style: misc

fulleni · fulleni · commit f98db03a2317 · 2025-05-18T16:58:49.000+01:00
diff --git a/lib/src/middlewares/authorization_middleware.dart b/lib/src/middlewares/authorization_middleware.dart
@@ -13,7 +13,7 @@ import 'package:ht_shared/ht_shared.dart'; // For User, ForbiddenException
 /// permission using the [PermissionService].
 ///
 /// If the user does not have the required permission, it throws a
-/// [ForbiddenException], which should be caught by the [errorHandler] middleware.
+/// [ForbiddenException], which should be caught by the 'errorHandler' middleware.
 ///
 /// This middleware runs *after* authentication and model validation.
 /// It does NOT perform instance-level ownership checks; those are handled
@@ -28,7 +28,8 @@ Middleware authorizationMiddleware() {
       final user = context.read<User>();
       final permissionService = context.read<PermissionService>();
       final modelName = context.read<String>(); // Provided by data/_middleware
-      final modelConfig = context.read<ModelConfig<dynamic>>(); // Provided by data/_middleware
+      final modelConfig =
+          context.read<ModelConfig<dynamic>>(); // Provided by data/_middleware
       final method = context.request.method;
 
       // Determine the required permission configuration based on the HTTP method
@@ -45,7 +46,9 @@ Middleware authorizationMiddleware() {
         default:
           // Should ideally be caught earlier by Dart Frog's routing,
           // but as a safeguard, deny unsupported methods.
-          throw const ForbiddenException('Method not supported for this resource.');
+          throw const ForbiddenException(
+            'Method not supported for this resource.',
+          );
       }
 
       // Perform the permission check based on the configuration type
@@ -67,8 +70,8 @@ Middleware authorizationMiddleware() {
           // Requires a specific permission string
           final permission = requiredPermissionConfig.permission;
           if (permission == null) {
-             // This indicates a configuration error in ModelRegistry
-             print(
+            // This indicates a configuration error in ModelRegistry
+            print(
               '[AuthorizationMiddleware] Configuration Error: specificPermission '
               'type requires a permission string for model "$modelName", method "$method".',
             );
diff --git a/lib/src/rbac/permissions.dart b/lib/src/rbac/permissions.dart
@@ -44,7 +44,8 @@ abstract class Permissions {
 
   // User Preferences Permissions (User-owned)
   static const String userPreferencesReadOwned = 'user_preferences.read_owned';
-  static const String userPreferencesUpdateOwned = 'user_preferences.update_owned';
+  static const String userPreferencesUpdateOwned =
+      'user_preferences.update_owned';
 
   // Remote Config Permissions (Admin-owned/managed)
   static const String remoteConfigReadAdmin = 'remote_config.read_admin';
diff --git a/lib/src/registry/model_registry.dart b/lib/src/registry/model_registry.dart
@@ -2,12 +2,10 @@
 // ignore_for_file: strict_raw_type, lines_longer_than_80_chars
 
 import 'package:dart_frog/dart_frog.dart';
-import 'package:ht_app_settings_client/ht_app_settings_client.dart';
+import 'package:ht_api/src/rbac/permissions.dart'; // Import permissions
 import 'package:ht_data_client/ht_data_client.dart';
 import 'package:ht_shared/ht_shared.dart';
 
-import 'package:ht_api/src/rbac/permissions.dart'; // Import permissions
-
 /// Defines the type of permission check required for a specific action.
 enum RequiredPermissionType {
   /// No specific permission check is required (e.g., public access).
diff --git a/lib/src/services/jwt_auth_token_service.dart b/lib/src/services/jwt_auth_token_service.dart
@@ -73,7 +73,9 @@ class JwtAuthTokenService implements AuthTokenService {
 
           // Custom claims (optional, include what's useful)
           'email': user.email,
-          'role': _userRoleToString(user.role), // Include the user's role as a string
+          'role': _userRoleToString(
+            user.role,
+          ), // Include the user's role as a string
         },
         issuer: _issuer,
         subject: user.id,
diff --git a/routes/api/v1/data/[id].dart b/routes/api/v1/data/[id].dart
@@ -17,7 +17,8 @@ Future<Response> onRequest(RequestContext context, String id) async {
   final requestId = context.read<RequestId>().id;
   // User is guaranteed non-null by requireAuthentication() middleware
   final authenticatedUser = context.read<User>();
-  final permissionService = context.read<PermissionService>(); // Read PermissionService
+  final permissionService =
+      context.read<PermissionService>(); // Read PermissionService
 
