package router import ( "net/http" "time" "github.com/gin-contrib/cors" "github.com/gin-gonic/gin" "gorm.io/gorm" "github.com/treytartt/casera-api/internal/admin" "github.com/treytartt/casera-api/internal/config" "github.com/treytartt/casera-api/internal/handlers" "github.com/treytartt/casera-api/internal/i18n" "github.com/treytartt/casera-api/internal/middleware" "github.com/treytartt/casera-api/internal/push" "github.com/treytartt/casera-api/internal/repositories" "github.com/treytartt/casera-api/internal/services" "github.com/treytartt/casera-api/pkg/utils" ) const Version = "2.0.0" // Dependencies holds all dependencies needed by the router type Dependencies struct { DB *gorm.DB Cache *services.CacheService Config *config.Config EmailService *services.EmailService PDFService *services.PDFService PushClient *push.Client // Direct APNs/FCM client StorageService *services.StorageService } // SetupRouter creates and configures the Gin router func SetupRouter(deps *Dependencies) *gin.Engine { cfg := deps.Config // Set Gin mode based on debug setting if cfg.Server.Debug { gin.SetMode(gin.DebugMode) } else { gin.SetMode(gin.ReleaseMode) } r := gin.New() // Global middleware r.Use(utils.GinRecovery()) r.Use(utils.GinLogger()) r.Use(corsMiddleware(cfg)) r.Use(i18n.Middleware()) // Serve landing page static files (if static directory is configured) staticDir := cfg.Server.StaticDir if staticDir != "" { r.Static("/css", staticDir+"/css") r.Static("/js", staticDir+"/js") r.Static("/images", staticDir+"/images") r.StaticFile("/favicon.ico", staticDir+"/images/favicon.svg") // Serve index.html at root r.GET("/", func(c *gin.Context) { c.File(staticDir + "/index.html") }) } // Health check endpoint (no auth required) r.GET("/api/health/", healthCheck) // Initialize onboarding email service for tracking handler onboardingService := services.NewOnboardingEmailService(deps.DB, deps.EmailService, cfg.Server.BaseURL) // Email tracking endpoint (no auth required - used by email tracking pixels) trackingHandler := handlers.NewTrackingHandler(onboardingService) r.GET("/api/track/open/:trackingID", trackingHandler.TrackEmailOpen) // NOTE: Public static file serving removed for security. // All uploaded media is now served through authenticated proxy endpoints: // - GET /api/media/document/:id // - GET /api/media/document-image/:id // - GET /api/media/completion-image/:id // These endpoints verify the user has access to the residence before serving files. // Initialize repositories userRepo := repositories.NewUserRepository(deps.DB) residenceRepo := repositories.NewResidenceRepository(deps.DB) taskRepo := repositories.NewTaskRepository(deps.DB) contractorRepo := repositories.NewContractorRepository(deps.DB) documentRepo := repositories.NewDocumentRepository(deps.DB) notificationRepo := repositories.NewNotificationRepository(deps.DB) subscriptionRepo := repositories.NewSubscriptionRepository(deps.DB) taskTemplateRepo := repositories.NewTaskTemplateRepository(deps.DB) // Initialize services authService := services.NewAuthService(userRepo, cfg) authService.SetNotificationRepository(notificationRepo) // For creating notification preferences on registration userService := services.NewUserService(userRepo) residenceService := services.NewResidenceService(residenceRepo, userRepo, cfg) residenceService.SetTaskRepository(taskRepo) // Wire up task repo for statistics taskService := services.NewTaskService(taskRepo, residenceRepo) contractorService := services.NewContractorService(contractorRepo, residenceRepo) documentService := services.NewDocumentService(documentRepo, residenceRepo) notificationService := services.NewNotificationService(notificationRepo, deps.PushClient) // Wire up notification, email, and residence services to task service taskService.SetNotificationService(notificationService) taskService.SetEmailService(deps.EmailService) taskService.SetResidenceService(residenceService) // For including TotalSummary in CRUD responses subscriptionService := services.NewSubscriptionService(subscriptionRepo, residenceRepo, taskRepo, contractorRepo, documentRepo) taskTemplateService := services.NewTaskTemplateService(taskTemplateRepo) // Initialize middleware authMiddleware := middleware.NewAuthMiddleware(deps.DB, deps.Cache) // Initialize