feat(tier2): editable RSVPs — Block A

Guests can revisit their invitation link and change their response or plus-ones up to 5 times. Each prior state is snapshotted into `rsvp_revisions` and surfaced to the host via a per-guest history modal on the event detail page. - Migration 0007 adds rsvp_revisions + rsvps.edit_count (with down) - RSVPRepo.Update wraps snapshot+update+counter in one transaction, FOR UPDATE-locking the row so concurrent edits can't bypass the cap - PATCH /rsvp/{token} re-runs the fraud check on every edit attempt (different device on an edit is itself a signal) - POST /rsvp no longer marks the token used — the link stays valid so the guest can come back to edit - GET /access/{token} now embeds the existing RSVP so the frontend renders an edit form instead of a blank submit form on revisit - New host endpoint GET /events/{id}/guests/{guest_id}/rsvp/history - Frontend: rsvp/[token].vue toggles between summary + edit form, surfaces edits-remaining; dashboard adds a "History" action on responded guests opening a revision-trail modal Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 19:27:50 +01:00
parent e087fd53ef
commit 39533162bb
10 changed files with 1018 additions and 109 deletions
@@ -9,6 +9,8 @@ import (
 	"net/http"
 	"time"

+	"github.com/google/uuid"
+
 	"github.com/alchemistkay/guestguard/internal/auth"
 	"github.com/alchemistkay/guestguard/internal/domain"
 	"github.com/alchemistkay/guestguard/internal/fraud"
@@ -43,51 +45,24 @@ type submitRSVPRequest struct {
 }

 type submitRSVPResponse struct {
-	RSVP      *domain.RSVP   `json:"rsvp"`
-	Decision  fraud.Decision `json:"fraud"`
-	Blocked   bool           `json:"blocked"`
+	RSVP     *domain.RSVP   `json:"rsvp"`
+	Decision fraud.Decision `json:"fraud"`
+	Blocked  bool           `json:"blocked"`
+	Edited   bool           `json:"edited"`
 }

 // POST /rsvp/{token} — synchronous fraud check + RSVP recording.
 func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
-	raw := r.PathValue("token")
-	if err := auth.ValidateFormat(raw); err != nil {
-		writeError(w, http.StatusBadRequest, "malformed token")
+	tk, ok := h.loadValidToken(w, r)
+	if !ok {
 		return
 	}
-
-	tk, err := h.tokens.GetByHash(r.Context(), auth.HashToken(raw))
-	if err != nil {
-		if errors.Is(err, domain.ErrTokenNotFound) {
-			writeError(w, http.StatusNotFound, "token not found")
-			return
-		}
-		writeError(w, http.StatusInternalServerError, "failed to load token")
+	req, ok := decodeSubmitRSVP(w, r)
+	if !ok {
 		return
 	}
-	if err := tk.IsValid(time.Now().UTC()); err != nil {
-		writeError(w, http.StatusGone, err.Error())
-		return
-	}
-
-	var req submitRSVPRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		writeError(w, http.StatusBadRequest, "invalid json")
-		return
-	}
-	resp := domain.RSVPResponse(req.Response)
-	if !resp.Valid() {
-		writeError(w, http.StatusBadRequest, "response must be attending|declined|maybe")
-		return
-	}
-	if req.PlusOnes < 0 {
-		writeError(w, http.StatusBadRequest, "plus_ones must be >= 0")
-		return
-	}
-
-	guest, err := h.guests.Get(r.Context(), tk.GuestID)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to load guest")
+	guest, event, ok := h.loadGuestEvent(w, r, tk.GuestID)
+	if !ok {
 		return
 	}
 	if req.PlusOnes > guest.PlusOnes {
@@ -95,13 +70,246 @@ func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
 			fmt.Sprintf("you may bring up to %d plus-one(s)", guest.PlusOnes))
 		return
 	}
-	event, err := h.events.Get(r.Context(), guest.EventID)
-	if err != nil {
-		writeError(w, http.StatusInternalServerError, "failed to load event")
+
+	decision, fingerprint, ip, ok := h.scoreAccess(w, r, event, guest, tk, req.Fingerprint)
+	if !ok {
 		return
 	}

