makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

feat(16-02): add userId scoping to thread, setup, and auth services

Browse Source 
- All functions accept userId, no more prodDb defaults
- Thread operations verify ownership via and(eq(id), eq(userId))
- Candidate operations verify parent thread ownership before proceeding
- resolveThread includes userId in new item insert and verifies category ownership
- Setup operations use and() for composite id+userId conditions
- syncSetupItems validates both setup and item ownership via inArray
- updateItemClassification and removeSetupItem verify setup ownership
- Auth service: reordered createApiKey params to (db, userId, name)
- verifyApiKey unchanged (already returns { userId } from Plan 01)
This commit is contained in:
Jean-Luc Makiola
2026-04-05 10:43:38 +02:00
parent 8d85d2839e
commit 242cacea7c
3 changed files with 169 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/server/services/auth.service.ts
View File

@@ -25,9 +25,9 @@ export async function getOrCreateUser(
// ── API Key Management ─────────────────────────────────────────────── // ── API Key Management ───────────────────────────────────────────────
export async function createApiKey( export async function createApiKey(
db: Db = prodDb, db: Db,
name: string,
userId: number, userId: number,
name: string,
) { ) {
const rawKey = randomBytes(32).toString("hex"); const rawKey = randomBytes(32).toString("hex");
const keyHash = await Bun.password.hash(rawKey); const keyHash = await Bun.password.hash(rawKey);
@@ -42,7 +42,7 @@ export async function createApiKey(
} }
export async function verifyApiKey( export async function verifyApiKey(
db: Db = prodDb, db: Db,
rawKey: string, rawKey: string,
): Promise<{ userId: number } | null> { ): Promise<{ userId: number } | null> {
const prefix = rawKey.slice(0, 8); const prefix = rawKey.slice(0, 8);
@@ -59,7 +59,7 @@ export async function verifyApiKey(
return null; return null;
} }
export async function listApiKeys(db: Db = prodDb, userId: number) { export async function listApiKeys(db: Db, userId: number) {
return db return db
.select({ .select({
id: apiKeys.id, id: apiKeys.id,
@@ -71,11 +71,7 @@ export async function listApiKeys(db: Db = prodDb, userId: number) {
.where(eq(apiKeys.userId, userId)); .where(eq(apiKeys.userId, userId));
} }
export async function deleteApiKey( export async function deleteApiKey(db: Db, userId: number, id: number) {
db: Db = prodDb,
id: number,
userId: number,
) {
await db await db
.delete(apiKeys) .delete(apiKeys)
.where(and(eq(apiKeys.id, id), eq(apiKeys.userId, userId))); .where(and(eq(apiKeys.id, id), eq(apiKeys.userId, userId)));

