einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-06-11 02:50:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(api): authenticated course & course-event write endpoints

Browse Source 
Implements Sanctum-authenticated write endpoints so a lecturer can create
and update their own courses and dated course events programmatically
(e.g. to keep the portal's course events in sync with an external system).

- CourseController@store / @update implemented (validation mirrors the
  Livewire course create form; create requires is_lecturer, update is
  restricted to the owner or a super-admin).
- New CourseEventController with index/store/update. index returns only the
  authenticated user's own events (optional ?course_id= filter) for
  idempotent syncing; validation mirrors the Livewire course event form.
- Public `courses` API resource narrowed to index/show; all writes moved
  behind an `auth:sanctum` route group (the previous store/update/destroy
  actions were empty no-ops).
- Pest feature test covering auth (401), authorization (403/is_lecturer/
  ownership), creation (201), validation (422) and ownership-scoped listing.

Ported from Einundzwanzig-Podcast/einundzwanzig-portal#25, adapted to this
repo's conventions (inline authorization instead of policies, Pest tests,
validation mirroring the current Livewire forms) while keeping the same
endpoint outputs.

Co-authored-by: schnuartz-ai <schnuartz@gmail.com>
This commit is contained in:
HolgerHatGarKeineNode
2026-06-07 22:14:29 +02:00
parent 3a8775fa52
commit a3062f6c4e
4 changed files with 298 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Http/Controllers/Api/CourseController.php
+52 -21
View File
@@ -6,7 +6,9 @@ use App\Http\Controllers\Controller;
use App\Models\Course;
use App\Models\Lecturer;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class CourseController extends Controller
{
@@ -16,36 +18,50 @@ class CourseController extends Controller
public function index(Request $request)
{
return Course::query()
->select('id', 'name', )
->orderBy('name')
->when($request->has('user_id'),
fn(Builder $query) => $query->where('created_by', $request->user_id))
->when(
->select('id', 'name')
->orderBy('name')
->when($request->has('user_id'),
fn (Builder $query) => $query->where('created_by', $request->user_id))
->when(
$request->search,
fn (Builder $query) => $query
->where('name', 'ilike', "%{$request->search}%")
)
->when(
$request->exists('selected'),
fn (Builder $query) => $query->whereIn('id',
$request->input('selected', [])),
fn (Builder $query) => $query->limit(10)
)
->get()
->map(function (Course $course) {
$course->image = $course->getFirstMediaUrl('logo',
'thumb');
->when(
$request->exists('selected'),
fn (Builder $query) => $query->whereIn('id',
$request->input('selected', [])),
fn (Builder $query) => $query->limit(10)
)
->get()
->map(function (Course $course) {
$course->image = $course->getFirstMediaUrl('logo',
'thumb');
return $course;
});
return $course;
});
}
/**
* Store a newly created resource in storage.
*
* Allows an authenticated lecturer to create a course programmatically
* (e.g. to sync courses from an external system). Validation mirrors the
* Livewire course create form; `created_by` is set by the model's creating hook.
*/
public function store(Request $request)
public function store(Request $request): JsonResponse
{
//
abort_unless((bool) $request->user()->is_lecturer, Response::HTTP_FORBIDDEN);
$validated = $request->validate([
'name' => ['required', 'string', 'max:255'],
'lecturer_id' => ['required', 'exists:lecturers,id'],
'description' => ['nullable', 'string'],
]);
$course = Course::create($validated);
return response()->json($course->fresh(), Response::HTTP_CREATED);
}
/**
@@ -58,10 +74,25 @@ class CourseController extends Controller
/**
* Update the specified resource in storage.
*
* Authorized for the course owner (or a super-admin).
*/
public function update(Request $request, Course $course)
public function update(Request $request, Course $course): JsonResponse
{
//
abort_unless(
(int) $course->created_by === $request->user()->id || $request->user()->hasRole('super-admin'),
Response::HTTP_FORBIDDEN
);
$validated = $request->validate([
'name' => ['sometimes', 'required', 'string', 'max:255'],
'lecturer_id' => ['sometimes', 'required', 'exists:lecturers,id'],
'description' => ['sometimes', 'nullable', 'string'],
]);
$course->update($validated);
return response()->json($course->fresh());
}
/**
app/Http/Controllers/Api/CourseEventController.php
+84
View File
@@ -0,0 +1,84 @@
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Models\CourseEvent;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Collection;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class CourseEventController extends Controller
{
/**
* Display a listing of the course events created by the authenticated user.
*
* Useful for an external sync client to detect which events already exist
* (idempotent syncing). Optionally filtered by course_id.
*
* @return Collection<int, CourseEvent>
*/
public function index(Request $request): Collection
{
return CourseEvent::query()
->with(['course:id,name', 'venue:id,name'])
->where('created_by', $request->user()->id)
->when(
$request->filled('course_id'),
fn (Builder $query) => $query->where('course_id', $request->integer('course_id'))
)
->orderByDesc('from')
->get();
}
/**
* Store a newly created course event in storage.
