This commit is contained in:
Bastian Wagner
2026-06-10 15:44:18 +02:00
parent 67b5fb8532
commit e1cc78ca27
22 changed files with 749 additions and 26 deletions

View File

@@ -17,6 +17,8 @@ export type AuditAction =
| 'list.created_from_template'
| 'list.updated'
| 'list.deleted'
| 'list.shared'
| 'list.unshared'
| 'list.item_created'
| 'list.item_updated'
| 'list.item_checked'

View File

@@ -55,6 +55,15 @@ export class AuthController {
return this.authService.getPublicUser(request.user!.sub);
}
@Get('users/search')
@UseGuards(JwtAuthGuard)
searchUsers(
@Req() request: AuthenticatedRequest,
@Query('q') query?: string,
) {
return this.authService.searchUsers(request.user!.sub, query);
}
@Patch('me/onboarding')
@UseGuards(JwtAuthGuard)
updateOnboarding(

View File

@@ -9,7 +9,7 @@ import { EventEmitter2 } from '@nestjs/event-emitter';
import { JwtService } from '@nestjs/jwt';
import { InjectRepository } from '@nestjs/typeorm';
import { randomBytes, randomUUID, scryptSync, timingSafeEqual } from 'crypto';
import { Repository } from 'typeorm';
import { Like, Repository } from 'typeorm';
import { AuditLogService } from '../audit/audit-log.service';
import { LoginDto } from './dto/login.dto';
import { RegisterDto } from './dto/register.dto';
@@ -20,6 +20,7 @@ import {
AuthTokens,
JwtTokenPayload,
PublicUser,
PublicUserSearchResult,
} from './auth.types';
import { AppEvents } from '../events/app-events';
import { RefreshTokenEntity } from './refresh-token.entity';
@@ -293,6 +294,41 @@ export class AuthService {
return this.toPublicUser(user);
}
async searchUsers(
actorUserId: string,
query?: string,
): Promise<PublicUserSearchResult[]> {
const normalizedQuery = query?.trim();
if (!normalizedQuery || normalizedQuery.length < 2) {
return [];
}
const pattern = `%${normalizedQuery}%`;
const users = await this.usersRepository.find({
where: [
{ verified: true, email: Like(pattern) },
{ verified: true, name: Like(pattern) },
],
order: { email: 'ASC' },
take: 10,
});
return users
.filter((user) => user.id !== actorUserId)
.filter(
(user, index, allUsers) =>
allUsers.findIndex((existingUser) => existingUser.id === user.id) ===
index,
)
.slice(0, 10)
.map((user) => ({
id: user.id,
email: user.email,
name: user.name ?? undefined,
}));
}
async updateOnboardingCompleted(
userId: string,
completed: boolean,

View File

@@ -37,3 +37,9 @@ export interface PublicUser {
verified: boolean;
onboardingCompleted: boolean;
}
export interface PublicUserSearchResult {
id: string;
email: string;
name?: string;
}

View File

@@ -9,6 +9,7 @@ import {
} from 'typeorm';
import { ListTemplateEntity } from '../list-templates/list-template.entity';
import { UserListEntity } from '../lists/user-list.entity';
import { UserListShareEntity } from '../lists/user-list-share.entity';
import { RefreshTokenEntity } from './refresh-token.entity';
@Entity('users')
@@ -59,4 +60,7 @@ export class UserEntity {
@OneToMany(() => UserListEntity, (list) => list.owner)
lists?: UserListEntity[];
@OneToMany(() => UserListShareEntity, (share) => share.user)
sharedLists?: UserListShareEntity[];
}

View File

@@ -38,14 +38,27 @@ export interface UserListItem {
updatedAt: string;
}
export type UserListAccessRole = 'owner' | 'collaborator';
export interface UserListCollaborator {
id: string;
name?: string;
email: string;
role: 'collaborator';
}
export interface UserList {
id: string;
ownerId: string;
ownerName?: string;
ownerEmail?: string;
accessRole: UserListAccessRole;
sourceTemplateId?: string;
name: string;
description?: string;
kind: ListTemplateKind;
items: UserListItem[];
collaborators: UserListCollaborator[];
createdAt: string;
updatedAt: string;
}

