@revenexx/cover 0.1.0

package/server/api/account/order-lists/[id].delete.ts

@@ -0,0 +1,22 @@
+import type { OrderList } from "../../../../app/interfaces/account/order-lists";
+
+/** Deletes an order list (owner only). */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const id = getRouterParam(event, "id") ?? "";
+	const lists = await readCoverMutableJson<OrderList[]>("account/order-lists.json");
+	const record = lists.find(list => list.id === id);
+	if (!record) {
+		throw createError({ statusCode: 404, message: "List not found" });
+	}
+	if (record.owner.id !== user.$id) {
+		throw createError({ statusCode: 403, message: "Only the owner can delete this list" });
+	}
+
+	await writeCoverMutableJson("account/order-lists.json", lists.filter(list => list.id !== id));
+	return { ok: true };
+});

package/server/api/account/order-lists/[id].get.ts

@@ -0,0 +1,17 @@
+import type { OrderList } from "../../../../app/interfaces/account/order-lists";
+
+/** Single order list (own or organization-public). */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const id = getRouterParam(event, "id") ?? "";
+	const lists = await readCoverMutableJson<OrderList[]>("account/order-lists.json");
+	const list = lists.find(l => l.id === id && (l.owner.id === user.$id || l.public));
+	if (!list) {
+		throw createError({ statusCode: 404, message: "List not found" });
+	}
+	return list;
+});

package/server/api/account/order-lists/[id].put.ts

@@ -0,0 +1,46 @@
+import type { OrderList, OrderListPosition } from "../../../../app/interfaces/account/order-lists";
+
+/**
+ * Updates an order list: rename, visibility, or the full positions array
+ * (quantity changes, removals, appends). Only the owner may modify.
+ */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const id = getRouterParam(event, "id") ?? "";
+	const body = await readBody<{
+		name?: string;
+		public?: boolean;
+		positions?: OrderListPosition[];
+		appendPositions?: OrderListPosition[];
+	}>(event);
+
+	const lists = await readCoverMutableJson<OrderList[]>("account/order-lists.json");
+	const record = lists.find(list => list.id === id);
+	if (!record) {
+		throw createError({ statusCode: 404, message: "List not found" });
+	}
+	if (record.owner.id !== user.$id) {
+		throw createError({ statusCode: 403, message: "Only the owner can modify this list" });
+	}
+
+	if (typeof body?.name === "string" && body.name.trim()) {
+		record.name = body.name.trim();
+	}
+	if (typeof body?.public === "boolean") {
+		record.public = body.public;
+	}
+	if (Array.isArray(body?.positions)) {
+		record.positions = body.positions;
+	}
+	if (Array.isArray(body?.appendPositions)) {
+		record.positions = [...record.positions, ...body.appendPositions];
+	}
+	record.updatedAt = new Date().toISOString();
+
+	await writeCoverMutableJson("account/order-lists.json", lists);
+	return record;
+});

package/server/api/account/order-lists/index.get.ts

@@ -0,0 +1,14 @@
+import type { OrderList } from "../../../../app/interfaces/account/order-lists";
+
+/** Order lists visible to the user: own lists plus public organization lists. */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const lists = await readCoverMutableJson<OrderList[]>("account/order-lists.json");
+	return lists
+		.filter(list => list.owner.id === user.$id || list.public)
+		.sort((a, b) => b.updatedAt.localeCompare(a.updatedAt));
+});

package/server/api/account/order-lists/index.post.ts

@@ -0,0 +1,38 @@
+import type { OrderList, OrderListPosition } from "../../../../app/interfaces/account/order-lists";
+
+/** Creates an order list, optionally pre-filled with positions. */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const body = await readBody<{
+		name?: string;
+		kind?: string;
+		public?: boolean;
+		positions?: OrderListPosition[];
+	}>(event);
+
+	const name = String(body?.name ?? "").trim();
+	const kind = body?.kind === "label" ? "label" : "shopping";
+	if (!name) {
+		throw createError({ statusCode: 400, message: "name required" });
+	}
+
+	const now = new Date().toISOString();
+	const record: OrderList = {
+		id: `ol-${Date.now().toString(36)}`,
+		name,
+		kind,
+		public: Boolean(body?.public),
+		owner: { id: user.$id, name: user.name },
+		positions: Array.isArray(body?.positions) ? body.positions : [],
+		createdAt: now,
+		updatedAt: now,
+	};
+
+	const lists = await readCoverMutableJson<OrderList[]>("account/order-lists.json");
+	await writeCoverMutableJson("account/order-lists.json", [record, ...lists]);
+	return record;
+});