*
* Allows an authenticated lecturer to create a dated course event
* programmatically. Validation mirrors the Livewire course event form;
* `created_by` is set by the model's creating hook.
*/
public function store(Request $request): JsonResponse
{
abort_unless((bool) $request->user()->is_lecturer, Response::HTTP_FORBIDDEN);
$validated = $request->validate([
'course_id' => ['required', 'integer', 'exists:courses,id'],
'venue_id' => ['required', 'integer', 'exists:venues,id'],
'from' => ['required', 'date'],
'to' => ['required', 'date', 'after_or_equal:from'],
'link' => ['required', 'url', 'max:255'],
]);
$courseEvent = CourseEvent::create($validated);
return response()->json($courseEvent->fresh(), Response::HTTP_CREATED);
}
/**
* Update the specified course event in storage.
*
* Authorized for the course event owner (or a super-admin).
*/
public function update(Request $request, CourseEvent $courseEvent): JsonResponse
{
abort_unless(
(int) $courseEvent->created_by === $request->user()->id || $request->user()->hasRole('super-admin'),
Response::HTTP_FORBIDDEN
);
$validated = $request->validate([
'course_id' => ['sometimes', 'required', 'integer', 'exists:courses,id'],
'venue_id' => ['sometimes', 'required', 'integer', 'exists:venues,id'],
'from' => ['sometimes', 'required', 'date'],
'to' => ['sometimes', 'required', 'date', 'after_or_equal:from'],
'link' => ['sometimes', 'required', 'url', 'max:255'],
]);
$courseEvent->update($validated);
return response()->json($courseEvent->fresh());
}
}
routes/api.php
+36 -8
View File
@@ -3,11 +3,17 @@
use App\Http\Controllers\Api\CityController;
use App\Http\Controllers\Api\CountryController;
use App\Http\Controllers\Api\CourseController;
use App\Http\Controllers\Api\CourseEventController;
use App\Http\Controllers\Api\HighscoreController;
use App\Http\Controllers\Api\LecturerController;
use App\Http\Controllers\Api\MeetupController;
use App\Http\Controllers\Api\VenueController;
use App\Http\Controllers\LnurlAuthController;
use App\Models\LibraryItem;
use App\Models\Meetup;
use App\Models\MeetupEvent;
use App\Models\User;
use Carbon\Carbon;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
@@ -18,7 +24,8 @@ Route::middleware(['throttle:60,1'])
Route::get('meetup/ical', [MeetupController::class, 'ical'])->name('api.meetup.ical');
Route::resource('meetup', MeetupController::class);
Route::resource('lecturers', LecturerController::class);
Route::resource('courses', CourseController::class);
Route::resource('courses', CourseController::class)
->only(['index', 'show']);
Route::resource('cities', CityController::class);
Route::resource('venues', VenueController::class);
Route::get('highscores', [HighscoreController::class, 'index'])->name('highscores.index');
@@ -46,7 +53,7 @@ Route::middleware(['throttle:60,1'])
->pluck('nostr');
});
Route::get('bindles', function () {
return \App\Models\LibraryItem::query()
return LibraryItem::query()
->where('type', 'bindle')
->with([
'media',
@@ -61,7 +68,7 @@ Route::middleware(['throttle:60,1'])
]);
});
Route::get('meetups', function (Request $request) {
return \App\Models\Meetup::query()
return Meetup::query()
->where('visible_on_map', true)
->with([
'meetupEvents',
@@ -95,9 +102,9 @@ Route::middleware(['throttle:60,1'])
});
Route::get('meetup-events/{date?}', function ($date = null) {
if ($date) {
$date = \Carbon\Carbon::parse($date);
$date = Carbon::parse($date);
}
$events = \App\Models\MeetupEvent::query()
$events = MeetupEvent::query()
->with([
'meetup.city.country',
'meetup.media',
@@ -139,7 +146,7 @@ Route::middleware(['throttle:60,1'])
});
Route::get('btc-map-communities', function () {
return response()->json(
\App\Models\Meetup::query()
Meetup::query()
->with([
'media',
'city.country',
@@ -184,8 +191,29 @@ Route::middleware(['throttle:60,1'])
});
});
Route::get('/lnurl-auth-callback', [\App\Http\Controllers\LnurlAuthController::class, 'callback'])
/*
* Authenticated write endpoints (Sanctum token auth).
* Lets a lecturer create/update their own courses and course events
* programmatically, e.g. to sync events from an external system.
*/
Route::middleware('auth:sanctum')
->as('api.')
