problemi/server/routes.ts

import crypto from 'crypto'

import bodyParser from 'body-parser'
import cookieParser from 'cookie-parser'

import express, { Request, Response, Router } from 'express'

import { createStatusRouter } from './middlewares'

import { StatusCodes } from 'http-status-codes'

import {
    createDatabase,
    createProblem,
    createSolution,
    getProblem,
    getProblems,
    getSolution,
    getSolutions,
    getUser,
    getUsers,
    getVisibleSolutions,
    updateSolution,
} from './db/database'

import {
    Id,
    isAdministrator,
    isStudent,
    Opaque,
    Problem,
    ProblemId,
    Solution as SolutionModel,
    SolutionId,
    UserId,
} from '../shared/model'
import { initialDatabaseValue } from './db/example-data'

import { validateObjectKeys } from '../shared/utils'

export async function createApiRouter() {
    type SessionId = Opaque<string, string, 'session'>

    const sessionStore: Record<SessionId, UserId> = {}
    const sessions = {
        createSession(userId: UserId) {
            const sid = crypto.randomBytes(10).toString('hex') as SessionId
            sessionStore[sid] = userId
            return sid
        },
        getUserForSession(sid: SessionId) {
            return sessionStore[sid] ?? null
        },
    }

    const db = createDatabase('./db.local.json', initialDatabaseValue)

    async function getRequestUser(req: Request) {
        const userId = sessions.getUserForSession(req.cookies.sid)
        if (!userId) {
            return null
        }

        console.log(userId)

        return await getUser(db, userId)
    }

    const r: Router = express.Router()

    r.use(bodyParser.json())
    r.use(cookieParser())

    r.use('/api/status', createStatusRouter())
    // r.use('/api/ping', new PingRouter())

    r.get('/api/current-user', async (req, res) => {
        res.json(await getRequestUser(req))
    })

    r.post('/api/login', async (req, res) => {
        const { id } = req.body

        const user = await getUser(db, id)
        if (!user) {
            res.sendStatus(StatusCodes.FORBIDDEN)
            return
        }

        res.cookie('sid', sessions.createSession(id), { maxAge: 1000 * 60 * 60 * 24 * 7 })
        res.json({ status: 'ok' })
    })

    r.post('/api/logout', (req, res) => {
        res.cookie('sid', '', { expires: new Date() })
        res.json({ status: 'ok' })
    })

    r.get('/api/users', async (req, res) => {
        const requestUser = await getRequestUser(req)
        if (!requestUser || !isAdministrator(requestUser.role)) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        const users = await getUsers(db)
        res.json(users)
    })

    r.get('/api/problems', async (req, res) => {
        type ProblemWithSolutionsCount = Problem & { solutionsCount?: number }

        const problems: ProblemWithSolutionsCount[] = await getProblems(db)
        const solutions = await getSolutions(db)

        const solutionCounts: Record<ProblemId, number> = {}

        for (const s of solutions) {
            solutionCounts[s.forProblem] ||= 0
            solutionCounts[s.forProblem]++
        }

        for (const p of problems) {
            p.solutionsCount = solutionCounts[p.id] || 0
        }

        res.json(problems)
    })

    r.get('/api/problem/:id', async (req, res) => {
        res.json(await getProblem(db, req.params.id))
    })

    r.post('/api/problem', async (req, res) => {
        const user = await getRequestUser(req)
        if (!user) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }
        if (user.role !== 'admin' && user.role !== 'moderator') {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        const id = await createProblem(db, {
            content: req.body.content,
            createdBy: user.id,
        })

        res.json(id)
    })

    r.get('/api/solutions', async (req, res) => {
        let queryUser = (req.query.user ?? null) as UserId | null
        let queryProblem = (req.query.problem ?? null) as ProblemId | null

        const requestUser = await getRequestUser(req)

        let solutions = await getSolutions(db)
        // se l'utente non è loggato o se non è un amministratore allora mostra solo le soluzioni "visibili"
        if (!requestUser || !isAdministrator(requestUser.role)) {
            solutions = solutions.filter(
                s => s.visible || (requestUser && s.sentBy === requestUser.id)
            )
        }
        // filtra rispetto agli utenti
        if (queryUser !== null) {
            solutions = solutions.filter(s => s.sentBy === queryUser)
        }
        // filtra rispetto ai problemi
        if (queryProblem !== null) {
            solutions = solutions.filter(s => s.forProblem === queryProblem)
        }