   // The main try/catch block here is removed to let the errorHandler middleware
   // handle all exceptions thrown by the handlers below.
@@ -82,12 +83,11 @@ Future<Response> _handleGet(
   // Note: This is for data *scoping* by the repository, not the permission check.
   // We infer user-owned based on the presence of getOwnerId function.
   if (modelConfig.getOwnerId != null) {
-     userIdForRepoCall = authenticatedUser.id;
+    userIdForRepoCall = authenticatedUser.id;
   } else {
-     userIdForRepoCall = null;
+    userIdForRepoCall = null;
   }
 
-
   // Repository exceptions (like NotFoundException) will propagate up to the
   // main onRequest try/catch (which is now removed, so they go to errorHandler).
   switch (modelName) {
@@ -104,8 +104,8 @@ Future<Response> _handleGet(
       final repo = context.read<HtDataRepository<Country>>();
       item = await repo.read(id: id, userId: userIdForRepoCall);
     case 'user': // Handle User model specifically if needed, or rely on generic
-       final repo = context.read<HtDataRepository<User>>();
-       item = await repo.read(id: id, userId: userIdForRepoCall);
+      final repo = context.read<HtDataRepository<User>>();
+      item = await repo.read(id: id, userId: userIdForRepoCall);
     // Add cases for other models as they are added to ModelRegistry
     default:
       // This case should ideally be caught by middleware, but added for safety
@@ -122,7 +122,7 @@ Future<Response> _handleGet(
       !permissionService.isAdmin(authenticatedUser)) {
     // Ensure getOwnerId is provided for models requiring ownership check
     if (modelConfig.getOwnerId == null) {
-       print(
+      print(
         '[ReqID: $requestId] Configuration Error: Model "$modelName" requires '
         'ownership check for GET but getOwnerId is not provided.',
       );
@@ -142,7 +142,6 @@ Future<Response> _handleGet(
     }
   }
 
-
   // Create metadata including the request ID and current timestamp
   final metadata = ResponseMetadata(
     requestId: requestId,
@@ -204,32 +203,30 @@ Future<Response> _handlePut(
   // Ensure the ID in the path matches the ID in the request body (if present)
   // This is a data integrity check, not an authorization check.
   try {
-     final bodyItemId = modelConfig.getId(itemToUpdate);
-     if (bodyItemId != id) {
-        // Throw BadRequestException to be caught by the errorHandler
-        throw BadRequestException(
-          'Bad Request: ID in request body ("$bodyItemId") does not match ID in path ("$id").',
-        );
-     }
+    final bodyItemId = modelConfig.getId(itemToUpdate);
+    if (bodyItemId != id) {
+      // Throw BadRequestException to be caught by the errorHandler
+      throw BadRequestException(
+        'Bad Request: ID in request body ("$bodyItemId") does not match ID in path ("$id").',
+      );
+    }
   } catch (e) {
-     // Ignore if getId throws, means ID might not be in the body,
-     // which is acceptable depending on the model/client.
-     // Log for debugging if needed.
-     print('[ReqID: $requestId] Warning: Could not get ID from PUT body: $e');
+    // Ignore if getId throws, means ID might not be in the body,
+    // which is acceptable depending on the model/client.
+    // Log for debugging if needed.
+    print('[ReqID: $requestId] Warning: Could not get ID from PUT body: $e');
   }
 
-
   // Determine userId for repository call based on ModelConfig (for data scoping/ownership enforcement)
   String? userIdForRepoCall;
   // If the model is user-owned, pass the authenticated user's ID to the repository
   // for ownership enforcement. Otherwise, pass null.
-   if (modelConfig.getOwnerId != null) {
-     userIdForRepoCall = authenticatedUser.id;
+  if (modelConfig.getOwnerId != null) {
+    userIdForRepoCall = authenticatedUser.id;
   } else {
-     userIdForRepoCall = null;
+    userIdForRepoCall = null;
   }
 
-
   dynamic updatedItem;
 