package/server/api/account/orders/[id].get.ts

@@ -0,0 +1,35 @@
+import type { AccountOrderListResponse } from "../../../../app/interfaces/account/order-list";
+
+/** Single order from the account history (live: by display number). */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const id = getRouterParam(event, "id") ?? "";
+
+	if (resolveOrderServiceKey(event) === "api") {
+		try {
+			const order = await getLiveOrderByNumber(id);
+			if (!order) {
+				throw createError({ statusCode: 404, message: "Order not found" });
+			}
+			return mapLiveOrderToAccount(order);
+		}
+		catch (err) {
+			if (isError(err)) {
+				throw err;
+			}
+			getLogService().error("Live order detail failed", apiErrorContext(err));
+			throw createError({ statusCode: 502, message: "Order service unavailable" });
+		}
+	}
+
+	const history = await readCoverMutableJson<AccountOrderListResponse>("account/order-list.json");
+	const order = history.orders.find(o => o.id === id);
+	if (!order) {
+		throw createError({ statusCode: 404, message: "Order not found" });
+	}
+	return order;
+});

package/server/api/account/orders.get.ts

@@ -0,0 +1,35 @@
+import type { AccountOrderListResponse } from "../../../app/interfaces/account/order-list";
+import type { LiveOrder } from "../../utils/liveOrders";
+
+const LIVE_HISTORY_LIMIT = 20;
+
+export default defineEventHandler(async (event): Promise<AccountOrderListResponse> => {
+	if (resolveOrderServiceKey(event) === "api") {
+		const refs = sessionOrderRefs(event);
+		if (!refs.contact_id) {
+			return { orders: [] };
+		}
+		try {
+			const api = useRevenexxApi();
+			const { items } = await api.get<{ items: LiveOrder[] }>("/v1/orders", {
+				contact_id: refs.contact_id,
+				limit: LIVE_HISTORY_LIMIT,
+			});
+			// The list rows carry no positions — load the aggregates (the
+			// history is capped, so this stays a bounded fan-out).
+			const aggregates = await Promise.all(
+				items.map(row => api.get<LiveOrder>(`/v1/orders/${row.id}`)),
+			);
+			const orders = aggregates
+				.sort((a, b) => (b.placed_at ?? b.created_at).localeCompare(a.placed_at ?? a.created_at))
+				.map(mapLiveOrderToAccount);
+			return { orders };
+		}
+		catch (err) {
+			getLogService().error("Live order history failed", apiErrorContext(err));
+			throw createError({ statusCode: 502, message: "Order service unavailable" });
+		}
+	}
+
+	return readCoverMutableJson<AccountOrderListResponse>("account/order-list.json");
+});

package/server/api/account/profile.get.ts

@@ -0,0 +1,56 @@
+import type { StoredSession } from "../../../app/interfaces/auth";
+
+interface AccountProfileResponse {
+	readonly name: string;
+	readonly email: string;
+	readonly phone: string;
+	readonly company: string;
+	readonly initials: string;
+}
+
+interface AccountProfileRaw {
+	readonly userId: string;
+	readonly name?: string;
+	readonly email?: string;
+	readonly profile: {
+		readonly phone: string;
+		readonly company: string;
+	};
+}
+
+export default defineEventHandler(async (event): Promise<AccountProfileResponse> => {
+	// Session guard — the profile endpoint always requires a login, regardless
+	// of which identity implementation resolves the user below.
+	const rawSession = getCookie(event, SESSION_COOKIE_NAME);
+	if (!rawSession) {
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+	let session: StoredSession;
+	try {
+		session = JSON.parse(rawSession) as StoredSession;
+	}
+	catch {
+		deleteCookie(event, SESSION_COOKIE_NAME, sessionCookieOptions());
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+	if (!session.fallbackCookie && !session.personaId) {
+		deleteCookie(event, SESSION_COOKIE_NAME, sessionCookieOptions());
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+
+	// Identity comes from the registry: "mock" serves the demo user, "sdk"
+	// resolves the real account through the platform.
+	const user = await getAccountService(event).getUser(event);
+
+	// Profile extras (phone, company) live in the mutable demo store until a
+	// platform profile capability exists.
+	const profileData = await readCoverMutableJson<AccountProfileRaw>("account/profile.json");
+
+	return {
+		name: user.name,
+		email: user.email,
+		phone: profileData.profile.phone,
+		company: profileData.profile.company,
+		initials: user.initials,
+	};
+});

