nobalmako 1.0.0

package/src/app/api/environments/route.ts

@@ -0,0 +1,227 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getUserFromToken } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { environments, teams, teamMembers } from '@/lib/schema';
+import { eq, and, or, exists } from 'drizzle-orm';
+import { hasPermission, Permissions } from '@/lib/permissions';
+
+export async function GET() {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    // Get environments for teams owned by or shared with the user
+    const userEnvironments = await db
+      .select({
+        id: environments.id,
+        name: environments.name,
+        description: environments.description,
+        teamId: environments.teamId,
+        parentId: environments.parentId,
+        color: environments.color,
+        isDefault: environments.isDefault,
+        createdAt: environments.createdAt,
+        teamName: teams.name,
+      })
+      .from(environments)
+      .innerJoin(teams, eq(environments.teamId, teams.id))
+      .where(
+        or(
+          eq(teams.ownerId, user.id),
+          exists(
+            db.select()
+              .from(teamMembers)
+              .where(and(eq(teamMembers.teamId, teams.id), eq(teamMembers.userId, user.id)))
+          )
+        )
+      );
+
+    return NextResponse.json({ environments: userEnvironments });
+  } catch (error) {
+    console.error('Get environments error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { name, description, teamId, color, isDefault, parentId } = await request.json();
+
+    if (!name || !teamId) {
+      return NextResponse.json(
+        { error: 'Name and teamId are required' },
+        { status: 400 }
+      );
+    }
+
+    // Verify user has permission to manage projects/environments
+    const canManage = await hasPermission(user.id, teamId, Permissions.MANAGE_TEAM);
+
+    if (!canManage) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage environments in this project' },
+        { status: 403 }
+      );
+    }
+
+    const [newEnvironment] = await db.insert(environments).values({
+      name,
+      description,
+      teamId,
+      parentId: (parentId === 'none' || !parentId) ? null : parentId,
+      color: color || '#3b82f6',
+      isDefault: isDefault || false,
+    }).returning();
+
+    return NextResponse.json({ environment: newEnvironment });
+  } catch (error) {
+    console.error('Create environment error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function PUT(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { id, name, description, color, isDefault } = await request.json();
+
+    if (!id) {
+      return NextResponse.json(
+        { error: 'Environment ID is required' },
+        { status: 400 }
+      );
+    }
+
+    if (!name) {
+      return NextResponse.json(
+        { error: 'Name is required' },
+        { status: 400 }
+      );
+    }
+
+    // Check for managing permissions
+    const env = await db
+      .select({ teamId: environments.teamId })
+      .from(environments)
+      .where(eq(environments.id, id))
+      .limit(1);
+
+    if (!env.length) {
+      return NextResponse.json(
+        { error: 'Environment not found' },
+        { status: 404 }
+      );
+    }
+
+    const canManage = await hasPermission(user.id, env[0].teamId, Permissions.MANAGE_TEAM);
+    if (!canManage) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage environments in this project' },
+        { status: 403 }
+      );
+    }
+
+    const [updatedEnvironment] = await db
+      .update(environments)
+      .set({
+        name,
+        description,
+        color: color || '#3b82f6',
+        isDefault: isDefault !== undefined ? isDefault : false,
+        updatedAt: new Date(),
+      })
+      .where(eq(environments.id, id))
+      .returning();
+
+    return NextResponse.json({ environment: updatedEnvironment });
+  } catch (error) {
+    console.error('Update environment error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { id } = await request.json();
+
+    if (!id) {
+      return NextResponse.json(
+        { error: 'Environment ID is required' },
+        { status: 400 }
+      );
+    }
+
+    // Check for managing permissions
+    const env = await db
+      .select({ teamId: environments.teamId })
+      .from(environments)
+      .where(eq(environments.id, id))
+      .limit(1);
+
+    if (!env.length) {
+      return NextResponse.json(
+        { error: 'Environment not found' },
+        { status: 404 }
+      );
+    }
+
+    const canManage = await hasPermission(user.id, env[0].teamId, Permissions.MANAGE_TEAM);
+    if (!canManage) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to delete environments in this project' },
+        { status: 403 }
+      );
+    }
+
+    await db.delete(environments).where(eq(environments.id, id));
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Delete environment error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/team-members/route.ts

