treewide: better cross-device sync capabilities; in-database storage

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Id99798df6f7e4470caae8a193c2654aa6a6a6964

crates/pinakes-server/src/routes/shares.rs

@@ -0,0 +1,543 @@
+use axum::{
+    Json,
+    extract::{ConnectInfo, Extension, Path, Query, State},
+    http::StatusCode,
+};
+use chrono::Utc;
+use std::net::SocketAddr;
+use uuid::Uuid;
+
+use crate::auth::resolve_user_id;
+use crate::dto::{
+    AccessSharedRequest, BatchDeleteSharesRequest, CreateShareRequest, MediaResponse,
+    PaginationParams, ShareActivityResponse, ShareNotificationResponse, ShareResponse,
+    UpdateShareRequest,
+};
+use crate::error::{ApiError, ApiResult};
+use crate::state::AppState;
+use pinakes_core::model::MediaId;
+use pinakes_core::model::Pagination;
+use pinakes_core::sharing::{
+    Share, ShareActivity, ShareActivityAction, ShareId, ShareNotification, ShareNotificationType,
+    SharePermissions, ShareRecipient, ShareTarget, generate_share_token, hash_share_password,
+    verify_share_password,
+};
+use pinakes_core::users::UserId;
+
+/// Create a new share
+/// POST /api/shares
+pub async fn create_share(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Json(req): Json<CreateShareRequest>,
+) -> ApiResult<Json<ShareResponse>> {
+    let config = state.config.read().await;
+    if !config.sharing.enabled {
+        return Err(ApiError::bad_request("Sharing is not enabled"));
+    }
+
+    // Validate public links are allowed
+    if req.recipient_type == "public_link" && !config.sharing.allow_public_links {
+        return Err(ApiError::bad_request("Public links are not allowed"));
+    }
+    drop(config);
+
+    let owner_id = resolve_user_id(&state.storage, &username).await?;
+
+    // Parse target
+    let target_id: Uuid = req
+        .target_id
+        .parse()
+        .map_err(|_| ApiError::bad_request("Invalid target_id"))?;
+
+    let target = match req.target_type.as_str() {
+        "media" => ShareTarget::Media {
+            media_id: MediaId(target_id),
+        },
+        "collection" => ShareTarget::Collection {
+            collection_id: target_id,
+        },
+        "tag" => ShareTarget::Tag { tag_id: target_id },
+        "saved_search" => ShareTarget::SavedSearch {
+            search_id: target_id,
+        },
+        _ => return Err(ApiError::bad_request("Invalid target_type")),
+    };
+
+    // Parse recipient
+    let recipient = match req.recipient_type.as_str() {
+        "public_link" => {
+            let token = generate_share_token();
+            let password_hash = req.password.as_ref().map(|p| hash_share_password(p));
+            ShareRecipient::PublicLink {
+                token,
+                password_hash,
+            }
+        }
+        "user" => {
+            let recipient_user_id = req.recipient_user_id.ok_or_else(|| {
+                ApiError::bad_request("recipient_user_id required for user share")
+            })?;
+            ShareRecipient::User {
+                user_id: UserId(recipient_user_id),
+            }
+        }
+        "group" => {
+            let group_id = req.recipient_group_id.ok_or_else(|| {
+                ApiError::bad_request("recipient_group_id required for group share")
+            })?;
+            ShareRecipient::Group { group_id }
+        }
+        _ => return Err(ApiError::bad_request("Invalid recipient_type")),
+    };
+
+    // Parse permissions
+    let permissions = if let Some(perms) = req.permissions {
+        SharePermissions {
+            can_view: perms.can_view.unwrap_or(true),
+            can_download: perms.can_download.unwrap_or(false),
+            can_edit: perms.can_edit.unwrap_or(false),
+            can_delete: perms.can_delete.unwrap_or(false),
+            can_reshare: perms.can_reshare.unwrap_or(false),
+            can_add: perms.can_add.unwrap_or(false),
+        }
+    } else {
+        SharePermissions::view_only()
+    };
+
+    // Calculate expiration
+    let expires_at = req
+        .expires_in_hours
+        .map(|hours| Utc::now() + chrono::Duration::hours(hours as i64));
+
+    let share = Share {
+        id: ShareId(Uuid::now_v7()),
+        target,
+        owner_id,
+        recipient,
+        permissions,
+        note: req.note,
+        expires_at,
+        access_count: 0,
+        last_accessed: None,