package/server/api/account/profile.put.ts

@@ -0,0 +1,128 @@
+import type { StoredSession } from "../../../app/interfaces/auth";
+interface AccountProfileResponse {
+	readonly name: string;
+	readonly email: string;
+	readonly phone: string;
+	readonly company: string;
+	readonly initials: string;
+}
+
+interface AccountProfileRaw {
+	readonly userId: string;
+	readonly name?: string;
+	readonly email?: string;
+	readonly profile: {
+		readonly phone: string;
+		readonly company: string;
+	};
+}
+
+interface AccountProfileUpdateBody {
+	readonly phone?: unknown;
+	readonly company?: unknown;
+}
+
+function createInitials(name: string): string {
+	const parts = name
+		.trim()
+		.split(/\s+/)
+		.filter(Boolean);
+
+	if (parts.length === 0) {
+		return "";
+	}
+
+	return parts
+		.slice(0, 2)
+		.map(part => part[0]?.toUpperCase() ?? "")
+		.join("");
+}
+
+function normalizeProfileValue(value: unknown): string {
+	if (typeof value !== "string") {
+		throw createError({
+			statusCode: 422,
+			statusMessage: "Invalid profile payload",
+		});
+	}
+
+	return value.trim();
+}
+
+function validateProfileValue(value: string, maxLength: number, field: string): void {
+	if (value.length > maxLength) {
+		throw createError({
+			statusCode: 422,
+			statusMessage: `${field} is too long`,
+		});
+	}
+}
+
+export default defineEventHandler(async (event): Promise<AccountProfileResponse> => {
+	const rawSession = getCookie(event, SESSION_COOKIE_NAME);
+	if (!rawSession) {
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+
+	let session: StoredSession;
+	try {
+		session = JSON.parse(rawSession) as StoredSession;
+	}
+	catch {
+		deleteCookie(event, SESSION_COOKIE_NAME, sessionCookieOptions());
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+
+	if (!session.fallbackCookie) {
+		deleteCookie(event, SESSION_COOKIE_NAME, sessionCookieOptions());
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+
+	let user: { $id: string; name: string; email: string };
+	try {
+		const accountUser = await useAuthenticatedAccount(session.fallbackCookie).accountGet();
+		user = { $id: accountUser.$id, name: accountUser.name, email: accountUser.email };
+	}
+	catch {
+		deleteCookie(event, SESSION_COOKIE_NAME, sessionCookieOptions());
+		throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+	}
+
+	const body = await readBody<AccountProfileUpdateBody>(event);
+	const phone = normalizeProfileValue(body.phone);
+	const company = normalizeProfileValue(body.company);
+
+	validateProfileValue(phone, 32, "phone");
+	validateProfileValue(company, 120, "company");
+
+	let profileData: AccountProfileRaw;
+	try {
+		profileData = await readCoverMutableJson<AccountProfileRaw>("account/profile.json");
+	}
+	catch {
+		throw createError({ statusCode: 500, statusMessage: "Profile store unavailable" });
+	}
+
+	const updatedProfileData: AccountProfileRaw = {
+		userId: user.$id,
+		name: user.name,
+		email: user.email,
+		profile: { phone, company },
+	};
+
+	if (!profileData || typeof profileData !== "object") {
+		throw createError({ statusCode: 500, statusMessage: "Profile store unavailable" });
+	}
+
+	// Temporary dummy-store behavior: keep one writable profile document and
+	// rebind it to the current authenticated user until DB-backed records exist.
+	await writeCoverMutableJson("account/profile.json", updatedProfileData);
+
+	return {
+		name: user.name,
+		email: user.email,
+		phone,
+		company,
+		initials: createInitials(user.name),
+	};
+});

package/server/api/account/requisitions/[id].get.ts

@@ -0,0 +1,15 @@
+/** Single requisition, visibility-checked via the requisition service. */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const id = getRouterParam(event, "id") ?? "";
+	const visible = await getRequisitionService().list(user.$id);
+	const requisition = visible.find(r => r.id === id);
+	if (!requisition) {
+		throw createError({ statusCode: 404, message: "Requisition not found" });
+	}
+	return requisition;
+});

package/server/api/account/requisitions.get.ts

@@ -0,0 +1,23 @@
+/**
+ * Requisitions visible to the current user. `?status=open` narrows to the
+ * loadable ones (cart); without it the full list incl. audit trail returns.
+ */
+export default defineEventHandler(async (event) => {
+	const user = await getAuthService(event).me(event);
+	if (!user) {
+		throw createError({ statusCode: 401, message: "Unauthorized" });
+	}
+
+	const { status } = getQuery(event);
+
+	try {
+		const service = getRequisitionService();
+		return status === "open"
+			? await service.listOpen(user.$id)
+			: await service.list(user.$id);
+	}
+	catch (err) {
+		getLogService().error("Service error: account/requisitions", toErrorContext(err));
+		throw createError({ statusCode: 500, message: "Internal server error" });
+	}
+});

