feat: Add user settings and preferences

- Added repositories and configs
- Implemented limit service for prefs
- Added middleware providers
- Added limit check to PUT handler

Author: fulleni

lib/src/registry/model_registry.dart

@@ -209,9 +209,58 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       requiresOwnershipCheck: true, // Must be the owner
     ),
   ),
-  // Example for AppSettings (user-owned)
-
-  // Add other models following this pattern...
+  // Configuration for UserAppSettings (user-owned)
+  'user_app_settings': ModelConfig<UserAppSettings>(
+    fromJson: UserAppSettings.fromJson,
+    getId: (s) => s.id,
+    getOwnerId: (s) => s.id, // User ID is the owner ID
+    getPermission: const ModelActionPermission(
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.appSettingsReadOwned,
+      requiresOwnershipCheck: true,
+    ),
+    postPermission: const ModelActionPermission(
+      type: RequiredPermissionType.none,
+      // Creation of UserAppSettings is handled by the authentication service
+      // during user creation, not via a direct POST to /api/v1/data.
+    ),
+    putPermission: const ModelActionPermission(
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.appSettingsUpdateOwned,
+      requiresOwnershipCheck: true,
+    ),
+    deletePermission: const ModelActionPermission(
+      type: RequiredPermissionType.none,
+      // Deletion of UserAppSettings is handled by the authentication service
+      // during account deletion, not via a direct DELETE to /api/v1/data.
+    ),
+  ),
+  // Configuration for UserContentPreferences (user-owned)
+  'user_content_preferences': ModelConfig<UserContentPreferences>(
+    fromJson: UserContentPreferences.fromJson,
+    getId: (p) => p.id,
+    getOwnerId: (p) => p.id, // User ID is the owner ID
+    getPermission: const ModelActionPermission(
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.userPreferencesReadOwned,
+      requiresOwnershipCheck: true,
+    ),
+    postPermission: const ModelActionPermission(
+      type: RequiredPermissionType.none,
+      // Creation of UserContentPreferences is handled by the authentication
+      // service during user creation, not via a direct POST to /api/v1/data.
+    ),
+    putPermission: const ModelActionPermission(
+      type: RequiredPermissionType.specificPermission,
+      permission: Permissions.userPreferencesUpdateOwned,
+      requiresOwnershipCheck: true,
+    ),
+    deletePermission: const ModelActionPermission(
+      type: RequiredPermissionType.none,
+      // Deletion of UserContentPreferences is handled by the authentication
+      // service during account deletion, not via a direct DELETE to /api/v1/data.
+    ),
+  ),
 };
 
 /// Type alias for the ModelRegistry map for easier provider usage.

