guestguard/internal/api/rsvps.go

package api

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"log/slog"
	"net/http"
	"time"

	"github.com/google/uuid"

	"github.com/alchemistkay/guestguard/internal/auth"
	"github.com/alchemistkay/guestguard/internal/domain"
	"github.com/alchemistkay/guestguard/internal/fraud"
	"github.com/alchemistkay/guestguard/internal/natspub"
	"github.com/alchemistkay/guestguard/internal/storage"
)

type rsvpPublisher interface {
	PublishRSVPConfirmed(ctx context.Context, evt natspub.RSVPConfirmed) error
}

type fraudScorer interface {
	Score(ctx context.Context, in fraud.ScoreInput) fraud.Decision
}

type rsvpHandler struct {
	logger     *slog.Logger
	guests     *storage.GuestRepo
	tokens     *storage.TokenRepo
	events     *storage.EventRepo
	rsvps      *storage.RSVPRepo
	accessLogs *storage.AccessLogRepo
	scorer     fraudScorer
	pub        rsvpPublisher
}

type submitRSVPRequest struct {
	Response     string         `json:"response"`
	PlusOnes     int            `json:"plus_ones"`
	DietaryNotes *string        `json:"dietary_notes"`
	Fingerprint  map[string]any `json:"fingerprint"`
}

type submitRSVPResponse struct {
	RSVP     *domain.RSVP   `json:"rsvp"`
	Decision fraud.Decision `json:"fraud"`
	Blocked  bool           `json:"blocked"`
	Edited   bool           `json:"edited"`
}

// POST /rsvp/{token} — synchronous fraud check + RSVP recording.
func (h *rsvpHandler) submit(w http.ResponseWriter, r *http.Request) {
	tk, ok := h.loadValidToken(w, r)
	if !ok {
		return
	}
	req, ok := decodeSubmitRSVP(w, r)
	if !ok {
		return
	}
	guest, event, ok := h.loadGuestEvent(w, r, tk.GuestID)
	if !ok {
		return
	}
	if req.PlusOnes > guest.PlusOnes {
		writeError(w, http.StatusBadRequest,
			fmt.Sprintf("you may bring up to %d plus-one(s)", guest.PlusOnes))
		return
	}

	decision, fingerprint, ip, ok := h.scoreAccess(w, r, event, guest, tk, req.Fingerprint)
	if !ok {
		return
	}

	score := decision.Score
	rsvp, err := h.rsvps.Create(r.Context(), storage.CreateRSVPParams{
		GuestID:           guest.ID,
		Response:          req.Resp,
		PlusOnes:          req.PlusOnes,
		DietaryNotes:      req.DietaryNotes,
		DeviceFingerprint: fingerprint,
		IPAddress:         ip,
		RiskScore:         &score,
	})
	if err != nil {
		if errors.Is(err, domain.ErrRSVPAlreadySubmitted) {
			// Tier 2 Block A: guests edit an existing RSVP via PATCH. Tell
			// the client to switch endpoints rather than swallowing the
			// retry silently.
			writeError(w, http.StatusConflict, "rsvp already submitted — use PATCH to edit")
			return
		}
		h.logger.Error("create rsvp", "err", err, "guest_id", guest.ID)
		writeError(w, http.StatusInternalServerError, "failed to record rsvp")
		return
	}

	// Block A: we intentionally do NOT mark the token used here any more.
	// The token must remain valid so the guest can come back to the same
	// link and edit their response.

	h.publishRSVPConfirmed(event.ID, guest.ID, rsvp, &score)

	writeJSON(w, http.StatusCreated, submitRSVPResponse{
		RSVP:     rsvp,
		Decision: decision,
		Blocked:  false,
		Edited:   false,
	})
}

// PATCH /rsvp/{token} — revise an existing RSVP. Same fraud check as POST.
// The prior state is snapshotted into rsvp_revisions inside Update; edits
// past MaxRSVPEdits return 429.
func (h *rsvpHandler) edit(w http.ResponseWriter, r *http.Request) {
	tk, ok := h.loadValidToken(w, r)
	if !ok {
		return
	}
	req, ok := decodeSubmitRSVP(w, r)
	if !ok {
		return
	}
	guest, event, ok := h.loadGuestEvent(w, r, tk.GuestID)
	if !ok {
		return
	}
	if req.PlusOnes > guest.PlusOnes {
		writeError(w, http.StatusBadRequest,
			fmt.Sprintf("you may bring up to %d plus-one(s)", guest.PlusOnes))
		return
	}

