mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-17 11:42:40 -06:00
57d78dd1fa
Agencies can only be designated FULL-SCREEN playlists (no item with zone_id) - a full-screen agency upload can't safely target a zone, so the ambiguous case is excluded rather than solved. Checked at THREE points: - Designation (tokens.js create + PUT /:id/targets) -> 400: reject a zoned target. - Upload (agency.js item-add) -> 409: block if the playlist BECAME zoned after designation. MANDATORY because auto-publish has no draft net - a full-screen playlist designated to an auto-publish token, then zone-assigned, would otherwise auto-publish a full-screen upload into a zoned playlist. The upload check is the only thing that catches it. - Picker (settings.js): zoned playlists greyed/disabled with the reason (GET /playlists now returns a zoned flag); backend reject is the guard if the UI is bypassed. i18n x5. isZonedPlaylist = EXISTS(playlist_items WHERE zone_id IS NOT NULL). Pure restriction - no zone structure, no api_token_target_zones. Bite-test (the exact sequence) GREEN and re-proven to bite: full-screen -> designate to an auto-publish token -> zone-assign the playlist -> agency upload is BLOCKED (409), not auto-published; neutralizing the upload check makes it go red. 149 suite green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
133 lines
7.8 KiB
JavaScript
133 lines
7.8 KiB
JavaScript
'use strict';
|
|
|
|
// #73: agency portal endpoints. Mounted behind bearerAuth + resolveTenancy + agencyGate
|
|
// (AGENCY_ROUTERS in config/api-surface.js). agencyGate has ALREADY proven, at one seam:
|
|
// the caller is an 'agency' token, and for any :playlistId the playlist is in THIS token's
|
|
// allowlist AND its bound workspace. So these handlers only add within-workspace content
|
|
// checks; router/target/cross-workspace confinement is proven upstream.
|
|
|
|
const express = require('express');
|
|
const router = express.Router();
|
|
const { v4: uuidv4 } = require('uuid');
|
|
const { db } = require('../db/database');
|
|
const upload = require('../middleware/upload');
|
|
const { checkStorageLimit } = require('../middleware/subscription');
|
|
const { ingestUploadedFile } = require('../lib/content-ingest');
|
|
const { listDesignatedPlaylists, isZonedPlaylist } = require('../lib/agency-targets');
|
|
const { listLayoutGeometry } = require('../lib/agency-layouts');
|
|
const { publishPlaylist } = require('./playlists'); // #73: shared publish path for auto-publish
|
|
const { isConfigured } = require('../services/email'); // #73: gate digest enqueue on SMTP being set
|
|
|
|
const TIME_RE = /^([01]\d|2[0-3]):[0-5]\d$/;
|
|
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
|
|
|
|
// List the playlists THIS token may post to (so the portal can show them). No :playlistId,
|
|
// so router.param doesn't apply - the confinement is the query in lib/agency-targets.js
|
|
// (own token + bound workspace only). Bite-tested in test/agency-list.test.js.
|
|
router.get('/playlists', (req, res) => {
|
|
res.json(listDesignatedPlaylists(db, req.apiToken.id, req.jwtWorkspaceId));
|
|
});
|
|
|
|
// Layout GEOMETRY for ONE designated playlist (the per-playlist size-guidance card): canvas
|
|
// size + zone positions/sizes, with feeds_zone_ids = the zones this playlist actually feeds
|
|
// (so the agency sees where/what-size their content lands). Returns [] when the playlist has
|
|
// no layout -> the card shows the full-screen message. Placement itself stays the admin's job
|
|
// (device-side). Has :playlistId, so router.param confines it. DEVICE-FREE (lib/agency-layouts.js).
|
|
router.get('/playlists/:playlistId/layout', (req, res) => {
|
|
res.json(listLayoutGeometry(db, req.apiToken.id, req.jwtWorkspaceId, req.params.playlistId));
|
|
});
|
|
|
|
// #73 THE target seam. router.param fires for EVERY route with :playlistId, WITH the param,
|
|
// BEFORE the handler - so no targeted route can skip the allowlist + bound-workspace check
|
|
// (the api-surface.js can't-drift property, at the param level: you cannot add a :playlistId
|
|
// route without this triggering). One query enforces both the target allowlist and
|
|
// cross-workspace isolation. Neutralizing the `if (!ok)` return makes integration BITE 1 red.
|
|
router.param('playlistId', (req, res, next, playlistId) => {
|
|
const ok = db.prepare(`
|
|
SELECT 1 FROM api_token_targets t
|
|
JOIN playlists p ON p.id = t.playlist_id
|
|
WHERE t.token_id = ? AND t.playlist_id = ? AND p.workspace_id = ?
|
|
`).get(req.apiToken.id, playlistId, req.jwtWorkspaceId);
|
|
if (!ok) return res.status(403).json({ error: 'playlist not in this agency token\'s allowlist' });
|
|
next();
|
|
});
|
|
|
|
// Upload to the bound workspace via the SHARED ingest -> first-class content (identical
|
|
// thumbnail/dimensions/duration to a dashboard upload).
