honeyDueAPI/internal/handlers/auth_handler.go

package handlers

import (
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/rs/zerolog/log"

	"github.com/treytartt/honeydue-api/internal/apperrors"
	"github.com/treytartt/honeydue-api/internal/dto/requests"
	"github.com/treytartt/honeydue-api/internal/dto/responses"
	"github.com/treytartt/honeydue-api/internal/middleware"
	"github.com/treytartt/honeydue-api/internal/services"
	"github.com/treytartt/honeydue-api/internal/validator"
)

// AuthHandler handles user profile and account management endpoints.
// Session lifecycle (login, register, logout, password reset) is delegated
// to Ory Kratos; this handler only deals with the honeyDue user record.
type AuthHandler struct {
	authService    *services.AuthService
	emailService   *services.EmailService
	cache          *services.CacheService
	storageService *services.StorageService
	auditService   *services.AuditService
}

// NewAuthHandler creates a new auth handler.
func NewAuthHandler(authService *services.AuthService, emailService *services.EmailService, cache *services.CacheService) *AuthHandler {
	return &AuthHandler{
		authService:  authService,
		emailService: emailService,
		cache:        cache,
	}
}

// SetStorageService sets the storage service for file deletion during account deletion.
func (h *AuthHandler) SetStorageService(storageService *services.StorageService) {
	h.storageService = storageService
}

// SetAuditService sets the audit service for logging security events.
func (h *AuthHandler) SetAuditService(auditService *services.AuditService) {
	h.auditService = auditService
}

// noStore marks a response as non-cacheable.
func noStore(c echo.Context) {
	c.Response().Header().Set("Cache-Control", "no-store")
}

// CurrentUser handles GET /api/auth/me/
func (h *AuthHandler) CurrentUser(c echo.Context) error {
	noStore(c)
	user, err := middleware.MustGetAuthUser(c)
	if err != nil {
		return err
	}

	response, err := h.authService.GetCurrentUser(c.Request().Context(), user.ID)
	if err != nil {
		log.Error().Err(err).Uint("user_id", user.ID).Msg("Failed to get current user")
		return err
	}

	return c.JSON(http.StatusOK, response)
}

// UpdateProfile handles PUT/PATCH /api/auth/profile/
func (h *AuthHandler) UpdateProfile(c echo.Context) error {
	user, err := middleware.MustGetAuthUser(c)
	if err != nil {
		return err
	}

	var req requests.UpdateProfileRequest
	if err := c.Bind(&req); err != nil {
		return apperrors.BadRequest("error.invalid_request")
	}
	if err := c.Validate(&req); err != nil {
		return c.JSON(http.StatusBadRequest, validator.FormatValidationErrors(err))
	}

	response, err := h.authService.UpdateProfile(c.Request().Context(), user.ID, &req)
	if err != nil {
		log.Debug().Err(err).Uint("user_id", user.ID).Msg("Failed to update profile")
		return err
	}

	return c.JSON(http.StatusOK, response)
}

// DeleteAccount handles DELETE /api/auth/account/
func (h *AuthHandler) DeleteAccount(c echo.Context) error {
	user, err := middleware.MustGetAuthUser(c)
	if err != nil {
		return err
	}

	var req requests.DeleteAccountRequest
	if err := c.Bind(&req); err != nil {
		return apperrors.BadRequest("error.invalid_request")
	}

	fileURLs, err := h.authService.DeleteAccount(c.Request().Context(), user.ID, req.Password, req.Confirmation)
	if err != nil {
		log.Debug().Err(err).Uint("user_id", user.ID).Msg("Account deletion failed")
		return err
	}

	if h.auditService != nil {
		h.auditService.LogEvent(c, &user.ID, services.AuditEventAccountDeleted, map[string]interface{}{
			"user_id":  user.ID,
			"username": user.Username,
			"email":    user.Email,
		})
	}

	// Delete files from disk (best effort, don't fail the request)
	if h.storageService != nil && len(fileURLs) > 0 {
		go func() {
			defer func() {
				if r := recover(); r != nil {
					log.Error().Interface("panic", r).Uint("user_id", user.ID).Msg("Panic in file cleanup goroutine")
				}
			}()
			for _, fileURL := range fileURLs {
				if err := h.storageService.Delete(fileURL); err != nil {
					log.Warn().Err(err).Str("file_url", fileURL).Msg("Failed to delete file during account cleanup")
				}
			}
		}()
	}

	return c.JSON(http.StatusOK, responses.MessageResponse{Message: "Account deleted successfully"})
}