pronounss/backend/routes/member/create_member.go

package member

import (
	"fmt"
	"net/http"
	"strings"

	"codeberg.org/u1f320/pronouns.cc/backend/common"
	"codeberg.org/u1f320/pronouns.cc/backend/db"
	"codeberg.org/u1f320/pronouns.cc/backend/log"
	"codeberg.org/u1f320/pronouns.cc/backend/server"
	"emperror.dev/errors"
	"github.com/go-chi/render"
)

type CreateMemberRequest struct {
	Name        string            `json:"name"`
	DisplayName *string           `json:"display_name"`
	Bio         string            `json:"bio"`
	Avatar      string            `json:"avatar"`
	Links       []string          `json:"links"`
	Names       []db.FieldEntry   `json:"names"`
	Pronouns    []db.PronounEntry `json:"pronouns"`
	Fields      []db.Field        `json:"fields"`
}

func (s *Server) createMember(w http.ResponseWriter, r *http.Request) (err error) {
	ctx := r.Context()
	claims, _ := server.ClaimsFromContext(ctx)

	if !claims.TokenWrite {
		return server.APIError{Code: server.ErrMissingPermissions, Details: "This token is read-only"}
	}

	u, err := s.DB.User(ctx, claims.UserID)
	if err != nil {
		return errors.Wrap(err, "getting user")
	}

	memberCount, err := s.DB.MemberCount(ctx, claims.UserID)
	if err != nil {
		return errors.Wrap(err, "getting member count")
	}
	if memberCount > db.MaxMemberCount {
		return server.APIError{
			Code: server.ErrMemberLimitReached,
		}
	}

	var cmr CreateMemberRequest
	err = render.Decode(r, &cmr)
	if err != nil {
		if _, ok := err.(server.APIError); ok {
			return err
		}

		return server.APIError{Code: server.ErrBadRequest}
	}

	// remove whitespace from all fields
	cmr.Name = strings.TrimSpace(cmr.Name)
	cmr.Bio = strings.TrimSpace(cmr.Bio)
	if cmr.DisplayName != nil {
		*cmr.DisplayName = strings.TrimSpace(*cmr.DisplayName)
	}

	// validate everything
	if cmr.Name == "" {
		return server.APIError{
			Code:    server.ErrBadRequest,
			Details: "Name may not be empty",
		}
	} else if len(cmr.Name) > 100 {
		return server.APIError{
			Code:    server.ErrBadRequest,
			Details: "Name may not be longer than 100 characters",
		}
	}

	if !db.MemberNameValid(cmr.Name) {
		return server.APIError{
			Code:    server.ErrBadRequest,
			Details: "Member name cannot contain any of the following: @, ?, !, #, /, \\, [, ], \", ', $, %, &, (, ), {, }, +, <, =, >, ^, |, ~, `, , and cannot be one or two periods.",
		}
	}

	if common.StringLength(&cmr.Name) > db.MaxMemberNameLength {
		return server.APIError{
			Code:    server.ErrBadRequest,
			Details: fmt.Sprintf("Name name too long (max %d, current %d)", db.MaxMemberNameLength, common.StringLength(&cmr.Name)),
		}
	}
	if common.StringLength(cmr.DisplayName) > db.MaxDisplayNameLength {
		return server.APIError{
			Code:    server.ErrBadRequest,
			Details: fmt.Sprintf("Display name too long (max %d, current %d)", db.MaxDisplayNameLength, common.StringLength(cmr.DisplayName)),
		}
	}
	if common.StringLength(&cmr.Bio) > db.MaxUserBioLength {
		return server.APIError{
			Code:    server.ErrBadRequest,
			Details: fmt.Sprintf("Bio too long (max %d, current %d)", db.MaxUserBioLength, common.StringLength(&cmr.Bio)),
		}
	}

	if err := validateSlicePtr("name", &cmr.Names, u.CustomPreferences); err != nil {
		return *err
	}

	if err := validateSlicePtr("pronoun", &cmr.Pronouns, u.CustomPreferences); err != nil {
		return *err
	}

	if err := validateSlicePtr("field", &cmr.Fields, u.CustomPreferences); err != nil {
		return *err
	}

	tx, err := s.DB.Begin(ctx)
	if err != nil {
		return errors.Wrap(err, "starting transaction")
	}
	defer tx.Rollback(ctx)

	m, err := s.DB.CreateMember(ctx, tx, claims.UserID, cmr.Name, cmr.DisplayName, cmr.Bio, cmr.Links)
	if err != nil {
		if errors.Cause(err) == db.ErrMemberNameInUse {
			return server.APIError{Code: server.ErrMemberNameInUse}
		}