Apple auth service appleAuthService := services.NewAppleAuthService(deps.Cache, cfg) // Initialize handlers authHandler := handlers.NewAuthHandler(authService, deps.EmailService, deps.Cache) authHandler.SetAppleAuthService(appleAuthService) userHandler := handlers.NewUserHandler(userService) residenceHandler := handlers.NewResidenceHandler(residenceService, deps.PDFService, deps.EmailService) taskHandler := handlers.NewTaskHandler(taskService, deps.StorageService) contractorHandler := handlers.NewContractorHandler(contractorService) documentHandler := handlers.NewDocumentHandler(documentService, deps.StorageService) notificationHandler := handlers.NewNotificationHandler(notificationService) subscriptionHandler := handlers.NewSubscriptionHandler(subscriptionService) staticDataHandler := handlers.NewStaticDataHandler(residenceService, taskService, contractorService, taskTemplateService, deps.Cache) taskTemplateHandler := handlers.NewTaskTemplateHandler(taskTemplateService) // Initialize upload handler (if storage service is available) var uploadHandler *handlers.UploadHandler var mediaHandler *handlers.MediaHandler if deps.StorageService != nil { uploadHandler = handlers.NewUploadHandler(deps.StorageService) mediaHandler = handlers.NewMediaHandler(documentRepo, taskRepo, residenceRepo, deps.StorageService) } // Set up admin routes (separate auth system) adminDeps := &admin.Dependencies{ EmailService: deps.EmailService, PushClient: deps.PushClient, OnboardingService: onboardingService, } admin.SetupRoutes(r, deps.DB, cfg, adminDeps) // API group api := r.Group("/api") { // Public auth routes (no auth required) setupPublicAuthRoutes(api, authHandler) // Public data routes (no auth required) setupPublicDataRoutes(api, residenceHandler, taskHandler, contractorHandler, staticDataHandler, subscriptionHandler, taskTemplateHandler) // Protected routes (auth required) protected := api.Group("") protected.Use(authMiddleware.TokenAuth()) { setupProtectedAuthRoutes(protected, authHandler) setupResidenceRoutes(protected, residenceHandler) setupTaskRoutes(protected, taskHandler) setupContractorRoutes(protected, contractorHandler) setupDocumentRoutes(protected, documentHandler) setupNotificationRoutes(protected, notificationHandler) setupSubscriptionRoutes(protected, subscriptionHandler) setupUserRoutes(protected, userHandler) // Upload routes (only if storage service is configured) if uploadHandler != nil { setupUploadRoutes(protected, uploadHandler) } // Media routes (authenticated media serving) if mediaHandler != nil { setupMediaRoutes(protected, mediaHandler) } } } return r } // corsMiddleware configures CORS - allowing all origins for API access func corsMiddleware(cfg *config.Config) gin.HandlerFunc { return cors.New(cors.Config{ AllowAllOrigins: true, AllowMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}, AllowHeaders: []string{"Origin", "Content-Type", "Accept", "Authorization", "X-Requested-With"}, ExposeHeaders: []string{"Content-Length"}, AllowCredentials: false, // Must be false when AllowAllOrigins is true MaxAge: 12 * time.Hour, }) } // healthCheck returns API health status func healthCheck(c *gin.Context) { c.JSON(http.StatusOK, gin.H{ "status": "healthy", "version": Version, "framework": "Gin", "timestamp": time.Now().UTC().Format(time.RFC3339), }) } // setupPublicAuthRoutes configures public authentication routes func setupPublicAuthRoutes(api *gin.RouterGroup, authHandler *handlers.AuthHandler) { auth := api.Group("/auth") { auth.POST("/login/", authHandler.Login) auth.POST("/register/", authHandler.Register) auth.POST("/forgot-password/", authHandler.ForgotPassword) auth.POST("/verify-reset-code/", authHandler.VerifyResetCode) auth.POST("/reset-password/", authHandler.ResetPassword) auth.POST("/apple-sign-in/", authHandler.AppleSignIn) } } // setupProtectedAuthRoutes configures protected authentication routes func setupProtectedAuthRoutes(api *gin.RouterGroup, authHandler *handlers.AuthHandler) { auth := api.Group("/auth") { auth.POST("/logout/", authHandler.Logout) auth.GET("/me/", authHandler.CurrentUser) auth.PUT("/profile/", authHandler.UpdateProfile) auth.PATCH("/profile/", authHandler.UpdateProfile) auth.POST("/verify/", authHandler.VerifyEmail) // Alias for mobile