@nextsparkjs/core 0.1.0-beta.84 → 0.1.0-beta.85

package/templates/app/api/v1/teams/[teamId]/invitations/route.ts

@@ -0,0 +1,171 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { queryWithRLS, mutateWithRLS } from '@nextsparkjs/core/lib/db'
+import {
+  createApiResponse,
+  createApiError,
+  createPaginationMeta,
+  withApiLogging,
+  handleCorsPreflightRequest,
+  addCorsHeaders,
+} from '@nextsparkjs/core/lib/api/helpers'
+import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { TeamMemberService, MembershipService } from '@nextsparkjs/core/lib/services'
+import type { TeamInvitation } from '@nextsparkjs/core/lib/teams/types'
+
+// Handle CORS preflight
+export async function OPTIONS() {
+  return handleCorsPreflightRequest()
+}
+
+// GET /api/v1/teams/:teamId/invitations - List pending invitations for a team
+export const GET = withApiLogging(
+  async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
+    try {
+      // Authenticate using dual auth
+      const authResult = await authenticateRequest(req)
+
+      if (!authResult.success) {
+        return NextResponse.json(
+          { success: false, error: 'Authentication required', code: 'AUTHENTICATION_FAILED' },
+          { status: 401 }
+        )
+      }
+
+      if (authResult.rateLimitResponse) {
+        return authResult.rateLimitResponse as NextResponse
+      }
+
+      const { teamId } = await params
+
+      // Validate that teamId is not empty
+      if (!teamId || teamId.trim() === '') {
+        const response = createApiError('Team ID is required', 400, null, 'MISSING_TEAM_ID')
+        return addCorsHeaders(response)
+      }
+
+      // Check if user is a member of the team
+      const isMember = await TeamMemberService.isMember(teamId, authResult.user!.id)
+
+      if (!isMember) {
+        const response = createApiError('Team not found or access denied', 404, null, 'TEAM_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      // Parse query parameters
+      const { searchParams } = new URL(req.url)
+      const page = parseInt(searchParams.get('page') || '1', 10)
+      const limit = parseInt(searchParams.get('limit') || '50', 10)
+      const status = searchParams.get('status') || 'pending'
+      const offset = (page - 1) * limit
+
+      // Fetch team invitations
+      const invitations = await queryWithRLS<
+        TeamInvitation & {
+          inviterName: string | null
+          inviterEmail: string
+        }
+      >(
+        `SELECT
+          ti.*,
+          u.name as "inviterName",
+          u.email as "inviterEmail"
+        FROM "team_invitations" ti
+        INNER JOIN "users" u ON ti."invitedBy" = u.id
+        WHERE ti."teamId" = $1 AND ti.status = $2
+        ORDER BY ti."createdAt" DESC
+        LIMIT $3 OFFSET $4`,
+        [teamId, status, limit, offset],
+        authResult.user!.id
+      )
+
+      // Get total count for pagination
+      const totalResult = await queryWithRLS<{ count: string }>(
+        `SELECT COUNT(*) as count
+         FROM "team_invitations" ti
+         WHERE ti."teamId" = $1 AND ti.status = $2`,
+        [teamId, status],
+        authResult.user!.id
+      )
+
+      const total = parseInt(totalResult[0]?.count || '0', 10)
+      const paginationMeta = createPaginationMeta(page, limit, total)
+
+      const response = createApiResponse(invitations, paginationMeta)
+      return addCorsHeaders(response)
+    } catch (error) {
+      console.error('Error fetching team invitations:', error)
+      const response = createApiError('Internal server error', 500)
+      return addCorsHeaders(response)
+    }
+  }
+)
+
+// DELETE /api/v1/teams/:teamId/invitations/:invitationId - Cancel/revoke an invitation
+export const DELETE = withApiLogging(
+  async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
+    try {
+      // Authenticate using dual auth
+      const authResult = await authenticateRequest(req)
+
+      if (!authResult.success) {
+        return NextResponse.json(
+          { success: false, error: 'Authentication required', code: 'AUTHENTICATION_FAILED' },
+          { status: 401 }
+        )
+      }
+
+      if (authResult.rateLimitResponse) {
+        return authResult.rateLimitResponse as NextResponse
+      }
+
+      const { teamId } = await params
+
+      // Get invitation ID from URL
+      const url = new URL(req.url)
+      const invitationId = url.searchParams.get('id')
+
+      if (!invitationId) {
+        const response = createApiError('Invitation ID is required', 400, null, 'MISSING_INVITATION_ID')
+        return addCorsHeaders(response)
+      }
+
+      // Check if user has permission to manage invitations using MembershipService