		return err
	}

	// set names, pronouns, fields
	err = s.DB.SetMemberNamesPronouns(ctx, tx, m.ID, db.NotNull(cmr.Names), db.NotNull(cmr.Pronouns))
	if err != nil {
		log.Errorf("setting names and pronouns for member %v: %v", m.ID, err)
		return err
	}
	m.Names = cmr.Names
	m.Pronouns = cmr.Pronouns

	err = s.DB.SetMemberFields(ctx, tx, m.ID, cmr.Fields)
	if err != nil {
		log.Errorf("setting fields for member %v: %v", m.ID, err)
		return err
	}

	if cmr.Avatar != "" {
		webp, jpg, err := s.DB.ConvertAvatar(cmr.Avatar)
		if err != nil {
			if err == db.ErrInvalidDataURI {
				return server.APIError{
					Code:    server.ErrBadRequest,
					Details: "invalid avatar data URI",
				}
			} else if err == db.ErrInvalidContentType {
				return server.APIError{
					Code:    server.ErrBadRequest,
					Details: "invalid avatar content type",
				}
			}

			log.Errorf("converting member avatar: %v", err)
			return err
		}

		hash, err := s.DB.WriteMemberAvatar(ctx, m.ID, webp, jpg)
		if err != nil {
			log.Errorf("uploading member avatar: %v", err)
			return err
		}

		err = tx.QueryRow(ctx, "UPDATE members SET avatar = $1 WHERE id = $2", hash, m.ID).Scan(&m.Avatar)
		if err != nil {
			return errors.Wrap(err, "setting avatar urls in db")
		}
	}

	// update last active time
	err = s.DB.UpdateActiveTime(ctx, tx, claims.UserID)
	if err != nil {
		log.Errorf("updating last active time for user %v: %v", claims.UserID, err)
		return err
	}

	err = tx.Commit(ctx)
	if err != nil {
		return errors.Wrap(err, "committing transaction")
	}

	render.JSON(w, r, dbMemberToMember(u, m, cmr.Fields, nil, true))
	return nil
}

type validator interface {
	Validate(custom db.CustomPreferences) string
}

// validateSlicePtr validates a slice of validators.
// If the slice is nil, a nil error is returned (assuming that the field is not required)
func validateSlicePtr[T validator](typ string, slice *[]T, custom db.CustomPreferences) *server.APIError {
	if slice == nil {
		return nil
	}

	max := db.MaxFields
	if typ != "field" {
		max = db.FieldEntriesLimit
	}

	// max 25 fields
	if len(*slice) > max {
		return &server.APIError{
			Code:    server.ErrBadRequest,
			Details: fmt.Sprintf("Too many %ss (max %d, current %d)", typ, max, len(*slice)),
		}
	}

	// validate all fields
	for i, pronouns := range *slice {
		if s := pronouns.Validate(custom); s != "" {
			return &server.APIError{
				Code:    server.ErrBadRequest,
				Details: fmt.Sprintf("%s %d: %s", typ, i+1, s),
			}
		}
	}

	return nil
}
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00			`package member`

			`import (`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`"fmt"`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00			`"net/http"`
fix: validate member name contents 2023-03-18 23:00:44 +01:00			`"strings"`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00
feat: count characters consistently 2023-04-02 22:50:22 +02:00			`"codeberg.org/u1f320/pronouns.cc/backend/common"`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00			`"codeberg.org/u1f320/pronouns.cc/backend/db"`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`"codeberg.org/u1f320/pronouns.cc/backend/log"`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00			`"codeberg.org/u1f320/pronouns.cc/backend/server"`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`"emperror.dev/errors"`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00			`"github.com/go-chi/render"`
			`)`

			`type CreateMemberRequest struct {`
feat: read/write improved names/pronouns for users, read/write improved fields/names/pronouns for members 2023-01-31 00:50:17 +01:00			Name string `json:"name"`
			DisplayName *string `json:"display_name"`
			Bio string `json:"bio"`
			Avatar string `json:"avatar"`
			Links []string `json:"links"`
			Names []db.FieldEntry `json:"names"`
			Pronouns []db.PronounEntry `json:"pronouns"`
			Fields []db.Field `json:"fields"`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00			`}`

			`func (s Server) createMember(w http.ResponseWriter, r http.Request) (err error) {`
			`ctx := r.Context()`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`claims, _ := server.ClaimsFromContext(ctx)`

feat: restrict certain endpoints from API tokens and/or read-only tokens 2023-03-30 16:58:35 +02:00			`if !claims.TokenWrite {`
			`return server.APIError{Code: server.ErrMissingPermissions, Details: "This token is read-only"}`
			`}`

feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`u, err := s.DB.User(ctx, claims.UserID)`
			`if err != nil {`
			`return errors.Wrap(err, "getting user")`
			`}`

