@goscribe/server 1.1.7 → 1.2.0

package/src/lib/retry.ts

@@ -0,0 +1,61 @@
+import { logger } from './logger.js';
+
+export interface RetryOptions {
+  /** Maximum number of attempts (default: 3) */
+  maxRetries?: number;
+  /** Base delay in ms for exponential backoff (default: 2000) */
+  baseDelayMs?: number;
+  /** Timeout per attempt in ms (default: 300000 = 5 minutes) */
+  timeoutMs?: number;
+  /** Label for logging (optional) */
+  label?: string;
+}
+
+/**
+ * Wraps an async function with retry logic and exponential backoff.
+ * Throws the last error if all attempts fail.
+ */
+export async function withRetry<T>(
+  fn: () => Promise<T>,
+  options: RetryOptions = {}
+): Promise<T> {
+  const {
+    maxRetries = 3,
+    baseDelayMs = 2000,
+    timeoutMs = 300000,
+    label = 'operation',
+  } = options;
+
+  let lastError: Error | null = null;
+
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    try {
+      logger.info(`[retry] ${label} attempt ${attempt}/${maxRetries}`);
+
+      // Create an AbortController for per-attempt timeout
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+
+      try {
+        const result = await fn();
+        clearTimeout(timeoutId);
+        return result;
+      } catch (error) {
+        clearTimeout(timeoutId);
+        throw error;
+      }
+    } catch (error) {
+      lastError = error instanceof Error ? error : new Error(String(error));
+      logger.error(`[retry] ${label} attempt ${attempt} failed: ${lastError.message}`);
+
+      if (attempt < maxRetries) {
+        const delay = Math.pow(2, attempt) * baseDelayMs;
+        logger.info(`[retry] ${label} retrying in ${delay}ms...`);
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+  }
+
+  logger.error(`[retry] ${label} all ${maxRetries} attempts failed`);
+  throw lastError!;
+}

package/src/lib/storage.ts

@@ -88,13 +88,13 @@ export async function makeFilePublic(objectKey: string): Promise<void> {
   // In Supabase, files are public by default when uploaded to public buckets
   // For private buckets, you would need to update the bucket policy
   // This function is kept for compatibility but may not be needed
-  console.log(`File ${objectKey} is already public in Supabase Storage`);
+  // File is already public in Supabase Storage
 }
 
 export async function makeFilePrivate(objectKey: string): Promise<void> {
   // In Supabase, you would need to update the bucket policy to make files private
   // This function is kept for compatibility but may not be needed
-  console.log(`File ${objectKey} privacy is controlled by bucket policy in Supabase Storage`);
+  // File privacy is controlled by bucket policy in Supabase Storage
 }
 
 // Export supabase client for direct access if needed

package/src/lib/workspace-access.ts

@@ -0,0 +1,13 @@
+/**
+ * Prisma `where` filter for workspace access checks.
+ * Allows access if the user is the owner OR a member of the workspace.
+ * Use this instead of `{ ownerId: userId }` to support collaborative workspaces.
+ */
+export function workspaceAccessFilter(userId: string) {
+  return {
+    OR: [
+      { ownerId: userId },
+      { members: { some: { userId } } },
+    ],
+  };
+}

package/src/routers/_app.ts

@@ -8,6 +8,7 @@ import { studyguide } from './studyguide.js';
 import { podcast } from './podcast.js';
 import { chat } from './chat.js';
 import { members } from './members.js';
+import { annotations } from './annotations.js';
 
 export const appRouter = router({
   auth,
@@ -17,6 +18,7 @@ export const appRouter = router({
   studyguide,
   podcast,
   chat,
+  annotations,
   // Public member endpoints (for invitation acceptance)
   member: router({
     acceptInvite: members.acceptInvite,

