Files
multica/server/internal/handler/pin.go
Naiyuan Qing f0f3cb5c3a fix(server): resolve X-Workspace-Slug in middleware-less handlers (#1165)
Problem
-------
The v2 workspace URL refactor (#1141) switched the frontend from sending
X-Workspace-ID (UUID) to X-Workspace-Slug. The workspace middleware was
updated to accept the slug and translate it via GetWorkspaceBySlug.

But the handler package maintained a PARALLEL resolver
(`resolveWorkspaceID` in handler.go) used by endpoints that sit outside
the workspace middleware — and that resolver was never updated. It only
checked context / ?workspace_id / X-Workspace-ID, never the slug.

/api/upload-file is the one production route that hit the broken path:
it's user-scoped (not behind workspace middleware) because it also
serves avatar uploads (no workspace). Post-refactor requests from the
frontend arrived with only X-Workspace-Slug; the handler resolver
returned "", the code fell into the "no workspace context" branch, and
every file upload since v2 landed in S3 with no corresponding DB
attachment row — files orphaned, invisible to the UI.

Root cause is structural: two resolvers doing the same job, written
independently, diverged silently when one was updated.

Fix
---
Collapse to a single shared helper. middleware.ResolveWorkspaceIDFromRequest
is the new canonical resolver; both the middleware's internal
`resolveWorkspaceUUID` (for middleware gating) and the handler-side
`(h *Handler).resolveWorkspaceID` (promoted from a package function)
now delegate to it. Priority order matches what the middleware has had
since v2: context > X-Workspace-Slug header > ?workspace_slug query >
X-Workspace-ID header > ?workspace_id query.

Impact analysis
---------------
47 call sites of the old `resolveWorkspaceID(r)` are renamed to
`h.resolveWorkspaceID(r)`. 46 of them sit behind workspace middleware,
so they hit the context fast path and see zero behavior change. The
one caller that actually gains capability is UploadFile — which now
correctly recognizes slug requests and creates DB attachment rows.

Tests
-----
- New table-driven unit test for ResolveWorkspaceIDFromRequest covers
  all priority levels and the unknown-slug fallback.
- Regression tests for UploadFile: once with X-Workspace-Slug only
  (the broken path), once with X-Workspace-ID only (legacy CLI/daemon
  compat path). Both assert that a DB attachment row is created.
- Full Go test suite passes; typecheck + pnpm test unaffected.

Plan
----
See docs/plans/2026-04-16-unify-workspace-identity-resolver.md for the
full first-principles writeup.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:01:56 +08:00