			`memberCount, err := s.DB.MemberCount(ctx, claims.UserID)`
			`if err != nil {`
			`return errors.Wrap(err, "getting member count")`
			`}`
			`if memberCount > db.MaxMemberCount {`
			`return server.APIError{`
			`Code: server.ErrMemberLimitReached,`
			`}`
			`}`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00
			`var cmr CreateMemberRequest`
			`err = render.Decode(r, &cmr)`
			`if err != nil {`
			`if _, ok := err.(server.APIError); ok {`
			`return err`
			`}`

			`return server.APIError{Code: server.ErrBadRequest}`
			`}`

fix: validate member name contents 2023-03-18 23:00:44 +01:00			`// remove whitespace from all fields`
			`cmr.Name = strings.TrimSpace(cmr.Name)`
			`cmr.Bio = strings.TrimSpace(cmr.Bio)`
			`if cmr.DisplayName != nil {`
			`cmr.DisplayName = strings.TrimSpace(cmr.DisplayName)`
			`}`

feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`// validate everything`
			`if cmr.Name == "" {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
feat(api): add display_name to member 2022-11-20 21:09:29 +01:00			`Details: "Name may not be empty",`
			`}`
			`} else if len(cmr.Name) > 100 {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: "Name may not be longer than 100 characters",`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`}`
			`}`

fix: validate member name contents 2023-03-18 23:00:44 +01:00			`if !db.MemberNameValid(cmr.Name) {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
fix(backend): mention disallowed names in error messages 2023-05-12 01:39:02 +02:00			Details: "Member name cannot contain any of the following: @, ?, !, #, /, \\, [, ], \", ', $, %, &, (, ), {, }, +, <, =, >, ^, \|, ~, `, , and cannot be one or two periods.",
fix: validate member name contents 2023-03-18 23:00:44 +01:00			`}`
			`}`

feat: count characters consistently 2023-04-02 22:50:22 +02:00			`if common.StringLength(&cmr.Name) > db.MaxMemberNameLength {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: fmt.Sprintf("Name name too long (max %d, current %d)", db.MaxMemberNameLength, common.StringLength(&cmr.Name)),`
			`}`
			`}`
			`if common.StringLength(cmr.DisplayName) > db.MaxDisplayNameLength {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: fmt.Sprintf("Display name too long (max %d, current %d)", db.MaxDisplayNameLength, common.StringLength(cmr.DisplayName)),`
			`}`
			`}`
			`if common.StringLength(&cmr.Bio) > db.MaxUserBioLength {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: fmt.Sprintf("Bio too long (max %d, current %d)", db.MaxUserBioLength, common.StringLength(&cmr.Bio)),`
			`}`
			`}`

feat(backend): add custom preferences 2023-04-19 12:00:21 +02:00			`if err := validateSlicePtr("name", &cmr.Names, u.CustomPreferences); err != nil {`
fix(backend): return 400 error on bad request, not 500 2023-03-14 01:30:46 +01:00			`return *err`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`}`

feat(backend): add custom preferences 2023-04-19 12:00:21 +02:00			`if err := validateSlicePtr("pronoun", &cmr.Pronouns, u.CustomPreferences); err != nil {`
fix(backend): return 400 error on bad request, not 500 2023-03-14 01:30:46 +01:00			`return *err`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`}`

feat(backend): add custom preferences 2023-04-19 12:00:21 +02:00			`if err := validateSlicePtr("field", &cmr.Fields, u.CustomPreferences); err != nil {`
fix(backend): return 400 error on bad request, not 500 2023-03-14 01:30:46 +01:00			`return *err`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`}`

			`tx, err := s.DB.Begin(ctx)`
			`if err != nil {`
			`return errors.Wrap(err, "starting transaction")`
			`}`
			`defer tx.Rollback(ctx)`

feat(api): add display_name to member 2022-11-20 21:09:29 +01:00			`m, err := s.DB.CreateMember(ctx, tx, claims.UserID, cmr.Name, cmr.DisplayName, cmr.Bio, cmr.Links)`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`if err != nil {`
feat(api): add display_name to member 2022-11-20 21:09:29 +01:00			`if errors.Cause(err) == db.ErrMemberNameInUse {`
			`return server.APIError{Code: server.ErrMemberNameInUse}`
			`}`

feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`return err`
			`}`

			`// set names, pronouns, fields`
fix: fix internal server error in POST /members 2023-04-08 01:25:27 +02:00			`err = s.DB.SetMemberNamesPronouns(ctx, tx, m.ID, db.NotNull(cmr.Names), db.NotNull(cmr.Pronouns))`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`if err != nil {`
feat: read/write improved names/pronouns for users, read/write improved fields/names/pronouns for members 2023-01-31 00:50:17 +01:00			`log.Errorf("setting names and pronouns for member %v: %v", m.ID, err)`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`return err`
			`}`
feat: read/write improved names/pronouns for users, read/write improved fields/names/pronouns for members 2023-01-31 00:50:17 +01:00			`m.Names = cmr.Names`
			`m.Pronouns = cmr.Pronouns`

feat(api): add display_name to member 2022-11-20 21:09:29 +01:00			`err = s.DB.SetMemberFields(ctx, tx, m.ID, cmr.Fields)`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`if err != nil {`
feat(api): add display_name to member 2022-11-20 21:09:29 +01:00			`log.Errorf("setting fields for member %v: %v", m.ID, err)`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`return err`
			`}`

			`if cmr.Avatar != "" {`
			`webp, jpg, err := s.DB.ConvertAvatar(cmr.Avatar)`
			`if err != nil {`
			`if err == db.ErrInvalidDataURI {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: "invalid avatar data URI",`
			`}`
			`} else if err == db.ErrInvalidContentType {`
			`return server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: "invalid avatar content type",`
			`}`
			`}`

			`log.Errorf("converting member avatar: %v", err)`
			`return err`
			`}`

feat: hashes in avatar file names (closes #19) 2023-03-13 02:04:09 +01:00			`hash, err := s.DB.WriteMemberAvatar(ctx, m.ID, webp, jpg)`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`if err != nil {`
			`log.Errorf("uploading member avatar: %v", err)`
			`return err`
			`}`

feat: hashes in avatar file names (closes #19) 2023-03-13 02:04:09 +01:00			`err = tx.QueryRow(ctx, "UPDATE members SET avatar = $1 WHERE id = $2", hash, m.ID).Scan(&m.Avatar)`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`if err != nil {`
			`return errors.Wrap(err, "setting avatar urls in db")`
			`}`
			`}`

feat: add last active time per user 2023-05-02 02:54:08 +02:00			`// update last active time`
			`err = s.DB.UpdateActiveTime(ctx, tx, claims.UserID)`
			`if err != nil {`
			`log.Errorf("updating last active time for user %v: %v", claims.UserID, err)`
			`return err`
			`}`

feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`err = tx.Commit(ctx)`
			`if err != nil {`
			`return errors.Wrap(err, "committing transaction")`
			`}`

feat: add flags to PATCH /users/@me 2023-05-25 13:40:15 +02:00			`render.JSON(w, r, dbMemberToMember(u, m, cmr.Fields, nil, true))`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`return nil`
			`}`

			`type validator interface {`
feat(backend): add custom preferences 2023-04-19 12:00:21 +02:00			`Validate(custom db.CustomPreferences) string`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`}`

			`// validateSlicePtr validates a slice of validators.`
			`// If the slice is nil, a nil error is returned (assuming that the field is not required)`
feat(backend): add custom preferences 2023-04-19 12:00:21 +02:00			`func validateSlicePtr[T validator](typ string, slice []T, custom db.CustomPreferences) server.APIError {`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`if slice == nil {`
			`return nil`
			`}`

			`max := db.MaxFields`
			`if typ != "field" {`
			`max = db.FieldEntriesLimit`
			`}`

			`// max 25 fields`
			`if len(*slice) > max {`
			`return &server.APIError{`
			`Code: server.ErrBadRequest,`
			`Details: fmt.Sprintf("Too many %ss (max %d, current %d)", typ, max, len(*slice)),`
			`}`
			`}`

			`// validate all fields`
			`for i, pronouns := range *slice {`
feat(backend): add custom preferences 2023-04-19 12:00:21 +02:00			`if s := pronouns.Validate(custom); s != "" {`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`return &server.APIError{`
			`Code: server.ErrBadRequest,`
fix(backend): return 400 error on bad request, not 500 2023-03-14 01:30:46 +01:00			`Details: fmt.Sprintf("%s %d: %s", typ, i+1, s),`
feat(api): add POST /members 2022-10-03 10:59:30 +02:00			`}`
			`}`
			`}`
feat(backend): some member routes, half-broken avatar uploading 2022-09-20 12:55:00 +02:00
			`return nil`
			`}`