package/src/routers/annotations.ts

@@ -0,0 +1,186 @@
+import { z } from 'zod';
+import { TRPCError } from '@trpc/server';
+import { router, authedProcedure } from '../trpc.js';
+
+export const annotations = router({
+  // List all highlights (with nested comments) for an artifact version
+  listHighlights: authedProcedure
+    .input(
+      z.object({
+        artifactVersionId: z.string(),
+      })
+    )
+    .query(async ({ ctx, input }) => {
+      const highlights = await ctx.db.studyGuideHighlight.findMany({
+        where: { artifactVersionId: input.artifactVersionId },
+        include: {
+          comments: {
+            include: {
+              user: { select: { id: true, name: true, profilePicture: true } },
+            },
+            orderBy: { createdAt: 'asc' },
+          },
+          user: { select: { id: true, name: true, profilePicture: true } },
+        },
+        orderBy: { startOffset: 'asc' },
+      });
+
+      return highlights;
+    }),
+
+  // Create a new highlight
+  createHighlight: authedProcedure
+    .input(
+      z.object({
+        artifactVersionId: z.string(),
+        startOffset: z.number().int().min(0),
+        endOffset: z.number().int().min(0),
+        selectedText: z.string().min(1),
+        color: z.string().optional(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      // Verify the artifact version exists
+      const version = await ctx.db.artifactVersion.findUnique({
+        where: { id: input.artifactVersionId },
+      });
+
+      if (!version) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Artifact version not found' });
+      }
+
+      const highlight = await ctx.db.studyGuideHighlight.create({
+        data: {
+          artifactVersionId: input.artifactVersionId,
+          userId: ctx.session.user.id,
+          startOffset: input.startOffset,
+          endOffset: input.endOffset,
+          selectedText: input.selectedText,
+          ...(input.color && { color: input.color }),
+        },
+        include: {
+          comments: true,
+          user: { select: { id: true, name: true, profilePicture: true } },
+        },
+      });
+
+      return highlight;
+    }),
+
+  // Delete a highlight (and its comments via cascade)
+  deleteHighlight: authedProcedure
+    .input(
+      z.object({
+        highlightId: z.string(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const highlight = await ctx.db.studyGuideHighlight.findUnique({
+        where: { id: input.highlightId },
+      });
+
+      if (!highlight) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Highlight not found' });
+      }
+
+      if (highlight.userId !== ctx.session.user.id) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'You can only delete your own highlights' });
+      }
+
+      await ctx.db.studyGuideHighlight.delete({
+        where: { id: input.highlightId },
+      });
+
+      return { success: true };
+    }),
+
+  // Add a comment to a highlight
+  addComment: authedProcedure
+    .input(
+      z.object({
+        highlightId: z.string(),
+        content: z.string().min(1),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const highlight = await ctx.db.studyGuideHighlight.findUnique({
+        where: { id: input.highlightId },
+      });
+
+      if (!highlight) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Highlight not found' });
+      }
+
+      const comment = await ctx.db.studyGuideComment.create({
+        data: {
+          highlightId: input.highlightId,
+          userId: ctx.session.user.id,
+          content: input.content,
+        },
+        include: {
+          user: { select: { id: true, name: true, profilePicture: true } },
+        },
+      });
+
+      return comment;
+    }),
+
+  // Update a comment
+  updateComment: authedProcedure
+    .input(
+      z.object({
+        commentId: z.string(),
+        content: z.string().min(1),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const comment = await ctx.db.studyGuideComment.findUnique({
+        where: { id: input.commentId },
+      });
+
+      if (!comment) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Comment not found' });
+      }
+
+      if (comment.userId !== ctx.session.user.id) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'You can only edit your own comments' });
+      }
+
+      const updated = await ctx.db.studyGuideComment.update({
+        where: { id: input.commentId },
+        data: { content: input.content },
+        include: {
+          user: { select: { id: true, name: true, profilePicture: true } },
+        },
+      });
+
+      return updated;
+    }),
+
+  // Delete a comment
+  deleteComment: authedProcedure
+    .input(
+      z.object({
+        commentId: z.string(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const comment = await ctx.db.studyGuideComment.findUnique({
+        where: { id: input.commentId },
+      });
+
+      if (!comment) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Comment not found' });
+      }
+
+      if (comment.userId !== ctx.session.user.id) {
+        throw new TRPCError({ code: 'FORBIDDEN', message: 'You can only delete your own comments' });
+      }
+
+      await ctx.db.studyGuideComment.delete({
+        where: { id: input.commentId },
+      });
+
+      return { success: true };
+    }),
+});

package/src/routers/auth.ts

@@ -4,13 +4,14 @@ import bcrypt from 'bcryptjs';
 import { serialize } from 'cookie';
 import crypto from 'node:crypto';
 import { TRPCError } from '@trpc/server';
-import { supabaseClient } from 'src/lib/storage.js';
+import { supabaseClient } from '../lib/storage.js';
+import { sendVerificationEmail } from '../lib/email.js';
 