app compatibility auth.POST("/verify-email/", authHandler.VerifyEmail) // Original route auth.POST("/resend-verification/", authHandler.ResendVerification) } } // setupPublicDataRoutes configures public data routes (lookups, static data) func setupPublicDataRoutes(api *gin.RouterGroup, residenceHandler *handlers.ResidenceHandler, taskHandler *handlers.TaskHandler, contractorHandler *handlers.ContractorHandler, staticDataHandler *handlers.StaticDataHandler, subscriptionHandler *handlers.SubscriptionHandler, taskTemplateHandler *handlers.TaskTemplateHandler) { // Static data routes (public, cached) staticData := api.Group("/static_data") { staticData.GET("/", staticDataHandler.GetStaticData) staticData.POST("/refresh/", staticDataHandler.RefreshStaticData) } // Public subscription routes (upgrade triggers needed at app start before login) subscriptionPublic := api.Group("/subscription") { subscriptionPublic.GET("/upgrade-triggers/", subscriptionHandler.GetAllUpgradeTriggers) } // Lookup routes (public) api.GET("/residences/types/", residenceHandler.GetResidenceTypes) api.GET("/tasks/categories/", taskHandler.GetCategories) api.GET("/tasks/priorities/", taskHandler.GetPriorities) api.GET("/tasks/frequencies/", taskHandler.GetFrequencies) api.GET("/tasks/statuses/", taskHandler.GetStatuses) api.GET("/contractors/specialties/", contractorHandler.GetSpecialties) // Task template routes (public, for app autocomplete) templates := api.Group("/tasks/templates") { templates.GET("/", taskTemplateHandler.GetTemplates) templates.GET("/grouped/", taskTemplateHandler.GetTemplatesGrouped) templates.GET("/search/", taskTemplateHandler.SearchTemplates) templates.GET("/by-category/:category_id/", taskTemplateHandler.GetTemplatesByCategory) templates.GET("/:id/", taskTemplateHandler.GetTemplate) } } // setupResidenceRoutes configures residence routes func setupResidenceRoutes(api *gin.RouterGroup, residenceHandler *handlers.ResidenceHandler) { residences := api.Group("/residences") { residences.GET("/", residenceHandler.ListResidences) residences.POST("/", residenceHandler.CreateResidence) residences.GET("/my-residences/", residenceHandler.GetMyResidences) residences.GET("/summary/", residenceHandler.GetSummary) residences.POST("/join-with-code/", residenceHandler.JoinWithCode) residences.GET("/:id/", residenceHandler.GetResidence) residences.PUT("/:id/", residenceHandler.UpdateResidence) residences.PATCH("/:id/", residenceHandler.UpdateResidence) residences.DELETE("/:id/", residenceHandler.DeleteResidence) residences.POST("/:id/generate-share-code/", residenceHandler.GenerateShareCode) residences.POST("/:id/generate-share-package/", residenceHandler.GenerateSharePackage) residences.POST("/:id/generate-tasks-report/", residenceHandler.GenerateTasksReport) residences.GET("/:id/users/", residenceHandler.GetResidenceUsers) residences.DELETE("/:id/users/:user_id/", residenceHandler.RemoveResidenceUser) } } // setupTaskRoutes configures task routes func setupTaskRoutes(api *gin.RouterGroup, taskHandler *handlers.TaskHandler) { tasks := api.Group("/tasks") { tasks.GET("/", taskHandler.ListTasks) tasks.POST("/", taskHandler.CreateTask) tasks.GET("/by-residence/:residence_id/", taskHandler.GetTasksByResidence) tasks.GET("/:id/", taskHandler.GetTask) tasks.PUT("/:id/", taskHandler.UpdateTask) tasks.PATCH("/:id/", taskHandler.UpdateTask) tasks.DELETE("/:id/", taskHandler.DeleteTask) tasks.POST("/:id/mark-in-progress/", taskHandler.MarkInProgress) tasks.POST("/:id/cancel/", taskHandler.CancelTask) tasks.POST("/:id/uncancel/", taskHandler.UncancelTask) tasks.POST("/:id/archive/", taskHandler.ArchiveTask) tasks.POST("/:id/unarchive/", taskHandler.UnarchiveTask) tasks.POST("/:id/quick-complete/", taskHandler.QuickComplete) tasks.GET("/:id/completions/", taskHandler.GetTaskCompletions) } // Task Completions completions := api.Group("/task-completions") { completions.GET("/", taskHandler.ListCompletions) completions.POST("/", taskHandler.CreateCompletion) completions.GET("/:id/", taskHandler.GetCompletion) completions.DELETE("/:id/", taskHandler.DeleteCompletion) } } // setupContractorRoutes configures contractor routes func setupContractorRoutes(api *gin.RouterGroup, contractorHandler *handlers.ContractorHandler) { contractors := api.Group("/contractors") { contractors.GET("/", contractorHandler.ListContractors) contractors.POST("/", contractorHandler.CreateContractor) contractors.GET("/by-residence/:residence_id/", contractorHandler.ListContractorsByResidence) contractors.GET("/:id/", contractorHandler.GetContractor) contractors.PUT("/:id/", contractorHandler.UpdateContractor) contractors.PATCH("/:id/", contractorHandler.UpdateContractor) contractors.DELETE("/:id/", contractorHandler.DeleteContractor) contractors.POST("/:id/toggle-favorite/", contractorHandler.ToggleFavorite) contractors.GET("/:id/tasks/", contractorHandler.GetContractorTasks) } } // setupDocumentRoutes configures document routes func setupDocumentRoutes(api *gin.RouterGroup, documentHandler *handlers.DocumentHandler) { documents := api.Group("/documents") { documents.GET("/", documentHandler.ListDocuments) documents.POST("/", documentHandler.CreateDocument) documents.GET("/warranties/", documentHandler.ListWarranties) documents.GET("/:id/", documentHandler.GetDocument) documents.PUT("/:id/", documentHandler.UpdateDocument) documents.PATCH("/:id/", documentHandler.UpdateDocument) documents.DELETE("/:id/", documentHandler.DeleteDocument) documents.POST("/:id/activate/", documentHandler.ActivateDocument) documents.POST("/:id/deactivate/", documentHandler.DeactivateDocument) } } // setupNotificationRoutes configures notification routes func setupNotificationRoutes(api *gin.RouterGroup, notificationHandler *handlers.NotificationHandler) { notifications := api.Group("/notifications") { notifications.GET("/", notificationHandler.ListNotifications) notifications.GET("/unread-count/", notificationHandler.GetUnreadCount) notifications.POST("/mark-all-read/", notificationHandler.MarkAllAsRead) notifications.POST("/:id/read/", notificationHandler.MarkAsRead) notifications.POST("/devices/", notificationHandler.RegisterDevice) notifications.POST("/devices/register/", notificationHandler.RegisterDevice) // Alias for mobile clients notifications.GET("/devices/", notificationHandler.ListDevices) notifications.DELETE("/devices/:id/", notificationHandler.DeleteDevice) notifications.GET("/preferences/", notificationHandler.GetPreferences) notifications.PUT("/preferences/", notificationHandler.UpdatePreferences) notifications.PATCH("/preferences/", notificationHandler.UpdatePreferences) } } // setupSubscriptionRoutes configures subscription routes (authenticated) // Note: /upgrade-triggers/ is in setupPublicDataRoutes (public, no auth required) func setupSubscriptionRoutes(api *gin.RouterGroup, subscriptionHandler *handlers.SubscriptionHandler) { subscription := api.Group("/subscription") { subscription.GET("/", subscriptionHandler.GetSubscription) subscription.GET("/status/", subscriptionHandler.GetSubscriptionStatus) subscription.GET("/upgrade-trigger/:key/", subscriptionHandler.GetUpgradeTrigger) subscription.GET("/features/", subscriptionHandler.GetFeatureBenefits) subscription.GET("/promotions/", subscriptionHandler.GetPromotions) subscription.POST("/purchase/", subscriptionHandler.ProcessPurchase) subscription.POST("/cancel/", subscriptionHandler.CancelSubscription) subscription.POST("/restore/", subscriptionHandler.RestoreSubscription) } } // setupUserRoutes configures user routes func setupUserRoutes(api *gin.RouterGroup, userHandler *handlers.UserHandler) { users := api.Group("/users") { users.GET("/", userHandler.ListUsers) users.GET("/:id/", userHandler.GetUser) users.GET("/profiles/", userHandler.ListProfiles) } } // setupUploadRoutes configures file upload routes func setupUploadRoutes(api *gin.RouterGroup, uploadHandler *handlers.UploadHandler) { uploads := api.Group("/uploads") { uploads.POST("/image/", uploadHandler.UploadImage) uploads.POST("/document/", uploadHandler.UploadDocument) uploads.POST("/completion/", uploadHandler.UploadCompletion) uploads.DELETE("/", uploadHandler.DeleteFile) } } // setupMediaRoutes configures authenticated media serving routes func setupMediaRoutes(api *gin.RouterGroup, mediaHandler *handlers.MediaHandler) { media := api.Group("/media") { media.GET("/document/:id", mediaHandler.ServeDocument) media.GET("/document-image/:id", mediaHandler.ServeDocumentImage) media.GET("/completion-image/:id", mediaHandler.ServeCompletionImage) } }