owltide/server/api/schedule.patch.ts

/*
	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
	SPDX-License-Identifier: AGPL-3.0-or-later
*/
import { z } from "zod/v4-mini";
import { readSchedule, writeSchedule } from "~/server/database";
import { broadcastEvent } from "~/server/streams";
import { apiScheduleSchema } from "~/shared/types/api";
import { applyUpdatesToArray } from "~/shared/utils/update";

export default defineEventHandler(async (event) => {
	const session = await requireServerSession(event);

	if (session.account.type !== "admin" && session.account.type !== "crew") {
		throw createError({
			status: 403,
			statusMessage: "Forbidden",
			message: "Only crew and admin accounts can edit the schedule.",
		});
	}

	const { success, error, data: update } = apiScheduleSchema.safeParse(await readBody(event));
	if (!success) {
		throw createError({
			status: 400,
			statusText: "Bad Request",
			message: z.prettifyError(error),
		});
	}

	if (update.deleted) {
		throw createError({
			statusCode: 400,
			statusMessage: "Not implemented",
		});
	}

	const schedule = await readSchedule();

	if (schedule.deleted) {
		throw createError({
			statusCode: 400,
			statusMessage: "Not implemented",
		});
	}

	// Validate edit restrictions for crew
	if (session.account.type === "crew") {
		if (update.locations?.length) {
			throw createError({
				status: 403,
				statusMessage: "Forbidden",
				message: "Only admin accounts can edit locations.",
			});
		}
		for (const event of update.events ?? []) {
			const original = schedule.events?.find(e => e.id === event.id);
			if (original && !original.deleted && !original.crew) {
				throw createError({
					status: 403,
					statusMessage: "Forbidden",
					message: "Only admin accounts can edit public events.",
				});
			}
		}
	}

	// Update schedule
	const updatedFrom = schedule.updatedAt;
	update.updatedAt = new Date().toISOString();
	if (update.events) {
		for (const event of update.events) event.updatedAt = update.updatedAt;
		applyUpdatesToArray(update.events, schedule.events = schedule.events ?? []);
	}
	if (update.locations) {
		for (const location of update.locations) location.updatedAt = update.updatedAt;
		applyUpdatesToArray(update.locations, schedule.locations = schedule.locations ?? []);
	}
	if (update.roles) {
		for (const role of update.roles) role.updatedAt = update.updatedAt;
		applyUpdatesToArray(update.roles, schedule.roles = schedule.roles ?? []);
	}
	if (update.shifts) {
		for (const shift of update.shifts) shift.updatedAt = update.updatedAt;
		applyUpdatesToArray(update.shifts, schedule.shifts = schedule.shifts ?? []);
	}

	await writeSchedule(schedule);
	await broadcastEvent({
		type: "schedule-update",
		updatedFrom,
		data: update,
	});
})
License under AGPL version 3 or later I firmly believe in free software. The application I'm making here have capabilities that I've not seen in any system. It presents itself as an opportunity to collaborate on a tool that serves the people rather than corporations. Whose incentives are to help people rather, not make the most money. And whose terms ensure that these freedoms and incentives cannot be taken back or subverted. I license this software under the AGPL. 2025-06-30 18:58:24 +02:00			`/*`
			`SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>`
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`import { z } from "zod/v4-mini";`
Fix import statements Remove unused or unneeded imports and change imports of luxon APIs to use the wrapper. 2025-06-23 12:48:09 +02:00			`import { readSchedule, writeSchedule } from "~/server/database";`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`import { broadcastEvent } from "~/server/streams";`
			`import { apiScheduleSchema } from "~/shared/types/api";`
			`import { applyUpdatesToArray } from "~/shared/utils/update";`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00
			`export default defineEventHandler(async (event) => {`
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`const session = await requireServerSession(event);`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`if (session.account.type !== "admin" && session.account.type !== "crew") {`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00			`throw createError({`
			`status: 403,`
			`statusMessage: "Forbidden",`
			`message: "Only crew and admin accounts can edit the schedule.",`
			`});`
			`}`

Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`const { success, error, data: update } = apiScheduleSchema.safeParse(await readBody(event));`
			`if (!success) {`
			`throw createError({`
			`status: 400,`
			`statusText: "Bad Request",`
			`message: z.prettifyError(error),`
			`});`
			`}`

			`if (update.deleted) {`
			`throw createError({`
			`statusCode: 400,`
			`statusMessage: "Not implemented",`
			`});`
			`}`

Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00			`const schedule = await readSchedule();`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00
			`if (schedule.deleted) {`
			`throw createError({`
			`statusCode: 400,`
			`statusMessage: "Not implemented",`
			`});`
			`}`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00
			`// Validate edit restrictions for crew`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`if (session.account.type === "crew") {`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`if (update.locations?.length) {`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00			`throw createError({`
			`status: 403,`
			`statusMessage: "Forbidden",`
			`message: "Only admin accounts can edit locations.",`
			`});`
			`}`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`for (const event of update.events ?? []) {`
			`const original = schedule.events?.find(e => e.id === event.id);`
			`if (original && !original.deleted && !original.crew) {`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00			`throw createError({`
			`status: 403,`
			`statusMessage: "Forbidden",`
			`message: "Only admin accounts can edit public events.",`
			`});`
			`}`
			`}`
			`}`

Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`// Update schedule`
			`const updatedFrom = schedule.updatedAt;`
			`update.updatedAt = new Date().toISOString();`
			`if (update.events) {`
			`for (const event of update.events) event.updatedAt = update.updatedAt;`
			`applyUpdatesToArray(update.events, schedule.events = schedule.events ?? []);`
			`}`
			`if (update.locations) {`
			`for (const location of update.locations) location.updatedAt = update.updatedAt;`
			`applyUpdatesToArray(update.locations, schedule.locations = schedule.locations ?? []);`
			`}`
			`if (update.roles) {`
			`for (const role of update.roles) role.updatedAt = update.updatedAt;`
			`applyUpdatesToArray(update.roles, schedule.roles = schedule.roles ?? []);`
			`}`
			`if (update.shifts) {`
			`for (const shift of update.shifts) shift.updatedAt = update.updatedAt;`
			`applyUpdatesToArray(update.shifts, schedule.shifts = schedule.shifts ?? []);`
			`}`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00
			`await writeSchedule(schedule);`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`await broadcastEvent({`
			`type: "schedule-update",`
			`updatedFrom,`
			`data: update,`
			`});`
Implement access controlled edit schedule endpoint Add PATCH /api/schedule endpoint for editing the schedule in a manner that's access controlled. 2025-03-11 14:11:05 +01:00			`})`