View File

@@ -0,0 +1,3 @@
export class ShareListDto {
userId?: string;
}

View File

@@ -16,6 +16,7 @@ import { JwtAuthGuard } from '../auth/jwt-auth.guard';
import { AuthService } from '../auth/auth.service';
import { CreateListDto } from './dto/create-list.dto';
import { AddListItemDto, UpdateListItemDto } from './dto/list-item.dto';
import { ShareListDto } from './dto/share-list.dto';
import { UpdateListDto } from './dto/update-list.dto';
import { ListRealtimeService } from './list-realtime.service';
import { ListsService } from './lists.service';
@@ -78,6 +79,32 @@ export class ListsController {
return this.listsService.deleteList(this.requireUserId(request), listId);
}
@Post(':listId/shares')
shareList(
@Req() request: AuthenticatedRequest,
@Param('listId') listId: string,
@Body() shareDto: ShareListDto,
) {
return this.listsService.shareList(
this.requireUserId(request),
listId,
shareDto,
);
}
@Delete(':listId/shares/:userId')
removeShare(
@Req() request: AuthenticatedRequest,
@Param('listId') listId: string,
@Param('userId') userId: string,
) {
return this.listsService.removeShare(
this.requireUserId(request),
listId,
userId,
);
}
@Post(':listId/items')
addItem(
@Req() request: AuthenticatedRequest,

View File

@@ -2,17 +2,24 @@ import { Module } from '@nestjs/common';
import { TypeOrmModule } from '@nestjs/typeorm';
import { AuditModule } from '../audit/audit.module';
import { AuthModule } from '../auth/auth.module';
import { UserEntity } from '../auth/user.entity';
import { ListsController } from './lists.controller';
import { ListRealtimeService } from './list-realtime.service';
import { ListsService } from './lists.service';
import { UserListEntity } from './user-list.entity';
import { UserListItemEntity } from './user-list-item.entity';
import { UserListShareEntity } from './user-list-share.entity';
@Module({
imports: [
AuditModule,
AuthModule,
TypeOrmModule.forFeature([UserListEntity, UserListItemEntity]),
TypeOrmModule.forFeature([
UserEntity,
UserListEntity,
UserListItemEntity,
UserListShareEntity,
]),
],
controllers: [ListsController],
providers: [ListRealtimeService, ListsService],

View File

@@ -1,18 +1,24 @@
import { ForbiddenException, NotFoundException } from '@nestjs/common';
import { UserEntity } from '../auth/user.entity';
import { ListTemplate } from '../list-templates/list-template.types';
import { InMemoryRepository } from '../testing/in-memory-repository';
import { ListRealtimeService } from './list-realtime.service';
import { ListsService } from './lists.service';
import { UserListEntity } from './user-list.entity';
import { UserListItemEntity } from './user-list-item.entity';
import { UserListShareEntity } from './user-list-share.entity';
describe('ListsService', () => {
let service: ListsService;
let usersRepository: InMemoryRepository<UserEntity>;
beforeEach(() => {
usersRepository = new InMemoryRepository<UserEntity>();
service = new ListsService(
new InMemoryRepository<UserListEntity>() as never,
new InMemoryRepository<UserListItemEntity>() as never,
new InMemoryRepository<UserListShareEntity>() as never,
usersRepository as never,
);
});
@@ -57,6 +63,8 @@ describe('ListsService', () => {
service = new ListsService(
new InMemoryRepository<UserListEntity>() as never,
new InMemoryRepository<UserListItemEntity>() as never,
new InMemoryRepository<UserListShareEntity>() as never,
usersRepository as never,
undefined,
realtimeService as never,
);
@@ -100,6 +108,41 @@ describe('ListsService', () => {
);
});
it('allows owners to share lists with collaborators', async () => {
await usersRepository.save({
id: 'user-2',
email: 'collaborator@example.com',
passwordHash: 'hash',
verified: true,
onboardingCompleted: false,
createdAt: new Date(),
updatedAt: new Date(),
});
const list = await service.createList('user-1', {
name: 'Geteilte Liste',
});
const sharedList = await service.shareList('user-1', list.id, {
userId: 'user-2',
});
const collaboratorList = await service.getList('user-2', list.id);
const updatedByCollaborator = await service.addItem('user-2', list.id, {
title: 'Gemeinsamer Eintrag',
});
expect(sharedList.collaborators).toEqual([
expect.objectContaining({
id: 'user-2',
email: 'collaborator@example.com',
}),
]);
expect(collaboratorList.accessRole).toBe('collaborator');
expect(updatedByCollaborator.items).toHaveLength(1);
await expect(service.deleteList('user-2', list.id)).rejects.toThrow(
ForbiddenException,
);
});
it('adds, updates, checks and deletes list items', async () => {
const list = await service.createList('user-1', {
name: 'Einkauf',