 // Helper to create custom auth token
 function createCustomAuthToken(userId: string): string {
   const secret = process.env.AUTH_SECRET;
   if (!secret) {
-    throw new Error("AUTH_SECRET is not set");
+    throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: "AUTH_SECRET is not set" });
   }
   
   const base64UserId = Buffer.from(userId, 'utf8').toString('base64url');
@@ -80,7 +81,7 @@ export const auth = router({
         where: { email: input.email },
       });
       if (existing) {
-        throw new Error("Email already registered");
+        throw new TRPCError({ code: 'CONFLICT', message: "Email already registered" });
       }
 
       const hash = await bcrypt.hash(input.password, 10);
@@ -90,12 +91,99 @@ export const auth = router({
           name: input.name,
           email: input.email,
           passwordHash: hash,
-          emailVerified: new Date(), // skip verification for demo
+          // emailVerified is null -- user must verify
         },
       });
 
+      // Create verification token (24h expiry)
+      const token = crypto.randomUUID();
+      await ctx.db.verificationToken.create({
+        data: {
+          identifier: input.email,
+          token,
+          expires: new Date(Date.now() + 24 * 60 * 60 * 1000),
+        },
+      });
+
+      // Send verification email (non-blocking)
+      sendVerificationEmail(input.email, token, input.name).catch(() => {});
+
       return { id: user.id, email: user.email, name: user.name };
     }),
+
+  // Verify email with token from the email link
+  verifyEmail: publicProcedure
+    .input(z.object({
+      token: z.string(),
+    }))
+    .mutation(async ({ ctx, input }) => {
+      const record = await ctx.db.verificationToken.findUnique({
+        where: { token: input.token },
+      });
+
+      if (!record) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'Invalid or expired verification link' });
+      }
+
+      if (record.expires < new Date()) {
+        // Clean up expired token
+        await ctx.db.verificationToken.delete({ where: { token: input.token } });
+        throw new TRPCError({ code: 'BAD_REQUEST', message: 'Verification link has expired. Please request a new one.' });
+      }
+
+      // Mark user as verified
+      await ctx.db.user.update({
+        where: { email: record.identifier },
+        data: { emailVerified: new Date() },
+      });
+
+      // Delete used token
+      await ctx.db.verificationToken.delete({ where: { token: input.token } });
+
+      return { success: true, message: 'Email verified successfully' };
+    }),
+
+  // Resend verification email (for logged-in users who haven't verified)
+  resendVerification: publicProcedure
+    .mutation(async ({ ctx }) => {
+      if (!ctx.session?.user?.id) {
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: 'Not logged in' });
+      }
+
+      const user = await ctx.db.user.findUnique({
+        where: { id: ctx.session.user.id },
+      });
+
+      if (!user || !user.email) {
+        throw new TRPCError({ code: 'NOT_FOUND', message: 'User not found' });
+      }
+
+      if (user.emailVerified) {
+        return { success: true, message: 'Email is already verified' };
+      }
+
+      // Delete any existing tokens for this email
+      await ctx.db.verificationToken.deleteMany({
+        where: { identifier: user.email },
+      });
+
+      // Create new token
+      const token = crypto.randomUUID();
+      await ctx.db.verificationToken.create({
+        data: {
+          identifier: user.email,
+          token,
+          expires: new Date(Date.now() + 24 * 60 * 60 * 1000),
+        },
+      });
+
+      const sent = await sendVerificationEmail(user.email, token, user.name);
+      if (!sent) {
+        throw new TRPCError({ code: 'INTERNAL_SERVER_ERROR', message: 'Failed to send email. Please try again.' });
+      }
+
+      return { success: true, message: 'Verification email sent' };
+    }),
   login: publicProcedure
     .input(z.object({
       email: z.string().email(),
@@ -106,12 +194,12 @@ export const auth = router({
         where: { email: input.email },
       });
       if (!user) {
-        throw new Error("Invalid credentials");
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Invalid credentials" });
       }
 
       const valid = await bcrypt.compare(input.password, user.passwordHash!);
       if (!valid) {
-        throw new Error("Invalid credentials");
+        throw new TRPCError({ code: 'UNAUTHORIZED', message: "Invalid credentials" });
       }
 