        res.json(solutions)
    })

    r.get('/api/solution/:id', async (req, res) => {
        const user = await getRequestUser(req)

        const solution = await getSolution(db, req.params.id as SolutionId)
        // la soluzione deve esistere
        if (solution === null) {
            res.sendStatus(StatusCodes.NOT_FOUND)
            return
        }
        // uno studente può vedere solo soluzioni visibili o proprie soluzione
        if (!solution.visible && user && isStudent(user.role) && solution.sentBy !== user.id) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        res.json(solution)
    })

    r.post('/api/solution', async (req, res) => {
        const user = await getRequestUser(req)
        if (!user) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        await createSolution(db, {
            sentBy: user.id,
            forProblem: req.body.forProblem,
            content: req.body.content,
        })

        res.send({ status: 'ok' })
    })

    r.patch('/api/solution/:id', async (req, res) => {
        const id = req.params.id as SolutionId

        const user = await getRequestUser(req)
        // l'utente deve essere loggato
        if (!user) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        const solution = await getSolution(db, id)
        // la soluzione deve esistere
        if (solution === null) {
            res.sendStatus(404)
            return
        }
        // uno studente non può modificare una soluzione di un altro utente
        if (user.role === 'student' && solution.sentBy !== user.id) {
            res.status(StatusCodes.UNAUTHORIZED)
            res.send(`a student can only modify its own solution`)
            return
        }
        // uno studente può modificare solo il campo "content"
        if (
            user.role === 'student' &&
            !validateObjectKeys<keyof SolutionModel>(req.body, ['content'])
        ) {
            res.status(StatusCodes.UNAUTHORIZED)
            res.send(`a student can only modify the field "content"`)
            return
        }
        // un moderatore può modificare solo i campi "content", "visible", "status"
        if (
            user.role === 'moderator' &&
            !validateObjectKeys<keyof SolutionModel>(req.body, ['content', 'status', 'visible'])
        ) {
            res.status(StatusCodes.UNAUTHORIZED)
            res.send(`a moderator can only modify the fields "content", "visible", "status"`)
            return
        }

        await updateSolution(db, id, req.body)

        res.json({ status: 'ok' })
    })

    r.get('/api/user/:id', async (req, res) => {
        const user = await getRequestUser(req)

        // intanto l'utente deve essere loggato
        if (!user) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        // solo gli amministratori possono usare questa route
        if (!isAdministrator(user.role)) {
            res.sendStatus(StatusCodes.UNAUTHORIZED)
            return
        }

        const requestedUser = await getUser(db, req.params.id)

        // l'utente richiesto magari deve esistere
        if (!requestedUser) {
            res.sendStatus(404)
            return
        }

        res.json(requestedUser)
    })

    return r
}
Refactoring to Typescript... 2 years ago			`import crypto from 'crypto'`

			`import bodyParser from 'body-parser'`
			`import cookieParser from 'cookie-parser'`

			`import express, { Request, Response, Router } from 'express'`

			`import { createStatusRouter } from './middlewares'`

Almost MVP 2 years ago			`import { StatusCodes } from 'http-status-codes'`

Refactoring to Typescript... 2 years ago			`import {`
			`createDatabase,`
			`createProblem,`
			`createSolution,`
			`getProblem,`
			`getProblems,`
			`getSolution,`
			`getSolutions,`
			`getUser,`
			`getUsers,`
Almost MVP 2 years ago			`getVisibleSolutions,`
Refactoring to Typescript... 2 years ago			`updateSolution,`
			`} from './db/database'`

Almost MVP 2 years ago			`import {`
			`Id,`
			`isAdministrator,`
			`isStudent,`
			`Opaque,`
			`Problem,`
			`ProblemId,`
			`Solution as SolutionModel,`
			`SolutionId,`
			`UserId,`
			`} from '../shared/model'`
Refactoring to Typescript... 2 years ago			`import { initialDatabaseValue } from './db/example-data'`

