package api import ( "encoding/json" "errors" "log/slog" "net/http" "github.com/alchemistkay/guestguard/internal/domain" "github.com/alchemistkay/guestguard/internal/storage" ) // securityHandler bundles the Tier 2 Block G endpoints: per-event fraud // thresholds, the CIDR allowlist, and the fraud-feedback inbox. type securityHandler struct { logger *slog.Logger events *storage.EventRepo collabs *storage.CollaboratorRepo allowlist *storage.AllowlistRepo feedback *storage.FeedbackRepo access *storage.AccessLogRepo } // --- thresholds --- type thresholdsResponse struct { domain.FraudThresholds // Defaults are echoed so the slider can show "reset" affordances // without a hardcoded duplicate in the frontend. Defaults domain.FraudThresholds `json:"defaults"` } // GET /events/{id}/security/thresholds — viewer+. func (h *securityHandler) getThresholds(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleViewer); !ok { return } th, err := h.events.GetThresholds(r.Context(), eventID) if err != nil && !errors.Is(err, domain.ErrEventNotFound) { writeError(w, http.StatusInternalServerError, "failed to load thresholds") return } writeJSON(w, http.StatusOK, thresholdsResponse{ FraudThresholds: th, Defaults: domain.DefaultThresholds(), }) } // PUT /events/{id}/security/thresholds — editor+. func (h *securityHandler) putThresholds(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleEditor); !ok { return } var req domain.FraudThresholds if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid json") return } if err := req.Valid(); err != nil { writeError(w, http.StatusBadRequest, err.Error()) return } if err := h.events.UpdateThresholds(r.Context(), eventID, req); err != nil { if errors.Is(err, domain.ErrEventNotFound) { writeError(w, http.StatusNotFound, "event not found") return } h.logger.Error("update thresholds", "err", err) writeError(w, http.StatusInternalServerError, "failed to update thresholds") return } writeJSON(w, http.StatusOK, thresholdsResponse{ FraudThresholds: req, Defaults: domain.DefaultThresholds(), }) } // --- allowlist --- type addAllowlistRequest struct { CIDR string `json:"cidr"` Label string `json:"label"` } // GET /events/{id}/security/allowlist — viewer+. func (h *securityHandler) listAllowlist(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleViewer); !ok { return } entries, err := h.allowlist.List(r.Context(), eventID) if err != nil { writeError(w, http.StatusInternalServerError, "failed to list allowlist") return } writeJSON(w, http.StatusOK, map[string]any{"entries": entries}) } // POST /events/{id}/security/allowlist — editor+. func (h *securityHandler) addAllowlist(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleEditor); !ok { return } var req addAllowlistRequest if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid json") return } canonical, _, err := domain.ParseAllowlistCIDR(req.CIDR) if err != nil { writeError(w, http.StatusBadRequest, err.Error()) return } entry, err := h.allowlist.Add(r.Context(), storage.AddAllowlistParams{ EventID: eventID, CIDR: canonical, Label: req.Label, CreatedBy: hostID, }) if err != nil { if errors.Is(err, storage.ErrAllowlistExists) { writeError(w, http.StatusConflict, "that CIDR is already allowlisted") return } h.logger.Error("add allowlist", "err", err) writeError(w, http.StatusInternalServerError, "failed to add allowlist entry") return } writeJSON(w, http.StatusCreated, entry) } // DELETE /events/{id}/security/allowlist?cidr=... — editor+. CIDR comes in // on the query string so the URL stays RESTful without route-encoding the // slash in the path. func (h *securityHandler) removeAllowlist(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleEditor); !ok { return } cidr := r.URL.Query().Get("cidr") if cidr == "" { writeError(w, http.StatusBadRequest, "cidr query parameter required") return } canonical, _, err := domain.ParseAllowlistCIDR(cidr) if err != nil { writeError(w, http.StatusBadRequest, err.Error()) return } if err := h.allowlist.Remove(r.Context(), eventID, canonical); err != nil { if errors.Is(err, domain.ErrAllowlistNotFound) { writeError(w, http.StatusNotFound, "allowlist entry not found") return } writeError(w, http.StatusInternalServerError, "failed to remove allowlist entry") return } w.WriteHeader(http.StatusNoContent) } // --- feedback --- type feedbackRequest struct { Verdict string `json:"verdict"` // "legitimate" | "suspicious" Note string `json:"note"` } // POST /events/{id}/access-logs/{log_id}/feedback — editor+. Records the // host's verdict on a specific access log. We re-verify the log belongs // to the event (a hostile editor on event A shouldn't be able to mark // event B's logs). func (h *securityHandler) recordFeedback(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleEditor); !ok { return } logID, ok := parseIDParam(w, r, "log_id") if !ok { return } // Confirm the access log is on this event. belongs, err := h.access.BelongsToEvent(r.Context(), logID, eventID) if err != nil { writeError(w, http.StatusInternalServerError, "failed to verify access log") return } if !belongs { writeError(w, http.StatusNotFound, "access log not found") return } var req feedbackRequest if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid json") return } if err := (domain.FraudFeedback{Verdict: req.Verdict}).Valid(); err != nil { writeError(w, http.StatusBadRequest, err.Error()) return } f, err := h.feedback.Record(r.Context(), storage.RecordFeedbackParams{ AccessLogID: logID, Verdict: req.Verdict, MarkedBy: hostID, Note: req.Note, }) if err != nil { h.logger.Error("record feedback", "err", err) writeError(w, http.StatusInternalServerError, "failed to record feedback") return } writeJSON(w, http.StatusOK, f) } // GET /events/{id}/security/feedback — viewer+. func (h *securityHandler) listFeedback(w http.ResponseWriter, r *http.Request) { hostID, ok := hostFromContext(w, r) if !ok { return } eventID, ok := parseIDParam(w, r, "id") if !ok { return } if _, _, ok := requireRole(w, r, h.events, h.collabs, eventID, hostID, domain.RoleViewer); !ok { return } fb, err := h.feedback.ListForEvent(r.Context(), eventID) if err != nil { writeError(w, http.StatusInternalServerError, "failed to list feedback") return } writeJSON(w, http.StatusOK, map[string]any{"feedback": fb}) }