lib/src/services/default_user_preference_limit_service.dart

@@ -0,0 +1,154 @@
+import 'package:ht_api/src/services/user_preference_limit_service.dart';
+import 'package:ht_data_repository/ht_data_repository.dart';
+import 'package:ht_shared/ht_shared.dart';
+
+/// {@template default_user_preference_limit_service}
+/// Default implementation of [UserPreferenceLimitService] that enforces limits
+/// based on user role and [AppConfig].
+/// {@endtemplate}
+class DefaultUserPreferenceLimitService implements UserPreferenceLimitService {
+  /// {@macro default_user_preference_limit_service}
+  const DefaultUserPreferenceLimitService({
+    required HtDataRepository<AppConfig> appConfigRepository,
+    required HtDataRepository<UserContentPreferences>
+        userContentPreferencesRepository,
+  })  : _appConfigRepository = appConfigRepository,
+        _userContentPreferencesRepository = userContentPreferencesRepository;
+
+  final HtDataRepository<AppConfig> _appConfigRepository;
+  final HtDataRepository<UserContentPreferences>
+      _userContentPreferencesRepository;
+
+  // Assuming a fixed ID for the AppConfig document
+  static const String _appConfigId = 'app_config';
+
+  @override
+  Future<void> checkAddItem(
+    User user,
+    String itemType,
+    int currentCount,
+  ) async {
+    try {
+      // 1. Fetch the application configuration to get limits
+      final appConfig = await _appConfigRepository.read(id: _appConfigId);
+      final limits = appConfig.userPreferenceLimits;
+
+      // 2. Determine the limit based on user role and item type
+      int limit;
+      switch (user.role) {
+        case UserRole.guestUser:
+          if (itemType == 'headline') {
+            limit = limits.guestSavedHeadlinesLimit;
+          } else {
+            // Applies to countries, sources, categories
+            limit = limits.guestFollowedItemsLimit;
+          }
+        case UserRole.standardUser:
+          if (itemType == 'headline') {
+            limit = limits.authenticatedSavedHeadlinesLimit;
+          } else {
+            // Applies to countries, sources, categories
+            limit = limits.authenticatedFollowedItemsLimit;
+          }
+        case UserRole.admin:
+          // Admins have no limits
+          return;
+        // Add premium user case when implemented
+        // case UserRole.premiumUser:
+        //   if (itemType == 'headline') {
+        //     limit = limits.premiumSavedHeadlinesLimit;
+        //   } else {
+        //     limit = limits.premiumFollowedItemsLimit;
+        //   }
+      }
+
+      // 3. Check if adding the item would exceed the limit
+      if (currentCount >= limit) {
+        throw ForbiddenException(
+          'You have reached the maximum number of $itemType items allowed '
+          'for your account type (${user.role.name}).',
+        );
+      }
+    } on HtHttpException {
+      // Propagate known exceptions from repositories
+      rethrow;
+    } catch (e) {
+      // Catch unexpected errors
+      print(
+        'Error checking limit for user ${user.id}, itemType $itemType: $e',
+      );
+      throw OperationFailedException(
+        'Failed to check user preference limits.',
+      );
+    }
+  }
+
+  @override
+  Future<void> checkUpdatePreferences(
+    User user,
+    UserContentPreferences updatedPreferences,
+  ) async {
+    try {
+      // 1. Fetch the application configuration to get limits
+      final appConfig = await _appConfigRepository.read(id: _appConfigId);
+      final limits = appConfig.userPreferenceLimits;
+
+      // 2. Determine limits based on user role
+      int followedItemsLimit;
+      int savedHeadlinesLimit;
+
+      switch (user.role) {
+        case UserRole.guestUser:
+          followedItemsLimit = limits.guestFollowedItemsLimit;
+          savedHeadlinesLimit = limits.guestSavedHeadlinesLimit;
+        case UserRole.standardUser:
+          followedItemsLimit = limits.authenticatedFollowedItemsLimit;
+          savedHeadlinesLimit = limits.authenticatedSavedHeadlinesLimit;
+        case UserRole.admin:
+          // Admins have no limits
+          return;
+        // Add premium user case when implemented
+        // case UserRole.premiumUser:
+        //   followedItemsLimit = limits.premiumFollowedItemsLimit;
+        //   savedHeadlinesLimit = limits.premiumSavedHeadlinesLimit;
+      }
+
+      // 3. Check if proposed preferences exceed limits
+      if (updatedPreferences.followedCountries.length > followedItemsLimit) {
+        throw ForbiddenException(
+          'You have reached the maximum number of followed countries allowed '
+          'for your account type (${user.role.name}).',
+        );
+      }
+      if (updatedPreferences.followedSources.length > followedItemsLimit) {
+        throw ForbiddenException(
+          'You have reached the maximum number of followed sources allowed '
+          'for your account type (${user.role.name}).',
+        );
+      }
+      if (updatedPreferences.followedCategories.length > followedItemsLimit) {
+        throw ForbiddenException(
+          'You have reached the maximum number of followed categories allowed '
+          'for your account type (${user.role.name}).',
+        );
+      }
+      if (updatedPreferences.savedHeadlines.length > savedHeadlinesLimit) {
+        throw ForbiddenException(
+          'You have reached the maximum number of saved headlines allowed '
+          'for your account type (${user.role.name}).',
+        );
+      }
+    } on HtHttpException {
+      // Propagate known exceptions from repositories
+      rethrow;
+    } catch (e) {
+      // Catch unexpected errors
+      print(
+        'Error checking update limits for user ${user.id}: $e',
+      );
+      throw OperationFailedException(
+        'Failed to check user preference update limits.',
+      );
+    }
+  }
+}