|
|
router.post('/content', checkStorageLimit, upload.single('file'), async (req, res) => {
|
|
try {
|
|
if (!req.file) return res.status(400).json({ error: 'No file uploaded' });
|
|
const content = await ingestUploadedFile({ file: req.file, userId: req.user.id, workspaceId: req.workspaceId });
|
|
res.status(201).json(content);
|
|
} catch (e) {
|
|
console.error('agency upload error:', e.message);
|
|
res.status(500).json({ error: 'Upload failed' });
|
|
}
|
|
});
|
|
|
|
// Add a date-bounded item to a DESIGNATED playlist (#74/#75 schedule block). The playlist
|
|
// is already gate-verified. Lands as DRAFT (markDraft) so the admin's re-publish is the
|
|
// approval gate for external-party content - same draft-on-change behavior as the dashboard.
|
|
router.post('/playlists/:playlistId/items', (req, res) => {
|
|
const { content_id } = req.body;
|
|
if (!content_id) return res.status(400).json({ error: 'content_id required' });
|
|
|
|
// #73 full-screen guardrail, upload-time (MANDATORY because auto-publish has no draft net):
|
|
// if the designated playlist has BECOME zoned since designation, block the add - a full-screen
|
|
// agency upload can't target a zone. 409 (not 401/403) so the portal shows the message, not its
|
|
// "key invalid" reset. This runs BEFORE the draft/publish branch, so auto-publish can't slip through.
|
|
if (isZonedPlaylist(db, req.params.playlistId)) {
|
|
return res.status(409).json({ error: "This playlist can't accept uploads right now — it's been assigned to a zone on a screen. Ask your contact." });
|
|
}
|
|
|
|
const content = db.prepare('SELECT id, workspace_id, duration_sec FROM content WHERE id = ?').get(content_id);
|
|
if (!content) return res.status(404).json({ error: 'Content not found' });
|
|
// cross-tenant guard: content must be in the token's bound workspace (or a template)
|
|
if (content.workspace_id && content.workspace_id !== req.workspaceId) {
|
|
return res.status(403).json({ error: 'Content is not in this workspace' });
|
|
}
|
|
|
|
let { duration_sec, days, start, end, start_date, end_date } = req.body;
|
|
if (duration_sec != null && (typeof duration_sec !== 'number' || duration_sec < 1)) {
|
|
return res.status(400).json({ error: 'duration_sec must be a positive integer' });
|
|
}
|
|
duration_sec = duration_sec || content.duration_sec || 10;
|
|
|
|
const sd = start_date ?? null, ed = end_date ?? null;
|
|
for (const [k, v] of [['start_date', sd], ['end_date', ed]]) {
|
|
if (v != null && !DATE_RE.test(v)) return res.status(400).json({ error: `${k} must be YYYY-MM-DD or null` });
|
|
}
|
|
const dys = (Array.isArray(days) && days.length) ? days : [0, 1, 2, 3, 4, 5, 6];
|
|
if (!dys.every(d => Number.isInteger(d) && d >= 0 && d <= 6)) return res.status(400).json({ error: 'days must be integers 0-6' });
|
|
const st = start ?? '00:00', en = end ?? '24:00';
|
|
if (!TIME_RE.test(st)) return res.status(400).json({ error: 'start must be HH:MM' });
|
|
if (!(TIME_RE.test(en) || en === '24:00')) return res.status(400).json({ error: 'end must be HH:MM or 24:00' });
|
|
|
|
const order = db.prepare('SELECT COALESCE(MAX(sort_order),0)+1 AS n FROM playlist_items WHERE playlist_id = ?').get(req.params.playlistId).n;
|
|
const itemId = db.prepare('INSERT INTO playlist_items (playlist_id, content_id, sort_order, duration_sec) VALUES (?, ?, ?, ?)')
|
|
.run(req.params.playlistId, content_id, order, duration_sec).lastInsertRowid;
|
|
db.prepare('INSERT INTO playlist_item_schedules (id, playlist_item_id, active_days, start_time, end_time, start_date, end_date, sort_order) VALUES (?,?,?,?,?,?,?,0)')
|
|
.run(uuidv4(), itemId, dys.join(','), st, en, sd, ed);
|
|
// #73: draft vs live is decided by the TOKEN's auto_publish (admin-set, read from
|
|
// req.apiToken - NEVER req.body, so the agency can't opt itself out of approval). Default
|
|
// 0 -> draft for admin re-publish. 1 -> the SHARED publishPlaylist path (snapshot + push).
|
|
let published = false;
|
|
if (req.apiToken.auto_publish) {
|
|
publishPlaylist(req.params.playlistId, req);
|
|
published = true;
|
|
} else {
|
|
db.prepare("UPDATE playlists SET status = 'draft', updated_at = strftime('%s','now') WHERE id = ?").run(req.params.playlistId);
|
|
}
|
|
|
|
// #73: enqueue a digest notification ONLY when email is configured, so the queue can't
|
|
// balloon on installs without SMTP. action reflects what actually happened (draft vs live).
|
|
if (isConfigured()) {
|
|
db.prepare('INSERT INTO agency_notifications (workspace_id, token_id, playlist_id, action, content_id) VALUES (?,?,?,?,?)')
|
|
.run(req.workspaceId, req.apiToken.id, req.params.playlistId, published ? 'published' : 'draft', content_id);
|
|
}
|
|
|
|
res.status(201).json({ id: itemId, playlist_id: req.params.playlistId, content_id, duration_sec, start_date: sd, end_date: ed, published });
|
|
});
|
|
|
|
module.exports = router;
|