       // Create custom auth token
@@ -141,7 +229,7 @@ export const auth = router({
   getSession: publicProcedure.query(async ({ ctx }) => {
     // Just return the current session from context
     if (!ctx.session) {
-      throw new Error("No session found");
+      throw new TRPCError({ code: 'UNAUTHORIZED', message: "No session found" });
     }
 
     const user = await ctx.db.user.findUnique({
@@ -149,7 +237,7 @@ export const auth = router({
     });
 
     if (!user) {
-      throw new Error("User not found");
+      throw new TRPCError({ code: 'NOT_FOUND', message: "User not found" });
     }
 
     return { 
@@ -157,6 +245,7 @@ export const auth = router({
         id: user.id, 
         email: user.email, 
         name: user.name, 
+        emailVerified: !!user.emailVerified,
       } 
     };
   }),
@@ -164,7 +253,7 @@ export const auth = router({
     const token = ctx.cookies["auth_token"];
 
     if (!token) {
-      throw new Error("No token found");
+      throw new TRPCError({ code: 'UNAUTHORIZED', message: "No token found" });
     }
 
     await ctx.db.session.delete({

package/src/routers/flashcards.ts

@@ -5,14 +5,8 @@ import createInferenceService from '../lib/inference.js';
 import { aiSessionService } from '../lib/ai-session.js';
 import PusherService from '../lib/pusher.js';
 import { createFlashcardProgressService } from '../services/flashcard-progress.service.js';
-// Prisma enum values mapped manually to avoid type import issues in ESM
-const ArtifactType = {
-  STUDY_GUIDE: 'STUDY_GUIDE',
-  FLASHCARD_SET: 'FLASHCARD_SET',
-  WORKSHEET: 'WORKSHEET',
-  MEETING_SUMMARY: 'MEETING_SUMMARY',
-  PODCAST_EPISODE: 'PODCAST_EPISODE',
-} as const;
+import { ArtifactType } from '../lib/constants.js';
+import { workspaceAccessFilter } from '../lib/workspace-access.js';
 
 export const flashcards = router({
   listSets: authedProcedure
@@ -37,7 +31,7 @@ export const flashcards = router({
     .input(z.object({ workspaceId: z.string() }))
     .query(async ({ ctx, input }) => {
       const set = await ctx.db.artifact.findFirst({
-        where: { workspaceId: input.workspaceId, type: ArtifactType.FLASHCARD_SET, workspace: { ownerId: ctx.session.user.id } },
+        where: { workspaceId: input.workspaceId, type: ArtifactType.FLASHCARD_SET, workspace: workspaceAccessFilter(ctx.session.user.id) },
         include: {
           flashcards: {
             include: {
@@ -59,7 +53,7 @@ export const flashcards = router({
     .input(z.object({ workspaceId: z.string() }))
     .query(async ({ ctx, input }) => {
       const artifact = await ctx.db.artifact.findFirst({
-        where: { workspaceId: input.workspaceId, type: ArtifactType.FLASHCARD_SET, workspace: { ownerId: ctx.session.user.id } }, orderBy: { updatedAt: 'desc' },
+        where: { workspaceId: input.workspaceId, type: ArtifactType.FLASHCARD_SET, workspace: workspaceAccessFilter(ctx.session.user.id) }, orderBy: { updatedAt: 'desc' },
       });
       return artifact?.generating;
     }),
@@ -103,7 +97,7 @@ export const flashcards = router({
     }))
     .mutation(async ({ ctx, input }) => {
       const card = await ctx.db.flashcard.findFirst({
-        where: { id: input.cardId, artifact: { type: ArtifactType.FLASHCARD_SET, workspace: { ownerId: ctx.session.user.id } } },
+        where: { id: input.cardId, artifact: { type: ArtifactType.FLASHCARD_SET, workspace: workspaceAccessFilter(ctx.session.user.id) } },
       });
       if (!card) throw new TRPCError({ code: 'NOT_FOUND' });
       return ctx.db.flashcard.update({
@@ -121,7 +115,7 @@ export const flashcards = router({
     .input(z.object({ cardId: z.string() }))
     .mutation(async ({ ctx, input }) => {
       const card = await ctx.db.flashcard.findFirst({
-        where: { id: input.cardId, artifact: { workspace: { ownerId: ctx.session.user.id } } },
+        where: { id: input.cardId, artifact: { workspace: workspaceAccessFilter(ctx.session.user.id) } },
       });
       if (!card) throw new TRPCError({ code: 'NOT_FOUND' });
       await ctx.db.flashcard.delete({ where: { id: input.cardId } });
@@ -132,7 +126,7 @@ export const flashcards = router({
     .input(z.object({ setId: z.string().uuid() }))
     .mutation(async ({ ctx, input }) => {
       const deleted = await ctx.db.artifact.deleteMany({
-        where: { id: input.setId, type: ArtifactType.FLASHCARD_SET, workspace: { ownerId: ctx.session.user.id } },
+        where: { id: input.setId, type: ArtifactType.FLASHCARD_SET, workspace: workspaceAccessFilter(ctx.session.user.id) },
       });
       if (deleted.count === 0) throw new TRPCError({ code: 'NOT_FOUND' });
       return true;