Merge pull request #198 from LAA-Software-Engineering/feat/issue-117-book-ownership

feat: book ownership and JWT user_id (fix #117)

Author: leo-aa88

docs/docs.go

@@ -257,6 +257,12 @@ const docTemplate = `{
                             "type": "string"
                         }
                     },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
                     "404": {
                         "description": "book not found",
                         "schema": {
@@ -307,6 +313,12 @@ const docTemplate = `{
                             "type": "string"
                         }
                     },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
                     "404": {
                         "description": "book not found",
                         "schema": {
@@ -450,6 +462,9 @@ const docTemplate = `{
                 "id": {
                     "type": "integer"
                 },
+                "owner_id": {
+                    "type": "integer"
+                },
                 "title": {
                     "type": "string"
                 },

docs/swagger.json

@@ -251,6 +251,12 @@
                             "type": "string"
                         }
                     },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
                     "404": {
                         "description": "book not found",
                         "schema": {
@@ -301,6 +307,12 @@
                             "type": "string"
                         }
                     },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
                     "404": {
                         "description": "book not found",
                         "schema": {
@@ -444,6 +456,9 @@
                 "id": {
                     "type": "integer"
                 },
+                "owner_id": {
+                    "type": "integer"
+                },
                 "title": {
                     "type": "string"
                 },

docs/swagger.yaml

@@ -8,6 +8,8 @@ definitions:
         type: string
       id:
         type: integer
+      owner_id:
+        type: integer
       title:
         type: string
       updated_at:
@@ -168,6 +170,10 @@ paths:
           description: Unauthorized
           schema:
             type: string
+        "403":
+          description: Forbidden
+          schema:
+            type: string
         "404":
           description: book not found
           schema:
@@ -237,6 +243,10 @@ paths:
           description: Unauthorized
           schema:
             type: string
+        "403":
+          description: Forbidden
+          schema:
+            type: string
         "404":
           description: book not found
           schema:

pkg/api/book_routes_auth_test.go

@@ -36,7 +36,7 @@ func testBookWriteMiddlewareStack(t *testing.T) *gin.Engine {
 func TestBookWriteRoutesRequireAPIKeyAndJWT(t *testing.T) {
 	const apiKey = testAPISecretKey
 
-	token, err := auth.GenerateToken("book-writer")
+	token, err := auth.GenerateToken("book-writer", 1)
 	if err != nil {
 		t.Fatalf("GenerateToken: %v", err)
 	}
@@ -141,7 +141,7 @@ func TestBookWriteRoutesRequireAPIKeyAndJWT(t *testing.T) {
 func TestBookWriteRoutesRejectTamperedJWT(t *testing.T) {
 	const apiKey = testAPISecretKey
 
-	token, err := auth.GenerateToken("u1")
+	token, err := auth.GenerateToken("u1", 1)
 	if err != nil {
 		t.Fatalf("GenerateToken: %v", err)
 	}
@@ -175,7 +175,7 @@ func TestBookWriteRoutesRejectTamperedJWT(t *testing.T) {
 func TestBookWriteRoutesConcurrentAuthorizedRequests(t *testing.T) {
 	const apiKey = testAPISecretKey
 
-	token, err := auth.GenerateToken("concurrent-user")
+	token, err := auth.GenerateToken("concurrent-user", 1)
 	if err != nil {
 		t.Fatalf("GenerateToken: %v", err)
 	}

pkg/api/books.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"golang-rest-api-template/pkg/cache"
+	"golang-rest-api-template/pkg/middleware"
 	"golang-rest-api-template/pkg/models"
 	"golang-rest-api-template/pkg/repository"
 	"golang-rest-api-template/pkg/service"
@@ -80,6 +81,19 @@ func parseOffsetLimit(c *gin.Context) (offset, limit int, ok bool) {
 	return o, l, true
 }
 
+// contextUserID returns the authenticated users.id set by middleware.JWTAuth.
+func contextUserID(c *gin.Context) (uint, bool) {
+	if c == nil {
+		return 0, false
+	}
+	v, ok := c.Get(middleware.ContextUserID)
+	if !ok {
+		return 0, false
+	}
+	id, ok := v.(uint)
+	return id, ok && id > 0
+}
+
 // @BasePath /api/v1
 
 // Healthcheck godoc
@@ -146,12 +160,17 @@ func (h *bookHandler) FindBooks(c *gin.Context) {
 // @Failure 500 {string} string "Internal Server Error"
 // @Router /books [post]
 func (h *bookHandler) CreateBook(c *gin.Context) {
+	ownerID, ok := contextUserID(c)
+	if !ok {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
+		return
+	}
 	var input models.CreateBook
 	if err := c.ShouldBindJSON(&input); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
-	book, err := h.svc.CreateBook(c.Request.Context(), input.Title, input.Author)
+	book, err := h.svc.CreateBook(c.Request.Context(), ownerID, input.Title, input.Author)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create book"})
 		return
@@ -199,10 +218,16 @@ func (h *bookHandler) FindBook(c *gin.Context) {
 // @Success 200 {object} models.Book "Successfully updated book"
 // @Failure 400 {string} string "Bad Request"
 // @Failure 401 {string} string "Unauthorized"
+// @Failure 403 {string} string "Forbidden"
 // @Failure 404 {string} string "book not found"
 // @Failure 500 {string} string "Internal Server Error"
 // @Router /books/{id} [put]
 func (h *bookHandler) UpdateBook(c *gin.Context) {
+	actorID, ok := contextUserID(c)
+	if !ok {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
+		return
+	}
 	var input models.UpdateBook
 	id, ok := parseIDParam(c)
 	if !ok {
@@ -212,12 +237,16 @@ func (h *bookHandler) UpdateBook(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
-	book, err := h.svc.UpdateBook(c.Request.Context(), id, input.Title, input.Author)
+	book, err := h.svc.UpdateBook(c.Request.Context(), actorID, id, input.Title, input.Author)
 	if err != nil {
 		if repository.IsBookNotFound(err) {
 			c.JSON(http.StatusNotFound, gin.H{"error": "book not found"})
 			return
 		}
+		if errors.Is(err, service.ErrBookForbidden) {
+			c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
+			return
+		}
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update book"})
 		return
 	}
@@ -234,19 +263,29 @@ func (h *bookHandler) UpdateBook(c *gin.Context) {
 // @Param id path string true "Book ID"
 // @Success 204 "Successfully deleted book"
 // @Failure 401 {string} string "Unauthorized"
+// @Failure 403 {string} string "Forbidden"
 // @Failure 404 {string} string "book not found"
 // @Failure 500 {string} string "Internal Server Error"
 // @Router /books/{id} [delete]
 func (h *bookHandler) DeleteBook(c *gin.Context) {
+	actorID, ok := contextUserID(c)
+	if !ok {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"})
+		return
+	}
 	id, ok := parseIDParam(c)
 	if !ok {
 		return
 	}
-	if err := h.svc.DeleteBook(c.Request.Context(), id); err != nil {
+	if err := h.svc.DeleteBook(c.Request.Context(), actorID, id); err != nil {
 		if repository.IsBookNotFound(err) {
 			c.JSON(http.StatusNotFound, gin.H{"error": "book not found"})
 			return
 		}
+		if errors.Is(err, service.ErrBookForbidden) {
+			c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
+			return
+		}
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete book"})
 		return
 	}