   // Repository exceptions (like NotFoundException, BadRequestException)
@@ -247,7 +244,7 @@ Future<Response> _handlePut(
     case 'category':
       {
         final repo = context.read<HtDataRepository<Category>>();
-         updatedItem = await repo.update(
+        updatedItem = await repo.update(
           id: id,
           item: itemToUpdate as Category,
           userId: userIdForRepoCall,
@@ -256,7 +253,7 @@ Future<Response> _handlePut(
     case 'source':
       {
         final repo = context.read<HtDataRepository<Source>>();
-         updatedItem = await repo.update(
+        updatedItem = await repo.update(
           id: id,
           item: itemToUpdate as Source,
           userId: userIdForRepoCall,
@@ -265,16 +262,16 @@ Future<Response> _handlePut(
     case 'country':
       {
         final repo = context.read<HtDataRepository<Country>>();
-         updatedItem = await repo.update(
+        updatedItem = await repo.update(
           id: id,
           item: itemToUpdate as Country,
           userId: userIdForRepoCall,
         );
       }
-     case 'user':
+    case 'user':
       {
         final repo = context.read<HtDataRepository<User>>();
-         updatedItem = await repo.update(
+        updatedItem = await repo.update(
           id: id,
           item: itemToUpdate as User,
           userId: userIdForRepoCall,
@@ -289,7 +286,7 @@ Future<Response> _handlePut(
       );
   }
 
-   // --- Handler-Level Ownership Check (for PUT) ---
+  // --- Handler-Level Ownership Check (for PUT) ---
   // This check is needed if the ModelConfig for PUT requires ownership
   // AND the user is NOT an admin (admins can bypass ownership checks).
   // Note: The repository *might* have already enforced ownership if userId was passed.
@@ -298,9 +295,9 @@ Future<Response> _handlePut(
   // (e.g., if the repo update method allows admins to update any item even if userId is passed).
   if (modelConfig.putPermission.requiresOwnershipCheck &&
       !permissionService.isAdmin(authenticatedUser)) {
-     // Ensure getOwnerId is provided for models requiring ownership check
+    // Ensure getOwnerId is provided for models requiring ownership check
     if (modelConfig.getOwnerId == null) {
-       print(
+      print(
         '[ReqID: $requestId] Configuration Error: Model "$modelName" requires '
         'ownership check for PUT but getOwnerId is not provided.',
       );
@@ -313,7 +310,7 @@ Future<Response> _handlePut(
     // after the update, or ideally, the update method returns the item with owner ID.
     // Assuming the updatedItem returned by the repo has the owner ID:
     final itemOwnerId = modelConfig.getOwnerId!(updatedItem);
-     if (itemOwnerId != authenticatedUser.id) {
+    if (itemOwnerId != authenticatedUser.id) {
       // This scenario should ideally not happen if the repository correctly
       // enforced ownership during the update call when userId was passed.
       // But as a defense-in-depth, we check here.
@@ -328,7 +325,6 @@ Future<Response> _handlePut(
     }
   }
 
-
   // Create metadata including the request ID and current timestamp
   final metadata = ResponseMetadata(
     requestId: requestId,
@@ -368,21 +364,21 @@ Future<Response> _handleDelete(
   String? userIdForRepoCall;
   // If the model is user-owned, pass the authenticated user's ID to the repository
   // for ownership enforcement. Otherwise, pass null.
-   if (modelConfig.getOwnerId != null) {
-     userIdForRepoCall = authenticatedUser.id;
+  if (modelConfig.getOwnerId != null) {
+    userIdForRepoCall = authenticatedUser.id;
   } else {
-     userIdForRepoCall = null;
+    userIdForRepoCall = null;
   }
 
   // --- Handler-Level Ownership Check (for DELETE) ---
   // For DELETE, we need to fetch the item *before* attempting deletion
   // to perform the ownership check if required.
   dynamic itemToDelete;
-   if (modelConfig.deletePermission.requiresOwnershipCheck &&
+  if (modelConfig.deletePermission.requiresOwnershipCheck &&
       !permissionService.isAdmin(authenticatedUser)) {
-     // Ensure getOwnerId is provided for models requiring ownership check
+    // Ensure getOwnerId is provided for models requiring ownership check
     if (modelConfig.getOwnerId == null) {
-       print(
+      print(
         '[ReqID: $requestId] Configuration Error: Model "$modelName" requires '
         'ownership check for DELETE but getOwnerId is not provided.',
       );
@@ -406,12 +402,12 @@ Future<Response> _handleDelete(
       case 'country':
         final repo = context.read<HtDataRepository<Country>>();
         itemToDelete = await repo.read(id: id, userId: userIdForRepoCall);
-       case 'user':
+      case 'user':
         final repo = context.read<HtDataRepository<User>>();
         itemToDelete = await repo.read(id: id, userId: userIdForRepoCall);
       // Add cases for other models
       default:
-         print(
+        print(
           '[ReqID: $requestId] Error: Unsupported model type "$modelName" reached _handleDelete ownership check.',
         );
         // Throw an exception to be caught by the errorHandler
@@ -431,11 +427,10 @@ Future<Response> _handleDelete(
         );
       }
     }
-     // If itemToDelete is null here, it means the item wasn't found during the read.
-     // The subsequent delete call will likely throw NotFoundException, which is correct.
+    // If itemToDelete is null here, it means the item wasn't found during the read.
+    // The subsequent delete call will likely throw NotFoundException, which is correct.
   }
 