@@ -0,0 +1,385 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { eq, and } from 'drizzle-orm';
+import { getUserFromToken } from '@/lib/auth';
+import { db } from '@/lib/db';
+import { teamMembers, teams, users, invitations } from '@/lib/schema';
+import { createAuditLog } from '@/lib/audit';
+import { hasPermission, Permissions } from '@/lib/permissions';
+import { sendEmail, emailTemplates } from '@/lib/email';
+import crypto from 'crypto';
+
+export async function GET(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { searchParams } = new URL(request.url);
+    const teamId = searchParams.get('teamId');
+
+    if (!teamId) {
+      return NextResponse.json(
+        { error: 'Team ID is required' },
+        { status: 400 }
+      );
+    }
+
+    // Check if user is a member of the team or owner
+    const teamCheck = await db
+      .select()
+      .from(teams)
+      .where(and(eq(teams.id, teamId), eq(teams.ownerId, user.id)))
+      .limit(1);
+
+    const memberCheck = await db
+      .select()
+      .from(teamMembers)
+      .where(and(eq(teamMembers.teamId, teamId), eq(teamMembers.userId, user.id)))
+      .limit(1);
+
+    if (!teamCheck.length && !memberCheck.length) {
+      return NextResponse.json(
+        { error: 'Access denied' },
+        { status: 403 }
+      );
+    }
+
+    // Get team members with user details
+    const members = await db
+      .select({
+        id: teamMembers.id,
+        teamId: teamMembers.teamId,
+        userId: teamMembers.userId,
+        role: teamMembers.role,
+        joinedAt: teamMembers.joinedAt,
+        user: {
+          id: users.id,
+          name: users.name,
+          email: users.email,
+          avatar: users.avatar,
+        },
+      })
+      .from(teamMembers)
+      .innerJoin(users, eq(teamMembers.userId, users.id))
+      .where(eq(teamMembers.teamId, teamId));
+
+    return NextResponse.json({ members });
+  } catch (error) {
+    console.error('Get team members error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { teamId, email, role } = await request.json();
+
+    if (!teamId || !email || !role) {
+      return NextResponse.json(
+        { error: 'Team ID, email, and role are required' },
+        { status: 400 }
+      );
+    }
+
+    // Check if user has permission to manage team
+    const canManageTeam = await hasPermission(user.id, teamId, Permissions.MANAGE_TEAM);
+
+    if (!canManageTeam) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage team members' },
+        { status: 403 }
+      );
+    }
+
+    // Get team details for the email
+    const [team] = await db
+      .select()
+      .from(teams)
+      .where(eq(teams.id, teamId))
+      .limit(1);
+
+    if (!team) {
+      return NextResponse.json({ error: 'Team not found' }, { status: 404 });
+    }
+
+    // Check if user exists
+    const [targetUser] = await db
+      .select()
+      .from(users)
+      .where(eq(users.email, email))
+      .limit(1);
+
+    if (targetUser) {
+      // Check if user is already a member
+      const existingMember = await db
+        .select()
+        .from(teamMembers)
+        .where(and(eq(teamMembers.teamId, teamId), eq(teamMembers.userId, targetUser.id)))
+        .limit(1);
+
+      if (existingMember.length) {
+        return NextResponse.json(
+          { error: 'User is already a member of this team' },
+          { status: 400 }
+        );
+      }
+
+      // Add member to team directly
+      const [newMember] = await db.insert(teamMembers).values({
+        teamId,
+        userId: targetUser.id,
+        role,
+      }).returning();
+
+      // Audit log
+      await createAuditLog({
+        userId: user.id,
+        teamId,
+        action: 'create',
+        resourceType: 'member',
+        resourceId: newMember.id,
+        newValue: { userId: targetUser.id, role, email: targetUser.email },
+      });
+
+      // Send notification email
+      try {
+        const template = emailTemplates.teamInvitation(user.name, team.name, teamId, ''); // No token needed if they exist, or just link to dashboard
+        await sendEmail({ 
+          to: email, 
+          subject: `You've been added to ${team.name}`, 
+          html: template.html, 
+        });
+      } catch (mailError) {
+        console.error('Failed to send notification email:', mailError);
+        // Don't fail the request if email fails
+      }
+
+      return NextResponse.json({ member: newMember });
+    } else {
+      // User doesn't exist, create an invitation
+      const token = crypto.randomBytes(32).toString('hex');
+      const expiresAt = new Date();
+      expiresAt.setDate(expiresAt.getDate() + 7); // Invite expires in 7 days
+
+      // Check if there's already a pending invitation for this email and team
+      const [existingInvite] = await db
+        .select()
+        .from(invitations)
