Enable self service

apps/api/package.json

@@ -33,9 +33,11 @@
     "nock": "^13.5.4",
     "typescript": "^5.3.3",
     "wait-on": "^8.0.2",
-    "zod": "^3.24.4"
+    "zod": "^3.25.62"
   },
   "dependencies": {
+    "@crosspost/sdk": "^0.3.0",
+    "@crosspost/types": "^0.3.0",
     "@crosspost/scheduler-sdk": "^0.1.1",
     "@curatedotfun/shared-db": "workspace:*",
     "@curatedotfun/types": "workspace:*",
@@ -59,6 +61,7 @@
     "lodash": "^4.17.21",
     "mustache": "^4.2.0",
     "near-api-js": "^5.1.1",
+    "near-sign-verify": "^0.3.6",
     "ora": "^8.1.1",
     "pg": "^8.15.6",
     "pinata-web3": "^0.5.4",

apps/api/src/app.ts

@@ -4,10 +4,11 @@ import { secureHeaders } from "hono/secure-headers";
 import { db } from "./db";
 import { apiRoutes } from "./routes/api";
 import { AppInstance, Env } from "./types/app";
-import { web3AuthJwtMiddleware } from "./utils/auth";
 import { getAllowedOrigins } from "./utils/config";
 import { errorHandler } from "./utils/error";
 import { ServiceProvider } from "./utils/service-provider";
+import { logger } from "utils/logger";
+import { createAuthMiddleware } from "./middlewares/auth.middleware";
 
 const ALLOWED_ORIGINS = getAllowedOrigins();
 
@@ -18,7 +19,7 @@ export async function createApp(): Promise<AppInstance> {
   const app = new Hono<Env>();
 
   app.onError((err, c) => {
-    return errorHandler(err, c);
+    return errorHandler(err, c, logger);
   });
 
   app.use(
@@ -44,8 +45,8 @@ export async function createApp(): Promise<AppInstance> {
     await next();
   });
 
-  // Authentication middleware
-  app.use("*", web3AuthJwtMiddleware);
+  // Apply auth middleware to all /api routes
+  app.use("/api/*", createAuthMiddleware());
 
   // Mount API routes
   app.route("/api", apiRoutes);

apps/api/src/db/index.ts

@@ -5,6 +5,6 @@ import { Pool } from "pg";
 const pool = new Pool({
   connectionString: process.env.DATABASE_URL!,
 });
-const db: DB = drizzle(pool, { schema });
+const db: DB = drizzle({ client: pool, schema, casing: "snake_case" });
 
 export { db, pool };

apps/api/src/middlewares/auth.middleware.ts

@@ -0,0 +1,54 @@
+import { Context, MiddlewareHandler, Next } from "hono";
+import { verify } from "near-sign-verify";
+
+export function createAuthMiddleware(): MiddlewareHandler {
+  return async (c: Context, next: Next) => {
+    const method = c.req.method;
+    let accountId: string | null = null;
+
+    if (method === "GET") {
+      const nearAccountHeader = c.req.header("X-Near-Account");
+      if (
+        nearAccountHeader &&
+        nearAccountHeader.toLowerCase() !== "anonymous"
+      ) {
+        accountId = nearAccountHeader;
+      }
+      // If header is missing or "anonymous", accountId remains null
+      c.set("accountId", accountId);
+      await next();
+      return;
+    }
+
+    // For non-GET requests (POST, PUT, DELETE, PATCH, etc.)
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      c.status(401);
+      return c.json({
+        error: "Unauthorized",
+        details: "Missing or malformed Authorization header.",
+      });
+    }
+
+    const token = authHeader.substring(7); // Remove "Bearer "
+
+    try {
+      const verificationResult = await verify(token, {
+        expectedRecipient: "curatefun.near",
+        requireFullAccessKey: false,
+        nonceMaxAge: 300000, // 5 mins
+      });
+
+      accountId = verificationResult.accountId;
+      c.set("accountId", accountId);
+      await next();
+    } catch (error) {
+      console.error("Token verification error:", error);
+      c.status(401);
+      return c.json({
+        error: "Unauthorized",
+        details: "Invalid token signature or recipient.",
+      });
+    }
+  };
+}

apps/api/src/routes/api/feeds.ts

@@ -3,6 +3,9 @@ import { Env } from "../../types/app";
 import { badRequest } from "../../utils/error";
 import { logger } from "../../utils/logger";
 import { insertFeedSchema, updateFeedSchema } from "@curatedotfun/shared-db";
+import { z } from "zod"; // Added import for z
+import { zValidator } from "@hono/zod-validator"; // Added import for zValidator
+import { ModerationService } from "../../services/moderation.service"; // Added import for ModerationService
 
 const feedsRoutes = new Hono<Env>();
 