-
   // Allow repository exceptions (e.g., NotFoundException) to propagate
   // upwards to be handled by the standard error handling mechanism.
   switch (modelName) {
@@ -455,7 +450,7 @@ Future<Response> _handleDelete(
       await context
           .read<HtDataRepository<Country>>()
           .delete(id: id, userId: userIdForRepoCall);
-     case 'user':
+    case 'user':
       await context
           .read<HtDataRepository<User>>()
           .delete(id: id, userId: userIdForRepoCall);
@@ -472,7 +467,6 @@ Future<Response> _handleDelete(
       );
   }
 
-
   // Return 204 No Content for successful deletion (no body, no metadata)
   return Response(statusCode: HttpStatus.noContent);
 }
diff --git a/routes/api/v1/data/index.dart b/routes/api/v1/data/index.dart
@@ -17,7 +17,8 @@ Future<Response> onRequest(RequestContext context) async {
   final requestId = context.read<RequestId>().id;
   // User is guaranteed non-null by requireAuthentication() middleware
   final authenticatedUser = context.read<User>();
-  final permissionService = context.read<PermissionService>(); // Read PermissionService
+  final permissionService =
+      context.read<PermissionService>(); // Read PermissionService
 
   // The main try/catch block here is removed to let the errorHandler middleware
   // handle all exceptions thrown by the handlers below.
@@ -81,9 +82,9 @@ Future<Response> _handleGet(
   // Note: This is for data *scoping* by the repository, not the permission check.
   // We infer user-owned based on the presence of getOwnerId function.
   if (modelConfig.getOwnerId != null) {
-     userIdForRepoCall = authenticatedUser.id;
+    userIdForRepoCall = authenticatedUser.id;
   } else {
-     userIdForRepoCall = null;
+    userIdForRepoCall = null;
   }
 
   // Repository exceptions (like NotFoundException, BadRequestException)
@@ -146,11 +147,11 @@ Future<Response> _handleGet(
               limit: limit,
             );
     case 'user': // Handle User model specifically if needed, or rely on generic
-       final repo = context.read<HtDataRepository<User>>();
-       // Note: readAll/readAllByQuery on User repo might need special handling
-       // depending on whether non-admins can list *all* users or just their own.
-       // Assuming for now readAll/readAllByQuery with userId scopes to owned.
-       paginatedResponse = specificQuery.isNotEmpty
+      final repo = context.read<HtDataRepository<User>>();
+      // Note: readAll/readAllByQuery on User repo might need special handling
+      // depending on whether non-admins can list *all* users or just their own.
+      // Assuming for now readAll/readAllByQuery with userId scopes to owned.
+      paginatedResponse = specificQuery.isNotEmpty
           ? await repo.readAllByQuery(
               specificQuery,
               userId: userIdForRepoCall,
@@ -238,7 +239,6 @@ Future<Response> _handlePost(
     userIdForRepoCall = null;
   }
 
-
   // Process based on model type
   dynamic createdItem;
 
@@ -270,12 +270,11 @@ Future<Response> _handlePost(
         userId: userIdForRepoCall,
       );
     case 'user': // Handle User model specifically if needed, or rely on generic
-       final repo = context.read<HtDataRepository<User>>();
-       // User creation is typically handled by auth routes, not generic data POST.
-       // Throw Forbidden or BadRequest if attempted here.
-       throw const ForbiddenException(
+      // User creation is typically handled by auth routes, not generic data POST.
+      // Throw Forbidden or BadRequest if attempted here.
+      throw const ForbiddenException(
         'User creation is not allowed via the generic data endpoint.',
-       );
+      );
     // Add cases for other models as they are added to ModelRegistry
     default:
       // This case should ideally be caught by middleware, but added for safety