+        .where(and(
+          eq(invitations.teamId, teamId), 
+          eq(invitations.email, email),
+          eq(invitations.status, 'pending')
+        ))
+        .limit(1);
+
+      if (existingInvite) {
+        // Update existing invite
+        await db.update(invitations)
+          .set({ token, expiresAt, role, updatedAt: new Date() })
+          .where(eq(invitations.id, existingInvite.id));
+      } else {
+        // Create new invite
+        await db.insert(invitations).values({
+          teamId,
+          email,
+          role,
+          invitedBy: user.id,
+          token,
+          expiresAt,
+        });
+      }
+
+      // Send invitation email
+      try {
+        const template = emailTemplates.teamInvitation(user.name, team.name, teamId, token);
+        await sendEmail({ to: email, ...template });
+      } catch (mailError) {
+        console.error('Failed to send invitation email:', mailError);
+        return NextResponse.json(
+          { error: 'Failed to send invitation email. Please check SMTP settings.' },
+          { status: 500 }
+        );
+      }
+
+      return NextResponse.json({ message: 'Invitation sent' });
+    }
+  } catch (error) {
+    console.error('Invite team member error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function PUT(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { teamId, memberId, role } = await request.json();
+
+    if (!memberId || !role) {
+      return NextResponse.json(
+        { error: 'Member ID and role are required' },
+        { status: 400 }
+      );
+    }
+
+    // Get member details
+    const [member] = await db
+      .select()
+      .from(teamMembers)
+      .where(eq(teamMembers.id, memberId))
+      .limit(1);
+
+    if (!member) {
+      return NextResponse.json(
+        { error: 'Member not found' },
+        { status: 404 }
+      );
+    }
+
+    // Check if user has permission to manage team
+    const targetTeamId = teamId || member.teamId;
+    const canManageTeam = await hasPermission(user.id, targetTeamId, Permissions.MANAGE_TEAM);
+
+    if (!canManageTeam) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage team members' },
+        { status: 403 }
+      );
+    }
+
+    // Update member role
+    const [updatedMember] = await db
+      .update(teamMembers)
+      .set({ role })
+      .where(eq(teamMembers.id, memberId))
+      .returning();
+
+    // Audit log
+    await createAuditLog({
+      userId: user.id,
+      teamId: member.teamId,
+      action: 'update',
+      resourceType: 'member',
+      resourceId: memberId,
+      oldValue: { role: member.role },
+      newValue: { role },
+    });
+
+    return NextResponse.json({ member: updatedMember });
+  } catch (error) {
+    console.error('Update team member error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  try {
+    const user = await getUserFromToken();
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Not authenticated' },
+        { status: 401 }
+      );
+    }
+
+    const { teamId, memberId } = await request.json();
+
+    if (!memberId) {
+      return NextResponse.json(
+        { error: 'Member ID is required' },
+        { status: 400 }
+      );
+    }
+
+    // Get member details
+    const [member] = await db
+      .select()
+      .from(teamMembers)
+      .where(eq(teamMembers.id, memberId))
+      .limit(1);
+
+    if (!member) {
+      return NextResponse.json(
+        { error: 'Member not found' },
+        { status: 404 }
+      );
+    }
+
+    // Check if user has permission to manage team (or if they are removing themselves)
+    const targetTeamId = teamId || member.teamId;
+    const isRemovingSelf = member.userId === user.id;
+    const canManageTeam = await hasPermission(user.id, targetTeamId, Permissions.MANAGE_TEAM);
+
+    if (!canManageTeam && !isRemovingSelf) {
+      return NextResponse.json(
+        { error: 'Forbidden: You do not have permission to manage team members' },
+        { status: 403 }
+      );
+    }
+
+    // Can't remove yourself if you're the owner
+    const [team] = await db
+      .select()
+      .from(teams)
+      .where(eq(teams.id, targetTeamId))
+      .limit(1);
+
+    if (member.userId === user.id && team?.ownerId === user.id) {
+      return NextResponse.json(
+        { error: 'Cannot remove yourself as team owner' },
+        { status: 400 }
+      );
+    }
+
+    await db.delete(teamMembers).where(eq(teamMembers.id, memberId));
+
+    // Audit log
+    await createAuditLog({
+      userId: user.id,
+      teamId: member.teamId,
+      action: 'delete',
+      resourceType: 'member',
+      resourceId: memberId,
+      oldValue: { userId: member.userId, role: member.role },
+    });
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    console.error('Remove team member error:', error);
+    return NextResponse.json(
+      { error: 'Internal server error' },
+      { status: 500 }
+    );
+  }
+}