Close all 25 codex audit findings and add KMP contract tests
Remediate all P0-S priority findings from cross-platform architecture audit: - Add input validation and authorization checks across handlers - Harden social auth (Apple/Google) token validation - Add document ownership verification and file type validation - Add rate limiting config and CORS origin restrictions - Add subscription tier enforcement in handlers - Add OpenAPI 3.0.3 spec (81 schemas, 104 operations) - Add URL-level contract test (KMP API routes match spec paths) - Add model-level contract test (65 schemas, 464 fields validated) - Add CI workflow for backend tests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -321,3 +321,89 @@ func (s *DocumentService) DeactivateDocument(documentID, userID uint) (*response
|
||||
resp := responses.NewDocumentResponse(document)
|
||||
return &resp, nil
|
||||
}
|
||||
|
||||
// UploadDocumentImage adds an image to an existing document
|
||||
func (s *DocumentService) UploadDocumentImage(documentID, userID uint, imageURL, caption string) (*responses.DocumentResponse, error) {
|
||||
document, err := s.documentRepo.FindByID(documentID)
|
||||
if err != nil {
|
||||
if errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return nil, apperrors.NotFound("error.document_not_found")
|
||||
}
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
// Check access via residence
|
||||
hasAccess, err := s.residenceRepo.HasAccess(document.ResidenceID, userID)
|
||||
if err != nil {
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
if !hasAccess {
|
||||
return nil, apperrors.Forbidden("error.document_access_denied")
|
||||
}
|
||||
|
||||
img := &models.DocumentImage{
|
||||
DocumentID: documentID,
|
||||
ImageURL: imageURL,
|
||||
Caption: caption,
|
||||
}
|
||||
if err := s.documentRepo.CreateDocumentImage(img); err != nil {
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
// Reload with relations
|
||||
document, err = s.documentRepo.FindByID(documentID)
|
||||
if err != nil {
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
resp := responses.NewDocumentResponse(document)
|
||||
return &resp, nil
|
||||
}
|
||||
|
||||
// DeleteDocumentImage removes an image from a document
|
||||
func (s *DocumentService) DeleteDocumentImage(documentID, imageID, userID uint) (*responses.DocumentResponse, error) {
|
||||
// Find the image first
|
||||
image, err := s.documentRepo.FindImageByID(imageID)
|
||||
if err != nil {
|
||||
if errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return nil, apperrors.NotFound("error.document_image_not_found")
|
||||
}
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
// Verify image belongs to the specified document
|
||||
if image.DocumentID != documentID {
|
||||
return nil, apperrors.NotFound("error.document_image_not_found")
|
||||
}
|
||||
|
||||
// Find parent document to check access
|
||||
document, err := s.documentRepo.FindByID(documentID)
|
||||
if err != nil {
|
||||
if errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return nil, apperrors.NotFound("error.document_not_found")
|
||||
}
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
// Check access via residence
|
||||
hasAccess, err := s.residenceRepo.HasAccess(document.ResidenceID, userID)
|
||||
if err != nil {
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
if !hasAccess {
|
||||
return nil, apperrors.Forbidden("error.document_access_denied")
|
||||
}
|
||||
|
||||
if err := s.documentRepo.DeleteDocumentImage(imageID); err != nil {
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
// Reload with relations
|
||||
document, err = s.documentRepo.FindByID(documentID)
|
||||
if err != nil {
|
||||
return nil, apperrors.Internal(err)
|
||||
}
|
||||
|
||||
resp := responses.NewDocumentResponse(document)
|
||||
return &resp, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user