View File

@@ -13,15 +13,19 @@ import {
ListTemplate,
ListTemplateKind,
UserList,
UserListAccessRole,
UserListItem,
} from '../list-templates/list-template.types';
import { UserEntity } from '../auth/user.entity';
import { CreateListFromTemplateDto } from '../list-templates/dto/create-list-from-template.dto';
import { AddListItemDto, UpdateListItemDto } from './dto/list-item.dto';
import { CreateListDto } from './dto/create-list.dto';
import { ListRealtimeService } from './list-realtime.service';
import { ShareListDto } from './dto/share-list.dto';
import { UpdateListDto } from './dto/update-list.dto';
import { UserListEntity } from './user-list.entity';
import { UserListItemEntity } from './user-list-item.entity';
import { UserListShareEntity } from './user-list-share.entity';
@Injectable()
export class ListsService {
@@ -30,6 +34,10 @@ export class ListsService {
private readonly listsRepository: Repository<UserListEntity>,
@InjectRepository(UserListItemEntity)
private readonly listItemsRepository: Repository<UserListItemEntity>,
@InjectRepository(UserListShareEntity)
private readonly listSharesRepository: Repository<UserListShareEntity>,
@InjectRepository(UserEntity)
private readonly usersRepository: Repository<UserEntity>,
@Optional()
private readonly auditLogService?: AuditLogService,
@Optional()
@@ -59,8 +67,8 @@ export class ListsService {
},
});
const userList = this.toUserList(savedList);
this.listRealtimeService?.publishSnapshot(ownerId, userList);
const userList = await this.getList(ownerId, savedList.id);
await this.publishListSnapshot(savedList.id);
return userList;
}
@@ -114,24 +122,51 @@ export class ListsService {
},
});
const userList = this.toUserList(savedList);
this.listRealtimeService?.publishSnapshot(ownerId, userList);
const userList = await this.getList(ownerId, savedList.id);
await this.publishListSnapshot(savedList.id);
return userList;
}
async listLists(ownerId: string): Promise<UserList[]> {
const lists = await this.listsRepository.find({
const ownedLists = await this.listsRepository.find({
where: { ownerId },
relations: { items: true },
relations: { items: true, owner: true, shares: { user: true } },
order: { name: 'ASC', items: { position: 'ASC' } },
});
const sharedListShares = await this.listSharesRepository.find({
where: { userId: ownerId },
relations: { list: { items: true, owner: true, shares: { user: true } } },
});
const listsById = new Map<string, UserListEntity>();
return lists.map((list) => this.toUserList(list));
for (const list of ownedLists) {
await this.hydrateListAccessRelations(list);
listsById.set(list.id, list);
}
for (const share of sharedListShares) {
const sharedList =
share.list ??
(await this.listsRepository.findOne({
where: { id: share.listId },
relations: { items: true, owner: true, shares: { user: true } },
order: { items: { position: 'ASC' } },
}));
if (sharedList) {
await this.hydrateListAccessRelations(sharedList);
listsById.set(sharedList.id, sharedList);
}
}
return [...listsById.values()]
.sort((left, right) => left.name.localeCompare(right.name))
.map((list) => this.toUserList(list, ownerId));
}
async getList(ownerId: string, listId: string): Promise<UserList> {
return this.toUserList(await this.findOwnedList(ownerId, listId));
return this.toUserList(await this.findAccessibleList(ownerId, listId), ownerId);
}
async updateList(
@@ -139,7 +174,7 @@ export class ListsService {
listId: string,
updateDto: UpdateListDto,
): Promise<UserList> {
const list = await this.findOwnedList(ownerId, listId);
const list = await this.findAccessibleList(ownerId, listId);
if (updateDto.name !== undefined) {
list.name = this.requireName(updateDto.name);
@@ -169,14 +204,15 @@ export class ListsService {
},
});
const userList = this.toUserList(savedList);
this.listRealtimeService?.publishSnapshot(ownerId, userList);
const userList = await this.getList(ownerId, savedList.id);
await this.publishListSnapshot(savedList.id);
return userList;
}
async deleteList(ownerId: string, listId: string): Promise<{ message: string }> {
const list = await this.findOwnedList(ownerId, listId);
const accessorIds = this.listAccessorIds(list);
const metadata = {
name: list.name,
kind: list.kind,
@@ -192,17 +228,100 @@ export class ListsService {
metadata,
});
this.listRealtimeService?.publishDeleted(ownerId, listId);
accessorIds.forEach((accessorId) =>
this.listRealtimeService?.publishDeleted(accessorId, listId),
);
return { message: 'List deleted.' };
}
async shareList(
ownerId: string,
listId: string,
shareDto: ShareListDto,
): Promise<UserList> {
const list = await this.findOwnedList(ownerId, listId);
const targetUserId = this.requireShareUserId(shareDto.userId);
if (targetUserId === ownerId) {
throw new BadRequestException('List owner cannot be added as collaborator.');
}
const targetUser = await this.usersRepository.findOne({
where: { id: targetUserId },
});
if (!targetUser || !targetUser.verified) {
throw new NotFoundException('User was not found.');
}
const existingShare = await this.listSharesRepository.findOne({
where: { listId, userId: targetUserId },
});
if (!existingShare) {
await this.listSharesRepository.save(
this.listSharesRepository.create({
id: randomUUID(),
listId,
userId: targetUserId,
role: 'collaborator',
}),
);
}
await this.auditLogService?.record({
actorUserId: ownerId,
action: 'list.shared',
entityType: 'list',
entityId: list.id,
metadata: {
sharedWithUserId: targetUserId,
sharedWithEmail: targetUser.email,
},
});
await this.publishListSnapshot(listId);
return this.getList(ownerId, listId);
}
async removeShare(
ownerId: string,
listId: string,
collaboratorUserId: string,
): Promise<UserList> {
const list = await this.findOwnedList(ownerId, listId);
const existingShare = await this.listSharesRepository.findOne({