97
src/server/services/setup.service.ts
View File

@@ -1,17 +1,24 @@
import { eq, sql } from "drizzle-orm"; import { and, eq, inArray, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts"; import { db as prodDb } from "../../db/index.ts";
import { categories, items, setupItems, setups } from "../../db/schema.ts"; import { categories, items, setupItems, setups } from "../../db/schema.ts";
import type { CreateSetup, UpdateSetup } from "../../shared/types.ts"; import type { CreateSetup, UpdateSetup } from "../../shared/types.ts";
type Db = typeof prodDb; type Db = typeof prodDb;
export async function createSetup(db: Db = prodDb, data: CreateSetup) { export async function createSetup(
const [row] = await db.insert(setups).values({ name: data.name }).returning(); db: Db,
userId: number,
data: CreateSetup,
) {
const [row] = await db
.insert(setups)
.values({ name: data.name, userId })
.returning();
return row; return row;
} }
export async function getAllSetups(db: Db = prodDb) { export async function getAllSetups(db: Db, userId: number) {
return db return db
.select({ .select({
id: setups.id, id: setups.id,
@@ -33,11 +40,19 @@ export async function getAllSetups(db: Db = prodDb) {
WHERE setup_items.setup_id = setups.id WHERE setup_items.setup_id = setups.id
), 0)`.as("total_cost"), ), 0)`.as("total_cost"),
}) })
.from(setups); .from(setups)
.where(eq(setups.userId, userId));
} }
export async function getSetupWithItems(db: Db = prodDb, setupId: number) { export async function getSetupWithItems(
const [setup] = await db.select().from(setups).where(eq(setups.id, setupId)); db: Db,
userId: number,
setupId: number,
) {
const [setup] = await db
.select()
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null; if (!setup) return null;
const itemList = await db const itemList = await db
@@ -66,42 +81,68 @@ export async function getSetupWithItems(db: Db = prodDb, setupId: number) {
} }
export async function updateSetup( export async function updateSetup(
db: Db = prodDb, db: Db,
userId: number,
setupId: number, setupId: number,
data: UpdateSetup, data: UpdateSetup,
) { ) {
const [existing] = await db const [existing] = await db
.select({ id: setups.id }) .select({ id: setups.id })
.from(setups) .from(setups)
.where(eq(setups.id, setupId)); .where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!existing) return null; if (!existing) return null;
const [row] = await db const [row] = await db
.update(setups) .update(setups)
.set({ name: data.name, updatedAt: new Date() }) .set({ name: data.name, updatedAt: new Date() })
.where(eq(setups.id, setupId)) .where(and(eq(setups.id, setupId), eq(setups.userId, userId)))
.returning(); .returning();
return row; return row;
} }
export async function deleteSetup(db: Db = prodDb, setupId: number) { export async function deleteSetup(
db: Db,
userId: number,
setupId: number,
) {
const [existing] = await db const [existing] = await db
.select({ id: setups.id }) .select({ id: setups.id })
.from(setups) .from(setups)
.where(eq(setups.id, setupId)); .where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!existing) return false; if (!existing) return false;
await db.delete(setups).where(eq(setups.id, setupId)); await db
.delete(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
return true; return true;
} }
export async function syncSetupItems( export async function syncSetupItems(
db: Db = prodDb, db: Db,
userId: number,
setupId: number, setupId: number,
itemIds: number[], itemIds: number[],
) { ) {
return await db.transaction(async (tx) => { return await db.transaction(async (tx) => {
// Verify the setup belongs to this user
const [setup] = await tx
.select({ id: setups.id })
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
// Verify all itemIds belong to this user
const validItems =
itemIds.length > 0
? await tx
.select({ id: items.id })
.from(items)
.where(and(eq(items.userId, userId), inArray(items.id, itemIds)))
: [];
const validItemIds = new Set(validItems.map((i) => i.id));
const filteredItemIds = itemIds.filter((id) => validItemIds.has(id));
// Save existing classifications before deleting // Save existing classifications before deleting
const existing = await tx const existing = await tx
.select({ .select({
@@ -119,8 +160,8 @@ export async function syncSetupItems(
// Delete all existing items for this setup // Delete all existing items for this setup
await tx.delete(setupItems).where(eq(setupItems.setupId, setupId)); await tx.delete(setupItems).where(eq(setupItems.setupId, setupId));
// Re-insert new items, preserving classifications for retained items // Re-insert only user-owned items, preserving classifications
for (const itemId of itemIds) { for (const itemId of filteredItemIds) {
await tx.insert(setupItems).values({ await tx.insert(setupItems).values({
setupId, setupId,
itemId, itemId,
@@ -131,27 +172,43 @@ export async function syncSetupItems(
} }
export async function updateItemClassification( export async function updateItemClassification(
db: Db = prodDb, db: Db,
userId: number,
setupId: number, setupId: number,
itemId: number, itemId: number,
classification: string, classification: string,
) { ) {
// Verify setup belongs to user
const [setup] = await db
.select({ id: setups.id })
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
await db await db
.update(setupItems) .update(setupItems)
.set({ classification }) .set({ classification })
.where( .where(
sql`${setupItems.setupId} = ${setupId} AND ${setupItems.itemId} = ${itemId}`, and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)),
); );
} }
export async function removeSetupItem( export async function removeSetupItem(
db: Db = prodDb, db: Db,
userId: number,
setupId: number, setupId: number,
itemId: number, itemId: number,
) { ) {
// Verify setup belongs to user
const [setup] = await db
.select({ id: setups.id })
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
await db await db
.delete(setupItems) .delete(setupItems)
.where( .where(
sql`${setupItems.setupId} = ${setupId} AND ${setupItems.itemId} = ${itemId}`, and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)),
); );
} }