package/server/api/auth/login.post.ts

@@ -0,0 +1,37 @@
+export default defineEventHandler(async (event) => {
+	const { email, password } = await readBody<{
+		email: string; password: string;
+	}>(event);
+
+	try {
+		const result = await getAuthService(event).login(event, email, password);
+
+		// Live carts: hand the guest's session carts to the contact — merge
+		// into the customer's current cart or adopt them. Best-effort: a cart
+		// hiccup must never fail the login.
+		const manager = getCartManager(event);
+		if (manager && result.contactId) {
+			try {
+				await manager.claimSession(event, result.contactId);
+			}
+			catch (claimErr) {
+				getLogService().error("Cart claim on login failed", toErrorContext(claimErr));
+			}
+		}
+
+		return result;
+	}
+	catch (err) {
+		if (isSdkUserError(err)) {
+			throw createError({ statusCode: err.code, data: { type: err.type } });
+		}
+		if (isApiUserError(err)) {
+			throw createError({ statusCode: err.statusCode, data: { type: apiAuthErrorType(err) } });
+		}
+		if (isError(err)) {
+			throw err;
+		}
+		getLogService().error("Auth request failed: login", sdkErrorContext(err));
+		throw createError({ statusCode: 503, data: { type: "service_unavailable" } });
+	}
+});

package/server/api/auth/logout.post.ts

@@ -0,0 +1,4 @@
+export default defineEventHandler(async (event) => {
+	await getAuthService(event).logout(event);
+	return { ok: true };
+});

package/server/api/auth/me.get.ts

@@ -0,0 +1,3 @@
+export default defineEventHandler(async (event) => {
+	return getAuthService(event).me(event);
+});

package/server/api/auth/personas.get.ts

@@ -0,0 +1,7 @@
+/**
+ * Lists the B2B demo personas for the dev panel. Only meaningful while the
+ * mock auth implementation is active; returns the bundled persona catalog.
+ */
+export default defineEventHandler(async () => {
+	return getMockAuthService().listPersonas();
+});

package/server/api/auth/recovery.post.ts

@@ -0,0 +1,32 @@
+export default defineEventHandler(async (event) => {
+	const { email, url } = await readBody<{ email: string; url: string }>(event);
+
+	// Public-API mode: the customers app passes the recovery request through
+	// to platform auth — the mail carries `url?userId=…&secret=…`, exactly
+	// what the reset-password page expects.
+	if (resolveAuthServiceKey(event) === "api") {
+		try {
+			await useRevenexxApi().post("/v1/customers/auth/recovery", { email, url });
+			return { ok: true };
+		}
+		catch (err) {
+			if (isApiUserError(err)) {
+				throw createError({ statusCode: err.statusCode, data: { type: apiAuthErrorType(err) } });
+			}
+			getLogService().error("API request failed: recovery", apiErrorContext(err));
+			throw createError({ statusCode: 503, data: { type: "service_unavailable" } });
+		}
+	}
+
+	try {
+		await useShopSdkAccount().accountCreateRecovery({ email, url });
+		return { ok: true };
+	}
+	catch (err) {
+		if (isSdkUserError(err)) {
+			throw createError({ statusCode: err.code, data: { type: err.type } });
+		}
+		getLogService().error("SDK request failed: recovery", sdkErrorContext(err));
+		throw createError({ statusCode: 503, data: { type: "service_unavailable" } });
+	}
+});

package/server/api/auth/recovery.put.ts

@@ -0,0 +1,37 @@
+export default defineEventHandler(async (event) => {
+	const body = await readBody<{
+		userId: string; secret: string; password: string;
+	}>(event);
+	const { userId, secret, password } = body;
+
+	// Public-API mode: confirm the recovery through the customers app.
+	if (resolveAuthServiceKey(event) === "api") {
+		try {
+			await useRevenexxApi().put("/v1/customers/auth/recovery", {
+				user_id: userId,
+				secret,
+				password,
+			});
+			return { ok: true };
+		}
+		catch (err) {
+			if (isApiUserError(err)) {
+				throw createError({ statusCode: err.statusCode, data: { type: apiAuthErrorType(err) } });
+			}
+			getLogService().error("API request failed: recovery-confirm", apiErrorContext(err));
+			throw createError({ statusCode: 503, data: { type: "service_unavailable" } });
+		}
+	}
+
+	try {
+		await useShopSdkAccount().accountUpdateRecovery({ userId, secret, password });
+		return { ok: true };
+	}
+	catch (err) {
+		if (isSdkUserError(err)) {
+			throw createError({ statusCode: err.code, data: { type: err.type } });
+		}
+		getLogService().error("SDK request failed: recovery-confirm", sdkErrorContext(err));
+		throw createError({ statusCode: 503, data: { type: "service_unavailable" } });
+	}
+});