refactor(api): extract comment procedures
This commit is contained in:
@@ -0,0 +1,254 @@
|
||||
import { TRPCError } from "@trpc/server";
|
||||
import { z } from "zod";
|
||||
import { createAuditEntry } from "../lib/audit.js";
|
||||
import { assertCommentEntityAccess, CommentEntityTypeSchema } from "../lib/comment-entity-registry.js";
|
||||
import { createNotification } from "../lib/create-notification.js";
|
||||
import type { TRPCContext } from "../trpc.js";
|
||||
import {
|
||||
assertCommentManageableByActor,
|
||||
buildCommentCreateData,
|
||||
buildCommentMentionNotifications,
|
||||
commentBelongsToEntity,
|
||||
commentThreadInclude,
|
||||
commentWithAuthorInclude,
|
||||
parseCommentMentions,
|
||||
} from "./comment-support.js";
|
||||
|
||||
export const CommentEntityInputSchema = z.object({
|
||||
entityType: CommentEntityTypeSchema,
|
||||
entityId: z.string(),
|
||||
});
|
||||
|
||||
export const CommentMentionCandidatesInputSchema = CommentEntityInputSchema.extend({
|
||||
query: z.string().trim().max(100).optional(),
|
||||
});
|
||||
|
||||
export const CreateCommentInputSchema = CommentEntityInputSchema.extend({
|
||||
parentId: z.string().optional(),
|
||||
body: z.string().min(1).max(10_000),
|
||||
});
|
||||
|
||||
export const ResolveCommentInputSchema = z.object({
|
||||
id: z.string(),
|
||||
resolved: z.boolean().default(true),
|
||||
});
|
||||
|
||||
export const DeleteCommentInputSchema = z.object({
|
||||
id: z.string(),
|
||||
});
|
||||
|
||||
type CommentProcedureContext = Pick<TRPCContext, "db" | "dbUser" | "roleDefaults">;
|
||||
type CreateCommentProcedureContext = Pick<TRPCContext, "db" | "dbUser" | "roleDefaults">;
|
||||
|
||||
export async function listComments(
|
||||
ctx: CommentProcedureContext,
|
||||
input: z.infer<typeof CommentEntityInputSchema>,
|
||||
) {
|
||||
await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
|
||||
return ctx.db.comment.findMany({
|
||||
where: {
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
parentId: null,
|
||||
},
|
||||
include: commentThreadInclude,
|
||||
orderBy: { createdAt: "asc" },
|
||||
});
|
||||
}
|
||||
|
||||
export async function countComments(
|
||||
ctx: CommentProcedureContext,
|
||||
input: z.infer<typeof CommentEntityInputSchema>,
|
||||
) {
|
||||
await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
|
||||
return ctx.db.comment.count({
|
||||
where: {
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
export async function listCommentMentionCandidates(
|
||||
ctx: CommentProcedureContext,
|
||||
input: z.infer<typeof CommentMentionCandidatesInputSchema>,
|
||||
) {
|
||||
const normalizedQuery = input.query && input.query.length > 0 ? input.query : undefined;
|
||||
const policy = await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
return policy.listMentionCandidates(ctx, input.entityId, normalizedQuery);
|
||||
}
|
||||
|
||||
export async function createComment(
|
||||
ctx: CreateCommentProcedureContext,
|
||||
input: z.infer<typeof CreateCommentInputSchema>,
|
||||
) {
|
||||
const policy = await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
const authorId = ctx.dbUser?.id;
|
||||
if (!authorId) {
|
||||
throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||
}
|
||||
|
||||
const mentions = parseCommentMentions(input.body);
|
||||
|
||||
if (input.parentId) {
|
||||
const parent = await ctx.db.comment.findUnique({
|
||||
where: { id: input.parentId },
|
||||
select: { id: true, entityType: true, entityId: true },
|
||||
});
|
||||
if (!parent) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Parent comment not found" });
|
||||
}
|
||||
if (!commentBelongsToEntity({
|
||||
comment: parent,
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
})) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Parent comment does not belong to the requested entity",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const comment = await ctx.db.comment.create({
|
||||
data: buildCommentCreateData({
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
parentId: input.parentId,
|
||||
authorId,
|
||||
body: input.body,
|
||||
mentions,
|
||||
}),
|
||||
include: commentWithAuthorInclude,
|
||||
});
|
||||
|
||||
const mentionedUserIds = mentions.filter((id) => id !== authorId);
|
||||
if (mentionedUserIds.length > 0) {
|
||||
