commit 6e056641a9a076ca10b20acba3613eeeacfb5443 · bretton.dev/coves

+106

internal/api/handlers/post/create.go

···

       1
       +
       package post

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"Coves/internal/api/middleware"

     

       5
       +
       	"Coves/internal/core/posts"

     

       6
       +
       	"encoding/json"

     

       7
       +
       	"log"

     

       8
       +
       	"net/http"

     

       9
       +
       	"strings"

     

       10
       +
       )

     

       11
       +
       

     

       12
       +
       // CreateHandler handles post creation requests

     

       13
       +
       type CreateHandler struct {

     

       14
       +
       	service posts.Service

     

       15
       +
       }

     

       16
       +
       

     

       17
       +
       // NewCreateHandler creates a new create handler

     

       18
       +
       func NewCreateHandler(service posts.Service) *CreateHandler {

     

       19
       +
       	return &CreateHandler{

     

       20
       +
       		service: service,

     

       21
       +
       	}

     

       22
       +
       }

     

       23
       +
       

     

       24
       +
       // HandleCreate handles POST /xrpc/social.coves.post.create

     

       25
       +
       // Creates a new post in a community's repository

     

       26
       +
       func (h *CreateHandler) HandleCreate(w http.ResponseWriter, r *http.Request) {

     

       27
       +
       	// 1. Check HTTP method

     

       28
       +
       	if r.Method != http.MethodPost {

     

       29
       +
       		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)

     

       30
       +
       		return

     

       31
       +
       	}

     

       32
       +
       

     

       33
       +
       	// 2. Limit request body size to prevent DoS attacks

     

       34
       +
       	// 1MB allows for large content + embeds while preventing abuse

     

       35
       +
       	r.Body = http.MaxBytesReader(w, r.Body, 1*1024*1024)

     

       36
       +
       

     

       37
       +
       	// 3. Parse request body

     

       38
       +
       	var req posts.CreatePostRequest

     

       39
       +
       	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {

     

       40
       +
       		// Check if error is due to body size limit

     

       41
       +
       		if err.Error() == "http: request body too large" {

     

       42
       +
       			writeError(w, http.StatusRequestEntityTooLarge, "RequestTooLarge",

     

       43
       +
       				"Request body too large (max 1MB)")

     

       44
       +
       			return

     

       45
       +
       		}

     

       46
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest", "Invalid request body")

     

       47
       +
       		return

     

       48
       +
       	}

     

       49
       +
       

     

       50
       +
       	// 4. Extract authenticated user DID from request context (injected by auth middleware)

     

       51
       +
       	userDID := middleware.GetUserDID(r)

     

       52
       +
       	if userDID == "" {

     

       53
       +
       		writeError(w, http.StatusUnauthorized, "AuthRequired", "Authentication required")

     

       54
       +
       		return

     

       55
       +
       	}

     

       56
       +
       

     

       57
       +
       	// 5. Validate required fields

     

       58
       +
       	if req.Community == "" {

     

       59
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest", "community is required")

     

       60
       +
       		return

     

       61
       +
       	}

     

       62
       +
       

     

       63
       +
       	// 5b. Basic format validation for better UX (fail fast on obviously invalid input)

     

       64
       +
       	// Valid formats accepted by resolver:

     

       65
       +
       	//   - DID: did:plc:xyz, did:web:example.com

     

       66
       +
       	//   - Scoped handle: !name@instance

     

       67
       +
       	//   - Canonical handle: name.community.instance

     

       68
       +
       	//   - @-prefixed handle: @name.community.instance

     

       69
       +
       	//

     

       70
       +
       	// We only reject obviously invalid formats here (no prefix, no dots, no @ for !)

     

       71
       +
       	// The service layer (ResolveCommunityIdentifier) does comprehensive validation

     

       72
       +
       

     

       73
       +
       	// Scoped handles must include @ symbol

     

       74
       +
       	if strings.HasPrefix(req.Community, "!") && !strings.Contains(req.Community, "@") {

     

       75
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest",

     

       76
       +
       			"scoped handle must include @ symbol (!name@instance)")

     

       77
       +
       		return

     

       78
       +
       	}

     

       79
       +
       

     

       80
       +
       	// 6. SECURITY: Reject client-provided authorDid

     

       81
       +
       	// This prevents users from impersonating other users

     

       82
       +
       	if req.AuthorDID != "" {

     

       83
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest",

     

       84
       +
       			"authorDid must not be provided - derived from authenticated user")

     

       85
       +
       		return

     

       86
       +
       	}

     

       87
       +
       

     

       88
       +
       	// 7. Set author from authenticated user context

     

       89
       +
       	req.AuthorDID = userDID

     

       90
       +
       

     

       91
       +
       	// 8. Call service to create post (write-forward to PDS)

     

       92
       +
       	// Note: Service layer will resolve community at-identifier (handle or DID) to DID

     

       93
       +
       	response, err := h.service.CreatePost(r.Context(), req)

     

       94
       +
       	if err != nil {

     

       95
       +
       		handleServiceError(w, err)

     

       96
       +
       		return

     

       97
       +
       	}

     

