import express from 'express'; import pool from '../db/pool.js'; import { validateUuid } from '../middleware/errors.js'; import { requireAdmin } from '../middleware/auth.js'; import { accessibleProjectIds, assertProjectAccess } from '../auth/authz.js'; import { v4 as uuidv4 } from 'uuid'; const router = express.Router(); router.param('id', (req, res, next) => validateUuid('id')(req, res, next)); // Helper function to slugify const slugify = (str) => { return str .toLowerCase() .trim() .replace(/[^\w\s-]/g, '') .replace(/\s+/g, '-') .replace(/-+/g, '-'); }; // GET / - List projects the caller can access (admins see all). router.get('/', async (req, res, next) => { try { const access = await accessibleProjectIds(req.user); if (access.all) { const result = await pool.query('SELECT * FROM projects ORDER BY created_at DESC'); return res.json(result.rows); } if (access.ids.size === 0) return res.json([]); const ids = [...access.ids]; const result = await pool.query( `SELECT * FROM projects WHERE id = ANY($1::uuid[]) ORDER BY created_at DESC`, [ids] ); res.json(result.rows); } catch (err) { next(err); } }); // POST / - Create project (admin only; new projects have no grants, so a // scoped user could never reach one they just made). router.post('/', requireAdmin, async (req, res, next) => { try { const { name, description } = req.body; if (!name) { return res.status(400).json({ error: 'Name is required' }); } const id = uuidv4(); const s3_prefix = slugify(name); const result = await pool.query( `INSERT INTO projects (id, name, description, s3_prefix, created_at, updated_at) VALUES ($1, $2, $3, $4, NOW(), NOW()) RETURNING *`, [id, name, description || null, s3_prefix] ); res.status(201).json(result.rows[0]); } catch (err) { next(err); } }); // GET /:id - Single project with asset count (requires view access). router.get('/:id', async (req, res, next) => { try { const { id } = req.params; await assertProjectAccess(req.user, id, 'view'); const result = await pool.query( `SELECT p.*, COUNT(a.id) AS asset_count FROM projects p LEFT JOIN assets a ON a.project_id = p.id AND a.status != 'archived' WHERE p.id = $1 GROUP BY p.id`, [id] ); if (result.rows.length === 0) { return res.status(404).json({ error: 'Project not found' }); } res.json(result.rows[0]); } catch (err) { next(err); } }); // PATCH /:id - Update project (requires edit access). router.patch('/:id', async (req, res, next) => { try { const { id } = req.params; await assertProjectAccess(req.user, id, 'edit'); const { name, description } = req.body; const updates = []; const params = []; let paramCount = 1; if (name !== undefined) { updates.push(`name = $${paramCount++}`); params.push(name); } if (description !== undefined) { updates.push(`description = $${paramCount++}`); params.push(description); } if (updates.length === 0) { return res.status(400).json({ error: 'No fields to update' }); } updates.push(`updated_at = NOW()`); params.push(id); const query = ` UPDATE projects SET ${updates.join(', ')} WHERE id = $${paramCount} RETURNING * `; const result = await pool.query(query, params); if (result.rows.length === 0) { return res.status(404).json({ error: 'Project not found' }); } res.json(result.rows[0]); } catch (err) { next(err); } }); // DELETE /:id - Delete project and cascade (admin only — destructive, wipes // every asset/bin/recorder under it). router.delete('/:id', requireAdmin, async (req, res, next) => { try { const { id } = req.params; // Delete project (cascade should handle related records) const result = await pool.query( 'DELETE FROM projects WHERE id = $1 RETURNING *', [id] ); if (result.rows.length === 0) { return res.status(404).json({ error: 'Project not found' }); } res.json({ message: 'Project deleted', project: result.rows[0] }); } catch (err) { next(err); } }); // ── Per-project access grants (admin only) ────────────────────────────────── // GET /:id/access — list grants with resolved user/group display names. router.get('/:id/access', requireAdmin, async (req, res, next) => { try { const { rows } = await pool.query( `SELECT pa.subject_type, pa.subject_id, pa.level, pa.granted_at, CASE pa.subject_type WHEN 'user' THEN u.display_name WHEN 'group' THEN g.name END AS subject_name, CASE pa.subject_type WHEN 'user' THEN u.username ELSE NULL END AS username FROM project_access pa LEFT JOIN users u ON pa.subject_type = 'user' AND u.id = pa.subject_id LEFT JOIN groups g ON pa.subject_type = 'group' AND g.id = pa.subject_id WHERE pa.project_id = $1 ORDER BY pa.subject_type, subject_name`, [req.params.id] ); res.json(rows); } catch (err) { next(err); } }); // POST /:id/access { subject_type, subject_id, level } — grant or update. router.post('/:id/access', requireAdmin, async (req, res, next) => { try { const { subject_type, subject_id, level } = req.body || {}; if (!['user', 'group'].includes(subject_type)) { return res.status(400).json({ error: "subject_type must be 'user' or 'group'" }); } if (!subject_id) return res.status(400).json({ error: 'subject_id required' }); const lvl = level || 'view'; if (!['view', 'edit'].includes(lvl)) { return res.status(400).json({ error: "level must be 'view' or 'edit'" }); } // Validate the subject actually exists so we don't create dead grants. const tbl = subject_type === 'user' ? 'users' : 'groups'; const exists = await pool.query(`SELECT 1 FROM ${tbl} WHERE id = $1`, [subject_id]); if (exists.rows.length === 0) { return res.status(404).json({ error: subject_type + ' not found' }); } const { rows } = await pool.query( `INSERT INTO project_access (project_id, subject_type, subject_id, level, granted_by) VALUES ($1, $2, $3, $4, $5) ON CONFLICT (project_id, subject_type, subject_id) DO UPDATE SET level = EXCLUDED.level, granted_by = EXCLUDED.granted_by, granted_at = NOW() RETURNING project_id, subject_type, subject_id, level, granted_at`, [req.params.id, subject_type, subject_id, lvl, req.user?.id || null] ); res.status(201).json(rows[0]); } catch (err) { next(err); } }); // DELETE /:id/access/:subjectType/:subjectId — revoke a grant. router.delete('/:id/access/:subjectType/:subjectId', requireAdmin, async (req, res, next) => { try { const { id, subjectType, subjectId } = req.params; if (!['user', 'group'].includes(subjectType)) { return res.status(400).json({ error: "subjectType must be 'user' or 'group'" }); } const { rowCount } = await pool.query( `DELETE FROM project_access WHERE project_id = $1 AND subject_type = $2 AND subject_id = $3`, [id, subjectType, subjectId] ); if (rowCount === 0) return res.status(404).json({ error: 'grant not found' }); res.status(204).end(); } catch (err) { next(err); } }); export default router;