feat: add admin tags and albums APIs

apps/web/app/api/albums/[id]/assets/route.ts

@@ -0,0 +1,57 @@
+import { z } from "zod";
+
+import {
+  getAdminOk,
+  handleAddAlbumAsset,
+  handleRemoveAlbumAsset,
+} from "../../handlers";
+
+export const runtime = "nodejs";
+
+const paramsSchema = z.object({
+  id: z.string().uuid(),
+});
+
+export async function POST(
+  request: Request,
+  context: { params: Promise<{ id: string }> },
+): Promise<Response> {
+  const rawParams = await context.params;
+  const paramsParsed = paramsSchema.safeParse(rawParams);
+  if (!paramsParsed.success) {
+    return Response.json(
+      { error: "invalid_params", issues: paramsParsed.error.issues },
+      { status: 400 },
+    );
+  }
+
+  const bodyJson = await request.json().catch(() => ({}));
+  const res = await handleAddAlbumAsset({
+    adminOk: getAdminOk(request.headers),
+    params: paramsParsed.data,
+    body: bodyJson,
+  });
+  return Response.json(res.body, { status: res.status });
+}
+
+export async function DELETE(
+  request: Request,
+  context: { params: Promise<{ id: string }> },
+): Promise<Response> {
+  const rawParams = await context.params;
+  const paramsParsed = paramsSchema.safeParse(rawParams);
+  if (!paramsParsed.success) {
+    return Response.json(
+      { error: "invalid_params", issues: paramsParsed.error.issues },
+      { status: 400 },
+    );
+  }
+
+  const bodyJson = await request.json().catch(() => ({}));
+  const res = await handleRemoveAlbumAsset({
+    adminOk: getAdminOk(request.headers),
+    params: paramsParsed.data,
+    body: bodyJson,
+  });
+  return Response.json(res.body, { status: res.status });
+}

apps/web/app/api/albums/handlers.ts

@@ -0,0 +1,176 @@
+import { getAdminToken, isAdminRequest } from "@tline/config";
+import { getDb } from "@tline/db";
+import { z } from "zod";
+
+const ADMIN_HEADER = "X-Porthole-Admin-Token";
+
+const createAlbumBodySchema = z
+  .object({
+    name: z.string().min(1),
+  })
+  .strict();
+
+const albumParamsSchema = z.object({
+  id: z.string().uuid(),
+});
+
+const albumAssetBodySchema = z
+  .object({
+    assetId: z.string().uuid(),
+    ord: z.coerce.number().int().optional(),
+  })
+  .strict();
+
+type DbLike = ReturnType<typeof getDb>;
+
+export function getAdminOk(headers: Headers) {
+  const headerToken = headers.get(ADMIN_HEADER);
+  return isAdminRequest({ adminToken: getAdminToken() }, { headerToken });
+}
+
+export async function handleListAlbums(input: {
+  adminOk: boolean;
+  db?: DbLike;
+}): Promise<{ status: number; body: unknown }> {
+  if (!input.adminOk) {
+    return { status: 401, body: { error: "admin_required" } };
+  }
+
+  const db = (input.db ?? getDb()) as DbLike;
+  const rows = await db<
+    {
+      id: string;
+      name: string;
+      created_at: string;
+    }[]
+  >`
+    select id, name, created_at
+    from albums
+    order by created_at desc
+  `;
+
+  return { status: 200, body: rows };
+}
+
+export async function handleCreateAlbum(input: {
+  adminOk: boolean;
+  body: unknown;
+  db?: DbLike;
+}): Promise<{ status: number; body: unknown }> {
+  if (!input.adminOk) {
+    return { status: 401, body: { error: "admin_required" } };
+  }
+
+  const body = createAlbumBodySchema.parse(input.body ?? {});
+  const db = (input.db ?? getDb()) as DbLike;
+  const rows = await db<
+    {
+      id: string;
+      name: string;
+      created_at: string;
+    }[]
+  >`
+    insert into albums (name)
+    values (${body.name})
+    returning id, name, created_at
+  `;
+
+  const created = rows[0];
+  if (!created) {
+    return { status: 500, body: { error: "insert_failed" } };
+  }
+
+  const payload = JSON.stringify({ name: created.name });
+  await db`
+    insert into audit_log (actor, action, entity_type, entity_id, payload)
+    values ('admin', 'create', 'album', ${created.id}, ${payload}::jsonb)
+  `;
+
+  return { status: 200, body: created };
+}
+
+export async function handleAddAlbumAsset(input: {
+  adminOk: boolean;
+  params: { id: string };
+  body: unknown;
+  db?: DbLike;
+}): Promise<{ status: number; body: unknown }> {
+  if (!input.adminOk) {
+    return { status: 401, body: { error: "admin_required" } };
+  }
+
+  const paramsParsed = albumParamsSchema.safeParse(input.params);
+  if (!paramsParsed.success) {
+    return {
+      status: 400,
+      body: { error: "invalid_params", issues: paramsParsed.error.issues },
+    };
+  }
+
+  const body = albumAssetBodySchema.parse(input.body ?? {});
+  const db = (input.db ?? getDb()) as DbLike;
+  const rows = await db<
+    {
+      album_id: string;
+      asset_id: string;
+      ord: number | null;
+    }[]
+  >`
+    insert into album_assets (album_id, asset_id, ord)
+    values (${paramsParsed.data.id}, ${body.assetId}, ${body.ord ?? null})
+    on conflict (album_id, asset_id)
+    do update set ord = excluded.ord
+    returning album_id, asset_id, ord
+  `;
+
+  const created = rows[0];
+  if (!created) {
+    return { status: 500, body: { error: "insert_failed" } };
+  }
+
+  const payload = JSON.stringify({
+    asset_id: created.asset_id,
+    ord: created.ord,
+  });
+  await db`
+    insert into audit_log (actor, action, entity_type, entity_id, payload)
+    values ('admin', 'add_asset', 'album', ${created.album_id}, ${payload}::jsonb)
+  `;
+
+  return { status: 200, body: created };
+}
+
+export async function handleRemoveAlbumAsset(input: {
+  adminOk: boolean;
+  params: { id: string };
+  body: unknown;
+  db?: DbLike;
+}): Promise<{ status: number; body: unknown }> {
+  if (!input.adminOk) {
+    return { status: 401, body: { error: "admin_required" } };
+  }
+
+  const paramsParsed = albumParamsSchema.safeParse(input.params);
+  if (!paramsParsed.success) {
+    return {
+      status: 400,
+      body: { error: "invalid_params", issues: paramsParsed.error.issues },
+    };
+  }
+
+  const body = albumAssetBodySchema.parse(input.body ?? {});
+  const db = (input.db ?? getDb()) as DbLike;
+  await db`
+    delete from album_assets
+    where album_id = ${paramsParsed.data.id}
+      and asset_id = ${body.assetId}
+  `;
+
+  const payload = JSON.stringify({ asset_id: body.assetId });
+  await db`
+    insert into audit_log (actor, action, entity_type, entity_id, payload)
+    values ('admin', 'remove_asset', 'album', ${paramsParsed.data.id}, ${payload}::jsonb)
+  `;
+
+  return { status: 200, body: { ok: true } };
+}