where: { listId, userId: collaboratorUserId },
});
if (!existingShare) {
throw new NotFoundException('List share was not found.');
}
await this.listSharesRepository.remove(existingShare);
await this.auditLogService?.record({
actorUserId: ownerId,
action: 'list.unshared',
entityType: 'list',
entityId: list.id,
metadata: { removedUserId: collaboratorUserId },
});
this.listRealtimeService?.publishDeleted(collaboratorUserId, listId);
await this.publishListSnapshot(listId);
return this.getList(ownerId, listId);
}
async addItem(
ownerId: string,
listId: string,
addDto: AddListItemDto,
): Promise<UserList> {
const list = await this.findOwnedList(ownerId, listId);
const list = await this.findAccessibleList(ownerId, listId);
const item = this.createListItem(addDto, list.items.length);
item.listId = list.id;
@@ -224,7 +343,7 @@ export class ListsService {
});
const updatedList = await this.getList(ownerId, listId);
this.listRealtimeService?.publishSnapshot(ownerId, updatedList);
await this.publishListSnapshot(listId);
return updatedList;
}
@@ -236,7 +355,7 @@ export class ListsService {
updateDto: UpdateListItemDto,
actorName?: string,
): Promise<UserList> {
const list = await this.findOwnedList(ownerId, listId);
const list = await this.findAccessibleList(ownerId, listId);
const item = this.findListItem(list, itemId);
const wasChecked = item.checked;
@@ -297,7 +416,7 @@ export class ListsService {
});
const updatedList = await this.getList(ownerId, listId);
this.listRealtimeService?.publishSnapshot(ownerId, updatedList);
await this.publishListSnapshot(listId);
return updatedList;
}
@@ -307,7 +426,7 @@ export class ListsService {
listId: string,
itemId: string,
): Promise<UserList> {
const list = await this.findOwnedList(ownerId, listId);
const list = await this.findAccessibleList(ownerId, listId);
const itemIndex = list.items.findIndex((item) => item.id === itemId);
if (itemIndex === -1) {
@@ -336,18 +455,18 @@ export class ListsService {
});
const updatedList = await this.getList(ownerId, listId);
this.listRealtimeService?.publishSnapshot(ownerId, updatedList);
await this.publishListSnapshot(listId);
return updatedList;
}
private async findOwnedList(
private async findAccessibleList(
ownerId: string,
listId: string,
): Promise<UserListEntity> {
const list = await this.listsRepository.findOne({
where: { id: listId },
relations: { items: true },
relations: { items: true, owner: true, shares: { user: true } },
order: { items: { position: 'ASC' } },
});
@@ -355,11 +474,27 @@ export class ListsService {
throw new NotFoundException('List was not found.');
}
if (list.ownerId !== ownerId) {
await this.hydrateListAccessRelations(list);
if (!this.canAccessList(list, ownerId)) {
throw new ForbiddenException('List belongs to another user.');
}
list.items = list.items ?? [];
list.shares = list.shares ?? [];
return list;
}
private async findOwnedList(
ownerId: string,
listId: string,
): Promise<UserListEntity> {
const list = await this.findAccessibleList(ownerId, listId);
if (list.ownerId !== ownerId) {
throw new ForbiddenException('Only the list owner can perform this action.');
}
return list;
}
@@ -465,10 +600,87 @@ export class ListsService {
return value;
}
private toUserList(list: UserListEntity): UserList {
private requireShareUserId(userId?: string): string {
const normalizedUserId = userId?.trim();
if (!normalizedUserId) {
throw new BadRequestException('User id is required.');
}
return normalizedUserId;
}
private canAccessList(list: UserListEntity, userId: string): boolean {
return (
list.ownerId === userId ||
Boolean(list.shares?.some((share) => share.userId === userId))
);
}
private accessRoleFor(
list: UserListEntity,
viewerId?: string,
): UserListAccessRole {
return list.ownerId === viewerId ? 'owner' : 'collaborator';
}
private listAccessorIds(list: UserListEntity): string[] {
return [
list.ownerId,
...(list.shares ?? []).map((share) => share.userId),
].filter((userId, index, userIds) => userIds.indexOf(userId) === index);
}
private async hydrateListAccessRelations(list: UserListEntity): Promise<void> {
list.owner ??= (await this.usersRepository.findOne({
where: { id: list.ownerId },
})) ?? undefined;
const storedShares = await this.listSharesRepository.find({
where: { listId: list.id },
relations: { user: true },
});
list.shares = storedShares;
for (const share of list.shares) {
share.user ??= (await this.usersRepository.findOne({
where: { id: share.userId },
})) ?? undefined;
}
}
private async publishListSnapshot(listId: string): Promise<void> {
if (!this.listRealtimeService) {
return;
}
const list = await this.listsRepository.findOne({
where: { id: listId },
relations: { items: true, owner: true, shares: { user: true } },
order: { items: { position: 'ASC' } },
});
if (!list) {
return;
}
await this.hydrateListAccessRelations(list);
this.listAccessorIds(list).forEach((accessorId) => {
this.listRealtimeService?.publishSnapshot(
accessorId,
this.toUserList(list, accessorId),
);
});
}
private toUserList(list: UserListEntity, viewerId?: string): UserList {
return {
id: list.id,
ownerId: list.ownerId,
ownerName: list.owner?.name ?? undefined,
ownerEmail: list.owner?.email ?? undefined,
accessRole: this.accessRoleFor(list, viewerId),
sourceTemplateId: list.sourceTemplateId ?? undefined,
name: list.name,
description: list.description ?? undefined,
@@ -476,6 +688,14 @@ export class ListsService {
items: (list.items ?? [])
.sort((left, right) => left.position - right.position)
.map((item) => this.toUserListItem(item)),
collaborators: (list.shares ?? [])
.filter((share) => Boolean(share.user))
.map((share) => ({
id: share.userId,
name: share.user?.name ?? undefined,
email: share.user!.email,
role: 'collaborator',
})),
createdAt: this.toIsoString(list.createdAt),
updatedAt: this.toIsoString(list.updatedAt),
};