Almost MVP 2 years ago			`import { validateObjectKeys } from '../shared/utils'`

Refactoring to Typescript... 2 years ago			`export async function createApiRouter() {`
Almost MVP 2 years ago			`type SessionId = Opaque<string, string, 'session'>`
Refactoring to Typescript... 2 years ago
Almost MVP 2 years ago			`const sessionStore: Record<SessionId, UserId> = {}`
Refactoring to Typescript... 2 years ago			`const sessions = {`
			`createSession(userId: UserId) {`
Almost MVP 2 years ago			`const sid = crypto.randomBytes(10).toString('hex') as SessionId`
			`sessionStore[sid] = userId`
Refactoring to Typescript... 2 years ago			`return sid`
			`},`
			`getUserForSession(sid: SessionId) {`
Almost MVP 2 years ago			`return sessionStore[sid] ?? null`
Refactoring to Typescript... 2 years ago			`},`
			`}`

			`const db = createDatabase('./db.local.json', initialDatabaseValue)`

			`async function getRequestUser(req: Request) {`
			`const userId = sessions.getUserForSession(req.cookies.sid)`
			`if (!userId) {`
			`return null`
			`}`

			`console.log(userId)`

			`return await getUser(db, userId)`
			`}`

			`const r: Router = express.Router()`

			`r.use(bodyParser.json())`
			`r.use(cookieParser())`

			`r.use('/api/status', createStatusRouter())`
			`// r.use('/api/ping', new PingRouter())`

			`r.get('/api/current-user', async (req, res) => {`
			`res.json(await getRequestUser(req))`
			`})`

			`r.post('/api/login', async (req, res) => {`
			`const { id } = req.body`

			`const user = await getUser(db, id)`
			`if (!user) {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.FORBIDDEN)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

			`res.cookie('sid', sessions.createSession(id), { maxAge: 1000 * 60 * 60 * 24 * 7 })`
			`res.json({ status: 'ok' })`
			`})`

			`r.post('/api/logout', (req, res) => {`
			`res.cookie('sid', '', { expires: new Date() })`
			`res.json({ status: 'ok' })`
			`})`

			`r.get('/api/users', async (req, res) => {`
			`const requestUser = await getRequestUser(req)`
Almost MVP 2 years ago			`if (!requestUser \|\| !isAdministrator(requestUser.role)) {`
			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

			`const users = await getUsers(db)`
			`res.json(users)`
			`})`

			`r.get('/api/problems', async (req, res) => {`
			`type ProblemWithSolutionsCount = Problem & { solutionsCount?: number }`

			`const problems: ProblemWithSolutionsCount[] = await getProblems(db)`
			`const solutions = await getSolutions(db)`

			`const solutionCounts: Record<ProblemId, number> = {}`

			`for (const s of solutions) {`
			`solutionCounts[s.forProblem] \|\|= 0`
			`solutionCounts[s.forProblem]++`
			`}`

			`for (const p of problems) {`
			`p.solutionsCount = solutionCounts[p.id] \|\| 0`
			`}`

			`res.json(problems)`
			`})`

			`r.get('/api/problem/:id', async (req, res) => {`
			`res.json(await getProblem(db, req.params.id))`
			`})`

			`r.post('/api/problem', async (req, res) => {`
			`const user = await getRequestUser(req)`
			`if (!user) {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`
			`if (user.role !== 'admin' && user.role !== 'moderator') {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

			`const id = await createProblem(db, {`
			`content: req.body.content,`
			`createdBy: user.id,`
			`})`

			`res.json(id)`
			`})`

Almost MVP 2 years ago			`r.get('/api/solutions', async (req, res) => {`
			`let queryUser = (req.query.user ?? null) as UserId \| null`
			`let queryProblem = (req.query.problem ?? null) as ProblemId \| null`
Refactoring to Typescript... 2 years ago
Almost MVP 2 years ago			`const requestUser = await getRequestUser(req)`
Refactoring to Typescript... 2 years ago
Almost MVP 2 years ago			`let solutions = await getSolutions(db)`
			`// se l'utente non è loggato o se non è un amministratore allora mostra solo le soluzioni "visibili"`
			`if (!requestUser \|\| !isAdministrator(requestUser.role)) {`
			`solutions = solutions.filter(`
			`s => s.visible \|\| (requestUser && s.sentBy === requestUser.id)`
			`)`
			`}`
			`// filtra rispetto agli utenti`
			`if (queryUser !== null) {`
			`solutions = solutions.filter(s => s.sentBy === queryUser)`
			`}`
			`// filtra rispetto ai problemi`
			`if (queryProblem !== null) {`
			`solutions = solutions.filter(s => s.forProblem === queryProblem)`
Refactoring to Typescript... 2 years ago			`}`