apps/web/app/api/albums/route.ts

@@ -0,0 +1,17 @@
+import { getAdminOk, handleCreateAlbum, handleListAlbums } from "./handlers";
+
+export const runtime = "nodejs";
+
+export async function GET(request: Request): Promise<Response> {
+  const res = await handleListAlbums({ adminOk: getAdminOk(request.headers) });
+  return Response.json(res.body, { status: res.status });
+}
+
+export async function POST(request: Request): Promise<Response> {
+  const bodyJson = await request.json().catch(() => ({}));
+  const res = await handleCreateAlbum({
+    adminOk: getAdminOk(request.headers),
+    body: bodyJson,
+  });
+  return Response.json(res.body, { status: res.status });
+}

apps/web/app/api/tags/handlers.ts

@@ -0,0 +1,79 @@
+import { getAdminToken, isAdminRequest } from "@tline/config";
+import { getDb } from "@tline/db";
+import { z } from "zod";
+
+const ADMIN_HEADER = "X-Porthole-Admin-Token";
+
+const createTagBodySchema = z
+  .object({
+    name: z.string().min(1),
+  })
+  .strict();
+
+type DbLike = ReturnType<typeof getDb>;
+
+export function getAdminOk(headers: Headers) {
+  const headerToken = headers.get(ADMIN_HEADER);
+  return isAdminRequest({ adminToken: getAdminToken() }, { headerToken });
+}
+
+export async function handleListTags(input: {
+  adminOk: boolean;
+  db?: DbLike;
+}): Promise<{ status: number; body: unknown }> {
+  if (!input.adminOk) {
+    return { status: 401, body: { error: "admin_required" } };
+  }
+
+  const db = (input.db ?? getDb()) as DbLike;
+  const rows = await db<
+    {
+      id: string;
+      name: string;
+      created_at: string;
+    }[]
+  >`
+    select id, name, created_at
+    from tags
+    order by created_at desc
+  `;
+
+  return { status: 200, body: rows };
+}
+
+export async function handleCreateTag(input: {
+  adminOk: boolean;
+  body: unknown;
+  db?: DbLike;
+}): Promise<{ status: number; body: unknown }> {
+  if (!input.adminOk) {
+    return { status: 401, body: { error: "admin_required" } };
+  }
+
+  const body = createTagBodySchema.parse(input.body ?? {});
+  const db = (input.db ?? getDb()) as DbLike;
+  const rows = await db<
+    {
+      id: string;
+      name: string;
+      created_at: string;
+    }[]
+  >`
+    insert into tags (name)
+    values (${body.name})
+    returning id, name, created_at
+  `;
+
+  const created = rows[0];
+  if (!created) {
+    return { status: 500, body: { error: "insert_failed" } };
+  }
+
+  const payload = JSON.stringify({ name: created.name });
+  await db`
+    insert into audit_log (actor, action, entity_type, entity_id, payload)
+    values ('admin', 'create', 'tag', ${created.id}, ${payload}::jsonb)
+  `;
+
+  return { status: 200, body: created };
+}

apps/web/app/api/tags/route.ts

@@ -0,0 +1,17 @@
+import { getAdminOk, handleCreateTag, handleListTags } from "./handlers";
+
+export const runtime = "nodejs";
+
+export async function GET(request: Request): Promise<Response> {
+  const res = await handleListTags({ adminOk: getAdminOk(request.headers) });
+  return Response.json(res.body, { status: res.status });
+}
+
+export async function POST(request: Request): Promise<Response> {
+  const bodyJson = await request.json().catch(() => ({}));
+  const res = await handleCreateTag({
+    adminOk: getAdminOk(request.headers),
+    body: bodyJson,
+  });
+  return Response.json(res.body, { status: res.status });
+}