refactor(auth): move request-code handler to index.dart and apply rate limiting

fulleni · fulleni · commit 65f76a22a622 · 2025-07-29T18:30:02.000+01:00
- Rename request-code.dart to index.dart for better modularity
- Implement rate limiting middleware directly in the handler
- Improve code structure and prepare for additional endpoint implementations
diff --git a/routes/api/v1/auth/request-code/index.dart b/routes/api/v1/auth/request-code/index.dart
@@ -2,14 +2,28 @@ import 'dart:io';
 
 import 'package:core/core.dart'; // For exceptions
 import 'package:dart_frog/dart_frog.dart';
-import 'package:flutter_news_app_api_server_full_source_code/src/middlewares/rate_limiter_middleware.dart';
 import 'package:flutter_news_app_api_server_full_source_code/src/services/auth_service.dart';
 import 'package:logging/logging.dart';
 
 // Create a logger for this file.
 final _logger = Logger('request_code_handler');
 
-Future<Response> _onRequest(RequestContext context) async {
+/// Handles POST requests to `/api/v1/auth/request-code`.
+///
+/// Initiates an email-based sign-in process. This endpoint is context-aware.
+///
+/// - For the user-facing app, it sends a verification code to the provided
+///   email, supporting both sign-in and sign-up.
+/// - For the dashboard, the request body must include `"isDashboardLogin": true`.
+///   In this mode, it first verifies the user exists and has 'admin' or
+///   'publisher' roles before sending a code, effectively acting as a
+///   login-only gate.
+Future<Response> onRequest(RequestContext context) async {
+  // Ensure this is a POST request
+  if (context.request.method != HttpMethod.post) {
+    return Response(statusCode: HttpStatus.methodNotAllowed);
+  }
+
   // Read the AuthService provided by middleware
   final authService = context.read<AuthService>();
 
@@ -79,30 +93,4 @@ Future<Response> _onRequest(RequestContext context) async {
 }
 }
 
-/// Handles POST requests to `/api/v1/auth/request-code`.
-///
-/// Initiates an email-based sign-in process. This endpoint is context-aware.
-///
-/// - For the user-facing app, it sends a verification code to the provided
-///   email, supporting both sign-in and sign-up.
-/// - For the dashboard, the request body must include `"isDashboardLogin": true`.
-///   In this mode, it first verifies the user exists and has 'admin' or
-///   'publisher' roles before sending a code, effectively acting as a
-///   login-only gate.
-Future<Response> onRequest(RequestContext context) async {
-  // Ensure this is a POST request
-  if (context.request.method != HttpMethod.post) {
-    return Response(statusCode: HttpStatus.methodNotAllowed);
-  }
 
-  // Apply the rate limiter middleware before calling the actual handler.
-  final handler = const Pipeline().addMiddleware(
-    rateLimiter(
-      limit: 3,
-      window: const Duration(hours: 24),
-      keyExtractor: ipKeyExtractor,
-    ),
-  ).addHandler(_onRequest);
-
-  return handler(context);
-}