-	fingerprint := mergeFingerprint(req.Fingerprint, collectFingerprint(r))
+	score := decision.Score
+	rsvp, err := h.rsvps.Create(r.Context(), storage.CreateRSVPParams{
+		GuestID:           guest.ID,
+		Response:          req.Resp,
+		PlusOnes:          req.PlusOnes,
+		DietaryNotes:      req.DietaryNotes,
+		DeviceFingerprint: fingerprint,
+		IPAddress:         ip,
+		RiskScore:         &score,
+	})
+	if err != nil {
+		if errors.Is(err, domain.ErrRSVPAlreadySubmitted) {
+			// Tier 2 Block A: guests edit an existing RSVP via PATCH. Tell
+			// the client to switch endpoints rather than swallowing the
+			// retry silently.
+			writeError(w, http.StatusConflict, "rsvp already submitted — use PATCH to edit")
+			return
+		}
+		h.logger.Error("create rsvp", "err", err, "guest_id", guest.ID)
+		writeError(w, http.StatusInternalServerError, "failed to record rsvp")
+		return
+	}
+
+	// Block A: we intentionally do NOT mark the token used here any more.
+	// The token must remain valid so the guest can come back to the same
+	// link and edit their response.
+
+	h.publishRSVPConfirmed(event.ID, guest.ID, rsvp, &score)
+
+	writeJSON(w, http.StatusCreated, submitRSVPResponse{
+		RSVP:     rsvp,
+		Decision: decision,
+		Blocked:  false,
+		Edited:   false,
+	})
+}
+
+// PATCH /rsvp/{token} — revise an existing RSVP. Same fraud check as POST.
+// The prior state is snapshotted into rsvp_revisions inside Update; edits
+// past MaxRSVPEdits return 429.
+func (h *rsvpHandler) edit(w http.ResponseWriter, r *http.Request) {
+	tk, ok := h.loadValidToken(w, r)
+	if !ok {
+		return
+	}
+	req, ok := decodeSubmitRSVP(w, r)
+	if !ok {
+		return
+	}
+	guest, event, ok := h.loadGuestEvent(w, r, tk.GuestID)
+	if !ok {
+		return
+	}
+	if req.PlusOnes > guest.PlusOnes {
+		writeError(w, http.StatusBadRequest,
+			fmt.Sprintf("you may bring up to %d plus-one(s)", guest.PlusOnes))
+		return
+	}
+
+	decision, fingerprint, ip, ok := h.scoreAccess(w, r, event, guest, tk, req.Fingerprint)
+	if !ok {
+		return
+	}
+
+	score := decision.Score
+	rsvp, err := h.rsvps.Update(r.Context(), storage.UpdateRSVPParams{
+		GuestID:           guest.ID,
+		Response:          req.Resp,
+		PlusOnes:          req.PlusOnes,
+		DietaryNotes:      req.DietaryNotes,
+		DeviceFingerprint: fingerprint,
+		IPAddress:         ip,
+		RiskScore:         &score,
+	})
+	if err != nil {
+		switch {
+		case errors.Is(err, domain.ErrRSVPNotFound):
+			writeError(w, http.StatusNotFound, "no rsvp to edit — submit first")
+		case errors.Is(err, domain.ErrRSVPEditLimitReached):
+			writeError(w, http.StatusTooManyRequests,
+				fmt.Sprintf("edit limit reached (%d edits)", domain.MaxRSVPEdits))
+		default:
+			h.logger.Error("update rsvp", "err", err, "guest_id", guest.ID)
+			writeError(w, http.StatusInternalServerError, "failed to update rsvp")
+		}
+		return
+	}
+
+	h.publishRSVPConfirmed(event.ID, guest.ID, rsvp, &score)
+
+	writeJSON(w, http.StatusOK, submitRSVPResponse{
+		RSVP:     rsvp,
+		Decision: decision,
+		Blocked:  false,
+		Edited:   true,
+	})
+}
+
+type rsvpHistoryResponse struct {
+	RSVP      *domain.RSVP          `json:"rsvp"`
+	Revisions []domain.RSVPRevision `json:"revisions"`
+}
+
+// GET /events/{id}/guests/{guest_id}/rsvp/history — host view of the
+// current RSVP plus every prior revision newest-first.
+func (h *rsvpHandler) history(w http.ResponseWriter, r *http.Request) {
+	hostID, ok := hostFromContext(w, r)
+	if !ok {
+		return
+	}
+	eventID, ok := parseIDParam(w, r, "id")
+	if !ok {
+		return
+	}
+	guestID, ok := parseIDParam(w, r, "guest_id")
+	if !ok {
+		return
+	}
+	if _, ok := requireEventOwner(w, r, h.events, eventID, hostID); !ok {
+		return
+	}
+
+	guest, err := h.guests.Get(r.Context(), guestID)
+	if err != nil {
+		if errors.Is(err, domain.ErrGuestNotFound) {
+			writeError(w, http.StatusNotFound, "guest not found")
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "failed to load guest")
+		return
+	}
+	if guest.EventID != eventID {
+		writeError(w, http.StatusNotFound, "guest not found in event")
+		return
+	}
+
+	rsvp, err := h.rsvps.GetByGuest(r.Context(), guestID)
+	if err != nil {
+		if errors.Is(err, domain.ErrRSVPNotFound) {
+			writeJSON(w, http.StatusOK, rsvpHistoryResponse{Revisions: []domain.RSVPRevision{}})
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "failed to load rsvp")
+		return
+	}
+
+	revisions, err := h.rsvps.ListRevisions(r.Context(), rsvp.ID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to load revisions")
+		return
+	}
+	writeJSON(w, http.StatusOK, rsvpHistoryResponse{RSVP: rsvp, Revisions: revisions})
+}
+
+// --- shared helpers ---
+
+type decodedRSVPRequest struct {
+	Resp         domain.RSVPResponse
+	PlusOnes     int
+	DietaryNotes *string
+	Fingerprint  map[string]any
+}
+
+func decodeSubmitRSVP(w http.ResponseWriter, r *http.Request) (decodedRSVPRequest, bool) {
+	var req submitRSVPRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid json")
+		return decodedRSVPRequest{}, false
+	}
+	resp := domain.RSVPResponse(req.Response)
+	if !resp.Valid() {
+		writeError(w, http.StatusBadRequest, "response must be attending|declined|maybe")
+		return decodedRSVPRequest{}, false
+	}
+	if req.PlusOnes < 0 {
+		writeError(w, http.StatusBadRequest, "plus_ones must be >= 0")
+		return decodedRSVPRequest{}, false
+	}
+	return decodedRSVPRequest{
+		Resp:         resp,
+		PlusOnes:     req.PlusOnes,
+		DietaryNotes: req.DietaryNotes,
+		Fingerprint:  req.Fingerprint,
+	}, true
+}
+
+func (h *rsvpHandler) loadValidToken(w http.ResponseWriter, r *http.Request) (*domain.Token, bool) {
+	raw := r.PathValue("token")
+	if err := auth.ValidateFormat(raw); err != nil {
+		writeError(w, http.StatusBadRequest, "malformed token")
+		return nil, false
+	}
+	tk, err := h.tokens.GetByHash(r.Context(), auth.HashToken(raw))
+	if err != nil {
+		if errors.Is(err, domain.ErrTokenNotFound) {
+			writeError(w, http.StatusNotFound, "token not found")
+			return nil, false
+		}
+		writeError(w, http.StatusInternalServerError, "failed to load token")
+		return nil, false
+	}
+	if err := tk.IsValid(time.Now().UTC()); err != nil {
+		writeError(w, http.StatusGone, err.Error())
+		return nil, false
+	}
+	return tk, true
+}
+
+func (h *rsvpHandler) loadGuestEvent(w http.ResponseWriter, r *http.Request, guestID uuid.UUID) (*domain.Guest, *domain.Event, bool) {
+	guest, err := h.guests.Get(r.Context(), guestID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to load guest")
+		return nil, nil, false
+	}
+	event, err := h.events.Get(r.Context(), guest.EventID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to load event")
+		return nil, nil, false
+	}
+	return guest, event, true
+}
+
+// scoreAccess logs the access attempt, scores it, and short-circuits with a
+// 403 on a BLOCK decision. Returns the decision and the merged fingerprint /
+// IP so the caller can persist them on the RSVP row.
+func (h *rsvpHandler) scoreAccess(
+	w http.ResponseWriter,
+	r *http.Request,
+	event *domain.Event,
+	guest *domain.Guest,
+	tk *domain.Token,
+	clientFP map[string]any,
+) (fraud.Decision, map[string]any, string, bool) {
+	fingerprint := mergeFingerprint(clientFP, collectFingerprint(r))
 	ip := clientIP(r)