+      const membership = await MembershipService.get(authResult.user!.id, teamId)
+      const actionResult = membership.canPerformAction('members.invite')
+
+      if (!actionResult.allowed) {
+        const response = NextResponse.json(
+          {
+            success: false,
+            error: actionResult.message,
+            reason: actionResult.reason,
+            meta: actionResult.meta,
+          },
+          { status: 403 }
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Update invitation status to 'cancelled' (or delete it)
+      const result = await mutateWithRLS(
+        `DELETE FROM "team_invitations"
+         WHERE id = $1 AND "teamId" = $2 AND status = 'pending'
+         RETURNING *`,
+        [invitationId, teamId],
+        authResult.user!.id
+      )
+
+      if (result.rowCount === 0) {
+        const response = createApiError('Invitation not found or already processed', 404, null, 'INVITATION_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      const response = createApiResponse({ deleted: true, id: invitationId })
+      return addCorsHeaders(response)
+    } catch (error) {
+      console.error('Error cancelling invitation:', error)
+      const response = createApiError('Internal server error', 500)
+      return addCorsHeaders(response)
+    }
+  }
+)

package/templates/app/api/v1/teams/[teamId]/invoices/[invoiceNumber]/route.ts

@@ -0,0 +1,105 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { queryWithRLS } from '@nextsparkjs/core/lib/db'
+import {
+  createApiResponse,
+  createApiError,
+  withApiLogging,
+  handleCorsPreflightRequest,
+  addCorsHeaders,
+} from '@nextsparkjs/core/lib/api/helpers'
+import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { MembershipService } from '@nextsparkjs/core/lib/services'
+import type { InvoiceResponse } from '@nextsparkjs/core/lib/validation/invoices'
+
+// Handle CORS preflight
+export async function OPTIONS() {
+  return handleCorsPreflightRequest()
+}
+
+// GET /api/v1/teams/:teamId/invoices/:invoiceNumber - Get single invoice (owner only)
+export const GET = withApiLogging(
+  async (
+    req: NextRequest,
+    { params }: { params: Promise<{ teamId: string; invoiceNumber: string }> }
+  ): Promise<NextResponse> => {
+    try {
+      // Authenticate using dual auth (API key OR session)
+      const authResult = await authenticateRequest(req)
+
+      if (!authResult.success) {
+        return NextResponse.json(
+          { success: false, error: 'Authentication required', code: 'AUTHENTICATION_FAILED' },
+          { status: 401 }
+        )
+      }
+
+      if (authResult.rateLimitResponse) {
+        return authResult.rateLimitResponse as NextResponse
+      }
+
+      const { teamId, invoiceNumber } = await params
+
+      // Validate that teamId is not empty
+      if (!teamId || teamId.trim() === '') {
+        const response = createApiError('Team ID is required', 400, null, 'MISSING_TEAM_ID')
+        return addCorsHeaders(response)
+      }
+
+      // Validate that invoiceNumber is not empty
+      if (!invoiceNumber || invoiceNumber.trim() === '') {
+        const response = createApiError('Invoice number is required', 400, null, 'MISSING_INVOICE_NUMBER')
+        return addCorsHeaders(response)
+      }
+
+      // Check if user has permission to view invoices using MembershipService
+      const membership = await MembershipService.get(authResult.user!.id, teamId)
+      const actionResult = membership.canPerformAction('billing.invoices')
+
+      if (!actionResult.allowed) {
+        const response = NextResponse.json(
+          {
+            success: false,
+            error: actionResult.message,
+            reason: actionResult.reason,
+            meta: actionResult.meta,
+          },
+          { status: 403 }
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Query single invoice by invoiceNumber
+      const invoices = await queryWithRLS<InvoiceResponse>(
+        `SELECT
+          id,
+          "teamId",
+          "invoiceNumber",
+          to_char(date, 'YYYY-MM-DD"T"HH24:MI:SS"Z"') as date,
+          amount::NUMERIC(10,2)::FLOAT as amount,
+          currency,
+          status::TEXT as status,
+          "pdfUrl",
+          description,
+          to_char("createdAt", 'YYYY-MM-DD"T"HH24:MI:SS"Z"') as "createdAt",
+          to_char("updatedAt", 'YYYY-MM-DD"T"HH24:MI:SS"Z"') as "updatedAt"
+        FROM "invoices"
+        WHERE "teamId" = $1 AND "invoiceNumber" = $2
+        LIMIT 1`,
+        [teamId, decodeURIComponent(invoiceNumber)],
+        authResult.user!.id
+      )
+
+      if (invoices.length === 0) {