lib/src/services/user_preference_limit_service.dart

@@ -0,0 +1,34 @@
+import 'package:ht_shared/ht_shared.dart';
+
+/// {@template user_preference_limit_service}
+/// Service responsible for enforcing user preference limits based on user role.
+/// {@endtemplate}
+abstract class UserPreferenceLimitService {
+  /// {@macro user_preference_limit_service}
+  const UserPreferenceLimitService();
+
+  /// Checks if the user is allowed to add an item of the given type,
+  /// considering their current count of that item type and their role.
+  ///
+  /// - [user]: The authenticated user.
+  /// - [itemType]: The type of item being added (e.g., 'country', 'source',
+  ///   'category', 'headline').
+  /// - [currentCount]: The current number of items of this type the user has.
+  ///
+  /// Throws [ForbiddenException] if adding the item would exceed the user's
+  /// limit for their role.
+  Future<void> checkAddItem(User user, String itemType, int currentCount);
+
+  /// Checks if the proposed [updatedPreferences] for the user exceed
+  /// the limits based on their role.
+  ///
+  /// - [user]: The authenticated user.
+  /// - [updatedPreferences]: The proposed [UserContentPreferences] object.
+  ///
+  /// Throws [ForbiddenException] if any list within the preferences exceeds
+  /// the user's limit for their role.
+  Future<void> checkUpdatePreferences(
+    User user,
+    UserContentPreferences updatedPreferences,
+  );
+}

routes/_middleware.dart

@@ -7,8 +7,10 @@ import 'package:ht_api/src/rbac/permission_service.dart'; // Import PermissionSe
 import 'package:ht_api/src/registry/model_registry.dart';
 import 'package:ht_api/src/services/auth_service.dart';
 import 'package:ht_api/src/services/auth_token_service.dart';
+import 'package:ht_api/src/services/default_user_preference_limit_service.dart'; // Import DefaultUserPreferenceLimitService
 import 'package:ht_api/src/services/jwt_auth_token_service.dart';
 import 'package:ht_api/src/services/token_blacklist_service.dart';
+import 'package:ht_api/src/services/user_preference_limit_service.dart'; // Import UserPreferenceLimitService interface
 import 'package:ht_api/src/services/verification_code_storage_service.dart';
 import 'package:ht_app_settings_client/ht_app_settings_client.dart';
 import 'package:ht_app_settings_inmemory/ht_app_settings_inmemory.dart';
@@ -19,6 +21,7 @@ import 'package:ht_email_repository/ht_email_repository.dart';
 import 'package:ht_shared/ht_shared.dart';
 import 'package:uuid/uuid.dart';
 
+
 // --- Request ID Wrapper ---
 
 /// {@template request_id}
@@ -154,6 +157,47 @@ HtDataRepository<Country> _createCountryRepository() {
   return HtDataRepository<Country>(dataClient: client);
 }
 