+        inherit_to_children: req.inherit_to_children.unwrap_or(true),
+        parent_share_id: None,
+        created_at: Utc::now(),
+        updated_at: Utc::now(),
+    };
+
+    let created = state
+        .storage
+        .create_share(&share)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to create share: {}", e)))?;
+
+    // Send notification to recipient if it's a user share
+    if let ShareRecipient::User { user_id } = &created.recipient {
+        let notification = ShareNotification {
+            id: Uuid::now_v7(),
+            user_id: *user_id,
+            share_id: created.id,
+            notification_type: ShareNotificationType::NewShare,
+            is_read: false,
+            created_at: Utc::now(),
+        };
+
+        // Ignore notification errors
+        let _ = state.storage.create_share_notification(&notification).await;
+    }
+
+    Ok(Json(created.into()))
+}
+
+/// List outgoing shares (shares I created)
+/// GET /api/shares/outgoing
+pub async fn list_outgoing(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Query(params): Query<PaginationParams>,
+) -> ApiResult<Json<Vec<ShareResponse>>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let pagination = Pagination {
+        offset: params.offset.unwrap_or(0),
+        limit: params.limit.unwrap_or(50),
+        sort: params.sort,
+    };
+
+    let shares = state
+        .storage
+        .list_shares_by_owner(user_id, &pagination)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to list shares: {}", e)))?;
+
+    Ok(Json(shares.into_iter().map(Into::into).collect()))
+}
+
+/// List incoming shares (shares shared with me)
+/// GET /api/shares/incoming
+pub async fn list_incoming(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Query(params): Query<PaginationParams>,
+) -> ApiResult<Json<Vec<ShareResponse>>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let pagination = Pagination {
+        offset: params.offset.unwrap_or(0),
+        limit: params.limit.unwrap_or(50),
+        sort: params.sort,
+    };
+
+    let shares = state
+        .storage
+        .list_shares_for_user(user_id, &pagination)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to list shares: {}", e)))?;
+
+    Ok(Json(shares.into_iter().map(Into::into).collect()))
+}
+
+/// Get share details
+/// GET /api/shares/{id}
+pub async fn get_share(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Path(id): Path<Uuid>,
+) -> ApiResult<Json<ShareResponse>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let share = state
+        .storage
+        .get_share(ShareId(id))
+        .await
+        .map_err(|e| ApiError::not_found(format!("Share not found: {}", e)))?;
+
+    // Check authorization
+    let is_owner = share.owner_id == user_id;
+    let is_recipient = match &share.recipient {
+        ShareRecipient::User {
+            user_id: recipient_id,
+        } => *recipient_id == user_id,
+        _ => false,
+    };
+
+    if !is_owner && !is_recipient {
+        return Err(ApiError::forbidden("Not authorized to view this share"));
+    }
+
+    Ok(Json(share.into()))
+}
+
+/// Update a share
+/// PATCH /api/shares/{id}
+pub async fn update_share(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Path(id): Path<Uuid>,
+    Json(req): Json<UpdateShareRequest>,
+) -> ApiResult<Json<ShareResponse>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let mut share = state
+        .storage
+        .get_share(ShareId(id))
+        .await
+        .map_err(|e| ApiError::not_found(format!("Share not found: {}", e)))?;
+
+    // Only owner can update
+    if share.owner_id != user_id {
+        return Err(ApiError::forbidden("Only the owner can update this share"));
+    }
+
+    // Update fields
+    if let Some(perms) = req.permissions {
+        share.permissions = SharePermissions {
+            can_view: perms.can_view.unwrap_or(share.permissions.can_view),
+            can_download: perms.can_download.unwrap_or(share.permissions.can_download),
+            can_edit: perms.can_edit.unwrap_or(share.permissions.can_edit),
+            can_delete: perms.can_delete.unwrap_or(share.permissions.can_delete),
+            can_reshare: perms.can_reshare.unwrap_or(share.permissions.can_reshare),
+            can_add: perms.can_add.unwrap_or(share.permissions.can_add),
+        };
+    }
+