const authorName = comment.author.name ?? comment.author.email;
|
||||
const notifications = buildCommentMentionNotifications({
|
||||
mentionedUserIds,
|
||||
authorName,
|
||||
body: input.body,
|
||||
entityId: input.entityId,
|
||||
entityType: input.entityType,
|
||||
senderId: authorId,
|
||||
link: policy.buildLink(input.entityId),
|
||||
});
|
||||
|
||||
await Promise.all(
|
||||
notifications.map((notification) =>
|
||||
createNotification({
|
||||
db: ctx.db,
|
||||
...notification,
|
||||
})),
|
||||
);
|
||||
}
|
||||
|
||||
void createAuditEntry({
|
||||
db: ctx.db,
|
||||
entityType: "Comment",
|
||||
entityId: comment.id,
|
||||
entityName: input.body.slice(0, 50),
|
||||
action: "CREATE",
|
||||
...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
|
||||
after: comment as unknown as Record<string, unknown>,
|
||||
source: "ui",
|
||||
});
|
||||
|
||||
return comment;
|
||||
}
|
||||
|
||||
async function findManageableComment(
|
||||
ctx: CommentProcedureContext,
|
||||
id: string,
|
||||
) {
|
||||
const existing = await ctx.db.comment.findUnique({
|
||||
where: { id },
|
||||
select: { id: true, authorId: true, entityType: true, entityId: true },
|
||||
});
|
||||
|
||||
if (!existing) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Comment not found" });
|
||||
}
|
||||
|
||||
await assertCommentEntityAccess(ctx, existing.entityType, existing.entityId);
|
||||
|
||||
return existing;
|
||||
}
|
||||
|
||||
export async function resolveComment(
|
||||
ctx: CommentProcedureContext,
|
||||
input: z.infer<typeof ResolveCommentInputSchema>,
|
||||
) {
|
||||
const userId = ctx.dbUser?.id;
|
||||
if (!userId) {
|
||||
throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||
}
|
||||
|
||||
const existing = await findManageableComment(ctx, input.id);
|
||||
|
||||
assertCommentManageableByActor({
|
||||
authorId: existing.authorId,
|
||||
actorUserId: userId,
|
||||
isAdmin: ctx.dbUser?.systemRole === "ADMIN",
|
||||
action: "resolve",
|
||||
});
|
||||
|
||||
const updated = await ctx.db.comment.update({
|
||||
where: { id: input.id },
|
||||
data: { resolved: input.resolved },
|
||||
include: commentWithAuthorInclude,
|
||||
});
|
||||
|
||||
void createAuditEntry({
|
||||
db: ctx.db,
|
||||
entityType: "Comment",
|
||||
entityId: input.id,
|
||||
action: "UPDATE",
|
||||
...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
|
||||
summary: input.resolved ? "Resolved comment" : "Unresolved comment",
|
||||
after: updated as unknown as Record<string, unknown>,
|
||||
source: "ui",
|
||||
});
|
||||
|
||||
return updated;
|
||||
}
|
||||
|
||||
export async function deleteComment(
|
||||
ctx: CommentProcedureContext,
|
||||
input: z.infer<typeof DeleteCommentInputSchema>,
|
||||
) {
|
||||
const userId = ctx.dbUser?.id;
|
||||
if (!userId) {
|
||||
throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||
}
|
||||
|
||||
const existing = await findManageableComment(ctx, input.id);
|
||||
|
||||
assertCommentManageableByActor({
|
||||
authorId: existing.authorId,
|
||||
actorUserId: userId,
|
||||
isAdmin: ctx.dbUser?.systemRole === "ADMIN",
|
||||
action: "delete",
|
||||
});
|
||||
|
||||
await ctx.db.comment.deleteMany({
|
||||
where: { parentId: input.id },
|
||||
});
|
||||
|
||||
await ctx.db.comment.delete({
|
||||
where: { id: input.id },
|
||||
});
|
||||
|
||||
void createAuditEntry({
|
||||
db: ctx.db,
|
||||
entityType: "Comment",
|
||||
entityId: input.id,
|
||||
action: "DELETE",
|
||||
...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
|
||||
before: existing as unknown as Record<string, unknown>,
|
||||
source: "ui",
|
||||
});
|
||||
}
|
||||
@@ -1,257 +1,40 @@
|
||||
import { z } from "zod";
|
||||
import { TRPCError } from "@trpc/server";
|
||||
import { createTRPCRouter, protectedProcedure } from "../trpc.js";
|
||||
import { createNotification } from "../lib/create-notification.js";
|
||||
import { createAuditEntry } from "../lib/audit.js";
|
||||
import { assertCommentEntityAccess, CommentEntityTypeSchema } from "../lib/comment-entity-registry.js";
|
||||
import {
|
||||
assertCommentManageableByActor,
|
||||
buildCommentCreateData,
|
||||
buildCommentMentionNotifications,
|
||||
commentBelongsToEntity,
|
||||
commentThreadInclude,
|
||||
commentWithAuthorInclude,
|
||||
parseCommentMentions,
|
||||
} from "./comment-support.js";
