package project
import (
"context"
"log/slog"
"net/http"
"strconv"
"strings"
"github.com/go-chi/chi/v5"
"go.bigb.es/auxilia/culpa"
"go.bigb.es/auxilia/scribe"
"sourcecraft.dev/bigbes/lethe/internal/domain/session"
"sourcecraft.dev/bigbes/lethe/internal/pkg/apierror"
"sourcecraft.dev/bigbes/lethe/internal/pkg/httputil"
"sourcecraft.dev/bigbes/lethe/internal/server/auth"
)
// Pagination knobs mirrored from the session handler spec.
const (
defaultLimit = 50
maxLimit = 200
)
// allOwnersSentinel is the ?owner=* value that an admin uses to read across
// all owners. Identical to the session handler's sentinel.
const allOwnersSentinel = "*"
// Handler is the steward-managed HTTP boundary for the project aggregation
// API. Repo is the injected SQL steward; the Handler holds no other state.
type Handler struct {
Repo *Repository `inject:""`
}
// Init satisfies the steward Initer contract.
func (h *Handler) Init(_ context.Context) error { return nil }
// Mount registers the single read route under r. Server.Init mounts this
// inside the /api/v1 group, so the effective path is /api/v1/projects.
func (h *Handler) Mount(r chi.Router) {
r.Get("/projects", h.List)
}
// listResponse is the JSON body returned by List.
type listResponse struct {
Projects []Project `json:"projects"`
Limit int `json:"limit"`
Offset int `json:"offset"`
}
// List handles GET /projects. It resolves the owner scope (admin gating on
// ?owner=), parses optional filters, clamps pagination, and writes a
// listResponse. Errors surface through apierror.Render as RFC 7807.
func (h *Handler) List(w http.ResponseWriter, r *http.Request) {
scope, err := h.resolveScope(r)
if err != nil {
apierror.Render(w, r, err)
return
}
q := r.URL.Query()
filter := ListFilter{Owner: scope}
if v := q.Get("since"); v != "" {
n, perr := strconv.ParseInt(v, 10, 64)
if perr != nil {
apierror.Render(w, r, culpa.WithCode(
culpa.WithPublic(culpa.Wrap(perr, "parse since"), "since must be an integer (unix epoch seconds)"),
"INVALID",
))
return
}
filter.Since = &n
}
filter.Limit = clampLimit(q.Get("limit"))
filter.Offset = clampOffset(q.Get("offset"))
rows, err := h.Repo.List(r.Context(), filter)
if err != nil {
apierror.Render(w, r, err)
return
}
if writeErr := httputil.WriteJSON(w, http.StatusOK, listResponse{
Projects: rows,
Limit: filter.Limit,
Offset: filter.Offset,
}); writeErr != nil {
slog.Default().ErrorContext(r.Context(), "write projects response", scribe.Err(writeErr))
}
}
// resolveScope reads the authenticated identity off the context and the
// optional ?owner= query parameter, then returns the appropriate
// session.OwnerScope. Non-admin requests with ?owner= set are 403.
func (h *Handler) resolveScope(r *http.Request) (session.OwnerScope, error) {
id := auth.MustIdentity(r.Context())
param := r.URL.Query().Get("owner")
if param == "" {
return session.OwnerScope{User: id.User}, nil
}
if !id.IsAdmin {
return session.OwnerScope{}, culpa.WithCode(
culpa.WithPublic(culpa.New("?owner= is admin-only"), "?owner= is admin-only"),
"FORBIDDEN",
)
}
if param == allOwnersSentinel {
return session.OwnerScope{User: id.User, AllOwners: true}, nil
}
owner := strings.ToLower(param)
return session.OwnerScope{User: id.User, SpecificOwner: &owner}, nil
}
// clampLimit returns the effective limit: defaultLimit when missing,
// non-numeric, or negative; capped at maxLimit when the parsed value
// exceeds it.
func clampLimit(raw string) int {
if raw == "" {
return defaultLimit
}
n, err := strconv.Atoi(raw)
if err != nil || n < 0 {
return defaultLimit
}
if n > maxLimit {
return maxLimit
}
return n
}
// clampOffset returns the effective offset: 0 when missing, non-numeric,
// or negative.
func clampOffset(raw string) int {
if raw == "" {
return 0
}
n, err := strconv.Atoi(raw)
if err != nil || n < 0 {
return 0
}
return n
}