+// New repositories for user settings and preferences
+HtDataRepository<UserAppSettings> _createUserAppSettingsRepository() {
+  print('Initializing UserAppSettings Repository...');
+  final client = HtDataInMemoryClient<UserAppSettings>(
+    toJson: (i) => i.toJson(),
+    getId: (i) => i.id,
+    // User settings are created on demand, no initial fixture needed
+  );
+  print('UserAppSettings Repository Initialized.');
+  return HtDataRepository<UserAppSettings>(dataClient: client);
+}
+
+HtDataRepository<UserContentPreferences>
+    _createUserContentPreferencesRepository() {
+  print('Initializing UserContentPreferences Repository...');
+  final client = HtDataInMemoryClient<UserContentPreferences>(
+    toJson: (i) => i.toJson(),
+    getId: (i) => i.id,
+    // User preferences are created on demand, no initial fixture needed
+  );
+  print('UserContentPreferences Repository Initialized.');
+  return HtDataRepository<UserContentPreferences>(dataClient: client);
+}
+
+HtDataRepository<AppConfig> _createAppConfigRepository() {
+  print('Initializing AppConfig Repository...');
+  // AppConfig should have a single instance, potentially loaded from a file
+  // or created with defaults if not found. For in-memory, we can create a
+  // default instance.
+  final initialData = [
+    const AppConfig(id: 'app_config'), // Default config
+  ];
+  final client = HtDataInMemoryClient<AppConfig>(
+    toJson: (i) => i.toJson(),
+    getId: (i) => i.id,
+    initialData: initialData,
+  );
+  print('AppConfig Repository Initialized.');
+  return HtDataRepository<AppConfig>(dataClient: client);
+}
+
 // --- Middleware Definition ---
 Handler middleware(Handler handler) {
   // Initialize repositories when middleware is first created
@@ -162,6 +206,11 @@ Handler middleware(Handler handler) {
   final categoryRepository = _createCategoryRepository();
   final sourceRepository = _createSourceRepository();
   final countryRepository = _createCountryRepository();
+  final userSettingsRepository = _createUserAppSettingsRepository(); // New
+  final userContentPreferencesRepository =
+      _createUserContentPreferencesRepository(); // New
+  final appConfigRepository = _createAppConfigRepository(); // New
+
   final settingsClientImpl = HtAppSettingsInMemory();
   const uuid = Uuid();
 
@@ -208,6 +257,13 @@ Handler middleware(Handler handler) {
   const permissionService =
       PermissionService(); // Instantiate PermissionService
 
+  // --- User Preference Limit Service --- // New
+  final userPreferenceLimitService = DefaultUserPreferenceLimitService(
+    appConfigRepository: appConfigRepository,
+    userContentPreferencesRepository: userContentPreferencesRepository,
+  );
+  print('[MiddlewareSetup] DefaultUserPreferenceLimitService instantiated.');
+
   // ==========================================================================
   //                            MIDDLEWARE CHAIN
   // ==========================================================================
@@ -263,6 +319,22 @@ Handler middleware(Handler handler) {
           (_) => emailRepository,
         ),
       ) // Used by AuthService
+      // New Repositories for User Settings and Preferences
+      .use(
+        provider<HtDataRepository<UserAppSettings>>(
+          (_) => userSettingsRepository,
+        ),
+      )
+      .use(
+        provider<HtDataRepository<UserContentPreferences>>(
+          (_) => userContentPreferencesRepository,
+        ),
+      )
+      .use(
+        provider<HtDataRepository<AppConfig>>(
+          (_) => appConfigRepository,
+        ),
+      )
 
       // --- 4. Authentication Service Providers (Auth Logic Dependencies) ---
       // PURPOSE: Provide the core services needed for authentication logic.
@@ -301,15 +373,25 @@ Handler middleware(Handler handler) {
       //          (e.g., authorizationMiddleware).
       .use(provider<PermissionService>((_) => permissionService))
 
-      // --- 6. Request Logger (Logging) ---
+      // --- 6. User Preference Limit Service Provider --- // New
+      // PURPOSE: Provides the service for enforcing user preference limits.
+      // ORDER:   Must be provided before any handlers that use it (specifically
+      //          the generic data route handlers for UserContentPreferences).
+      .use(
+        provider<UserPreferenceLimitService>(
+          (_) => userPreferenceLimitService,
+        ),
+      )
+
+      // --- 7. Request Logger (Logging) ---
       // PURPOSE: Logs details about the incoming request and outgoing response.
       // ORDER:   Often placed late in the request phase / early in the response
       //          phase. Placing it here logs the request *before* the handler
       //          runs and the response *after* the handler (and error handler)
       //          completes. Can access `RequestId` and potentially `User?`.
       .use(requestLogger())
 
-      // --- 7. Error Handler (Catch-All) ---
+      // --- 8. Error Handler (Catch-All) ---
       // PURPOSE: Catches exceptions thrown by upstream middleware or route
       //          handlers and converts them into standardized JSON error responses.
       // ORDER:   MUST be placed *late* in the chain (typically last before the