|
||||
|
||||
// ─── Router ───────────────────────────────────────────────────────────────────
|
||||
CommentEntityInputSchema,
|
||||
CommentMentionCandidatesInputSchema,
|
||||
CreateCommentInputSchema,
|
||||
DeleteCommentInputSchema,
|
||||
ResolveCommentInputSchema,
|
||||
countComments,
|
||||
createComment,
|
||||
deleteComment,
|
||||
listCommentMentionCandidates,
|
||||
listComments,
|
||||
resolveComment,
|
||||
} from "./comment-procedure-support.js";
|
||||
|
||||
export const commentRouter = createTRPCRouter({
|
||||
/** List comments for a given entity, with author info and 1-level nested replies */
|
||||
list: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
entityType: CommentEntityTypeSchema,
|
||||
entityId: z.string(),
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => {
|
||||
await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
.input(CommentEntityInputSchema)
|
||||
.query(({ ctx, input }) => listComments(ctx, input)),
|
||||
|
||||
return ctx.db.comment.findMany({
|
||||
where: {
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
parentId: null, // only top-level comments
|
||||
},
|
||||
include: commentThreadInclude,
|
||||
orderBy: { createdAt: "asc" },
|
||||
});
|
||||
}),
|
||||
|
||||
/** List mention candidates that match the audience of the backing comment entity */
|
||||
listMentionCandidates: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
entityType: CommentEntityTypeSchema,
|
||||
entityId: z.string(),
|
||||
query: z.string().trim().max(100).optional(),
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => {
|
||||
const normalizedQuery = input.query && input.query.length > 0 ? input.query : undefined;
|
||||
const policy = await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
return policy.listMentionCandidates(ctx, input.entityId, normalizedQuery);
|
||||
}),
|
||||
.input(CommentMentionCandidatesInputSchema)
|
||||
.query(({ ctx, input }) => listCommentMentionCandidates(ctx, input)),
|
||||
|
||||
/** Count comments for a given entity (used for badge) */
|
||||
count: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
entityType: CommentEntityTypeSchema,
|
||||
entityId: z.string(),
|
||||
}),
|
||||
)
|
||||
.query(async ({ ctx, input }) => {
|
||||
await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
.input(CommentEntityInputSchema)
|
||||
.query(({ ctx, input }) => countComments(ctx, input)),
|
||||
|
||||
return ctx.db.comment.count({
|
||||
where: {
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
},
|
||||
});
|
||||
}),
|
||||
|
||||
/** Create a comment, parse @mentions, and notify mentioned users */
|
||||
create: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
entityType: CommentEntityTypeSchema,
|
||||
entityId: z.string(),
|
||||
parentId: z.string().optional(),
|
||||
body: z.string().min(1).max(10_000),
|
||||
}),
|
||||
)
|
||||
.mutation(async ({ ctx, input }) => {
|
||||
const policy = await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
||||
const authorId = ctx.dbUser?.id;
|
||||
if (!authorId) throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||
const mentions = parseCommentMentions(input.body);
|
||||
.input(CreateCommentInputSchema)
|
||||
.mutation(({ ctx, input }) => createComment(ctx, input)),
|
||||
|
||||
// If replying, verify the parent exists
|
||||
if (input.parentId) {
|
||||
const parent = await ctx.db.comment.findUnique({
|
||||
where: { id: input.parentId },
|
||||
select: { id: true, entityType: true, entityId: true },
|
||||
});
|
||||
if (!parent) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Parent comment not found" });
|
||||
}
|
||||
if (!commentBelongsToEntity({
|
||||
comment: parent,
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
})) {
|
||||
throw new TRPCError({
|
||||
code: "BAD_REQUEST",
|
||||
message: "Parent comment does not belong to the requested entity",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
const comment = await ctx.db.comment.create({
|
||||
data: buildCommentCreateData({
|
||||
entityType: input.entityType,
|
||||
entityId: input.entityId,
|
||||
parentId: input.parentId,
|
||||
authorId,
|
||||
body: input.body,
|
||||
mentions,
|
||||
}),
|
||||
include: commentWithAuthorInclude,
|
||||
});
|
||||
|
||||
// Create notifications for mentioned users (excluding the author)
