makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

feat(16-02): add userId scoping to thread, setup, and auth services

Browse Source 
- All functions accept userId, no more prodDb defaults
- Thread operations verify ownership via and(eq(id), eq(userId))
- Candidate operations verify parent thread ownership before proceeding
- resolveThread includes userId in new item insert and verifies category ownership
- Setup operations use and() for composite id+userId conditions
- syncSetupItems validates both setup and item ownership via inArray
- updateItemClassification and removeSetupItem verify setup ownership
- Auth service: reordered createApiKey params to (db, userId, name)
- verifyApiKey unchanged (already returns { userId } from Plan 01)
This commit is contained in:
Jean-Luc Makiola
2026-04-05 10:43:38 +02:00
parent 8d85d2839e
commit 242cacea7c
3 changed files with 169 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
src/server/services/setup.service.ts
View File

@@ -1,17 +1,24 @@
import { eq, sql } from "drizzle-orm";
import { and, eq, inArray, sql } from "drizzle-orm";
import { db as prodDb } from "../../db/index.ts";
import { categories, items, setupItems, setups } from "../../db/schema.ts";
import type { CreateSetup, UpdateSetup } from "../../shared/types.ts";
type Db = typeof prodDb;
export async function createSetup(db: Db = prodDb, data: CreateSetup) {
const [row] = await db.insert(setups).values({ name: data.name }).returning();
export async function createSetup(
db: Db,
userId: number,
data: CreateSetup,
) {
const [row] = await db
.insert(setups)
.values({ name: data.name, userId })
.returning();
return row;
}
export async function getAllSetups(db: Db = prodDb) {
export async function getAllSetups(db: Db, userId: number) {
return db
.select({
id: setups.id,
@@ -33,11 +40,19 @@ export async function getAllSetups(db: Db = prodDb) {
WHERE setup_items.setup_id = setups.id
), 0)`.as("total_cost"),
})
.from(setups);
.from(setups)
.where(eq(setups.userId, userId));
}
export async function getSetupWithItems(db: Db = prodDb, setupId: number) {
const [setup] = await db.select().from(setups).where(eq(setups.id, setupId));
export async function getSetupWithItems(
db: Db,
userId: number,
setupId: number,
) {
const [setup] = await db
.select()
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
const itemList = await db
@@ -66,42 +81,68 @@ export async function getSetupWithItems(db: Db = prodDb, setupId: number) {
}
export async function updateSetup(
db: Db = prodDb,
db: Db,
userId: number,
setupId: number,
data: UpdateSetup,
) {
const [existing] = await db
.select({ id: setups.id })
.from(setups)
.where(eq(setups.id, setupId));
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!existing) return null;
const [row] = await db
.update(setups)
.set({ name: data.name, updatedAt: new Date() })
.where(eq(setups.id, setupId))
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)))
.returning();
return row;
}
export async function deleteSetup(db: Db = prodDb, setupId: number) {
export async function deleteSetup(
db: Db,
userId: number,
setupId: number,
) {
const [existing] = await db
.select({ id: setups.id })
.from(setups)
.where(eq(setups.id, setupId));
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!existing) return false;
await db.delete(setups).where(eq(setups.id, setupId));
await db
.delete(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
return true;
}
export async function syncSetupItems(
db: Db = prodDb,
db: Db,
userId: number,
setupId: number,
itemIds: number[],
) {
return await db.transaction(async (tx) => {
// Verify the setup belongs to this user
const [setup] = await tx
.select({ id: setups.id })
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
// Verify all itemIds belong to this user
const validItems =
itemIds.length > 0
? await tx
.select({ id: items.id })
.from(items)
.where(and(eq(items.userId, userId), inArray(items.id, itemIds)))
: [];
const validItemIds = new Set(validItems.map((i) => i.id));
const filteredItemIds = itemIds.filter((id) => validItemIds.has(id));
// Save existing classifications before deleting
const existing = await tx
.select({
@@ -119,8 +160,8 @@ export async function syncSetupItems(
// Delete all existing items for this setup
await tx.delete(setupItems).where(eq(setupItems.setupId, setupId));
// Re-insert new items, preserving classifications for retained items
for (const itemId of itemIds) {
// Re-insert only user-owned items, preserving classifications
for (const itemId of filteredItemIds) {
await tx.insert(setupItems).values({
setupId,
itemId,
@@ -131,27 +172,43 @@ export async function syncSetupItems(
}
export async function updateItemClassification(
db: Db = prodDb,
db: Db,
userId: number,
setupId: number,
itemId: number,
classification: string,
) {
// Verify setup belongs to user
const [setup] = await db
.select({ id: setups.id })
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
await db
.update(setupItems)
.set({ classification })
.where(
sql`${setupItems.setupId} = ${setupId} AND ${setupItems.itemId} = ${itemId}`,
and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)),
);
}
export async function removeSetupItem(
db: Db = prodDb,
db: Db,
userId: number,
setupId: number,
itemId: number,
) {
// Verify setup belongs to user
const [setup] = await db
.select({ id: setups.id })
.from(setups)
.where(and(eq(setups.id, setupId), eq(setups.userId, userId)));
if (!setup) return null;
await db
.delete(setupItems)
.where(
sql`${setupItems.setupId} = ${setupId} AND ${setupItems.itemId} = ${itemId}`,
and(eq(setupItems.setupId, setupId), eq(setupItems.itemId, itemId)),
);
}