 	accessLogID, err := h.accessLogs.Create(r.Context(), storage.CreateAccessLogParams{
@@ -124,39 +332,20 @@ func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
 		UserAgent:   r.UserAgent(),
 		Referrer:    r.Referer(),
 	})
-
 	if fraud.IsBlock(decision) {
 		writeJSON(w, http.StatusForbidden, submitRSVPResponse{
 			Decision: decision,
 			Blocked:  true,
 		})
+		return decision, nil, "", false
+	}
+	return decision, fingerprint, ip, true
+}
+
+func (h *rsvpHandler) publishRSVPConfirmed(eventID, guestID uuid.UUID, rsvp *domain.RSVP, score *int) {
+	if h.pub == nil {
 		return
 	}
-
-	score := decision.Score
-	rsvp, err := h.rsvps.Create(r.Context(), storage.CreateRSVPParams{
-		GuestID:           guest.ID,
-		Response:          resp,
-		PlusOnes:          req.PlusOnes,
-		DietaryNotes:      req.DietaryNotes,
-		DeviceFingerprint: fingerprint,
-		IPAddress:         ip,
-		RiskScore:         &score,
-	})
-	if err != nil {
-		if errors.Is(err, domain.ErrRSVPAlreadySubmitted) {
-			writeError(w, http.StatusConflict, "rsvp already submitted for this guest")
-			return
-		}
-		h.logger.Error("create rsvp", "err", err, "guest_id", guest.ID)
-		writeError(w, http.StatusInternalServerError, "failed to record rsvp")
-		return
-	}
-
-	if err := h.tokens.MarkUsed(r.Context(), tk.ID); err != nil {
-		h.logger.Warn("mark token used", "err", err, "token_id", tk.ID)
-	}
-
 	go func(evt natspub.RSVPConfirmed) {
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
@@ -164,20 +353,14 @@ func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
 			h.logger.Error("publish rsvp.confirmed", "err", err, "rsvp_id", evt.RSVPID)
 		}
 	}(natspub.RSVPConfirmed{
-		EventID:     event.ID,
-		GuestID:     guest.ID,
+		EventID:     eventID,
+		GuestID:     guestID,
 		RSVPID:      rsvp.ID,
 		Response:    string(rsvp.Response),
 		PlusOnes:    rsvp.PlusOnes,
-		RiskScore:   &score,
+		RiskScore:   score,
 		SubmittedAt: rsvp.SubmittedAt,
 	})
-
-	writeJSON(w, http.StatusCreated, submitRSVPResponse{
-		RSVP:     rsvp,
-		Decision: decision,
-		Blocked:  false,
-	})
 }

