $3`,
      [id, subjectType, subjectId]
    );
    if (rowCount === 0) return res.status(404).json({ error: 'grant not found' });
    res.status(204).end();
  } catch (err) { next(err); }
});

export default router;