feature: rooms and events implemented on the backend

public/api/rooms/:room_id/README.md

@@ -0,0 +1,23 @@
+# /api/rooms/:room_id
+
+Interact with a specific room.
+
+## GET /api/rooms/:room_id
+
+Get the room specified by `:room_id`.
+
+## PUT /api/rooms/:room_id
+
+Update the rooms specified by `:room_id`.
+
+Eg:
+
+```
+{
+	name?: string;
+}
+```
+
+## DELETE /api/rooms/:room_id
+
+Delete the room specified by `:room_id`.

public/api/rooms/:room_id/events/:event_id/index.ts

@@ -0,0 +1,162 @@
+import { EVENT, EVENTS } from '../../../../../../models/event.ts';
+import { ROOM, ROOMS } from '../../../../../../models/room.ts';
+import parse_body from '../../../../../../utils/bodyparser.ts';
+import * as CANNED_RESPONSES from '../../../../../../utils/canned_responses.ts';
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../../../utils/prechecks.ts';
+
+export const PRECHECKS: PRECHECK_TABLE = {};
+
+// GET /api/rooms/:room_id/events/:id - Get an event
+PRECHECKS.GET = [get_session, get_user, require_user, async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+	const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+	// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+	const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+	if (!room) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	meta.room = room;
+	const room_is_public = room.permissions.read.length === 0;
+	const user_has_read_for_room = room_is_public || room.permissions.read.includes(meta.user.id);
+	const room_has_public_events = user_has_read_for_room && (room.permissions.read_events.length === 0);
+	const user_has_read_events_for_room = user_has_read_for_room &&
+		(room_has_public_events || room.permissions.read_events.includes(meta.user.id));
+
+	if (!user_has_read_events_for_room) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
+	const event: EVENT | null = await EVENTS.get(meta.params.event_id);
+
+	if (!event) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	return Response.json(event, {
+		status: 200
+	});
+}
+
+// PUT /api/rooms/:room_id/events/:event_id - Update event
+PRECHECKS.PUT = [
+	get_session,
+	get_user,
+	require_user,
+	(_req: Request, _meta: Record<string, any>): Response | undefined => {
+		if (Deno.env.get('APPEND_ONLY_EVENTS')) {
+			return CANNED_RESPONSES.append_only_events();
+		}
+	},
+	async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+		const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+		// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+		const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+		if (!room) {
+			return CANNED_RESPONSES.not_found();
+		}
+
+		meta.room = room;
+		const room_is_public: boolean = meta.room.permissions.read.length === 0;
+		const user_has_read_for_room = room_is_public || meta.room.permissions.read.includes(meta.user.id);
+		const room_events_are_publicly_writable = meta.room.permissions.write_events.length === 0;
+		const user_has_write_events_for_room = user_has_read_for_room &&
+			(room_events_are_publicly_writable || meta.room.permissions.write_events.includes(meta.user.id));
+
+		if (!user_has_write_events_for_room) {
+			return CANNED_RESPONSES.permission_denied();
+		}
+	}
+];
+export async function PUT(req: Request, meta: Record<string, any>): Promise<Response> {
+	const now = new Date().toISOString();
+
+	try {
+		const event: EVENT | null = await EVENTS.get(meta.params.event_id);
+
+		if (!event) {
+			return CANNED_RESPONSES.not_found();
+		}
+
+		if (event.creator_id !== meta.user.id) {
+			return CANNED_RESPONSES.permission_denied();
+		}
+
+		const body = await parse_body(req);
+		const updated = {
+			...event,
+			...body,
+			id: event.id,
+			creator_id: event.creator_id,
+			timestamps: {
+				created: event.timestamps.created,
+				updated: now
+			}
+		};
+
+		await EVENTS.update(updated);
+		return Response.json(updated, {
+			status: 200
+		});
+	} catch (err) {
+		return Response.json({
+			error: {
+				message: (err as Error)?.message ?? 'Unknown error due to invalid data.',
+				cause: (err as Error)?.cause ?? 'invalid_data'
+			}
+		}, {
+			status: 400
+		});
+	}
+}
+
+// DELETE /api/rooms/:room_id/events/:event_id - Delete event
+PRECHECKS.DELETE = [
+	get_session,
+	get_user,
+	require_user,
+	(_req: Request, _meta: Record<string, any>): Response | undefined => {
+		if (Deno.env.get('APPEND_ONLY_EVENTS')) {
+			return CANNED_RESPONSES.append_only_events();
+		}
+	},
+	async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+		const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+		// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+		const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+		if (!room) {
+			return CANNED_RESPONSES.not_found();
+		}
+
+		meta.room = room;
+		const room_is_public: boolean = meta.room.permissions.read.length === 0;
+		const user_has_read_for_room = room_is_public || meta.room.permissions.read.includes(meta.user.id);
+		const room_events_are_publicly_writable = meta.room.permissions.write_events.length === 0;
+		const user_has_write_events_for_room = user_has_read_for_room &&
+			(room_events_are_publicly_writable || meta.room.permissions.write_events.includes(meta.user.id));
+
+		if (!user_has_write_events_for_room) {
+			return CANNED_RESPONSES.permission_denied();
+		}
+	}
+];
+export async function DELETE(_req: Request, meta: Record<string, any>): Promise<Response> {
+	const event: EVENT | null = await EVENTS.get(meta.params.event_id);
+	if (!event) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	await EVENTS.delete(event);
+
+	return Response.json({
+		deleted: true
+	}, {
+		status: 200
+	});
+}

