feat(18-03): add profile routes, public setup endpoint, and auth middleware updates

- GET /api/users/:id/profile: public profile with public setups (no auth) - PUT /api/auth/profile: update own profile (requires auth) - GET /api/setups/:id/public: public setup view with items (no auth) - Auth middleware skips public profile and public setup GET endpoints - Register profileRoutes at /api/users in index.ts - Add getOrCreateUncategorized to category service (Rule 3 fix) - 10 route tests covering auth, public access, and 404 cases
2026-04-05 13:10:13 +02:00
parent 854811dd6b
commit eb8f4b7cb2
6 changed files with 326 additions and 2 deletions
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -16,6 +16,7 @@ import { imageRoutes } from "./routes/images.ts";
 import { itemRoutes } from "./routes/items.ts";
 import { oauthRoutes, wellKnownRoute } from "./routes/oauth.ts";
 import { settingsRoutes } from "./routes/settings.ts";
+import { profileRoutes } from "./routes/profiles.ts";
 import { setupRoutes } from "./routes/setups.ts";
 import { threadRoutes } from "./routes/threads.ts";
 import { totalRoutes } from "./routes/totals.ts";
@@ -73,7 +74,13 @@ app.use("/api/*", async (c, next) => {
 	if (c.req.path.startsWith("/api/auth")) return next();
 	// Skip health check
 	if (c.req.path === "/api/health") return next();
-	// All methods require auth for userId resolution
+	// Skip public profile endpoint (GET /api/users/:id/profile)
+	if (/^\/api\/users\/\d+\/profile$/.test(c.req.path) && c.req.method === "GET")
+		return next();
+	// Skip public setup view (GET /api/setups/:id/public)
+	if (/^\/api\/setups\/\d+\/public$/.test(c.req.path) && c.req.method === "GET")
+		return next();
+	// All other methods require auth for userId resolution
 	return requireAuth(c, next);
 });

@@ -85,6 +92,7 @@ app.route("/api/totals", totalRoutes);
 app.route("/api/images", imageRoutes);
 app.route("/api/settings", settingsRoutes);
 app.route("/api/threads", threadRoutes);
+app.route("/api/users", profileRoutes);
 app.route("/api/setups", setupRoutes);

 // MCP server (conditionally mounted)
--- a/src/server/routes/auth.ts
+++ b/src/server/routes/auth.ts
@@ -9,6 +9,8 @@ import {
 	deleteApiKey,
 	listApiKeys,
 } from "../services/auth.service.ts";
+import { updateProfile } from "../services/profile.service.ts";
+import { updateProfileSchema } from "../../shared/schemas.ts";

 type Env = { Variables: { db?: any; userId?: number } };

@@ -69,4 +71,20 @@ app.delete("/keys/:id", requireAuth, async (c) => {
 	return c.json({ ok: true });
 });

+// ── Profile Update (protected) ──────────────────────────────────────
+
+app.put(
+	"/profile",
+	requireAuth,
+	zValidator("json", updateProfileSchema),
+	async (c) => {
+		const db = c.get("db");
+		const userId = c.get("userId")!;
+		const data = c.req.valid("json");
+		const updated = await updateProfile(db, userId, data);
+		if (!updated) return c.json({ error: "User not found" }, 404);
+		return c.json(updated);
+	},
+);
+
 export const authRoutes = app;
--- a/src/server/routes/profiles.ts
+++ b/src/server/routes/profiles.ts
@@ -0,0 +1,21 @@
+import { Hono } from "hono";
+import { parseId } from "../lib/params.ts";
+import { getPublicProfile } from "../services/profile.service.ts";
+
+type Env = { Variables: { db?: any; userId?: number } };
+
+const app = new Hono<Env>();
+
+// GET /:id/profile — Public profile (no auth required)
+app.get("/:id/profile", async (c) => {
+	const db = c.get("db");
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid user ID" }, 400);
+
+	const profile = await getPublicProfile(db, id);
+	if (!profile) return c.json({ error: "User not found" }, 404);
+
+	return c.json(profile);
+});
+
+export { app as profileRoutes };
--- a/src/server/routes/setups.ts
+++ b/src/server/routes/setups.ts
@@ -8,6 +8,7 @@ import {
 } from "../../shared/schemas.ts";
 import { parseId } from "../lib/params.ts";
 import { withImageUrls } from "../services/storage.service.ts";
+import { getPublicSetupWithItems } from "../services/profile.service.ts";
 import {
 	createSetup,
 	deleteSetup,
@@ -40,6 +41,16 @@ app.post("/", zValidator("json", createSetupSchema), async (c) => {
 	return c.json(setup, 201);
 });

+// Public setup view (no auth required — skipped in index.ts middleware)
+app.get("/:id/public", async (c) => {
+	const db = c.get("db");
+	const id = parseId(c.req.param("id"));
+	if (!id) return c.json({ error: "Invalid setup ID" }, 400);
+	const setup = await getPublicSetupWithItems(db, id);
+	if (!setup) return c.json({ error: "Setup not found" }, 404);
+	return c.json(setup);
+});
+
 app.get("/:id", async (c) => {
 	const db = c.get("db");
 	const userId = c.get("userId")!;
--- a/src/server/services/category.service.ts
+++ b/src/server/services/category.service.ts
@@ -1,9 +1,25 @@
-import { asc, eq } from "drizzle-orm";
+import { and, asc, eq } from "drizzle-orm";
 import { db as prodDb } from "../../db/index.ts";
 import { categories, items } from "../../db/schema.ts";

 type Db = typeof prodDb;

+export async function getOrCreateUncategorized(db: Db, userId: number) {
+	const [existing] = await db
+		.select()
+		.from(categories)
+		.where(
+			and(eq(categories.userId, userId), eq(categories.name, "Uncategorized")),
+		);
+	if (existing) return existing;
+
+	const [created] = await db
+		.insert(categories)
+		.values({ name: "Uncategorized", icon: "package", userId })
+		.returning();
+	return created;
+}
+
 export function getAllCategories(db: Db = prodDb) {
 	return db.select().from(categories).orderBy(asc(categories.name)).all();
 }