feat: add links api

Author: aeltorio

README.md

@@ -99,6 +99,8 @@ There may be a delay between the purchase and the refund. Additionally, the refu
 - View non-refunded feedbacks (read:api)
 - View refunded feedbacks (read:api)
 - Search purchases (search:api)
+- Generate short public links for dispute resolution (write:api)
+- Access dispute resolution information via public links (no permission required)
 
 ## Security
 
@@ -292,6 +294,63 @@ The REST API exchanges all objects in JSON format. The API provides the followin
 - **GET `/api/stats/purchases`** - Get purchase statistics overview - requires read:api permission
   - Response: `{success: boolean, data: {totalPurchases: number, totalRefundedPurchases: number, totalRefundedAmount: number}}`
 
+### Public Short Links for Dispute Resolution
+
+These endpoints enable testers to generate secure short links for sharing dispute resolution information publicly. This is useful for cases where proof of purchase, feedback, and publication needs to be shared with a third party or dispute resolution authority.
+
+#### Link Generation
+
+- **POST `/api/link/public`** - Generate a short public link for dispute resolution - requires write:api permission
+  - Query parameters:
+    - `duration` (required): Duration in seconds for which the link should be valid (minimum 60, maximum 31536000 / 1 year)
+    - `purchase` (required): The UUID of the purchase to create a link for
+  - The purchase must have both feedback and publication before a link can be created
+  - Link codes are 7 characters long, containing digits (0-9) and letters (a-z, A-Z)
+  - Each generated code is unique and automatically checked for collisions
+  - Request: `POST /api/link/public?duration=3600&purchase=550e8400-e29b-41d4-a716-446655440000`
+  - Response: `{success: boolean, code: string, url: string}`
+  - Example Response: `{success: true, code: "aBc1234", url: "/link/aBc1234"}`
+
+#### Link Data Retrieval
+
+- **GET `/api/link/:code`** - Access public dispute resolution information via short link - no permission required (public endpoint)
+  - Path parameter: `code` - The 7-character unique link code
+  - This endpoint returns the complete dispute resolution information if the link is valid (not expired and properly formatted)
+  - Returns the following data for eligible purchases:
+    - Order details: order number, date, amount, purchase screenshot
+    - Feedback details: submission date, feedback text
+    - Publication details: publication date, publication screenshot
+    - Refund details (if applicable): refund amount, transaction ID
+  - Response: `{success: boolean, data: {orderNumber: string, orderDate: string, purchaseAmount: number, purchaseScreenshot: string, feedbackDate: string, feedbackText: string, publicationDate: string, publicationScreenshot: string, isRefunded: boolean, refundAmount?: number, refundTransactionId?: string}}`
+  - Error responses:
+    - `400`: Invalid link code format (must be exactly 7 alphanumeric characters)
+    - `404`: Link not found or has expired
+
+#### Usage Example
+
+1. Generate a short link for dispute resolution:
+   ```bash
+   POST /api/link/public?duration=2592000&purchase=550e8400-e29b-41d4-a716-446655440000
+   # Response: {"success": true, "code": "xY7zQw", "url": "/link/xY7zQw"}
+   ```
+
+2. Share the link publicly (e.g., `https://example.com/link/xY7zQw`) or with dispute resolution services
+
+3. Access the dispute information using the link code:
+   ```bash
+   GET /link/xY7zQw
+   # Returns complete dispute resolution data including purchase proof, feedback, and publication proof
+   ```
+
+#### Technical Details
+
+- Link expiration is checked at retrieval time, not during link generation
+- The link will only return data if the purchase has both feedback and a publication entry
+- No authentication is required to retrieve data via a valid link code
+- Link codes use 62 possible characters per position (10 digits + 26 lowercase + 26 uppercase), providing 62^7 ≈ 3.5 trillion possible combinations
+- The database includes an index on the `(code, expires_at)` composite key for efficient expiration checks
+- Link cleanup can be performed using a background job that calls the repository's `cleanupExpired()` method
+
 ### Database Management
 
