258 lines
8.1 KiB
TypeScript
258 lines
8.1 KiB
TypeScript
import { z } from "zod";
|
|
import { TRPCError } from "@trpc/server";
|
|
import { createTRPCRouter, protectedProcedure } from "../trpc.js";
|
|
import { createNotification } from "../lib/create-notification.js";
|
|
import { createAuditEntry } from "../lib/audit.js";
|
|
import { assertCommentEntityAccess, CommentEntityTypeSchema } from "../lib/comment-entity-registry.js";
|
|
import {
|
|
assertCommentManageableByActor,
|
|
buildCommentCreateData,
|
|
buildCommentMentionNotifications,
|
|
commentBelongsToEntity,
|
|
commentThreadInclude,
|
|
commentWithAuthorInclude,
|
|
parseCommentMentions,
|
|
} from "./comment-support.js";
|
|
|
|
// ─── Router ───────────────────────────────────────────────────────────────────
|
|
|
|
export const commentRouter = createTRPCRouter({
|
|
/** List comments for a given entity, with author info and 1-level nested replies */
|
|
list: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
entityType: CommentEntityTypeSchema,
|
|
entityId: z.string(),
|
|
}),
|
|
)
|
|
.query(async ({ ctx, input }) => {
|
|
await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
|
|
|
return ctx.db.comment.findMany({
|
|
where: {
|
|
entityType: input.entityType,
|
|
entityId: input.entityId,
|
|
parentId: null, // only top-level comments
|
|
},
|
|
include: commentThreadInclude,
|
|
orderBy: { createdAt: "asc" },
|
|
});
|
|
}),
|
|
|
|
/** List mention candidates that match the audience of the backing comment entity */
|
|
listMentionCandidates: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
entityType: CommentEntityTypeSchema,
|
|
entityId: z.string(),
|
|
query: z.string().trim().max(100).optional(),
|
|
}),
|
|
)
|
|
.query(async ({ ctx, input }) => {
|
|
const normalizedQuery = input.query && input.query.length > 0 ? input.query : undefined;
|
|
const policy = await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
|
return policy.listMentionCandidates(ctx, input.entityId, normalizedQuery);
|
|
}),
|
|
|
|
/** Count comments for a given entity (used for badge) */
|
|
count: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
entityType: CommentEntityTypeSchema,
|
|
entityId: z.string(),
|
|
}),
|
|
)
|
|
.query(async ({ ctx, input }) => {
|
|
await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
|
|
|
return ctx.db.comment.count({
|
|
where: {
|
|
entityType: input.entityType,
|
|
entityId: input.entityId,
|
|
},
|
|
});
|
|
}),
|
|
|
|
/** Create a comment, parse @mentions, and notify mentioned users */
|
|
create: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
entityType: CommentEntityTypeSchema,
|
|
entityId: z.string(),
|
|
parentId: z.string().optional(),
|
|
body: z.string().min(1).max(10_000),
|
|
}),
|
|
)
|
|
.mutation(async ({ ctx, input }) => {
|
|
const policy = await assertCommentEntityAccess(ctx, input.entityType, input.entityId);
|
|
const authorId = ctx.dbUser?.id;
|
|
if (!authorId) throw new TRPCError({ code: "UNAUTHORIZED" });
|
|
const mentions = parseCommentMentions(input.body);
|
|
|
|
// If replying, verify the parent exists
|
|
if (input.parentId) {
|
|
const parent = await ctx.db.comment.findUnique({
|
|
where: { id: input.parentId },
|
|
select: { id: true, entityType: true, entityId: true },
|
|
});
|
|
if (!parent) {
|
|
throw new TRPCError({ code: "NOT_FOUND", message: "Parent comment not found" });
|
|
}
|
|
if (!commentBelongsToEntity({
|
|
comment: parent,
|
|
entityType: input.entityType,
|
|
entityId: input.entityId,
|
|
})) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Parent comment does not belong to the requested entity",
|
|
});
|
|
}
|
|
}
|
|
|
|
const comment = await ctx.db.comment.create({
|
|
data: buildCommentCreateData({
|
|
entityType: input.entityType,
|
|
entityId: input.entityId,
|
|
parentId: input.parentId,
|
|
authorId,