	decision, fingerprint, ip, ok := h.scoreAccess(w, r, event, guest, tk, req.Fingerprint)
	if !ok {
		return
	}

	score := decision.Score
	rsvp, err := h.rsvps.Update(r.Context(), storage.UpdateRSVPParams{
		GuestID:           guest.ID,
		Response:          req.Resp,
		PlusOnes:          req.PlusOnes,
		DietaryNotes:      req.DietaryNotes,
		DeviceFingerprint: fingerprint,
		IPAddress:         ip,
		RiskScore:         &score,
	})
	if err != nil {
		switch {
		case errors.Is(err, domain.ErrRSVPNotFound):
			writeError(w, http.StatusNotFound, "no rsvp to edit — submit first")
		case errors.Is(err, domain.ErrRSVPEditLimitReached):
			writeError(w, http.StatusTooManyRequests,
				fmt.Sprintf("edit limit reached (%d edits)", domain.MaxRSVPEdits))
		default:
			h.logger.Error("update rsvp", "err", err, "guest_id", guest.ID)
			writeError(w, http.StatusInternalServerError, "failed to update rsvp")
		}
		return
	}

	h.publishRSVPConfirmed(event.ID, guest.ID, rsvp, &score)

	writeJSON(w, http.StatusOK, submitRSVPResponse{
		RSVP:     rsvp,
		Decision: decision,
		Blocked:  false,
		Edited:   true,
	})
}

type rsvpHistoryResponse struct {
	RSVP      *domain.RSVP          `json:"rsvp"`
	Revisions []domain.RSVPRevision `json:"revisions"`
}

// GET /events/{id}/guests/{guest_id}/rsvp/history — host view of the
// current RSVP plus every prior revision newest-first.
func (h *rsvpHandler) history(w http.ResponseWriter, r *http.Request) {
	hostID, ok := hostFromContext(w, r)
	if !ok {
		return
	}
	eventID, ok := parseIDParam(w, r, "id")
	if !ok {
		return
	}
	guestID, ok := parseIDParam(w, r, "guest_id")
	if !ok {
		return
	}
	if _, ok := requireEventOwner(w, r, h.events, eventID, hostID); !ok {
		return
	}

	guest, err := h.guests.Get(r.Context(), guestID)
	if err != nil {
		if errors.Is(err, domain.ErrGuestNotFound) {
			writeError(w, http.StatusNotFound, "guest not found")
			return
		}
		writeError(w, http.StatusInternalServerError, "failed to load guest")
		return
	}
	if guest.EventID != eventID {
		writeError(w, http.StatusNotFound, "guest not found in event")
		return
	}

	rsvp, err := h.rsvps.GetByGuest(r.Context(), guestID)
	if err != nil {
		if errors.Is(err, domain.ErrRSVPNotFound) {
			writeJSON(w, http.StatusOK, rsvpHistoryResponse{Revisions: []domain.RSVPRevision{}})
			return
		}
		writeError(w, http.StatusInternalServerError, "failed to load rsvp")
		return
	}

	revisions, err := h.rsvps.ListRevisions(r.Context(), rsvp.ID)
	if err != nil {
		writeError(w, http.StatusInternalServerError, "failed to load revisions")
		return
	}
	writeJSON(w, http.StatusOK, rsvpHistoryResponse{RSVP: rsvp, Revisions: revisions})
}

// --- shared helpers ---

type decodedRSVPRequest struct {
	Resp         domain.RSVPResponse
	PlusOnes     int
	DietaryNotes *string
	Fingerprint  map[string]any
}

func decodeSubmitRSVP(w http.ResponseWriter, r *http.Request) (decodedRSVPRequest, bool) {
	var req submitRSVPRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		writeError(w, http.StatusBadRequest, "invalid json")
		return decodedRSVPRequest{}, false
	}
	resp := domain.RSVPResponse(req.Response)
	if !resp.Valid() {
		writeError(w, http.StatusBadRequest, "response must be attending|declined|maybe")
		return decodedRSVPRequest{}, false
	}
	if req.PlusOnes < 0 {
		writeError(w, http.StatusBadRequest, "plus_ones must be >= 0")
		return decodedRSVPRequest{}, false
	}
	return decodedRSVPRequest{
		Resp:         resp,
		PlusOnes:     req.PlusOnes,
		DietaryNotes: req.DietaryNotes,
		Fingerprint:  req.Fingerprint,
	}, true
}