 - **GET `/api/backup/json`** - Backup the database to JSON format - requires backup:api permission

client/get-openapi.ts

@@ -8,13 +8,13 @@ const options = {
   format: "json",
   info: {
     title: "Feedback Flow API",
-    version: "1.4.0",
+    version: "1.5.0",
   },
   definition: {
     openapi: "3.0.0",
     info: {
       title: "Feedback Flow API",
-      version: "1.4.0",
+      version: "1.5.0",
     },
   }, // You can move properties from definition here if needed
   apis: [
@@ -30,6 +30,7 @@ const options = {
     "../cloudflare-worker/src/routes/refunds/index.ts",
     "../cloudflare-worker/src/routes/stats/index.ts",
     "../cloudflare-worker/src/routes/system/index.ts",
+    "../cloudflare-worker/src/routes/links/index.ts",
   ], // Path to the API docs
 };
 

client/public/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.0.0",
   "info": {
     "title": "Feedback Flow API",
-    "version": "1.4.0"
+    "version": "1.5.0"
   },
   "paths": {
     "/api/testers": {
@@ -1830,6 +1830,185 @@
           }
         }
       }
+    },
+    "/api/link/public": {
+      "post": {
+        "summary": "Generate a short public link for dispute resolution",
+        "description": "Creates a short public link that allows sharing dispute information.\nThe link is only valid if the purchase has:\n- A feedback entry (feedback created)\n- A publication entry (feedback published)\n\nThe link will expire after the specified duration (in seconds).\nRequires write:api permission.\n",
+        "tags": [
+          "Links"
+        ],
+        "parameters": [
+          {
+            "name": "duration",
+            "in": "query",
+            "required": true,
+            "description": "Duration in seconds for which the link should be valid",
+            "schema": {
+              "type": "integer",
+              "minimum": 60,
+              "maximum": 31536000,
+              "example": 3600
+            }
+          },
+          {
+            "name": "purchase",
+            "in": "query",
+            "required": true,
+            "description": "The UUID of the purchase to create a link for",
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Short link successfully generated",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "example": true
+                    },
+                    "code": {
+                      "type": "string",
+                      "description": "7-character unique code (0-9, a-z, A-Z)",
+                      "example": "aBc1234"
+                    },
+                    "url": {
+                      "type": "string",
+                      "description": "Full URL for accessing the dispute resolution page",
+                      "example": "/link/aBc1234"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid request or purchase not eligible"
+          },
+          "401": {
+            "description": "Unauthorized - authentication required"
+          },
+          "404": {
+            "description": "Purchase not found or not owned by user"
+          }
+        }
+      }
+    },
+    "/api/link/{code}": {
+      "get": {
+        "summary": "Access public dispute resolution information",
+        "description": "Retrieves complete dispute resolution information for a valid short link.\nThis endpoint requires no authentication and provides:\n- Purchase details (order number, date, amount, screenshot)\n- Feedback details (creation date, content)\n- Publication details (publication date, screenshot)\n- Refund details if the purchase was refunded (amount, transaction ID)\n\nThe link must be valid (code format correct and not expired).\n\nNo permission required - public endpoint accessible with valid link code.\n",
+        "tags": [
+          "Links"
+        ],
+        "parameters": [
+          {
+            "name": "code",
+            "in": "path",
+            "required": true,
+            "description": "The 7-character unique link code",
+            "schema": {
+              "type": "string",
+              "pattern": "^[0-9a-zA-Z]{7}$",
+              "example": "aBc1234"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Dispute resolution information successfully retrieved",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "example": true
+                    },
+                    "data": {
+                      "type": "object",
+                      "properties": {
+                        "orderNumber": {
+                          "type": "string",
+                          "description": "The order number for the purchase",
+                          "example": "102-1234567-1234567"
+                        },
+                        "orderDate": {
+                          "type": "string",
+                          "format": "date",
+                          "description": "Date of the purchase",
+                          "example": "2024-03-15"
+                        },
+                        "purchaseAmount": {
+                          "type": "number",
+                          "description": "Amount paid for the purchase",
+                          "example": 99.99
+                        },
+                        "purchaseScreenshot": {
+                          "type": "string",
+                          "description": "Base64-encoded screenshot of the purchase"
+                        },
+                        "secondaryScreenshot": {
+                          "type": "string",
+                          "description": "Optional secondary screenshot (e.g., from publication)"
+                        },
+                        "feedbackDate": {
+                          "type": "string",
+                          "format": "date",
+                          "description": "Date when feedback was submitted",
+                          "example": "2024-03-16"
+                        },
+                        "feedbackText": {
+                          "type": "string",
+                          "description": "The feedback text provided by the tester"
+                        },
+                        "publicationDate": {
+                          "type": "string",
+                          "format": "date",
+                          "description": "Date when the feedback was published",
+                          "example": "2024-03-17"
+                        },
+                        "publicationScreenshot": {
+                          "type": "string",
+                          "description": "Base64-encoded screenshot of the publication"
+                        },
+                        "isRefunded": {
+                          "type": "boolean",
+                          "description": "Whether the purchase has been refunded",
+                          "example": false
+                        },
+                        "refundAmount": {
+                          "type": "number",
+                          "description": "Amount refunded (only if isRefunded is true)",
+                          "example": 99.99
+                        },
+                        "refundTransactionId": {
+                          "type": "string",
+                          "description": "Transaction ID of the refund (if available)"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid link code format"
+          },
+          "404": {
+            "description": "Link not found or expired"
+          }
+        }
+      }
     }
   },
   "components": {