+    if let Some(note) = req.note {
+        share.note = Some(note);
+    }
+
+    if let Some(expires_at) = req.expires_at {
+        share.expires_at = Some(expires_at);
+    }
+
+    if let Some(inherit) = req.inherit_to_children {
+        share.inherit_to_children = inherit;
+    }
+
+    share.updated_at = Utc::now();
+
+    let updated = state
+        .storage
+        .update_share(&share)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to update share: {}", e)))?;
+
+    // Notify recipient of update
+    if let ShareRecipient::User { user_id } = &updated.recipient {
+        let notification = ShareNotification {
+            id: Uuid::now_v7(),
+            user_id: *user_id,
+            share_id: updated.id,
+            notification_type: ShareNotificationType::ShareUpdated,
+            is_read: false,
+            created_at: Utc::now(),
+        };
+        let _ = state.storage.create_share_notification(&notification).await;
+    }
+
+    Ok(Json(updated.into()))
+}
+
+/// Delete (revoke) a share
+/// DELETE /api/shares/{id}
+pub async fn delete_share(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Path(id): Path<Uuid>,
+) -> ApiResult<StatusCode> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let share = state
+        .storage
+        .get_share(ShareId(id))
+        .await
+        .map_err(|e| ApiError::not_found(format!("Share not found: {}", e)))?;
+
+    // Only owner can delete
+    if share.owner_id != user_id {
+        return Err(ApiError::forbidden("Only the owner can revoke this share"));
+    }
+
+    // Notify recipient before deletion
+    if let ShareRecipient::User { user_id } = &share.recipient {
+        let notification = ShareNotification {
+            id: Uuid::now_v7(),
+            user_id: *user_id,
+            share_id: share.id,
+            notification_type: ShareNotificationType::ShareRevoked,
+            is_read: false,
+            created_at: Utc::now(),
+        };
+        let _ = state.storage.create_share_notification(&notification).await;
+    }
+
+    state
+        .storage
+        .delete_share(ShareId(id))
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to delete share: {}", e)))?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+/// Batch delete shares
+/// POST /api/shares/batch/delete
+pub async fn batch_delete(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Json(req): Json<BatchDeleteSharesRequest>,
+) -> ApiResult<Json<serde_json::Value>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let share_ids: Vec<ShareId> = req.share_ids.into_iter().map(ShareId).collect();
+
+    // Verify ownership of all shares
+    for share_id in &share_ids {
+        let share = state
+            .storage
+            .get_share(*share_id)
+            .await
+            .map_err(|e| ApiError::not_found(format!("Share not found: {}", e)))?;
+
+        if share.owner_id != user_id {
+            return Err(ApiError::forbidden(format!(
+                "Not authorized to delete share {}",
+                share_id.0
+            )));
+        }
+    }
+
+    let deleted = state
+        .storage
+        .batch_delete_shares(&share_ids)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to batch delete: {}", e)))?;
+
+    Ok(Json(serde_json::json!({ "deleted": deleted })))
+}
+
+/// Access a public shared resource
+/// GET /api/shared/{token}
+pub async fn access_shared(
+    State(state): State<AppState>,
+    Path(token): Path<String>,
+    Query(params): Query<AccessSharedRequest>,
+    ConnectInfo(addr): ConnectInfo<SocketAddr>,
+) -> ApiResult<Json<MediaResponse>> {
+    let share = state
+        .storage
+        .get_share_by_token(&token)
+        .await
+        .map_err(|e| ApiError::not_found(format!("Share not found: {}", e)))?;
+
+    // Check expiration
+    if let Some(expires_at) = share.expires_at {
+        if Utc::now() > expires_at {
+            return Err(ApiError::not_found("Share has expired"));
+        }
+    }
+
+    // Check password if required
+    if let ShareRecipient::PublicLink { password_hash, .. } = &share.recipient {
+        if let Some(hash) = password_hash {
+            let provided_password = params
+                .password
+                .as_ref()
+                .ok_or_else(|| ApiError::unauthorized("Password required"))?;
+
+            if !verify_share_password(provided_password, hash) {