+        const response = createApiError('Invoice not found', 404, null, 'INVOICE_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      const response = createApiResponse(invoices[0])
+      return addCorsHeaders(response)
+    } catch (error) {
+      console.error('Error fetching invoice:', error)
+      const response = createApiError('Internal server error', 500)
+      return addCorsHeaders(response)
+    }
+  }
+)

package/templates/app/api/v1/teams/[teamId]/invoices/route.ts

@@ -0,0 +1,125 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { queryWithRLS } from '@nextsparkjs/core/lib/db'
+import {
+  createApiResponse,
+  createApiError,
+  createPaginationMeta,
+  withApiLogging,
+  handleCorsPreflightRequest,
+  addCorsHeaders,
+} from '@nextsparkjs/core/lib/api/helpers'
+import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { MembershipService } from '@nextsparkjs/core/lib/services'
+import { invoiceQuerySchema } from '@nextsparkjs/core/lib/validation/invoices'
+import type { InvoiceResponse } from '@nextsparkjs/core/lib/validation/invoices'
+
+// Handle CORS preflight
+export async function OPTIONS() {
+  return handleCorsPreflightRequest()
+}
+
+// GET /api/v1/teams/:teamId/invoices - List team invoices (owner only)
+export const GET = withApiLogging(
+  async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
+    try {
+      // Authenticate using dual auth (API key OR session)
+      const authResult = await authenticateRequest(req)
+
+      if (!authResult.success) {
+        return NextResponse.json(
+          { success: false, error: 'Authentication required', code: 'AUTHENTICATION_FAILED' },
+          { status: 401 }
+        )
+      }
+
+      if (authResult.rateLimitResponse) {
+        return authResult.rateLimitResponse as NextResponse
+      }
+
+      const { teamId } = await params
+
+      // Validate that teamId is not empty
+      if (!teamId || teamId.trim() === '') {
+        const response = createApiError('Team ID is required', 400, null, 'MISSING_TEAM_ID')
+        return addCorsHeaders(response)
+      }
+
+      // Check if user has permission to view invoices using MembershipService
+      const membership = await MembershipService.get(authResult.user!.id, teamId)
+      const actionResult = membership.canPerformAction('billing.invoices')
+
+      if (!actionResult.allowed) {
+        const response = NextResponse.json(
+          {
+            success: false,
+            error: actionResult.message,
+            reason: actionResult.reason,
+            meta: actionResult.meta,
+          },
+          { status: 403 }
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Parse query parameters for pagination
+      const { searchParams } = new URL(req.url)
+      const queryParams = Object.fromEntries(
+        Object.entries({
+          limit: searchParams.get('limit'),
+          offset: searchParams.get('offset'),
+        }).filter(([, value]) => value !== null && value !== '')
+      )
+
+      const validatedQuery = invoiceQuerySchema.parse(queryParams)
+      const { limit, offset } = validatedQuery
+
+      // Query invoices with pagination (ordered by date DESC)
+      const invoices = await queryWithRLS<InvoiceResponse>(
+        `SELECT
+          id,
+          "teamId",
+          "invoiceNumber",
+          to_char(date, 'YYYY-MM-DD"T"HH24:MI:SS"Z"') as date,
+          amount::NUMERIC(10,2)::FLOAT as amount,
+          currency,
+          status::TEXT as status,
+          "pdfUrl",
+          description,
+          to_char("createdAt", 'YYYY-MM-DD"T"HH24:MI:SS"Z"') as "createdAt",
+          to_char("updatedAt", 'YYYY-MM-DD"T"HH24:MI:SS"Z"') as "updatedAt"
+        FROM "invoices"
+        WHERE "teamId" = $1
+        ORDER BY date DESC
+        LIMIT $2 OFFSET $3`,
+        [teamId, limit, offset],
+        authResult.user!.id
+      )
+
+      // Get total count for pagination
+      const totalResult = await queryWithRLS<{ count: string }>(
+        `SELECT COUNT(*) as count FROM "invoices" WHERE "teamId" = $1`,
+        [teamId],
+        authResult.user!.id
+      )
+
+      const total = parseInt(totalResult[0]?.count || '0', 10)
+
+      // Calculate pagination metadata
+      const page = Math.floor(offset / limit) + 1
+      const paginationMeta = createPaginationMeta(page, limit, total)
+
+      const response = createApiResponse(invoices, paginationMeta)
+      return addCorsHeaders(response)
+    } catch (error) {
+      if (error instanceof Error && error.name === 'ZodError') {
+        const zodError = error as { issues?: unknown[] }
+        const response = createApiError('Validation error', 400, zodError.issues, 'VALIDATION_ERROR')