public/api/rooms/:room_id/events/README.md

@@ -0,0 +1,15 @@
+# /api/rooms/:room_id/events/:event_id
+
+Interact with a specific event.
+
+## GET /api/rooms/:room_id/events/:event_id
+
+Get the event specified by the tuple [ `:room_id`, `:event_id` ].
+
+## PUT /api/rooms/:room_id/events/:event_id
+
+Update an event.
+
+## DELETE /api/rooms/:room_id/events/:event_id
+
+Delete an event.

public/api/rooms/:room_id/events/index.ts

@@ -0,0 +1,111 @@
+import lurid from 'jsr:@andyburke/lurid';
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../../utils/prechecks.ts';
+import { ROOM, ROOMS } from '../../../../../models/room.ts';
+import * as CANNED_RESPONSES from '../../../../../utils/canned_responses.ts';
+import { EVENT, EVENTS } from '../../../../../models/event.ts';
+import parse_body from '../../../../../utils/bodyparser.ts';
+
+export const PRECHECKS: PRECHECK_TABLE = {};
+
+// GET /api/rooms/:room_id/events - get room events
+// query parameters:
+//   partial_id: the partial id subset you would like to match (remember, lurids are lexigraphically sorted)
+PRECHECKS.GET = [get_session, get_user, require_user, async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+	const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+	// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+	const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+	if (!room) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	meta.room = room;
+	const room_is_public: boolean = meta.room.permissions.read.length === 0;
+	const user_has_read_for_room = room_is_public || meta.room.permissions.read.includes(meta.user.id);
+	const room_events_are_public = meta.room.permissions.read_events.length === 0;
+	const user_has_read_events_for_room = user_has_read_for_room &&
+		(room_events_are_public || meta.room.permissions.read_events.includes(meta.user.id));
+
+	if (!user_has_read_events_for_room) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
+	const query: URLSearchParams = meta.query;
+	const partial_id: string | undefined = query.get('partial_id')?.toLowerCase().trim();
+
+	const has_partial_id = typeof partial_id === 'string' && partial_id.length >= 2;
+	if (!has_partial_id) {
+		return Response.json({
+			error: {
+				message: 'You must specify a `partial_id` query parameter.',
+				cause: 'missing_query_parameter'
+			}
+		}, {
+			status: 400
+		});
+	}
+
+	const limit = Math.min(parseInt(query.get('limit') ?? '10'), 100);
+	const events = await EVENTS.all({
+		id_after: partial_id,
+		limit
+	});
+
+	return Response.json(events, {
+		status: 200
+	});
+}
+
+// POST /api/rooms/:room_id/events - Create an event
+PRECHECKS.POST = [get_session, get_user, require_user, async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+	const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+	// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+	const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+	if (!room) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	meta.room = room;
+	const room_is_public: boolean = meta.room.permissions.read.length === 0;
+	const user_has_read_for_room = room_is_public || meta.room.permissions.read.includes(meta.user.id);
+	const room_events_are_publicly_writable = meta.room.permissions.write_events.length === 0;
+	const user_has_write_events_for_room = user_has_read_for_room &&
+		(room_events_are_publicly_writable || meta.room.permissions.write_events.includes(meta.user.id));
+
+	if (!user_has_write_events_for_room) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export async function POST(req: Request, meta: Record<string, any>): Promise<Response> {
+	try {
+		const now = new Date().toISOString();
+		const body = await parse_body(req);
+		const new_event: EVENT = {
+			type: 'unknown',
+			...body,
+			id: `${meta.params.room_id}:${lurid()}`,
+			creator_id: meta.user.id,
+			timestamps: {
+				created: now,
+				updated: now
+			}
+		};
+
+		await EVENTS.create(new_event);
+
+		return Response.json(new_event, {
+			status: 201
+		});
+	} catch (error) {
+		return Response.json({
+			error: {
+				message: (error as Error).message ?? 'Unknown Error!',
+				cause: (error as Error).cause ?? 'unknown'
+			}
+		}, { status: 500 });
+	}
+}

