opensession_api_types/

service.rs

//! Shared business logic — framework-agnostic pure functions.
//!
//! Both the Axum server and Cloudflare Worker call these functions,
//! keeping route handlers as thin adapters.

use crate::{db, AuthTokenResponse, ServiceError, SessionListQuery};

// ─── Validation ─────────────────────────────────────────────────────────────

/// Validate and normalize an email address. Returns the lowercased, trimmed email.
pub fn validate_email(email: &str) -> Result<String, ServiceError> {
    let email = email.trim().to_lowercase();
    if email.is_empty() || !email.contains('@') || email.len() > 254 {
        return Err(ServiceError::BadRequest("invalid email address".into()));
    }
    Ok(email)
}

/// Validate a password (8-12 characters).
pub fn validate_password(password: &str) -> Result<(), ServiceError> {
    if password.len() < 8 {
        return Err(ServiceError::BadRequest(
            "password must be at least 8 characters".into(),
        ));
    }
    if password.len() > 12 {
        return Err(ServiceError::BadRequest(
            "password must be at most 12 characters".into(),
        ));
    }
    Ok(())
}

/// Validate and normalize a user nickname. Returns the trimmed nickname.
pub fn validate_nickname(nickname: &str) -> Result<String, ServiceError> {
    let trimmed = nickname.trim().to_string();
    if trimmed.is_empty() || trimmed.len() > 64 {
        return Err(ServiceError::BadRequest(
            "nickname must be 1-64 characters".into(),
        ));
    }
    Ok(trimmed)
}

// ─── API Key Generation ─────────────────────────────────────────────────────

/// Generate a new API key with the `osk_` prefix.
pub fn generate_api_key() -> String {
    format!("osk_{}", uuid::Uuid::new_v4().simple())
}

/// Validate and normalize a team name. Returns the trimmed name.
pub fn validate_team_name(name: &str) -> Result<String, ServiceError> {
    let trimmed = name.trim().to_string();
    if trimmed.is_empty() || trimmed.len() > 128 {
        return Err(ServiceError::BadRequest(
            "name must be 1-128 characters".into(),
        ));
    }
    Ok(trimmed)
}

// ─── Token Bundle ───────────────────────────────────────────────────────────

/// Pre-computed token bundle returned by [`prepare_token_bundle`].
///
/// Contains everything needed to insert a refresh token and return the auth
/// response. The caller only needs to perform the DB INSERT.
pub struct TokenBundle {
    /// JWT access token.
    pub access_token: String,
    /// Raw refresh token (sent to the client).
    pub refresh_token: String,
    /// SHA-256 hash of the refresh token (stored in DB).
    pub token_hash: String,
    /// UUID primary key for the refresh_tokens row.
    pub token_id: String,
    /// `datetime` string for the refresh token expiry (DB column value).
    pub expires_at: String,
    /// Ready-to-return API response.
    pub response: AuthTokenResponse,
}

/// Build a [`TokenBundle`] containing a JWT, refresh token, and the auth response.
///
/// This is the pure-computation part of `issue_tokens`. Each backend only needs
/// to insert the refresh token row into its database.
pub fn prepare_token_bundle(
    jwt_secret: &str,
    user_id: &str,
    nickname: &str,
    now_unix: u64,
) -> TokenBundle {
    use crate::crypto;

    let access_token = crypto::sign_jwt(user_id, jwt_secret, now_unix);
    let refresh_token = crypto::generate_token();
    let token_hash = crypto::hash_token(&refresh_token);
    let token_id = uuid::Uuid::new_v4().to_string();

    let expires_at = chrono::DateTime::from_timestamp(now_unix as i64, 0)
        .unwrap_or_default()
        .checked_add_signed(chrono::Duration::seconds(
            crypto::REFRESH_EXPIRY_SECS as i64,
        ))
        .unwrap_or_default()
        .format("%Y-%m-%d %H:%M:%S")
        .to_string();

    let response = AuthTokenResponse {
        access_token: access_token.clone(),
        refresh_token: refresh_token.clone(),
        expires_in: crypto::JWT_EXPIRY_SECS,
        user_id: user_id.to_string(),
        nickname: nickname.to_string(),
    };

    TokenBundle {
        access_token,
        refresh_token,
        token_hash,
        token_id,
        expires_at,
        response,
    }
}

// ─── Session List Query Builder ─────────────────────────────────────────────

/// Abstract query parameter value, framework-agnostic.
///
/// Each backend converts this into its native bind type:
/// - Axum/rusqlite: `Box<dyn ToSql>`
/// - Worker/D1: `JsValue`
#[derive(Debug, Clone)]
pub enum ParamValue {
    Text(String),
    Int(i64),
}

/// Result of building a session list query from [`SessionListQuery`].
pub struct BuiltSessionListQuery {
    /// SQL for counting total results: `SELECT COUNT(*) as count FROM sessions s WHERE {where_clause}`
    pub count_sql: String,
    /// SQL for fetching a page: `SELECT ... FROM sessions s LEFT JOIN users u ... WHERE ... ORDER BY ... LIMIT ?N OFFSET ?N+1`
    pub select_sql: String,
    /// Bind params for the count query.
    pub count_params: Vec<ParamValue>,
    /// Bind params for the select query (count_params + LIMIT + OFFSET).
    pub select_params: Vec<ParamValue>,
    /// Current page number (from the query).
    pub page: u32,
    /// Clamped per_page value.
    pub per_page: u32,
}