+        return addCorsHeaders(response)
+      }
+
+      console.error('Error fetching invoices:', error)
+      const response = createApiError('Internal server error', 500)
+      return addCorsHeaders(response)
+    }
+  }
+)

package/templates/app/api/v1/teams/[teamId]/members/[memberId]/route.ts

@@ -0,0 +1,263 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { queryOneWithRLS, mutateWithRLS } from '@nextsparkjs/core/lib/db'
+import {
+  createApiResponse,
+  createApiError,
+  withApiLogging,
+  handleCorsPreflightRequest,
+  addCorsHeaders,
+} from '@nextsparkjs/core/lib/api/helpers'
+import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { updateMemberRoleSchema } from '@nextsparkjs/core/lib/teams/schema'
+import { MembershipService } from '@nextsparkjs/core/lib/services'
+import { validateRoleTransition, canManageRole } from '@nextsparkjs/core/lib/teams/permissions'
+import type { TeamMember, TeamRole } from '@nextsparkjs/core/lib/teams/types'
+
+// Handle CORS preflight
+export async function OPTIONS() {
+  return handleCorsPreflightRequest()
+}
+
+// PATCH /api/v1/teams/:teamId/members/:memberId - Update member role
+export const PATCH = withApiLogging(
+  async (
+    req: NextRequest,
+    { params }: { params: Promise<{ teamId: string; memberId: string }> }
+  ): Promise<NextResponse> => {
+    try {
+      // Authenticate using dual auth
+      const authResult = await authenticateRequest(req)
+
+      if (!authResult.success) {
+        return NextResponse.json(
+          { success: false, error: 'Authentication required', code: 'AUTHENTICATION_FAILED' },
+          { status: 401 }
+        )
+      }
+
+      if (authResult.rateLimitResponse) {
+        return authResult.rateLimitResponse as NextResponse
+      }
+
+      const { teamId, memberId } = await params
+
+      // Validate parameters
+      if (!teamId || teamId.trim() === '') {
+        const response = createApiError('Team ID is required', 400, null, 'MISSING_TEAM_ID')
+        return addCorsHeaders(response)
+      }
+
+      if (!memberId || memberId.trim() === '') {
+        const response = createApiError('Member ID is required', 400, null, 'MISSING_MEMBER_ID')
+        return addCorsHeaders(response)
+      }
+
+      // Check if user has permission to update member roles using MembershipService
+      const membership = await MembershipService.get(authResult.user!.id, teamId)
+      const actionResult = membership.canPerformAction('members.update_role')
+
+      if (!actionResult.allowed) {
+        const response = NextResponse.json(
+          {
+            success: false,
+            error: actionResult.message,
+            reason: actionResult.reason,
+            meta: actionResult.meta,
+          },
+          { status: 403 }
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Get user's role for role hierarchy validation
+      const userRole = membership.role as TeamRole
+
+      // Get target member
+      const targetMember = await queryOneWithRLS<TeamMember>(
+        'SELECT * FROM "team_members" WHERE id = $1 AND "teamId" = $2',
+        [memberId, teamId],
+        authResult.user!.id
+      )
+
+      if (!targetMember) {
+        const response = createApiError('Member not found', 404, null, 'MEMBER_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      const body = await req.json()
+      const validatedData = updateMemberRoleSchema.parse(body)
+
+      // Validate role transition
+      const transitionValidation = validateRoleTransition(targetMember.role, validatedData.role, userRole)
+
+      if (!transitionValidation.allowed) {
+        const response = createApiError(transitionValidation.reason || 'Invalid role transition', 403, null, 'INVALID_ROLE_TRANSITION')
+        return addCorsHeaders(response)
+      }
+
+      // Check if actor can manage the target role
+      if (!canManageRole(userRole, targetMember.role)) {
+        const response = createApiError(
+          'You do not have permission to change this user\'s role.',
+          403,
+          null,
+          'INSUFFICIENT_PERMISSIONS'
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Update member role
+      const result = await mutateWithRLS(
+        `UPDATE "team_members"
+         SET role = $1, "updatedAt" = CURRENT_TIMESTAMP
+         WHERE id = $2 AND "teamId" = $3
+         RETURNING *`,
+        [validatedData.role, memberId, teamId],
+        authResult.user!.id
+      )
+
+      if (result.rows.length === 0) {
+        const response = createApiError('Member not found', 404, null, 'MEMBER_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      // Fetch member with user details
