feat(middleware): implement data fetch and ownership check chain

fulleni · fulleni · commit c13a2adfe5a0 · 2025-08-08T15:59:47.000+01:00
- Add `dataFetchMiddleware` to retrieve data item by ID
- Integrate `ownershipCheckMiddleware` for access control
- Establish middleware chain for efficient request handling
diff --git a/routes/api/v1/data/[id]/_middleware.dart b/routes/api/v1/data/[id]/_middleware.dart
@@ -1,18 +1,27 @@
 import 'package:dart_frog/dart_frog.dart';
+import 'package:flutter_news_app_api_server_full_source_code/src/middlewares/data_fetch_middleware.dart';
 import 'package:flutter_news_app_api_server_full_source_code/src/middlewares/ownership_check_middleware.dart';
 
 /// Middleware specific to the item-level `/api/v1/data/[id]` route path.
 ///
-/// This middleware applies the [ownershipCheckMiddleware] to perform an
-/// ownership check on the requested item *after* the parent middleware
-/// (`/api/v1/data/_middleware.dart`) has already performed authentication and
-/// authorization checks.
+/// This middleware chain is responsible for fetching the requested data item
+/// and then performing an ownership check on it.
 ///
-/// This ensures that only authorized users can proceed, and then this
-/// middleware adds the final layer of security by verifying item ownership
-/// for non-admin users when required by the model's configuration.
+/// The execution order is as follows:
+/// 1. `dataFetchMiddleware`: This runs first. It fetches the item by its ID
+///    from the database and provides it to the context. If the item is not
+///    found, it throws a `NotFoundException`, aborting the request.
+/// 2. `ownershipCheckMiddleware`: This runs second. It reads the fetched item
+///    from the context and verifies that the authenticated user is the owner,
+///    if the model's configuration requires such a check.
+///
+/// This ensures that the final route handler only executes for valid,
+/// authorized requests and can safely assume the requested item exists.
 Handler middleware(Handler handler) {
-  // The `ownershipCheckMiddleware` will run after the middleware from
-  // `/api/v1/data/_middleware.dart` (authn, authz, model validation).
-  return handler.use(ownershipCheckMiddleware());
+  // The middleware is applied in reverse order of execution.
+  // `ownershipCheckMiddleware` is the inner middleware, running after
+  // `dataFetchMiddleware`.
+  return handler
+      .use(ownershipCheckMiddleware()) // Runs second
+      .use(dataFetchMiddleware()); // Runs first
 }