Almost MVP 2 years ago			`res.json(solutions)`
Refactoring to Typescript... 2 years ago			`})`

Almost MVP 2 years ago			`r.get('/api/solution/:id', async (req, res) => {`
			`const user = await getRequestUser(req)`
Refactoring to Typescript... 2 years ago
Almost MVP 2 years ago			`const solution = await getSolution(db, req.params.id as SolutionId)`
			`// la soluzione deve esistere`
			`if (solution === null) {`
			`res.sendStatus(StatusCodes.NOT_FOUND)`
Refactoring to Typescript... 2 years ago			`return`
			`}`
Almost MVP 2 years ago			`// uno studente può vedere solo soluzioni visibili o proprie soluzione`
			`if (!solution.visible && user && isStudent(user.role) && solution.sentBy !== user.id) {`
			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
			`return`
Refactoring to Typescript... 2 years ago			`}`

Almost MVP 2 years ago			`res.json(solution)`
Refactoring to Typescript... 2 years ago			`})`

			`r.post('/api/solution', async (req, res) => {`
			`const user = await getRequestUser(req)`
			`if (!user) {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

			`await createSolution(db, {`
			`sentBy: user.id,`
Almost MVP 2 years ago			`forProblem: req.body.forProblem,`
Refactoring to Typescript... 2 years ago			`content: req.body.content,`
			`})`

			`res.send({ status: 'ok' })`
			`})`

Almost MVP 2 years ago			`r.patch('/api/solution/:id', async (req, res) => {`
			`const id = req.params.id as SolutionId`
Refactoring to Typescript... 2 years ago
Almost MVP 2 years ago			`const user = await getRequestUser(req)`
Refactoring to Typescript... 2 years ago			`// l'utente deve essere loggato`
			`if (!user) {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

Almost MVP 2 years ago			`const solution = await getSolution(db, id)`
			`// la soluzione deve esistere`
			`if (solution === null) {`
			`res.sendStatus(404)`
			`return`
			`}`
Refactoring to Typescript... 2 years ago			`// uno studente non può modificare una soluzione di un altro utente`
Almost MVP 2 years ago			`if (user.role === 'student' && solution.sentBy !== user.id) {`
			`res.status(StatusCodes.UNAUTHORIZED)`
			res.send(`a student can only modify its own solution`)
			`return`
			`}`
			`// uno studente può modificare solo il campo "content"`
			`if (`
			`user.role === 'student' &&`
			`!validateObjectKeys<keyof SolutionModel>(req.body, ['content'])`
			`) {`
			`res.status(StatusCodes.UNAUTHORIZED)`
			res.send(`a student can only modify the field "content"`)
			`return`
			`}`
			`// un moderatore può modificare solo i campi "content", "visible", "status"`
			`if (`
			`user.role === 'moderator' &&`
			`!validateObjectKeys<keyof SolutionModel>(req.body, ['content', 'status', 'visible'])`
			`) {`
			`res.status(StatusCodes.UNAUTHORIZED)`
			res.send(`a moderator can only modify the fields "content", "visible", "status"`)
Refactoring to Typescript... 2 years ago			`return`
			`}`

Almost MVP 2 years ago			`await updateSolution(db, id, req.body)`
Refactoring to Typescript... 2 years ago
			`res.json({ status: 'ok' })`
			`})`

			`r.get('/api/user/:id', async (req, res) => {`
			`const user = await getRequestUser(req)`

			`// intanto l'utente deve essere loggato`
			`if (!user) {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

			`// solo gli amministratori possono usare questa route`
			`if (!isAdministrator(user.role)) {`
Almost MVP 2 years ago			`res.sendStatus(StatusCodes.UNAUTHORIZED)`
Refactoring to Typescript... 2 years ago			`return`
			`}`

			`const requestedUser = await getUser(db, req.params.id)`

			`// l'utente richiesto magari deve esistere`
			`if (!requestedUser) {`
			`res.sendStatus(404)`
			`return`
			`}`

			`res.json(requestedUser)`
			`})`

			`return r`
			`}`