func (h *rsvpHandler) loadValidToken(w http.ResponseWriter, r *http.Request) (*domain.Token, bool) {
	raw := r.PathValue("token")
	if err := auth.ValidateFormat(raw); err != nil {
		writeError(w, http.StatusBadRequest, "malformed token")
		return nil, false
	}
	tk, err := h.tokens.GetByHash(r.Context(), auth.HashToken(raw))
	if err != nil {
		if errors.Is(err, domain.ErrTokenNotFound) {
			writeError(w, http.StatusNotFound, "token not found")
			return nil, false
		}
		writeError(w, http.StatusInternalServerError, "failed to load token")
		return nil, false
	}
	if err := tk.IsValid(time.Now().UTC()); err != nil {
		writeError(w, http.StatusGone, err.Error())
		return nil, false
	}
	return tk, true
}

func (h *rsvpHandler) loadGuestEvent(w http.ResponseWriter, r *http.Request, guestID uuid.UUID) (*domain.Guest, *domain.Event, bool) {
	guest, err := h.guests.Get(r.Context(), guestID)
	if err != nil {
		writeError(w, http.StatusInternalServerError, "failed to load guest")
		return nil, nil, false
	}
	event, err := h.events.Get(r.Context(), guest.EventID)
	if err != nil {
		writeError(w, http.StatusInternalServerError, "failed to load event")
		return nil, nil, false
	}
	return guest, event, true
}

// scoreAccess logs the access attempt, scores it, and short-circuits with a
// 403 on a BLOCK decision. Returns the decision and the merged fingerprint /
// IP so the caller can persist them on the RSVP row.
func (h *rsvpHandler) scoreAccess(
	w http.ResponseWriter,
	r *http.Request,
	event *domain.Event,
	guest *domain.Guest,
	tk *domain.Token,
	clientFP map[string]any,
) (fraud.Decision, map[string]any, string, bool) {
	fingerprint := mergeFingerprint(clientFP, collectFingerprint(r))
	ip := clientIP(r)

	accessLogID, err := h.accessLogs.Create(r.Context(), storage.CreateAccessLogParams{
		GuestID:     guest.ID,
		TokenID:     tk.ID,
		Fingerprint: fingerprint,
		IPAddress:   ip,
	})
	if err != nil {
		h.logger.Error("create access log", "err", err)
	}

	decision := h.scorer.Score(r.Context(), fraud.ScoreInput{
		EventID:     event.ID,
		GuestID:     guest.ID,
		TokenID:     tk.ID,
		AccessLogID: accessLogID,
		Fingerprint: stringifyFingerprint(fingerprint),
		IPAddress:   ip,
		UserAgent:   r.UserAgent(),
		Referrer:    r.Referer(),
	})
	if fraud.IsBlock(decision) {
		writeJSON(w, http.StatusForbidden, submitRSVPResponse{
			Decision: decision,
			Blocked:  true,
		})
		return decision, nil, "", false
	}
	return decision, fingerprint, ip, true
}

func (h *rsvpHandler) publishRSVPConfirmed(eventID, guestID uuid.UUID, rsvp *domain.RSVP, score *int) {
	if h.pub == nil {
		return
	}
	go func(evt natspub.RSVPConfirmed) {
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		defer cancel()
		if err := h.pub.PublishRSVPConfirmed(ctx, evt); err != nil {
			h.logger.Error("publish rsvp.confirmed", "err", err, "rsvp_id", evt.RSVPID)
		}
	}(natspub.RSVPConfirmed{
		EventID:     eventID,
		GuestID:     guestID,
		RSVPID:      rsvp.ID,
		Response:    string(rsvp.Response),
		PlusOnes:    rsvp.PlusOnes,
		RiskScore:   score,
		SubmittedAt: rsvp.SubmittedAt,
	})
}

func mergeFingerprint(client map[string]any, server map[string]any) map[string]any {
	out := make(map[string]any, len(server)+len(client))
	for k, v := range server {
		out[k] = v
	}
	for k, v := range client {
		out["client_"+k] = v
	}
	return out
}

func stringifyFingerprint(fp map[string]any) map[string]string {
	if fp == nil {
		return nil
	}
	out := make(map[string]string, len(fp))
	for k, v := range fp {
		switch tv := v.(type) {
		case string:
			out[k] = tv
		default:
			b, _ := json.Marshal(tv)
			out[k] = string(b)
		}
	}
	return out
}