->group(function () {
Route::post('courses', [CourseController::class, 'store'])
->name('courses.store');
Route::patch('courses/{course}', [CourseController::class, 'update'])
->name('courses.update');
Route::get('course-events', [CourseEventController::class, 'index'])
->name('course-events.index');
Route::post('course-events', [CourseEventController::class, 'store'])
->name('course-events.store');
Route::patch('course-events/{courseEvent}', [CourseEventController::class, 'update'])
->name('course-events.update');
});
Route::get('/lnurl-auth-callback', [LnurlAuthController::class, 'callback'])
->name('auth.ln.callback');
Route::post('/check-auth-error', [\App\Http\Controllers\LnurlAuthController::class, 'checkError'])
Route::post('/check-auth-error', [LnurlAuthController::class, 'checkError'])
->name('auth.check-error');
tests/Feature/Api/CourseEventApiTest.php
+126
View File
@@ -0,0 +1,126 @@
<?php
use App\Models\Course;
use App\Models\CourseEvent;
use App\Models\Lecturer;
use App\Models\User;
use App\Models\Venue;
use Laravel\Sanctum\Sanctum;
it('rejects a guest creating a course with 401', function () {
$lecturer = Lecturer::factory()->create();
$this->postJson('/api/courses', [
'name' => 'Specter Shield Lite Workshop',
'lecturer_id' => $lecturer->id,
])->assertUnauthorized();
});
it('forbids a non-lecturer from creating a course', function () {
Sanctum::actingAs(User::factory()->create(['is_lecturer' => false]));
$lecturer = Lecturer::factory()->create();
$this->postJson('/api/courses', [
'name' => 'Specter Shield Lite Workshop',
'lecturer_id' => $lecturer->id,
])->assertForbidden();
});
it('lets a lecturer create a course', function () {
Sanctum::actingAs($user = User::factory()->lecturer()->create());
$lecturer = Lecturer::factory()->create();
$this->postJson('/api/courses', [
'name' => 'Specter Shield Lite Workshop',
'lecturer_id' => $lecturer->id,
'description' => 'Hardware-Wallet selbst bauen.',
])
->assertCreated()
->assertJsonPath('name', 'Specter Shield Lite Workshop');
$this->assertDatabaseHas('courses', [
'name' => 'Specter Shield Lite Workshop',
'created_by' => $user->id,
]);
});
it('lets a lecturer create a course event', function () {
Sanctum::actingAs($user = User::factory()->lecturer()->create());
$course = Course::factory()->create();
$venue = Venue::factory()->create();
$this->postJson('/api/course-events', [
'course_id' => $course->id,
'venue_id' => $venue->id,
'from' => '2026-07-01 18:00:00',
'to' => '2026-07-01 21:00:00',
'link' => 'https://clavastack.com/produkt/specter-shield-lite-workshop',
])
->assertCreated()
->assertJsonPath('course_id', $course->id);
$this->assertDatabaseHas('course_events', [
'course_id' => $course->id,
'venue_id' => $venue->id,
'created_by' => $user->id,
]);
});
it('fails course event validation without required fields', function () {
Sanctum::actingAs(User::factory()->lecturer()->create());
$this->postJson('/api/course-events', [])
->assertUnprocessable()
->assertJsonValidationErrors(['course_id', 'venue_id', 'from', 'to', 'link']);
});
it('returns only the authenticated user\'s own course events', function () {
Sanctum::actingAs($user = User::factory()->lecturer()->create());
$other = User::factory()->lecturer()->create();
CourseEvent::factory()->count(2)->create(['created_by' => $user->id]);
CourseEvent::factory()->create(['created_by' => $other->id]);
$response = $this->getJson('/api/course-events');
$response->assertSuccessful();
expect($response->json())->toHaveCount(2);
collect($response->json())->each(
fn ($event) => expect($event['created_by'])->toBe($user->id)
);
});
it('filters own course events by course_id', function () {
Sanctum::actingAs($user = User::factory()->lecturer()->create());
$event = CourseEvent::factory()->create(['created_by' => $user->id]);
CourseEvent::factory()->create(['created_by' => $user->id]);
$response = $this->getJson('/api/course-events?course_id='.$event->course_id);
$response->assertSuccessful();
expect($response->json())->toHaveCount(1)
->and($response->json('0.id'))->toBe($event->id);
});
it('lets the owner update their course event', function () {
Sanctum::actingAs($user = User::factory()->lecturer()->create());
$event = CourseEvent::factory()->create(['created_by' => $user->id]);
$this->patchJson('/api/course-events/'.$event->id, [
'link' => 'https://einundzwanzig.space/courses/updated',
])
->assertSuccessful()
->assertJsonPath('link', 'https://einundzwanzig.space/courses/updated');
});
it('forbids updating a course event owned by someone else', function () {
$owner = User::factory()->lecturer()->create();
$event = CourseEvent::factory()->create(['created_by' => $owner->id]);
Sanctum::actingAs(User::factory()->lecturer()->create());
$this->patchJson('/api/course-events/'.$event->id, [
'link' => 'https://einundzwanzig.space/courses/hijacked',
])->assertForbidden();
});