231 lines
6.2 KiB
Go

package handler
import (
"encoding/json"
"net/http"
"strconv"
"github.com/go-chi/chi/v5"
db "github.com/multica-ai/multica/server/pkg/db/generated"
"github.com/multica-ai/multica/server/pkg/protocol"
)
type PinnedItemResponse struct {
ID string `json:"id"`
WorkspaceID string `json:"workspace_id"`
UserID string `json:"user_id"`
ItemType string `json:"item_type"`
ItemID string `json:"item_id"`
Position float64 `json:"position"`
CreatedAt string `json:"created_at"`
// Enriched fields (set by list endpoint)
Title string `json:"title"`
Identifier *string `json:"identifier,omitempty"`
Icon *string `json:"icon,omitempty"`
Status string `json:"status,omitempty"`
}
func pinnedItemToResponse(p db.PinnedItem) PinnedItemResponse {
return PinnedItemResponse{
ID: uuidToString(p.ID),
WorkspaceID: uuidToString(p.WorkspaceID),
UserID: uuidToString(p.UserID),
ItemType: p.ItemType,
ItemID: uuidToString(p.ItemID),
Position: p.Position,
CreatedAt: timestampToString(p.CreatedAt),
}
}
type CreatePinRequest struct {
ItemType string `json:"item_type"`
ItemID string `json:"item_id"`
}
type ReorderPinsRequest struct {
Items []ReorderItem `json:"items"`
}
type ReorderItem struct {
ID string `json:"id"`
Position float64 `json:"position"`
}
func (h *Handler) ListPins(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
pins, err := h.Queries.ListPinnedItems(r.Context(), db.ListPinnedItemsParams{
WorkspaceID: parseUUID(workspaceID),
UserID: parseUUID(userID),
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to list pins")
return
}
// Enrich with item details
resp := make([]PinnedItemResponse, 0, len(pins))
for _, p := range pins {
pr := pinnedItemToResponse(p)
switch p.ItemType {
case "issue":
issue, err := h.Queries.GetIssue(r.Context(), p.ItemID)
if err != nil {
continue // Skip deleted items
}
pr.Title = issue.Title
prefix := h.getIssuePrefix(r.Context(), issue.WorkspaceID)
identifier := formatIdentifier(prefix, issue.Number)
pr.Identifier = &identifier
pr.Status = issue.Status
case "project":
project, err := h.Queries.GetProject(r.Context(), p.ItemID)
if err != nil {
continue // Skip deleted items
}
pr.Title = project.Title
pr.Icon = textToPtr(project.Icon)
pr.Status = project.Status
}
resp = append(resp, pr)
}
writeJSON(w, http.StatusOK, resp)
}
func (h *Handler) CreatePin(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
var req CreatePinRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid request body")
return
}
if req.ItemType != "issue" && req.ItemType != "project" {
writeError(w, http.StatusBadRequest, "item_type must be 'issue' or 'project'")
return
}
if req.ItemID == "" {
writeError(w, http.StatusBadRequest, "item_id is required")
return
}
// Verify the item exists in this workspace
switch req.ItemType {
case "issue":
if _, err := h.Queries.GetIssueInWorkspace(r.Context(), db.GetIssueInWorkspaceParams{
ID: parseUUID(req.ItemID), WorkspaceID: parseUUID(workspaceID),
}); err != nil {
writeError(w, http.StatusNotFound, "issue not found")
return
}
case "project":
if _, err := h.Queries.GetProjectInWorkspace(r.Context(), db.GetProjectInWorkspaceParams{
ID: parseUUID(req.ItemID), WorkspaceID: parseUUID(workspaceID),
}); err != nil {
writeError(w, http.StatusNotFound, "project not found")
return
}
}
// Get max position to append at end
maxPos, err := h.Queries.GetMaxPinnedItemPosition(r.Context(), db.GetMaxPinnedItemPositionParams{
WorkspaceID: parseUUID(workspaceID),
UserID: parseUUID(userID),
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to get position")
return
}
pin, err := h.Queries.CreatePinnedItem(r.Context(), db.CreatePinnedItemParams{
WorkspaceID: parseUUID(workspaceID),
UserID: parseUUID(userID),
ItemType: req.ItemType,
ItemID: parseUUID(req.ItemID),
Position: maxPos + 1,
})
if err != nil {
if isUniqueViolation(err) {
writeError(w, http.StatusConflict, "item already pinned")
return
}
writeError(w, http.StatusInternalServerError, "failed to create pin")
return
}
resp := pinnedItemToResponse(pin)
h.publish(protocol.EventPinCreated, workspaceID, "member", userID, map[string]any{"pin": resp})
writeJSON(w, http.StatusCreated, resp)
}
func (h *Handler) DeletePin(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
itemType := chi.URLParam(r, "itemType")
itemID := chi.URLParam(r, "itemId")
err := h.Queries.DeletePinnedItem(r.Context(), db.DeletePinnedItemParams{
WorkspaceID: parseUUID(workspaceID),
UserID: parseUUID(userID),
ItemType: itemType,
ItemID: parseUUID(itemID),
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to delete pin")
return
}
h.publish(protocol.EventPinDeleted, workspaceID, "member", userID, map[string]any{
"item_type": itemType,
"item_id": itemID,
})
w.WriteHeader(http.StatusNoContent)
}
func (h *Handler) ReorderPins(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
workspaceID := h.resolveWorkspaceID(r)
var req ReorderPinsRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid request body")
return
}
for _, item := range req.Items {
if err := h.Queries.UpdatePinnedItemPosition(r.Context(), db.UpdatePinnedItemPositionParams{
Position: item.Position,
ID: parseUUID(item.ID),
WorkspaceID: parseUUID(workspaceID),
UserID: parseUUID(userID),
}); err != nil {
writeError(w, http.StatusInternalServerError, "failed to reorder pins")
return
}
}
w.WriteHeader(http.StatusNoContent)
}
func formatIdentifier(prefix string, number int32) string {
if prefix == "" {
prefix = "ISS"
}
return prefix + "-" + strconv.Itoa(int(number))
}