/// Build framework-agnostic SQL + params for paginated session listing.
///
/// The generated SQL uses the shared `SESSION_COLUMNS` and numbered `?N` bind
/// parameters compatible with both SQLite and D1.
pub fn build_session_list_query(q: &SessionListQuery) -> BuiltSessionListQuery {
    let per_page = q.per_page.clamp(1, 100);
    let offset = (q.page.saturating_sub(1)) * per_page;

    let mut where_parts = vec!["(s.event_count > 0 OR s.message_count > 0)".to_string()];
    let mut params: Vec<ParamValue> = Vec::new();
    let mut idx = 1u32;

    if let Some(ref tool) = q.tool {
        where_parts.push(format!("s.tool = ?{idx}"));
        params.push(ParamValue::Text(tool.clone()));
        idx += 1;
    }

    if let Some(ref team_id) = q.team_id {
        where_parts.push(format!("s.team_id = ?{idx}"));
        params.push(ParamValue::Text(team_id.clone()));
        idx += 1;
    }

    if let Some(ref search) = q.search {
        let like = format!("%{search}%");
        where_parts.push(format!(
            "(s.title LIKE ?{p1} OR s.description LIKE ?{p2} OR s.tags LIKE ?{p3})",
            p1 = idx,
            p2 = idx + 1,
            p3 = idx + 2,
        ));
        params.push(ParamValue::Text(like.clone()));
        params.push(ParamValue::Text(like.clone()));
        params.push(ParamValue::Text(like));
        idx += 3;
    }

    if let Some(ref time_range) = q.time_range {
        let interval = match time_range.as_str() {
            "24h" => Some("-1 day"),
            "7d" => Some("-7 days"),
            "30d" => Some("-30 days"),
            _ => None,
        };
        if let Some(interval) = interval {
            where_parts.push(format!("s.created_at >= datetime('now', ?{idx})"));
            params.push(ParamValue::Text(interval.to_string()));
            idx += 1;
        }
    }

    let where_clause = where_parts.join(" AND ");

    let order_clause = match q.sort.as_deref() {
        Some("popular") => "s.message_count DESC, s.created_at DESC",
        Some("longest") => "s.duration_seconds DESC, s.created_at DESC",
        _ => "s.created_at DESC",
    };

    let count_sql = format!("SELECT COUNT(*) as count FROM sessions s WHERE {where_clause}");

    let select_sql = format!(
        "SELECT {} \
         FROM sessions s \
         LEFT JOIN users u ON u.id = s.user_id \
         WHERE {where_clause} \
         ORDER BY {order_clause} \
         LIMIT ?{idx} OFFSET ?{}",
        db::SESSION_COLUMNS,
        idx + 1,
    );

    let mut select_params = params.clone();
    select_params.push(ParamValue::Int(per_page as i64));
    select_params.push(ParamValue::Int(offset as i64));

    BuiltSessionListQuery {
        count_sql,
        select_sql,
        count_params: params,
        select_params,
        page: q.page,
        per_page,
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_validate_nickname() {
        assert!(validate_nickname("alice").is_ok());
        assert_eq!(validate_nickname("  bob  ").unwrap(), "bob");
        assert!(validate_nickname("").is_err());
        assert!(validate_nickname("   ").is_err());
        assert!(validate_nickname(&"x".repeat(65)).is_err());
        assert!(validate_nickname(&"x".repeat(64)).is_ok());
    }

    #[test]
    fn test_validate_team_name() {
        assert!(validate_team_name("my-team").is_ok());
        assert_eq!(validate_team_name("  team  ").unwrap(), "team");
        assert!(validate_team_name("").is_err());
        assert!(validate_team_name("   ").is_err());
        assert!(validate_team_name(&"x".repeat(129)).is_err());
        assert!(validate_team_name(&"x".repeat(128)).is_ok());
    }

    #[test]
    fn test_build_session_list_query_defaults() {
        let q = SessionListQuery {
            page: 1,
            per_page: 20,
            search: None,
            tool: None,
            team_id: None,
            sort: None,
            time_range: None,
        };
        let built = build_session_list_query(&q);
        assert!(built
            .count_sql
            .contains("WHERE (s.event_count > 0 OR s.message_count > 0)"));
        assert!(built.select_sql.contains("ORDER BY s.created_at DESC"));
        assert!(built.count_params.is_empty());
        assert_eq!(built.select_params.len(), 2); // LIMIT + OFFSET
        assert_eq!(built.page, 1);
        assert_eq!(built.per_page, 20);
    }

    #[test]
    fn test_build_session_list_query_with_filters() {
        let q = SessionListQuery {
            page: 2,
            per_page: 10,
            search: Some("rust".into()),
            tool: Some("claude-code".into()),
            team_id: Some("team-1".into()),
            sort: Some("popular".into()),
            time_range: Some("7d".into()),
        };
        let built = build_session_list_query(&q);
        assert!(built.count_sql.contains("s.tool = ?1"));
        assert!(built.count_sql.contains("s.team_id = ?2"));
        assert!(built.count_sql.contains("s.title LIKE ?3"));
        assert!(built.count_sql.contains("datetime('now', ?6)"));
        assert!(built.select_sql.contains("ORDER BY s.message_count DESC"));
        // 1 tool + 1 team_id + 3 search + 1 time_range = 6 count params
        assert_eq!(built.count_params.len(), 6);
        // + 2 for LIMIT/OFFSET
        assert_eq!(built.select_params.len(), 8);
        assert_eq!(built.per_page, 10);
    }

    #[test]
    fn test_build_session_list_query_clamps_per_page() {
        let q = SessionListQuery {
            page: 1,
            per_page: 500,
            search: None,
            tool: None,
            team_id: None,
            sort: None,
            time_range: None,
        };
        let built = build_session_list_query(&q);
        assert_eq!(built.per_page, 100);
    }
}