+      const memberWithUser = await queryOneWithRLS<
+        TeamMember & {
+          userName: string | null
+          userEmail: string
+          userImage: string | null
+        }
+      >(
+        `SELECT
+          tm.*,
+          u.name as "userName",
+          u.email as "userEmail",
+          u.image as "userImage"
+        FROM "team_members" tm
+        INNER JOIN "users" u ON tm."userId" = u.id
+        WHERE tm.id = $1`,
+        [memberId],
+        authResult.user!.id
+      )
+
+      const response = createApiResponse(memberWithUser)
+      return addCorsHeaders(response)
+    } catch (error) {
+      if (error instanceof Error && error.name === 'ZodError') {
+        const zodError = error as { issues?: unknown[] }
+        const response = createApiError('Validation error', 400, zodError.issues, 'VALIDATION_ERROR')
+        return addCorsHeaders(response)
+      }
+
+      console.error('Error updating member role:', error)
+      const response = createApiError('Internal server error', 500)
+      return addCorsHeaders(response)
+    }
+  }
+)
+
+// DELETE /api/v1/teams/:teamId/members/:memberId - Remove member from team
+export const DELETE = withApiLogging(
+  async (
+    req: NextRequest,
+    { params }: { params: Promise<{ teamId: string; memberId: string }> }
+  ): Promise<NextResponse> => {
+    try {
+      // Authenticate using dual auth
+      const authResult = await authenticateRequest(req)
+
+      if (!authResult.success) {
+        return NextResponse.json(
+          { success: false, error: 'Authentication required', code: 'AUTHENTICATION_FAILED' },
+          { status: 401 }
+        )
+      }
+
+      if (authResult.rateLimitResponse) {
+        return authResult.rateLimitResponse as NextResponse
+      }
+
+      const { teamId, memberId } = await params
+
+      // Validate parameters
+      if (!teamId || teamId.trim() === '') {
+        const response = createApiError('Team ID is required', 400, null, 'MISSING_TEAM_ID')
+        return addCorsHeaders(response)
+      }
+
+      if (!memberId || memberId.trim() === '') {
+        const response = createApiError('Member ID is required', 400, null, 'MISSING_MEMBER_ID')
+        return addCorsHeaders(response)
+      }
+
+      // Check if user has permission to remove members using MembershipService
+      const membership = await MembershipService.get(authResult.user!.id, teamId)
+      const actionResult = membership.canPerformAction('members.remove')
+
+      if (!actionResult.allowed) {
+        const response = NextResponse.json(
+          {
+            success: false,
+            error: actionResult.message,
+            reason: actionResult.reason,
+            meta: actionResult.meta,
+          },
+          { status: 403 }
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Get user's role for role hierarchy validation
+      const userRole = membership.role as TeamRole
+
+      // Get target member
+      const targetMember = await queryOneWithRLS<TeamMember>(
+        'SELECT * FROM "team_members" WHERE id = $1 AND "teamId" = $2',
+        [memberId, teamId],
+        authResult.user!.id
+      )
+
+      if (!targetMember) {
+        const response = createApiError('Member not found', 404, null, 'MEMBER_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      // Cannot remove the owner
+      if (targetMember.role === 'owner') {
+        const response = createApiError('Cannot remove the team owner', 403, null, 'CANNOT_REMOVE_OWNER')
+        return addCorsHeaders(response)
+      }
+
+      // Check if actor can manage the target role
+      if (!canManageRole(userRole, targetMember.role)) {
+        const response = createApiError(
+          'You do not have permission to remove this user.',
+          403,
+          null,
+          'INSUFFICIENT_PERMISSIONS'
+        )
+        return addCorsHeaders(response)
+      }
+
+      // Remove member
+      const result = await mutateWithRLS(
+        'DELETE FROM "team_members" WHERE id = $1 AND "teamId" = $2 RETURNING id',
+        [memberId, teamId],
+        authResult.user!.id
+      )
+
+      if (result.rows.length === 0) {
+        const response = createApiError('Member not found', 404, null, 'MEMBER_NOT_FOUND')
+        return addCorsHeaders(response)
+      }
+
+      const response = createApiResponse({ deleted: true, id: memberId })
+      return addCorsHeaders(response)
+    } catch (error) {
+      console.error('Error removing member:', error)
+      const response = createApiError('Internal server error', 500)
+      return addCorsHeaders(response)
+    }
+  }
+)