|
|
body: input.body,
|
|
mentions,
|
|
}),
|
|
include: commentWithAuthorInclude,
|
|
});
|
|
|
|
// Create notifications for mentioned users (excluding the author)
|
|
const mentionedUserIds = mentions.filter((id) => id !== authorId);
|
|
if (mentionedUserIds.length > 0) {
|
|
const authorName = comment.author.name ?? comment.author.email;
|
|
const notifications = buildCommentMentionNotifications({
|
|
mentionedUserIds,
|
|
authorName,
|
|
body: input.body,
|
|
entityId: input.entityId,
|
|
entityType: input.entityType,
|
|
senderId: authorId,
|
|
link: policy.buildLink(input.entityId),
|
|
});
|
|
|
|
await Promise.all(
|
|
notifications.map((notification) =>
|
|
createNotification({
|
|
db: ctx.db,
|
|
...notification,
|
|
}),
|
|
),
|
|
);
|
|
}
|
|
|
|
void createAuditEntry({
|
|
db: ctx.db,
|
|
entityType: "Comment",
|
|
entityId: comment.id,
|
|
entityName: input.body.slice(0, 50),
|
|
action: "CREATE",
|
|
userId: ctx.dbUser?.id,
|
|
after: comment as unknown as Record<string, unknown>,
|
|
source: "ui",
|
|
});
|
|
|
|
return comment;
|
|
}),
|
|
|
|
/** Resolve or unresolve a comment (author or admin only) */
|
|
resolve: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
id: z.string(),
|
|
resolved: z.boolean().default(true),
|
|
}),
|
|
)
|
|
.mutation(async ({ ctx, input }) => {
|
|
const userId = ctx.dbUser?.id;
|
|
if (!userId) throw new TRPCError({ code: "UNAUTHORIZED" });
|
|
const dbUser = ctx.dbUser;
|
|
|
|
const existing = await ctx.db.comment.findUnique({
|
|
where: { id: input.id },
|
|
select: { id: true, authorId: true, entityType: true, entityId: true },
|
|
});
|
|
|
|
if (!existing) {
|
|
throw new TRPCError({ code: "NOT_FOUND", message: "Comment not found" });
|
|
}
|
|
|
|
await assertCommentEntityAccess(ctx, existing.entityType, existing.entityId);
|
|
|
|
assertCommentManageableByActor({
|
|
authorId: existing.authorId,
|
|
actorUserId: userId,
|
|
isAdmin: dbUser?.systemRole === "ADMIN",
|
|
action: "resolve",
|
|
});
|
|
|
|
const updated = await ctx.db.comment.update({
|
|
where: { id: input.id },
|
|
data: { resolved: input.resolved },
|
|
include: commentWithAuthorInclude,
|
|
});
|
|
|
|
void createAuditEntry({
|
|
db: ctx.db,
|
|
entityType: "Comment",
|
|
entityId: input.id,
|
|
action: "UPDATE",
|
|
userId: ctx.dbUser?.id,
|
|
summary: input.resolved ? "Resolved comment" : "Unresolved comment",
|
|
after: updated as unknown as Record<string, unknown>,
|
|
source: "ui",
|
|
});
|
|
|
|
return updated;
|
|
}),
|
|
|
|
/** Delete a comment (author or admin only). Hard-deletes, including all replies. */
|
|
delete: protectedProcedure
|
|
.input(z.object({ id: z.string() }))
|
|
.mutation(async ({ ctx, input }) => {
|
|
const userId = ctx.dbUser?.id;
|
|
if (!userId) throw new TRPCError({ code: "UNAUTHORIZED" });
|
|
const dbUser = ctx.dbUser;
|
|
|
|
const existing = await ctx.db.comment.findUnique({
|
|
where: { id: input.id },
|
|
select: { id: true, authorId: true, entityType: true, entityId: true },
|
|
});
|
|
|
|
if (!existing) {
|
|
throw new TRPCError({ code: "NOT_FOUND", message: "Comment not found" });
|
|
}
|
|
|
|
await assertCommentEntityAccess(ctx, existing.entityType, existing.entityId);
|
|
|
|
assertCommentManageableByActor({
|
|
authorId: existing.authorId,
|
|
actorUserId: userId,
|
|
isAdmin: dbUser?.systemRole === "ADMIN",
|
|
action: "delete",
|
|
});
|
|
|
|
// Delete all replies first (they reference this comment as parent)
|
|
await ctx.db.comment.deleteMany({
|
|
where: { parentId: input.id },
|
|
});
|
|
|
|
await ctx.db.comment.delete({ where: { id: input.id } });
|
|
|
|
void createAuditEntry({
|
|
db: ctx.db,
|
|
entityType: "Comment",
|
|
entityId: input.id,
|
|
action: "DELETE",
|
|
userId: ctx.dbUser?.id,
|
|
before: existing as unknown as Record<string, unknown>,
|
|
source: "ui",
|
|
});
|
|
}),
|
|
});
|