+                // Log failed attempt
+                let activity = ShareActivity {
+                    id: Uuid::now_v7(),
+                    share_id: share.id,
+                    actor_id: None,
+                    actor_ip: Some(addr.ip().to_string()),
+                    action: ShareActivityAction::PasswordFailed,
+                    details: None,
+                    timestamp: Utc::now(),
+                };
+                let _ = state.storage.record_share_activity(&activity).await;
+
+                return Err(ApiError::unauthorized("Invalid password"));
+            }
+        }
+    }
+
+    // Record access
+    state
+        .storage
+        .record_share_access(share.id)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to record access: {}", e)))?;
+
+    // Log the access
+    let activity = ShareActivity {
+        id: Uuid::now_v7(),
+        share_id: share.id,
+        actor_id: None,
+        actor_ip: Some(addr.ip().to_string()),
+        action: ShareActivityAction::Accessed,
+        details: None,
+        timestamp: Utc::now(),
+    };
+    let _ = state.storage.record_share_activity(&activity).await;
+
+    // Return the shared content
+    match &share.target {
+        ShareTarget::Media { media_id } => {
+            let item = state
+                .storage
+                .get_media(*media_id)
+                .await
+                .map_err(|e| ApiError::not_found(format!("Media not found: {}", e)))?;
+
+            Ok(Json(item.into()))
+        }
+        _ => {
+            // For collections/tags, return a placeholder
+            // Full implementation would return the collection contents
+            Err(ApiError::bad_request(
+                "Collection/tag sharing not yet fully implemented",
+            ))
+        }
+    }
+}
+
+/// Get share activity log
+/// GET /api/shares/{id}/activity
+pub async fn get_activity(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+    Path(id): Path<Uuid>,
+    Query(params): Query<PaginationParams>,
+) -> ApiResult<Json<Vec<ShareActivityResponse>>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let share = state
+        .storage
+        .get_share(ShareId(id))
+        .await
+        .map_err(|e| ApiError::not_found(format!("Share not found: {}", e)))?;
+
+    // Only owner can view activity
+    if share.owner_id != user_id {
+        return Err(ApiError::forbidden(
+            "Only the owner can view share activity",
+        ));
+    }
+
+    let pagination = Pagination {
+        offset: params.offset.unwrap_or(0),
+        limit: params.limit.unwrap_or(50),
+        sort: params.sort,
+    };
+
+    let activity = state
+        .storage
+        .get_share_activity(ShareId(id), &pagination)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to get activity: {}", e)))?;
+
+    Ok(Json(activity.into_iter().map(Into::into).collect()))
+}
+
+/// Get unread share notifications
+/// GET /api/notifications/shares
+pub async fn get_notifications(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+) -> ApiResult<Json<Vec<ShareNotificationResponse>>> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    let notifications = state
+        .storage
+        .get_unread_notifications(user_id)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to get notifications: {}", e)))?;
+
+    Ok(Json(notifications.into_iter().map(Into::into).collect()))
+}
+
+/// Mark a notification as read
+/// POST /api/notifications/shares/{id}/read
+pub async fn mark_notification_read(
+    State(state): State<AppState>,
+    Extension(_username): Extension<String>,
+    Path(id): Path<Uuid>,
+) -> ApiResult<StatusCode> {
+    state
+        .storage
+        .mark_notification_read(id)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to mark as read: {}", e)))?;
+
+    Ok(StatusCode::OK)
+}
+
+/// Mark all notifications as read
+/// POST /api/notifications/shares/read-all
+pub async fn mark_all_read(
+    State(state): State<AppState>,
+    Extension(username): Extension<String>,
+) -> ApiResult<StatusCode> {
+    let user_id = resolve_user_id(&state.storage, &username).await?;
+    state
+        .storage
+        .mark_all_notifications_read(user_id)
+        .await
+        .map_err(|e| ApiError::internal(format!("Failed to mark all as read: {}", e)))?;
+
+    Ok(StatusCode::OK)
+}