@@ -25,17 +28,49 @@ feedsRoutes.get("/", async (c) => {
  * Create a new feed
  */
 feedsRoutes.post("/", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to create a feed." },
+      401,
+    );
+  }
+
   const body = await c.req.json();
-  const validationResult = insertFeedSchema.safeParse(body);
+  const partialValidationResult = insertFeedSchema
+    .omit({ created_by: true })
+    .safeParse(body);
 
-  if (!validationResult.success) {
-    return badRequest(c, "Invalid feed data", validationResult.error.flatten());
+  if (!partialValidationResult.success) {
+    return badRequest(
+      c,
+      "Invalid feed data",
+      partialValidationResult.error.flatten(),
+    );
+  }
+
+  const feedDataWithCreator = {
+    ...partialValidationResult.data,
+    created_by: accountId,
+  };
+
+  const finalValidationResult = insertFeedSchema.safeParse(feedDataWithCreator);
+  if (!finalValidationResult.success) {
+    logger.error(
+      "Error in final validation after adding created_by",
+      finalValidationResult.error,
+    );
+    return badRequest(
+      c,
+      "Internal validation error",
+      finalValidationResult.error.flatten(),
+    );
   }
 
   const sp = c.get("sp");
   const feedService = sp.getFeedService();
   try {
-    const newFeed = await feedService.createFeed(validationResult.data);
+    const newFeed = await feedService.createFeed(finalValidationResult.data);
     return c.json(newFeed, 201);
   } catch (error) {
     logger.error("Error creating feed:", error);
@@ -66,16 +101,37 @@ feedsRoutes.get("/:feedId", async (c) => {
  * Update an existing feed
  */
 feedsRoutes.put("/:feedId", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to update a feed." },
+      401,
+    );
+  }
+
   const feedId = c.req.param("feedId");
+  const sp = c.get("sp");
+  const feedService = sp.getFeedService();
+
+  const canUpdate = await feedService.hasPermission(
+    accountId,
+    feedId,
+    "update",
+  );
+  if (!canUpdate) {
+    return c.json(
+      { error: "Forbidden. You do not have permission to update this feed." },
+      403,
+    );
+  }
+
   const body = await c.req.json();
   const validationResult = updateFeedSchema.safeParse(body);
 
   if (!validationResult.success) {
     return badRequest(c, "Invalid feed data", validationResult.error.flatten());
   }
 
-  const sp = c.get("sp");
-  const feedService = sp.getFeedService();
   try {
     const updatedFeed = await feedService.updateFeed(
       feedId,
@@ -97,6 +153,14 @@ feedsRoutes.put("/:feedId", async (c) => {
  * Example: /api/feeds/solana/process?distributors=@curatedotfun/rss
  */
 feedsRoutes.post("/:feedId/process", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to process a feed." },
+      401,
+    );
+  }
+
   const sp = c.get("sp");
   const feedService = sp.getFeedService();
 
@@ -127,9 +191,30 @@ feedsRoutes.post("/:feedId/process", async (c) => {
  * Delete a specific feed by its ID
  */
 feedsRoutes.delete("/:feedId", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to delete a feed." },
+      401,
+    );
+  }
+
   const feedId = c.req.param("feedId");
   const sp = c.get("sp");
   const feedService = sp.getFeedService();
+
+  const canDelete = await feedService.hasPermission(
+    accountId,
+    feedId,
+    "delete",
+  );
+  if (!canDelete) {
+    return c.json(
+      { error: "Forbidden. You do not have permission to delete this feed." },
+      403,
+    );
+  }
+
   try {
     const result = await feedService.deleteFeed(feedId);
     if (!result) {
@@ -142,4 +227,44 @@ feedsRoutes.delete("/:feedId", async (c) => {
   }
 });
 
+const feedParamSchemaCanModerate = z.object({
+  // Renamed to avoid conflict if other schemas exist
+  feedId: z.string().min(1, "Feed ID is required"),
+});
+
+feedsRoutes.get(
+  "/:feedId/can-moderate",
+  zValidator("param", feedParamSchemaCanModerate),
+  async (c) => {
+    const { feedId } = c.req.valid("param");
+    const sp = c.get("sp");
+    const moderationService =
+      sp.getService<ModerationService>("moderationService");
+
+    const actingAccountId = c.get("accountId");
+
+    if (!actingAccountId) {
+      return c.json({ canModerate: false, reason: "User not authenticated" });
+    }
+
+    try {
+      const canModerate =
+        await moderationService.checkUserFeedModerationPermission(
+          feedId,
+          actingAccountId,
+        );
+      return c.json({ canModerate });
+    } catch (error: any) {
+      logger.error(
+        `Error in /:feedId/can-moderate for feed ${feedId}, user ${actingAccountId}:`,
+        error,
+      );
+      return c.json(
+        { canModerate: false, error: "Failed to check moderation permission" },
+        500,
+      );
+    }
+  },
+);
+
 export { feedsRoutes };