cloudflare-worker/package.json

@@ -13,6 +13,14 @@
 		"start": "wrangler dev",
 		"test": "set -a && source ../.env && set +a && node --experimental-vm-modules ./node_modules/.bin/jest",
 		"d1:create": "npx wrangler d1 execute --local --file src/db/create.sql feedbackflow-db",
+		"d1:migrate:v0-v1": "npx wrangler d1 execute --local --file src/db/migrations/v1_add_transaction_id.sql feedbackflow-db",
+		"d1:migrate:v1-v2": "npx wrangler d1 execute --local --file src/db/migrations/v2_add_screenshot_summary.sql feedbackflow-db",
+		"d1:migrate:v2-v3": "npx wrangler d1 execute --local --file src/db/migrations/v3_add_links_table.sql feedbackflow-db",
+		"d1:migrate:all": "npm run d1:migrate:v0-v1 && npm run d1:migrate:v1-v2 && npm run d1:migrate:v2-v3",
+		"d1:migrate:v0-v1:remote": "npx wrangler d1 execute --remote --file src/db/migrations/v1_add_transaction_id.sql feedbackflow-db",
+		"d1:migrate:v1-v2:remote": "npx wrangler d1 execute --remote --file src/db/migrations/v2_add_screenshot_summary.sql feedbackflow-db",
+		"d1:migrate:v2-v3:remote": "npx wrangler d1 execute --remote --file src/db/migrations/v3_add_links_table.sql feedbackflow-db",
+		"d1:migrate:all:remote": "npm run d1:migrate:v0-v1:remote && npm run d1:migrate:v1-v2:remote && npm run d1:migrate:v2-v3:remote",
 		"d1:create:remote": "npx wrangler d1 execute --remote --file src/db/create.sql feedbackflow-db",
 		"d1:init": "npx wrangler d1 execute --local --file src/test/seed-test-data.sql feedbackflow-db",
 		"cf-typegen": "wrangler types"
@@ -45,4 +53,4 @@
 		"jose": "^6.1.0",
 		"uuid": "^13.0.0"
 	}
-}
+}

cloudflare-worker/src/db/create.sql

@@ -27,6 +27,7 @@ PRAGMA foreign_keys = ON;
 
 -- Drop tables if they already exist (for reset)
 DROP TABLE IF EXISTS schema_version;
+DROP TABLE IF EXISTS links;
 DROP TABLE IF EXISTS publications;
 DROP TABLE IF EXISTS feedbacks;
 DROP TABLE IF EXISTS purchases;
@@ -109,8 +110,30 @@ CREATE TABLE refunds (
     FOREIGN KEY (purchase_id) REFERENCES purchases(id) ON DELETE CASCADE
 );
 
--- Index for searching purchases by tester
-CREATE INDEX idx_purchases_tester_uuid ON purchases(tester_uuid);
+-- Links table for short public dispute resolution links
+CREATE TABLE links (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT NOT NULL UNIQUE,              -- 7-character unique code for the short link
+    purchase_id TEXT NOT NULL,              -- Reference to the purchase
+    expires_at TIMESTAMP NOT NULL,          -- Expiration timestamp
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (purchase_id) REFERENCES purchases(id) ON DELETE CASCADE
+);
+
+-- Index to speed up refunds lookups
+CREATE INDEX idx_refunds_purchase_id ON refunds(purchase_id);
+
+-- Index to speed up links lookups by code
+CREATE INDEX idx_links_code ON links(code);
+
+-- Index to speed up links lookups by purchase_id
+CREATE INDEX idx_links_purchase_id ON links(purchase_id);
+
+-- Index to efficiently find non-expired links
+CREATE INDEX idx_links_expires_at ON links(expires_at);
+
+-- Composite index for checking if a link exists and is still valid
+CREATE INDEX idx_links_code_expires_at ON links(code, expires_at);
 -- Index for searching refunded/non-refunded purchases
 CREATE INDEX idx_purchases_refunded ON purchases(refunded);
 
@@ -194,4 +217,4 @@ GROUP BY t.uuid;
 
 -- Insert initial schema version (or update if exists)
 INSERT  INTO schema_version (id, version, description) 
-VALUES (1, 2, 'Initial schema with transactionId support for refunds and screenshot summary');
+VALUES (1, 3, 'Schema with transactionId support for refunds, screenshot summary, and short public links');