 func mergeFingerprint(client map[string]any, server map[string]any) map[string]any {
@@ -207,4 +390,3 @@ func stringifyFingerprint(fp map[string]any) map[string]string {
 	}
 	return out
 }
-
@@ -161,6 +161,7 @@ func NewServer(deps ServerDeps) (*Server, error) {
 			events:        eventRepo,
 			users:         userRepo,
 			accessLogs:    accessRepo,
+			rsvps:         rsvpRepo,
 			gen:           auth.NewGenerator(),
 			ttl:           deps.TokenTTL,
 			pub:           deps.AccessPublisher,
@@ -306,6 +307,16 @@ func (s *Server) Handler() http.Handler {
 		rl("access", 60, time.Hour, pathKey("token"), http.HandlerFunc(s.tokens.access)))
 	mux.Handle("POST /rsvp/{token}",
 		rl("rsvp", 10, time.Hour, pathKey("token"), http.HandlerFunc(s.rsvps.submit)))
+	// Block A: edits are bounded by MaxRSVPEdits server-side. The redis
+	// limiter is a coarser guard that also throttles attempts that hit the
+	// edit-cap 429 path, so a hostile actor can't burn through fraud-engine
+	// calls on the same token.
+	mux.Handle("PATCH /rsvp/{token}",
+		rl("rsvp_edit", 10, time.Hour, pathKey("token"), http.HandlerFunc(s.rsvps.edit)))
+
+	// Host view of the edit trail for a single guest.
+	mux.Handle("GET /events/{id}/guests/{guest_id}/rsvp/history",
+		authed(http.HandlerFunc(s.rsvps.history)))