118
src/server/services/thread.service.ts
View File

@@ -1,4 +1,4 @@
import { asc, desc, eq, max, sql } from "drizzle-orm"; import { and, asc, desc, eq, max, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts"; import { db as prodDb } from "../../db/index.ts";
import { import {
categories, categories,
@@ -11,20 +11,34 @@ import type {
CreateThread, CreateThread,
ReorderCandidates, ReorderCandidates,
} from "../../shared/types.ts"; } from "../../shared/types.ts";
import { getOrCreateUncategorized } from "./category.service.ts";
type Db = typeof prodDb; type Db = typeof prodDb;
export async function createThread(db: Db = prodDb, data: CreateThread) { export async function createThread(
db: Db,
userId: number,
data: CreateThread,
) {
const [row] = await db const [row] = await db
.insert(threads) .insert(threads)
.values({ name: data.name, categoryId: data.categoryId }) .values({ name: data.name, categoryId: data.categoryId, userId })
.returning(); .returning();
return row; return row;
} }
export async function getAllThreads(db: Db = prodDb, includeResolved = false) { export async function getAllThreads(
const query = db db: Db,
userId: number,
includeResolved = false,
) {
const baseCondition = eq(threads.userId, userId);
const whereCondition = includeResolved
? baseCondition
: and(baseCondition, eq(threads.status, "active"));
return db
.select({ .select({
id: threads.id, id: threads.id,
name: threads.name, name: threads.name,
@@ -50,22 +64,19 @@ export async function getAllThreads(db: Db = prodDb, includeResolved = false) {
}) })
.from(threads) .from(threads)
.innerJoin(categories, eq(threads.categoryId, categories.id)) .innerJoin(categories, eq(threads.categoryId, categories.id))
.where(whereCondition)
.orderBy(desc(threads.createdAt)); .orderBy(desc(threads.createdAt));
if (!includeResolved) {
return query.where(eq(threads.status, "active"));
}
return query;
} }
export async function getThreadWithCandidates( export async function getThreadWithCandidates(
db: Db = prodDb, db: Db,
userId: number,
threadId: number, threadId: number,
) { ) {
const [thread] = await db const [thread] = await db
.select() .select()
.from(threads) .from(threads)
.where(eq(threads.id, threadId)); .where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
if (!thread) return null; if (!thread) return null;
const candidateList = await db const candidateList = await db
@@ -97,30 +108,31 @@ export async function getThreadWithCandidates(
} }
export async function updateThread( export async function updateThread(
db: Db = prodDb, db: Db,
userId: number,
threadId: number, threadId: number,
data: Partial<{ name: string; categoryId: number }>, data: Partial<{ name: string; categoryId: number }>,
) { ) {
const [existing] = await db const [existing] = await db
.select({ id: threads.id }) .select({ id: threads.id })
.from(threads) .from(threads)
.where(eq(threads.id, threadId)); .where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
if (!existing) return null; if (!existing) return null;
const [row] = await db const [row] = await db
.update(threads) .update(threads)
.set({ ...data, updatedAt: new Date() }) .set({ ...data, updatedAt: new Date() })
.where(eq(threads.id, threadId)) .where(and(eq(threads.id, threadId), eq(threads.userId, userId)))
.returning(); .returning();
return row; return row;
} }
export async function deleteThread(db: Db = prodDb, threadId: number) { export async function deleteThread(db: Db, userId: number, threadId: number) {
const [thread] = await db const [thread] = await db
.select() .select()
.from(threads) .from(threads)
.where(eq(threads.id, threadId)); .where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
if (!thread) return null; if (!thread) return null;
// Collect candidate image filenames for cleanup // Collect candidate image filenames for cleanup
@@ -131,7 +143,9 @@ export async function deleteThread(db: Db = prodDb, threadId: number) {
.where(eq(threadCandidates.threadId, threadId)) .where(eq(threadCandidates.threadId, threadId))
).filter((c) => c.imageFilename != null); ).filter((c) => c.imageFilename != null);
await db.delete(threads).where(eq(threads.id, threadId)); await db
.delete(threads)
.where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
return { return {
...thread, ...thread,
@@ -140,7 +154,8 @@ export async function deleteThread(db: Db = prodDb, threadId: number) {
} }
export async function createCandidate( export async function createCandidate(
db: Db = prodDb, db: Db,
userId: number,
threadId: number, threadId: number,
data: Partial<CreateCandidate> & { data: Partial<CreateCandidate> & {
name: string; name: string;
@@ -149,6 +164,13 @@ export async function createCandidate(
imageSourceUrl?: string; imageSourceUrl?: string;
}, },
) { ) {
// Verify the parent thread belongs to this user
const [thread] = await db
.select({ id: threads.id })
.from(threads)
.where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
if (!thread) return null;
const [maxRow] = await db const [maxRow] = await db
.select({ maxOrder: max(threadCandidates.sortOrder) }) .select({ maxOrder: max(threadCandidates.sortOrder) })
.from(threadCandidates) .from(threadCandidates)
@@ -179,7 +201,8 @@ export async function createCandidate(
} }
