alchemistkay/guestguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(tier2): multi-host / collaborators — Block C

Browse Source 
Events can now have multiple users with distinct roles:
  owner   — manage collaborators, delete event, full access
  editor  — manage guests, tokens, CSV import, patch event
  viewer  — read-only access to everything

Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
  no future event can exist without one

Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
  insufficient role 403. Replaces requireEventOwner across every
  shared-role handler (events.get/update, guests CRUD, tokens issue/
  rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching

Collaborator endpoints
- GET    /events/{id}/collaborators           (viewer+)
- POST   /events/{id}/collaborators           (owner)  — sends invite email
- PATCH  /events/{id}/collaborators/{user_id} (owner)  — role change
- DELETE /events/{id}/collaborators/{user_id} (owner)  — refuses last owner
- DELETE /events/{id}/collaborators/pending   (owner)  — cancel invite
- GET    /invites/{token}                     (public) — preview summary
- POST   /invites/{token}/accept              (authed) — atomic accept

Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
  senders + log stub; collaborator_invite.html/txt branded template

Frontend
- TeamCard.vue on the event detail page: lists collaborators with
  inline role-change + remove, pending-invites with cancel, invite
  modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
  or sign-in with pre-filled email, refuses mismatched accounts

Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
  delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kwaku Danso
2026-05-17 22:14:50 +01:00
parent 6803d700b4
commit 3973e4058d
28 changed files with 2108 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/storage/collaborators.go
+381
View File
@@ -0,0 +1,381 @@
package storage
import (
"context"
"errors"
"strings"
"time"
"github.com/google/uuid"
"github.com/jackc/pgx/v5"
"github.com/jackc/pgx/v5/pgconn"
"github.com/jackc/pgx/v5/pgxpool"
"github.com/alchemistkay/guestguard/internal/domain"
)
// CollaboratorRepo manages the event_collaborators table. The original host
// has an "owner" row inserted by the migration backfill; everyone else lands
// here via the invite-accept flow.
type CollaboratorRepo struct {
pool *pgxpool.Pool
}
func NewCollaboratorRepo(db *DB) *CollaboratorRepo {
return &CollaboratorRepo{pool: db.Pool}
}
// RoleFor returns the user's role on the event, or empty + false when they
// have none. The role-gate middleware uses this exact signature so a missing
// row is rendered as 404 (matching the existing pre-Block-C behaviour where
// the event "didn't exist" from the perspective of a non-owner).
func (r *CollaboratorRepo) RoleFor(ctx context.Context, eventID, userID uuid.UUID) (domain.Role, bool, error) {
var role domain.Role
err := r.pool.QueryRow(ctx, `
SELECT role FROM event_collaborators
WHERE event_id = $1 AND user_id = $2 AND accepted_at IS NOT NULL
`, eventID, userID).Scan(&role)
if err != nil {
if errors.Is(err, pgx.ErrNoRows) {
return "", false, nil
}
return "", false, err
}
return role, true, nil
}
// AddAccepted inserts a collaborator row already marked as accepted (used by
// the invite-accept flow). Returns ErrCollaboratorExists when the user is
// already on the event regardless of role — the Team UI prevents the
// duplicate, but we double-check at the DB layer.
func (r *CollaboratorRepo) AddAccepted(ctx context.Context, eventID, userID, invitedBy uuid.UUID, role domain.Role) error {
_, err := r.pool.Exec(ctx, `
INSERT INTO event_collaborators (event_id, user_id, role, invited_by, invited_at, accepted_at)
VALUES ($1, $2, $3, $4, now(), now())
`, eventID, userID, role, invitedBy)
if err != nil {
var pgErr *pgconn.PgError
if errors.As(err, &pgErr) && pgErr.Code == "23505" {
return domain.ErrCollaboratorExists
}
return err
}
return nil
}
// List returns every collaborator on the event with their user details
// joined in. Owners + editors + viewers, ordered by role precedence then by
// invited_at so the host's view stays stable.
func (r *CollaboratorRepo) List(ctx context.Context, eventID uuid.UUID) ([]domain.Collaborator, error) {