|
||||
const mentionedUserIds = mentions.filter((id) => id !== authorId);
|
||||
if (mentionedUserIds.length > 0) {
|
||||
const authorName = comment.author.name ?? comment.author.email;
|
||||
const notifications = buildCommentMentionNotifications({
|
||||
mentionedUserIds,
|
||||
authorName,
|
||||
body: input.body,
|
||||
entityId: input.entityId,
|
||||
entityType: input.entityType,
|
||||
senderId: authorId,
|
||||
link: policy.buildLink(input.entityId),
|
||||
});
|
||||
|
||||
await Promise.all(
|
||||
notifications.map((notification) =>
|
||||
createNotification({
|
||||
db: ctx.db,
|
||||
...notification,
|
||||
}),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
void createAuditEntry({
|
||||
db: ctx.db,
|
||||
entityType: "Comment",
|
||||
entityId: comment.id,
|
||||
entityName: input.body.slice(0, 50),
|
||||
action: "CREATE",
|
||||
userId: ctx.dbUser?.id,
|
||||
after: comment as unknown as Record<string, unknown>,
|
||||
source: "ui",
|
||||
});
|
||||
|
||||
return comment;
|
||||
}),
|
||||
|
||||
/** Resolve or unresolve a comment (author or admin only) */
|
||||
resolve: protectedProcedure
|
||||
.input(
|
||||
z.object({
|
||||
id: z.string(),
|
||||
resolved: z.boolean().default(true),
|
||||
}),
|
||||
)
|
||||
.mutation(async ({ ctx, input }) => {
|
||||
const userId = ctx.dbUser?.id;
|
||||
if (!userId) throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||
const dbUser = ctx.dbUser;
|
||||
.input(ResolveCommentInputSchema)
|
||||
.mutation(({ ctx, input }) => resolveComment(ctx, input)),
|
||||
|
||||
const existing = await ctx.db.comment.findUnique({
|
||||
where: { id: input.id },
|
||||
select: { id: true, authorId: true, entityType: true, entityId: true },
|
||||
});
|
||||
|
||||
if (!existing) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Comment not found" });
|
||||
}
|
||||
|
||||
await assertCommentEntityAccess(ctx, existing.entityType, existing.entityId);
|
||||
|
||||
assertCommentManageableByActor({
|
||||
authorId: existing.authorId,
|
||||
actorUserId: userId,
|
||||
isAdmin: dbUser?.systemRole === "ADMIN",
|
||||
action: "resolve",
|
||||
});
|
||||
|
||||
const updated = await ctx.db.comment.update({
|
||||
where: { id: input.id },
|
||||
data: { resolved: input.resolved },
|
||||
include: commentWithAuthorInclude,
|
||||
});
|
||||
|
||||
void createAuditEntry({
|
||||
db: ctx.db,
|
||||
entityType: "Comment",
|
||||
entityId: input.id,
|
||||
action: "UPDATE",
|
||||
userId: ctx.dbUser?.id,
|
||||
summary: input.resolved ? "Resolved comment" : "Unresolved comment",
|
||||
after: updated as unknown as Record<string, unknown>,
|
||||
source: "ui",
|
||||
});
|
||||
|
||||
return updated;
|
||||
}),
|
||||
|
||||
/** Delete a comment (author or admin only). Hard-deletes, including all replies. */
|
||||
delete: protectedProcedure
|
||||
.input(z.object({ id: z.string() }))
|
||||
.mutation(async ({ ctx, input }) => {
|
||||
const userId = ctx.dbUser?.id;
|
||||
if (!userId) throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||
const dbUser = ctx.dbUser;
|
||||
|
||||
const existing = await ctx.db.comment.findUnique({
|
||||
where: { id: input.id },
|
||||
select: { id: true, authorId: true, entityType: true, entityId: true },
|
||||
});
|
||||
|
||||
if (!existing) {
|
||||
throw new TRPCError({ code: "NOT_FOUND", message: "Comment not found" });
|
||||
}
|
||||
|
||||
await assertCommentEntityAccess(ctx, existing.entityType, existing.entityId);
|
||||
|
||||
assertCommentManageableByActor({
|
||||
authorId: existing.authorId,
|
||||
actorUserId: userId,
|
||||
isAdmin: dbUser?.systemRole === "ADMIN",
|
||||
action: "delete",
|
||||
});
|
||||
|
||||
// Delete all replies first (they reference this comment as parent)
|
||||
await ctx.db.comment.deleteMany({
|
||||
where: { parentId: input.id },
|
||||
});
|
||||
|
||||
await ctx.db.comment.delete({ where: { id: input.id } });
|
||||
|
||||
void createAuditEntry({
|
||||
db: ctx.db,
|
||||
entityType: "Comment",
|
||||
entityId: input.id,
|
||||
action: "DELETE",
|
||||
userId: ctx.dbUser?.id,
|
||||
before: existing as unknown as Record<string, unknown>,
|
||||
source: "ui",
|
||||
});
|
||||
}),
|
||||
.input(DeleteCommentInputSchema)
|
||||
.mutation(({ ctx, input }) => deleteComment(ctx, input)),
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user