use serde::{Deserialize, Serialize}; use uuid::Uuid; use crate::error::AppError; use crate::models::common::Role; use crate::models::workspaces::{Workspace, WorkspaceDomain}; use crate::service::WorkspaceService; use crate::session::Session; use super::util::{clamp_limit_offset, ensure_affected, required_text}; #[derive(Deserialize, Serialize, Clone, Debug, utoipa::ToSchema)] pub struct AddDomainParams { pub domain: String, } impl WorkspaceService { pub async fn workspace_domains( &self, ctx: &Session, ws: &Workspace, limit: i64, offset: i64, ) -> Result, AppError> { let user_uid = ctx.user().ok_or(AppError::Unauthorized)?; self.ensure_workspace_role_at_least(user_uid, &ws, Role::Admin) .await?; let (limit, offset) = clamp_limit_offset(limit, offset); sqlx::query_as::<_, WorkspaceDomain>( "SELECT id, workspace_id, domain, verification_token_hash, is_primary, is_verified, \ verified_at, created_at, updated_at FROM workspace_domain \ WHERE workspace_id = $1 ORDER BY is_primary DESC, created_at ASC LIMIT $2 OFFSET $3", ) .bind(ws.id) .bind(limit) .bind(offset) .fetch_all(self.ctx.db.reader()) .await .map_err(AppError::Database) } pub async fn workspace_add_domain( &self, ctx: &Session, ws: &Workspace, params: AddDomainParams, ) -> Result { let user_uid = ctx.user().ok_or(AppError::Unauthorized)?; self.ensure_workspace_role_at_least(user_uid, &ws, Role::Admin) .await?; let domain = required_text(params.domain, "domain")?.to_lowercase(); let is_first = sqlx::query_scalar::<_, i64>( "SELECT COUNT(*) FROM workspace_domain WHERE workspace_id = $1", ) .bind(ws.id) .fetch_one(self.ctx.db.reader()) .await .map_err(AppError::Database)? == 0; let token = Self::generate_domain_verification_token(); let token_hash = sha256_hex(token.as_bytes()); let now = chrono::Utc::now(); let mut txn = self .ctx .db .writer() .begin() .await .map_err(|_| AppError::TxnError)?; sqlx::query("SET LOCAL app.current_user_id = $1") .bind(user_uid) .execute(&mut *txn) .await .map_err(AppError::Database)?; let result = sqlx::query_as::<_, WorkspaceDomain>( "INSERT INTO workspace_domain (id, workspace_id, domain, verification_token_hash, is_primary, is_verified, created_at, updated_at) \ VALUES ($1, $2, $3, $4, $5, false, $6, $6) \ RETURNING id, workspace_id, domain, verification_token_hash, is_primary, is_verified, verified_at, created_at, updated_at", ) .bind(Uuid::now_v7()) .bind(ws.id) .bind(&domain) .bind(&token_hash) .bind(is_first) .bind(now) .fetch_one(&mut *txn) .await .map_err(AppError::Database)?; txn.commit().await.map_err(|_| AppError::TxnError)?; Ok(result) } pub async fn workspace_verify_domain( &self, ctx: &Session, ws: &Workspace, domain_id: Uuid, ) -> Result<(), AppError> { let user_uid = ctx.user().ok_or(AppError::Unauthorized)?; self.ensure_workspace_role_at_least(user_uid, &ws, Role::Admin) .await?; let now = chrono::Utc::now(); let mut txn = self .ctx .db .writer() .begin() .await .map_err(|_| AppError::TxnError)?; sqlx::query("SET LOCAL app.current_user_id = $1") .bind(user_uid) .execute(&mut *txn) .await .map_err(AppError::Database)?; let result = sqlx::query( "UPDATE workspace_domain SET is_verified = true, verified_at = $1, updated_at = $1 \ WHERE id = $2 AND workspace_id = $3 AND is_verified = false", ) .bind(now) .bind(domain_id) .bind(ws.id) .execute(&mut *txn) .await .map_err(AppError::Database)?; ensure_affected( result.rows_affected(), "domain not found or already verified", )?; txn.commit().await.map_err(|_| AppError::TxnError)?; Ok(()) } pub async fn workspace_set_primary_domain( &self, ctx: &Session, ws: &Workspace, domain_id: Uuid, ) -> Result<(), AppError> { let user_uid = ctx.user().ok_or(AppError::Unauthorized)?; self.ensure_workspace_role_at_least(user_uid, &ws, Role::Owner) .await?; let now = chrono::Utc::now(); let mut txn = self .ctx .db .writer() .begin() .await .map_err(|_| AppError::TxnError)?; sqlx::query("SET LOCAL app.current_user_id = $1") .bind(user_uid) .execute(&mut *txn) .await .map_err(AppError::Database)?; let domain = sqlx::query_as::<_, WorkspaceDomain>( "SELECT id, workspace_id, domain, verification_token_hash, is_primary, is_verified, \ verified_at, created_at, updated_at FROM workspace_domain \ WHERE id = $1 AND workspace_id = $2", ) .bind(domain_id) .bind(ws.id) .fetch_optional(&mut *txn) .await .map_err(AppError::Database)? .ok_or(AppError::NotFound("domain not found".into()))?; if !domain.is_verified { return Err(AppError::BadRequest( "domain must be verified before setting as primary".into(), )); } sqlx::query("UPDATE workspace_domain SET is_primary = false, updated_at = $1 WHERE workspace_id = $2 AND is_primary = true") .bind(now) .bind(ws.id) .execute(&mut *txn) .await .map_err(AppError::Database)?; sqlx::query("UPDATE workspace_domain SET is_primary = true, updated_at = $1 WHERE id = $2") .bind(now) .bind(domain_id) .execute(&mut *txn) .await .map_err(AppError::Database)?; txn.commit().await.map_err(|_| AppError::TxnError)?; Ok(()) } pub async fn workspace_delete_domain( &self, ctx: &Session, ws: &Workspace, domain_id: Uuid, ) -> Result<(), AppError> { let user_uid = ctx.user().ok_or(AppError::Unauthorized)?; self.ensure_workspace_role_at_least(user_uid, &ws, Role::Admin) .await?; let is_primary = sqlx::query_scalar::<_, bool>( "SELECT is_primary FROM workspace_domain WHERE id = $1 AND workspace_id = $2", ) .bind(domain_id) .bind(ws.id) .fetch_optional(self.ctx.db.reader()) .await .map_err(AppError::Database)? .ok_or(AppError::NotFound("domain not found".into()))?; if is_primary { return Err(AppError::BadRequest("cannot delete primary domain".into())); } let mut txn = self .ctx .db .writer() .begin() .await .map_err(|_| AppError::TxnError)?; sqlx::query("SET LOCAL app.current_user_id = $1") .bind(user_uid) .execute(&mut *txn) .await .map_err(AppError::Database)?; let result = sqlx::query("DELETE FROM workspace_domain WHERE id = $1 AND workspace_id = $2") .bind(domain_id) .bind(ws.id) .execute(&mut *txn) .await .map_err(AppError::Database)?; ensure_affected(result.rows_affected(), "domain not found")?; txn.commit().await.map_err(|_| AppError::TxnError)?; Ok(()) } fn generate_domain_verification_token() -> String { (0..32) .map(|_| format!("{:02x}", rand::random::())) .collect() } } use crate::service::util::sha256_hex;