rows, err := r.pool.Query(ctx, `
SELECT c.event_id, c.user_id, c.role, c.invited_by,
c.invited_at, c.accepted_at,
u.name, u.email
FROM event_collaborators c
JOIN users u ON u.id = c.user_id
WHERE c.event_id = $1
ORDER BY
CASE c.role
WHEN 'owner' THEN 1
WHEN 'editor' THEN 2
WHEN 'viewer' THEN 3
END,
c.invited_at ASC
`, eventID)
if err != nil {
return nil, err
}
defer rows.Close()
out := []domain.Collaborator{}
for rows.Next() {
var c domain.Collaborator
if err := rows.Scan(
&c.EventID, &c.UserID, &c.Role, &c.InvitedBy,
&c.InvitedAt, &c.AcceptedAt, &c.Name, &c.Email,
); err != nil {
return nil, err
}
out = append(out, c)
}
return out, rows.Err()
}
// UpdateRole changes a collaborator's role. Refuses to demote the last
// owner — if you'd be left with zero owners after the change, returns
// ErrLastOwner and leaves the row untouched.
func (r *CollaboratorRepo) UpdateRole(ctx context.Context, eventID, userID uuid.UUID, newRole domain.Role) error {
tx, err := r.pool.Begin(ctx)
if err != nil {
return err
}
defer tx.Rollback(ctx)
var currentRole domain.Role
err = tx.QueryRow(ctx, `
SELECT role FROM event_collaborators
WHERE event_id = $1 AND user_id = $2
FOR UPDATE
`, eventID, userID).Scan(&currentRole)
if err != nil {
if errors.Is(err, pgx.ErrNoRows) {
return domain.ErrCollaboratorNotFound
}
return err
}
// Demoting the last owner is the only ordering trap. Promote → owner is
// always fine.
if currentRole == domain.RoleOwner && newRole != domain.RoleOwner {
if err := assertNotLastOwner(ctx, tx, eventID); err != nil {
return err
}
}
if _, err := tx.Exec(ctx, `
UPDATE event_collaborators SET role = $3
WHERE event_id = $1 AND user_id = $2
`, eventID, userID, newRole); err != nil {
return err
}
return tx.Commit(ctx)
}
// Remove deletes a collaborator. Refuses to remove the last owner so the
// event can't be orphaned. The host can demote-then-leave if they really
// want out, but only after promoting someone else.
func (r *CollaboratorRepo) Remove(ctx context.Context, eventID, userID uuid.UUID) error {
tx, err := r.pool.Begin(ctx)
if err != nil {
return err
}
defer tx.Rollback(ctx)
var currentRole domain.Role
err = tx.QueryRow(ctx, `
SELECT role FROM event_collaborators
WHERE event_id = $1 AND user_id = $2
FOR UPDATE
`, eventID, userID).Scan(&currentRole)
if err != nil {
if errors.Is(err, pgx.ErrNoRows) {
return domain.ErrCollaboratorNotFound
}
return err
}
if currentRole == domain.RoleOwner {
if err := assertNotLastOwner(ctx, tx, eventID); err != nil {
return err
}
}
if _, err := tx.Exec(ctx, `
DELETE FROM event_collaborators
WHERE event_id = $1 AND user_id = $2
`, eventID, userID); err != nil {
return err
}
return tx.Commit(ctx)
}
// assertNotLastOwner refuses to proceed when the event has exactly one
// owner. Call inside a transaction that holds a row lock on the candidate
// row so the count is accurate against concurrent removals.
func assertNotLastOwner(ctx context.Context, tx pgx.Tx, eventID uuid.UUID) error {
var owners int
if err := tx.QueryRow(ctx, `
SELECT count(*) FROM event_collaborators
WHERE event_id = $1 AND role = 'owner'
`, eventID).Scan(&owners); err != nil {
return err
}
if owners <= 1 {
return domain.ErrLastOwner
}
return nil
}
// ListEventIDsForUser returns the set of event IDs the user has any accepted
// role on. Used by GET /events to widen the dashboard list beyond just
// `events.host_id = userID`.
func (r *CollaboratorRepo) ListEventIDsForUser(ctx context.Context, userID uuid.UUID) ([]uuid.UUID, error) {
rows, err := r.pool.Query(ctx, `
SELECT event_id FROM event_collaborators
WHERE user_id = $1 AND accepted_at IS NOT NULL
`, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var out []uuid.UUID
for rows.Next() {
var id uuid.UUID
if err := rows.Scan(&id); err != nil {
return nil, err
}
out = append(out, id)
}
return out, rows.Err()
}
// --- invites ---
type InviteRepo struct {
pool *pgxpool.Pool
}
func NewInviteRepo(db *DB) *InviteRepo {
return &InviteRepo{pool: db.Pool}
}
type CreateInviteParams struct {
EventID uuid.UUID
Email string
Role domain.Role
InvitedBy uuid.UUID
TokenHash string
ExpiresAt time.Time
}
// Create writes an invite row. Multiple pending invites for the same email
