Manage stakeholders implemented

app/api/rules/[id]/stakeholders/route.ts

@@ -0,0 +1,192 @@
+import { NextRequest, NextResponse } from "next/server";
+import { prisma } from "../../../../../lib/server/db";
+import {
+  getSessionPepper,
+  isDatabaseConfigured,
+} from "../../../../../lib/server/env";
+import { rateLimitKey } from "../../../../../lib/server/rateLimit";
+import { apiRoute } from "../../../../../lib/server/apiRoute";
+import { logRouteError } from "../../../../../lib/server/requestId";
+import { createRuleStakeholderInviteAndSendMail } from "../../../../../lib/server/ruleStakeholderInviteOps";
+import {
+  conflict,
+  dbUnavailable,
+  errorJson,
+  notFound,
+  rateLimited,
+  serverMisconfigured,
+  unauthorized,
+} from "../../../../../lib/server/responses";
+import { getSessionUser } from "../../../../../lib/server/session";
+import {
+  MAX_STAKEHOLDER_EMAILS,
+  postRuleStakeholderBodySchema,
+} from "../../../../../lib/server/validation/createFlowSchemas";
+import { readLimitedJson } from "../../../../../lib/server/validation/requestBody";
+import { jsonFromZodError } from "../../../../../lib/server/validation/zodHttp";
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+async function ownedRuleMeta(ruleId: string, userId: string) {
+  return prisma.publishedRule.findFirst({
+    where: { id: ruleId, userId },
+    select: { id: true, title: true },
+  });
+}
+
+export const GET = apiRoute<RouteContext>(
+  "rules.stakeholders.list",
+  async (_request, context) => {
+    if (!isDatabaseConfigured()) {
+      return dbUnavailable();
+    }
+
+    const user = await getSessionUser();
+    if (!user) {
+      return unauthorized();
+    }
+
+    const { id: ruleId } = await context.params;
+    const rule = await ownedRuleMeta(ruleId, user.id);
+    if (!rule) {
+      return notFound();
+    }
+
+    const rows = await prisma.ruleStakeholder.findMany({
+      where: { ruleId: rule.id },
+      orderBy: [{ invitedAt: "asc" }, { id: "asc" }],
+      select: {
+        id: true,
+        email: true,
+        invitedAt: true,
+        acceptedAt: true,
+        inviteTokenHash: true,
+      },
+    });
+
+    return NextResponse.json({
+      stakeholders: rows.map((r) => ({
+        id: r.id,
+        email: r.email,
+        invitedAt: r.invitedAt.toISOString(),
+        acceptedAt: r.acceptedAt?.toISOString() ?? null,
+        status:
+          r.inviteTokenHash !== null ? ("pending" as const) : ("accepted" as const),
+      })),
+    });
+  },
+);
+
+export const POST = apiRoute<RouteContext>(
+  "rules.stakeholders.add",
+  async (request: NextRequest, context, { requestId }) => {
+    if (!isDatabaseConfigured()) {
+      return dbUnavailable();
+    }
+
+    const user = await getSessionUser();
+    if (!user) {
+      return unauthorized();
+    }
+
+    const { id: ruleId } = await context.params;
+    const rule = await ownedRuleMeta(ruleId, user.id);
+    if (!rule) {
+      return notFound();
+    }
+
+    const parsedBody = await readLimitedJson(request);
+    if (parsedBody.ok === false) {
+      return parsedBody.response;
+    }
+
+    const validated = postRuleStakeholderBodySchema.safeParse(parsedBody.value);
+    if (!validated.success) {
+      return jsonFromZodError(validated.error);
+    }
+
+    const email = validated.data.email;
+    if (email === user.email.trim().toLowerCase()) {
+      return errorJson(
+        "validation_error",
+        "You cannot invite your own account email",
+        400,
+      );
+    }
+
+    const existing = await prisma.ruleStakeholder.findFirst({
+      where: { ruleId: rule.id, email },
+    });
+    if (existing) {
+      return conflict("That email is already invited for this rule");
+    }
+
+    const count = await prisma.ruleStakeholder.count({
+      where: { ruleId: rule.id },
+    });
+    if (count >= MAX_STAKEHOLDER_EMAILS) {
+      return errorJson(
+        "validation_error",
+        `You can invite at most ${MAX_STAKEHOLDER_EMAILS} stakeholders per rule`,
+        400,
+      );
+    }
+
+    const ip =
+      request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+      request.headers.get("x-real-ip") ??
+      "unknown";
+    const rl = rateLimitKey(`rule-stakeholders-add-ip:${ip}`, 60_000);
+    if (rl.ok === false) {
+      return rateLimited(rl.retryAfterMs);
+    }
+
+    let pepper: string;
+    try {
+      pepper = getSessionPepper();
+    } catch (err) {
+      logRouteError("rules.stakeholders.add", requestId, err, {
+        phase: "getSessionPepper",
+      });
+      return serverMisconfigured();
+    }
+
+    const origin = request.nextUrl.origin;
+    const sent = await createRuleStakeholderInviteAndSendMail({
+      scope: "rules.stakeholders.add",
+      requestId,
+      origin,
+      ruleId: rule.id,
+      ruleTitle: rule.title,
+      email,
+      invitedByUserId: user.id,
+      pepper,
+    });
+
+    if (!sent.ok) {
+      return errorJson(
+        "mail_failed",
+        "Could not send stakeholder invite",
+        502,
+      );
+    }
+
+    const created = await prisma.ruleStakeholder.findFirst({
+      where: { ruleId: rule.id, email },
+      select: { id: true, email: true, invitedAt: true },
+    });
+
+    return NextResponse.json(
+      {
+        stakeholder: created && {
+          id: created.id,
+          email: created.email,
+          invitedAt: created.invitedAt.toISOString(),
+          acceptedAt: null,
+          status: "pending" as const,
+        },
+      },
+      { status: 201 },
+    );
+  },
+);