public/api/rooms/:room_id/index.ts

@@ -0,0 +1,113 @@
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../utils/prechecks.ts';
+import parse_body from '../../../../utils/bodyparser.ts';
+import * as CANNED_RESPONSES from '../../../../utils/canned_responses.ts';
+import { ROOM, ROOMS } from '../../../../models/room.ts';
+
+export const PRECHECKS: PRECHECK_TABLE = {};
+
+// GET /api/rooms/:id - Get a room
+PRECHECKS.GET = [get_session, get_user, require_user, async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+	const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+	// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+	const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+	if (!room) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	meta.room = room;
+	const room_is_public = room.permissions.read.length === 0;
+	const user_has_read_for_room = room_is_public || room.permissions.read.includes(meta.user.id);
+
+	if (!user_has_read_for_room) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export function GET(_req: Request, meta: Record<string, any>): Response {
+	return Response.json(meta.room, {
+		status: 200
+	});
+}
+
+// PUT /api/rooms/:id - Update room
+PRECHECKS.PUT = [get_session, get_user, require_user, async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+	const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+	// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+	const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+	if (!room) {
+		return CANNED_RESPONSES.not_found();
+	}
+
+	meta.room = room;
+	const user_has_write_for_room = room.permissions.write.includes(meta.user.id);
+
+	if (!user_has_write_for_room) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export async function PUT(req: Request, meta: Record<string, any>): Promise<Response> {
+	const now = new Date().toISOString();
+
+	try {
+		const body = await parse_body(req);
+		const updated = {
+			...meta.room,
+			...body,
+			id: meta.room.id,
+			timestamps: {
+				created: meta.room.timestamps.created,
+				updated: now
+			}
+		};
+
+		await ROOMS.update(updated);
+		return Response.json(updated, {
+			status: 200
+		});
+	} catch (err) {
+		return Response.json({
+			error: {
+				message: (err as Error)?.message ?? 'Unknown error due to invalid data.',
+				cause: (err as Error)?.cause ?? 'invalid_data'
+			}
+		}, {
+			status: 400
+		});
+	}
+}
+
+// DELETE /api/rooms/:id - Delete room
+PRECHECKS.DELETE = [
+	get_session,
+	get_user,
+	require_user,
+	async (_req: Request, meta: Record<string, any>): Promise<Response | undefined> => {
+		const room_id: string = meta.params?.room_id?.toLowerCase().trim() ?? '';
+
+		// lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
+		const room: ROOM | null = room_id.length === 49 ? await ROOMS.get(room_id) : null;
+
+		if (!room) {
+			return CANNED_RESPONSES.not_found();
+		}
+
+		meta.room = room;
+		const user_has_write_for_room = room.permissions.write.includes(meta.user.id);
+
+		if (!user_has_write_for_room) {
+			return CANNED_RESPONSES.permission_denied();
+		}
+	}
+];
+export async function DELETE(_req: Request, meta: Record<string, any>): Promise<Response> {
+	await ROOMS.delete(meta.room);
+
+	return Response.json({
+		deleted: true
+	}, {
+		status: 200
+	});
+}