       98
       +
       

     

       99
       +
       	// 9. Return success response matching lexicon output

     

       100
       +
       	w.Header().Set("Content-Type", "application/json")

     

       101
       +
       	w.WriteHeader(http.StatusOK)

     

       102
       +
       	if err := json.NewEncoder(w).Encode(response); err != nil {

     

       103
       +
       		// Log encoding errors but don't return error response (headers already sent)

     

       104
       +
       		log.Printf("Failed to encode post creation response: %v", err)

     

       105
       +
       	}

     

       106
       +
       }

+57

internal/api/handlers/post/errors.go

···

       1
       +
       package post

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"Coves/internal/core/posts"

     

       5
       +
       	"encoding/json"

     

       6
       +
       	"log"

     

       7
       +
       	"net/http"

     

       8
       +
       )

     

       9
       +
       

     

       10
       +
       type errorResponse struct {

     

       11
       +
       	Error   string `json:"error"`

     

       12
       +
       	Message string `json:"message"`

     

       13
       +
       }

     

       14
       +
       

     

       15
       +
       // writeError writes a JSON error response

     

       16
       +
       func writeError(w http.ResponseWriter, statusCode int, errorType, message string) {

     

       17
       +
       	w.Header().Set("Content-Type", "application/json")

     

       18
       +
       	w.WriteHeader(statusCode)

     

       19
       +
       	if err := json.NewEncoder(w).Encode(errorResponse{

     

       20
       +
       		Error:   errorType,

     

       21
       +
       		Message: message,

     

       22
       +
       	}); err != nil {

     

       23
       +
       		log.Printf("Failed to encode error response: %v", err)

     

       24
       +
       	}

     

       25
       +
       }

     

       26
       +
       

     

       27
       +
       // handleServiceError maps service errors to HTTP responses

     

       28
       +
       func handleServiceError(w http.ResponseWriter, err error) {

     

       29
       +
       	switch {

     

       30
       +
       	case err == posts.ErrCommunityNotFound:

     

       31
       +
       		writeError(w, http.StatusNotFound, "CommunityNotFound",

     

       32
       +
       			"Community not found")

     

       33
       +
       

     

       34
       +
       	case err == posts.ErrNotAuthorized:

     

       35
       +
       		writeError(w, http.StatusForbidden, "NotAuthorized",

     

       36
       +
       			"You are not authorized to post in this community")

     

       37
       +
       

     

       38
       +
       	case err == posts.ErrBanned:

     

       39
       +
       		writeError(w, http.StatusForbidden, "Banned",

     

       40
       +
       			"You are banned from this community")

     

       41
       +
       

     

       42
       +
       	case posts.IsContentRuleViolation(err):

     

       43
       +
       		writeError(w, http.StatusBadRequest, "ContentRuleViolation", err.Error())

     

       44
       +
       

     

       45
       +
       	case posts.IsValidationError(err):

     

       46
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest", err.Error())

     

       47
       +
       

     

       48
       +
       	case posts.IsNotFound(err):

     

       49
       +
       		writeError(w, http.StatusNotFound, "NotFound", err.Error())

     

       50
       +
       

     

       51
       +
       	default:

     

       52
       +
       		// Don't leak internal error details to clients

     

       53
       +
       		log.Printf("Unexpected error in post handler: %v", err)

     

       54
       +
       		writeError(w, http.StatusInternalServerError, "InternalServerError",

     

       55
       +
       			"An internal error occurred")

     

       56
       +
       	}

     

       57
       +
       }

+26

internal/api/routes/post.go

···

       1
       +
       package routes

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"Coves/internal/api/handlers/post"

     

       5
       +
       	"Coves/internal/api/middleware"

     

       6
       +
       	"Coves/internal/core/posts"

     

       7
       +
       

     

       8
       +
       	"github.com/go-chi/chi/v5"

     

       9
       +
       )

     

       10
       +
       

     

       11
       +
       // RegisterPostRoutes registers post-related XRPC endpoints on the router

     

       12
       +
       // Implements social.coves.post.* lexicon endpoints

     

       13
       +
       func RegisterPostRoutes(r chi.Router, service posts.Service, authMiddleware *middleware.AtProtoAuthMiddleware) {

     

       14
       +
       	// Initialize handlers

     

       15
       +
       	createHandler := post.NewCreateHandler(service)

     

       16
       +
       

     

       17
       +
       	// Procedure endpoints (POST) - require authentication

     

       18
       +
       	// social.coves.post.create - create a new post in a community

     

       19
       +
       	r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.post.create", createHandler.HandleCreate)

     

       20
       +
       

     

       21
       +
       	// Future endpoints (Beta):

     

       22
       +
       	// r.Get("/xrpc/social.coves.post.get", getHandler.HandleGet)

     

       23
       +
       	// r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.post.update", updateHandler.HandleUpdate)

     

       24
       +
       	// r.With(authMiddleware.RequireAuth).Post("/xrpc/social.coves.post.delete", deleteHandler.HandleDelete)

     

       25
       +
       	// r.Get("/xrpc/social.coves.post.list", listHandler.HandleList)

     

       26
       +
       }