commit 95197f42c2adc9b537c969e236b2c72e18006aad · bretton.dev/coves

+19 -9

internal/api/handlers/community/create.go

···

       1
       1
        
       package community

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"Coves/internal/api/middleware"

     

       4
       5
        
       	"Coves/internal/core/communities"

     

       5
       6
        
       	"encoding/json"

     

       6
       7
        
       	"net/http"

     
···

       34
       35
        
       		return

     

       35
       36
        
       	}

     

       36
       37
        
       

     

       37
       37
       -
       	// TODO(Communities-OAuth): Extract authenticated user DID from request context

     

       38
       38
       -
       	// This MUST be replaced with OAuth middleware before production deployment

     

       39
       39
       -
       	// Expected implementation:

     

       40
       40
       -
       	//   userDID := r.Context().Value("authenticated_user_did").(string)

     

       41
       41
       -
       	//   req.CreatedByDID = userDID

     

       42
       42
       -
       	// For now, we require client to send it (INSECURE - allows impersonation)

     

       43
       43
       -
       	if req.CreatedByDID == "" {

     

       38
       38
       +
       	// Extract authenticated user DID from request context (injected by auth middleware)

     

       39
       39
       +
       	userDID := middleware.GetUserDID(r)

     

       40
       40
       +
       	if userDID == "" {

     

       44
       41
        
       		writeError(w, http.StatusUnauthorized, "AuthRequired", "Authentication required")

     

       45
       42
        
       		return

     

       46
       43
        
       	}

     

       47
       44
        
       

     

       48
       48
       -
       	if req.HostedByDID == "" {

     

       49
       49
       -
       		writeError(w, http.StatusBadRequest, "InvalidRequest", "hostedByDid is required")

     

       45
       45
       +
       	// Client should not send createdByDid - we derive it from authenticated user

     

       46
       46
       +
       	if req.CreatedByDID != "" {

     

       47
       47
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest",

     

       48
       48
       +
       			"createdByDid must not be provided - derived from authenticated user")

     

       49
       49
       +
       		return

     

       50
       50
       +
       	}

     

       51
       51
       +
       

     

       52
       52
       +
       	// Client should not send hostedByDid - we derive it from the instance

     

       53
       53
       +
       	if req.HostedByDID != "" {

     

       54
       54
       +
       		writeError(w, http.StatusBadRequest, "InvalidRequest",

     

       55
       55
       +
       			"hostedByDid must not be provided - derived from instance")

     

       50
       56
        
       		return

     

       51
       57
        
       	}

     

       58
       58
       +
       

     

       59
       59
       +
       	// Set the authenticated user as the creator

     

       60
       60
       +
       	req.CreatedByDID = userDID

     

       61
       61
       +
       	// Note: hostedByDID will be set by the service layer based on instance configuration

     

       52
       62
        
       

     

       53
       63
        
       	// Create community via service (write-forward to PDS)

     

       54
       64
        
       	community, err := h.service.CreateCommunity(r.Context(), req)

+7 -7

internal/api/handlers/community/update.go

···

       1
       1
        
       package community

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"Coves/internal/api/middleware"

     

       4
       5
        
       	"Coves/internal/core/communities"

     

       5
       6
        
       	"encoding/json"

     

       6
       7
        
       	"net/http"

     
···

       40
       41
        
       		return

     

       41
       42
        
       	}

     

       42
       43
        
       

     

       43
       43
       -
       	// TODO(Communities-OAuth): Extract authenticated user DID from request context

     

       44
       44
       -
       	// This MUST be replaced with OAuth middleware before production deployment

     

       45
       45
       -
       	// Expected implementation:

     

       46
       46
       -
       	//   userDID := r.Context().Value("authenticated_user_did").(string)

     

       47
       47
       -
       	//   req.UpdatedByDID = userDID

     

       48
       48
       -
       	// For now, we require client to send it (INSECURE - allows impersonation)

     

       49
       49
       -
       	if req.UpdatedByDID == "" {

     

       44
       44
       +
       	// Extract authenticated user DID from request context (injected by auth middleware)

     

       45
       45
       +
       	userDID := middleware.GetUserDID(r)

     

       46
       46
       +
       	if userDID == "" {

     

       50
       47
        
       		writeError(w, http.StatusUnauthorized, "AuthRequired", "Authentication required")

     

       51
       48
        
       		return

     

       52
       49
        
       	}

     

       50
       50
       +
       

     

       51
       51
       +
       	// Set the authenticated user as the updater

     

       52
       52
       +
       	req.UpdatedByDID = userDID

     

       53
       53
        
       

     

       54
       54
        
       	// Update community via service (write-forward to PDS)

     

       55
       55
        
       	community, err := h.service.UpdateCommunity(r.Context(), req)