export async function updateCandidate( export async function updateCandidate(
db: Db = prodDb, db: Db,
userId: number,
candidateId: number, candidateId: number,
data: Partial<{ data: Partial<{
name: string; name: string;
@@ -195,12 +218,22 @@ export async function updateCandidate(
cons: string; cons: string;
}>, }>,
) { ) {
// Verify the candidate's parent thread belongs to this user
const [existing] = await db const [existing] = await db
.select({ id: threadCandidates.id }) .select({
id: threadCandidates.id,
threadId: threadCandidates.threadId,
})
.from(threadCandidates) .from(threadCandidates)
.where(eq(threadCandidates.id, candidateId)); .where(eq(threadCandidates.id, candidateId));
if (!existing) return null; if (!existing) return null;
const [thread] = await db
.select({ id: threads.id })
.from(threads)
.where(and(eq(threads.id, existing.threadId), eq(threads.userId, userId)));
if (!thread) return null;
const [row] = await db const [row] = await db
.update(threadCandidates) .update(threadCandidates)
.set({ ...data, updatedAt: new Date() }) .set({ ...data, updatedAt: new Date() })
@@ -210,19 +243,33 @@ export async function updateCandidate(
return row; return row;
} }
export async function deleteCandidate(db: Db = prodDb, candidateId: number) { export async function deleteCandidate(
db: Db,
userId: number,
candidateId: number,
) {
// Verify the candidate's parent thread belongs to this user
const [candidate] = await db const [candidate] = await db
.select() .select()
.from(threadCandidates) .from(threadCandidates)
.where(eq(threadCandidates.id, candidateId)); .where(eq(threadCandidates.id, candidateId));
if (!candidate) return null; if (!candidate) return null;
const [thread] = await db
.select({ id: threads.id })
.from(threads)
.where(
and(eq(threads.id, candidate.threadId), eq(threads.userId, userId)),
);
if (!thread) return null;
await db.delete(threadCandidates).where(eq(threadCandidates.id, candidateId)); await db.delete(threadCandidates).where(eq(threadCandidates.id, candidateId));
return candidate; return candidate;
} }
export async function reorderCandidates( export async function reorderCandidates(
db: Db = prodDb, db: Db,
userId: number,
threadId: number, threadId: number,
orderedIds: ReorderCandidates["orderedIds"], orderedIds: ReorderCandidates["orderedIds"],
): Promise<{ success: boolean; error?: string }> { ): Promise<{ success: boolean; error?: string }> {
@@ -230,7 +277,7 @@ export async function reorderCandidates(
const [thread] = await tx const [thread] = await tx
.select() .select()
.from(threads) .from(threads)
.where(eq(threads.id, threadId)); .where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
if (!thread) { if (!thread) {
return { success: false, error: "Thread not found" }; return { success: false, error: "Thread not found" };
} }
@@ -250,16 +297,17 @@ export async function reorderCandidates(
} }
export async function resolveThread( export async function resolveThread(
db: Db = prodDb, db: Db,
userId: number,
threadId: number, threadId: number,
candidateId: number, candidateId: number,
): Promise<{ success: boolean; item?: any; error?: string }> { ): Promise<{ success: boolean; item?: any; error?: string }> {
return await db.transaction(async (tx) => { return await db.transaction(async (tx) => {
// 1. Check thread is active // 1. Check thread is active and belongs to user
const [thread] = await tx const [thread] = await tx
.select() .select()
.from(threads) .from(threads)
.where(eq(threads.id, threadId)); .where(and(eq(threads.id, threadId), eq(threads.userId, userId)));
if (!thread || thread.status !== "active") { if (!thread || thread.status !== "active") {
return { success: false, error: "Thread not active" }; return { success: false, error: "Thread not active" };
} }
@@ -276,14 +324,21 @@ export async function resolveThread(
return { success: false, error: "Candidate not in thread" }; return { success: false, error: "Candidate not in thread" };
} }
// 3. Verify categoryId still exists, fallback to Uncategorized (id=1) // 3. Verify categoryId belongs to user, fallback to Uncategorized
const [category] = await tx const [category] = await tx
.select({ id: categories.id }) .select({ id: categories.id })
.from(categories) .from(categories)
.where(eq(categories.id, candidate.categoryId)); .where(
const safeCategoryId = category ? candidate.categoryId : 1; and(
eq(categories.id, candidate.categoryId),
eq(categories.userId, userId),
),
);
const safeCategoryId = category
? candidate.categoryId
: await getOrCreateUncategorized(tx as unknown as Db, userId);
// 4. Create collection item from candidate data // 4. Create collection item from candidate data — with userId
const [newItem] = await tx const [newItem] = await tx
.insert(items) .insert(items)
.values({ .values({
@@ -291,6 +346,7 @@ export async function resolveThread(
weightGrams: candidate.weightGrams, weightGrams: candidate.weightGrams,
priceCents: candidate.priceCents, priceCents: candidate.priceCents,
categoryId: safeCategoryId, categoryId: safeCategoryId,
userId,
notes: candidate.notes, notes: candidate.notes,
productUrl: candidate.productUrl, productUrl: candidate.productUrl,
imageFilename: candidate.imageFilename, imageFilename: candidate.imageFilename,