// on the same event are allowed; the most recent one wins because the user
// only ever clicks the latest email. Old tokens stay valid until they
// expire — that's fine, they all point at the same event/role tuple.
func (r *InviteRepo) Create(ctx context.Context, p CreateInviteParams) error {
_, err := r.pool.Exec(ctx, `
INSERT INTO collaborator_invites
(token_hash, event_id, email, role, invited_by, expires_at)
VALUES ($1, $2, $3, $4, $5, $6)
`, p.TokenHash, p.EventID, strings.ToLower(strings.TrimSpace(p.Email)),
p.Role, p.InvitedBy, p.ExpiresAt)
return err
}
// Get loads an invite by token hash. Returns ErrInviteNotFound on miss,
// ErrInviteExpired when the row exists but `expires_at` has passed, and
// ErrInviteAlreadyConsumed when the invite was already accepted.
func (r *InviteRepo) Get(ctx context.Context, tokenHash string) (*domain.CollaboratorInvite, error) {
var (
inv domain.CollaboratorInvite
consumedAt *time.Time
)
err := r.pool.QueryRow(ctx, `
SELECT event_id, email, role, invited_by, expires_at, consumed_at, created_at
FROM collaborator_invites
WHERE token_hash = $1
`, tokenHash).Scan(
&inv.EventID, &inv.Email, &inv.Role, &inv.InvitedBy,
&inv.ExpiresAt, &consumedAt, &inv.CreatedAt,
)
if err != nil {
if errors.Is(err, pgx.ErrNoRows) {
return nil, domain.ErrInviteNotFound
}
return nil, err
}
if consumedAt != nil {
return nil, domain.ErrInviteAlreadyConsumed
}
if time.Now().UTC().After(inv.ExpiresAt) {
return nil, domain.ErrInviteExpired
}
return &inv, nil
}
// MarkConsumed flags the invite as used. Called inside the same transaction
// that inserts the new event_collaborators row so the two states stay in
// sync (no "accepted but invite still pending" race).
func (r *InviteRepo) MarkConsumed(ctx context.Context, tokenHash string) error {
tag, err := r.pool.Exec(ctx, `
UPDATE collaborator_invites
SET consumed_at = now()
WHERE token_hash = $1 AND consumed_at IS NULL
`, tokenHash)
if err != nil {
return err
}
if tag.RowsAffected() == 0 {
return domain.ErrInviteNotFound
}
return nil
}
// AcceptInvite atomically consumes the invite and inserts the collaborator
// row. Returns ErrCollaboratorExists if the user already has a role on the
// event (the invite is still consumed so the link can't be replayed).
func (r *CollaboratorRepo) AcceptInvite(
ctx context.Context,
tokenHash string,
userID uuid.UUID,
eventID uuid.UUID,
invitedBy uuid.UUID,
role domain.Role,
) error {
tx, err := r.pool.Begin(ctx)
if err != nil {
return err
}
defer tx.Rollback(ctx)
tag, err := tx.Exec(ctx, `
UPDATE collaborator_invites
SET consumed_at = now()
WHERE token_hash = $1 AND consumed_at IS NULL
`, tokenHash)
if err != nil {
return err
}
if tag.RowsAffected() == 0 {
return domain.ErrInviteAlreadyConsumed
}
_, err = tx.Exec(ctx, `
INSERT INTO event_collaborators (event_id, user_id, role, invited_by, invited_at, accepted_at)
VALUES ($1, $2, $3, $4, now(), now())
ON CONFLICT (event_id, user_id) DO NOTHING
`, eventID, userID, role, invitedBy)
if err != nil {
return err
}
return tx.Commit(ctx)
}
// ListPendingForEvent returns invitations the host hasn't seen accepted yet,
// shown alongside accepted collaborators on the Team tab.
func (r *InviteRepo) ListPendingForEvent(ctx context.Context, eventID uuid.UUID) ([]domain.CollaboratorInvite, error) {
rows, err := r.pool.Query(ctx, `
SELECT event_id, email, role, invited_by, expires_at, created_at
FROM collaborator_invites
WHERE event_id = $1 AND consumed_at IS NULL
ORDER BY created_at DESC
`, eventID)
if err != nil {
return nil, err
}
defer rows.Close()
out := []domain.CollaboratorInvite{}
for rows.Next() {
var inv domain.CollaboratorInvite
if err := rows.Scan(
&inv.EventID, &inv.Email, &inv.Role, &inv.InvitedBy,
&inv.ExpiresAt, &inv.CreatedAt,
); err != nil {
return nil, err
}
out = append(out, inv)
}
return out, rows.Err()
}
// DeletePendingByEmail clears any unconsumed invites for the (event, email)
// pair. Called when the host cancels a pending invite from the Team UI.
func (r *InviteRepo) DeletePendingByEmail(ctx context.Context, eventID uuid.UUID, email string) error {
_, err := r.pool.Exec(ctx, `
DELETE FROM collaborator_invites
WHERE event_id = $1
AND lower(email) = lower($2)
AND consumed_at IS NULL
`, eventID, strings.TrimSpace(email))
return err
}