 	// WebSocket endpoint authenticates via single-use ticket on the query
 	// string (see POST /auth/ws-ticket).
@@ -32,6 +32,7 @@ type tokenHandler struct {
 	events        *storage.EventRepo
 	users         *storage.UserRepo
 	accessLogs    *storage.AccessLogRepo
+	rsvps         *storage.RSVPRepo
 	gen           *auth.Generator
 	ttl           time.Duration
 	pub           accessPublisher
@@ -401,10 +402,14 @@ func (h *tokenHandler) rotate(w http.ResponseWriter, r *http.Request) {
 }

 type accessResponse struct {
-	Guest      *domain.Guest `json:"guest"`
-	Event      *domain.Event `json:"event"`
-	Token      *domain.Token `json:"token"`
-	AccessLog  uuid.UUID     `json:"access_log_id"`
+	Guest     *domain.Guest `json:"guest"`
+	Event     *domain.Event `json:"event"`
+	Token     *domain.Token `json:"token"`
+	AccessLog uuid.UUID     `json:"access_log_id"`
+	// RSVP is the guest's current submission, if any. Populated so the RSVP
+	// page can show an edit form instead of a fresh submit form when the
+	// guest revisits their invitation link (Tier 2 Block A).
+	RSVP *domain.RSVP `json:"rsvp,omitempty"`
 }

 // GET /access/{token} — validate token, log the access attempt, publish to NATS.
@@ -471,11 +476,28 @@ func (h *tokenHandler) access(w http.ResponseWriter, r *http.Request) {
 		OccurredAt:  time.Now().UTC(),
 	})

+	var existingRSVP *domain.RSVP
+	if h.rsvps != nil {
+		// Best-effort: a missing RSVP just means the guest hasn't submitted
+		// yet. Any other error is logged but doesn't fail the access call —
+		// we'd rather the guest see the form than a 500.
+		rs, err := h.rsvps.GetByGuest(r.Context(), guest.ID)
+		switch {
+		case err == nil:
+			existingRSVP = rs
+		case errors.Is(err, domain.ErrRSVPNotFound):
+			// expected first-visit case
+		default:
+			h.logger.Warn("load rsvp for access", "err", err, "guest_id", guest.ID)
+		}
+	}
+
 	writeJSON(w, http.StatusOK, accessResponse{
 		Guest:     guest,
 		Event:     event,
 		Token:     tk,
 		AccessLog: accessLogID,
+		RSVP:      existingRSVP,
 	})
 }