View File

@@ -0,0 +1,50 @@
import {
Column,
CreateDateColumn,
Entity,
Index,
JoinColumn,
ManyToOne,
PrimaryColumn,
} from 'typeorm';
import { UserEntity } from '../auth/user.entity';
import { UserListEntity } from './user-list.entity';
export type UserListShareRole = 'collaborator';
@Entity('user_list_shares')
@Index(['listId', 'userId'], { unique: true })
export class UserListShareEntity {
@PrimaryColumn({ type: 'varchar', length: 36 })
id!: string;
@Index()
@Column({ type: 'varchar', length: 36 })
listId!: string;
@Index()
@Column({ type: 'varchar', length: 36 })
userId!: string;
@Column({ type: 'varchar', length: 32, default: 'collaborator' })
role!: UserListShareRole;
@CreateDateColumn({
type: 'datetime',
precision: 3,
default: () => 'CURRENT_TIMESTAMP(3)',
})
createdAt!: Date;
@ManyToOne(() => UserListEntity, (list) => list.shares, {
onDelete: 'CASCADE',
})
@JoinColumn({ name: 'listId' })
list?: UserListEntity;
@ManyToOne(() => UserEntity, (user) => user.sharedLists, {
onDelete: 'CASCADE',
})
@JoinColumn({ name: 'userId' })
user?: UserEntity;
}

View File

@@ -10,6 +10,7 @@ import {
UpdateDateColumn,
} from 'typeorm';
import { UserEntity } from '../auth/user.entity';
import { UserListShareEntity } from './user-list-share.entity';
import { UserListItemEntity } from './user-list-item.entity';
import type { ListTemplateKind } from '../list-templates/list-template.types';
@@ -59,4 +60,7 @@ export class UserListEntity {
cascade: ['insert', 'update'],
})
items!: UserListItemEntity[];
@OneToMany(() => UserListShareEntity, (share) => share.list)
shares?: UserListShareEntity[];
}