public/api/rooms/README.md

@@ -0,0 +1,28 @@
+# /api/rooms
+
+Interact with rooms.
+
+## POST /api/rooms
+
+Create a new room.
+
+```
+export type ROOM = {
+	id: string; // unique id for this room
+	name: string; // the name of the room (max 128 characters)
+	icon_url?: string; // optional url for a room icon
+	topic?: string; // optional room topic
+	tags: string[]; // a list of tags for the room
+	meta: Record<string, any>;
+	limits: {
+		users: number;
+		user_messages_per_minute: number;
+	};
+	creator_id: string; // user_id of the room creator
+	emojis: Record<string, string>; // either: string: emoji eg: { 'rofl: 🤣, ... } or { 'rofl': 🤣, 'blap': 'https://somewhere.someplace/image.jpg' }
+};
+```
+
+## GET /api/rooms
+
+Get rooms.

public/api/rooms/index.ts

@@ -0,0 +1,112 @@
+import lurid from 'jsr:@andyburke/lurid';
+import parse_body from '../../../utils/bodyparser.ts';
+import { get_session, get_user, require_user } from '../../../utils/prechecks.ts';
+import * as CANNED_RESPONSES from '../../../utils/canned_responses.ts';
+import { PRECHECK_TABLE } from '../../../utils/prechecks.ts';
+import { ROOM, ROOMS } from '../../../models/room.ts';
+
+export const PRECHECKS: PRECHECK_TABLE = {};
+
+// GET /api/rooms - get rooms
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
+	const can_read_rooms = meta.user?.permissions?.includes('rooms.read');
+
+	if (!can_read_rooms) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
+	const query: URLSearchParams = meta.query;
+	const limit = Math.min(parseInt(query.get('limit') ?? '100'), 100);
+	const rooms = await ROOMS.all({
+		limit
+	});
+
+	return Response.json(rooms, {
+		status: 200
+	});
+}
+
+// POST /api/rooms - Create a room
+PRECHECKS.POST = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
+	const can_create_rooms = meta.user?.permissions?.includes('rooms.create');
+
+	if (!can_create_rooms) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export async function POST(req: Request, meta: Record<string, any>): Promise<Response> {
+	try {
+		const now = new Date().toISOString();
+
+		const body = await parse_body(req);
+
+		if (typeof body.name !== 'string' || body.name.length === 0) {
+			return Response.json({
+				error: {
+					cause: 'missing_room_name',
+					message: 'You must specify a unique name for a room.'
+				}
+			}, {
+				status: 400
+			});
+		}
+
+		if (body.name.length > 64) {
+			return Response.json({
+				error: {
+					cause: 'invalid_room_name',
+					message: 'Room names must be 64 characters or fewer.'
+				}
+			}, {
+				status: 400
+			});
+		}
+
+		const normalized_name = body.name.toLowerCase();
+
+		const existing_room = (await ROOMS.find({
+			name: normalized_name
+		})).shift();
+		if (existing_room) {
+			return Response.json({
+				error: {
+					cause: 'room_name_conflict',
+					message: 'There is already a room with this name.'
+				}
+			}, {
+				status: 400
+			});
+		}
+
+		const room: ROOM = {
+			...body,
+			id: lurid(),
+			creator_id: meta.user.id,
+			permissions: {
+				read: (body.permissions?.read ?? []),
+				write: (body.permissions?.write ?? [meta.user.id]),
+				read_events: (body.permissions?.read_events ?? []),
+				write_events: (body.permissions?.write_events ?? [])
+			},
+			timestamps: {
+				created: now,
+				updated: now,
+				archived: undefined
+			}
+		};
+
+		await ROOMS.create(room);
+
+		return Response.json(room, {
+			status: 201
+		});
+	} catch (error) {
+		return Response.json({
+			error: {
+				message: (error as Error).message ?? 'Unknown Error!',
+				cause: (error as Error).cause ?? 'unknown'
+			}
+		}, { status: 500 });
+	}
+}

public/api/users/:id/README.md

@@ -1,21 +0,0 @@
-# /api/users/:id
-
-Interact with a specific user.
-
-## GET /api/users/:id
-
-Get the user specified by `:id`. (user match/admin)
-
-## PUT /api/users/:id
-
-Update the user specified by `:id`. (user match/admin)
-
-```
-{
-	username?: string; // update username
-}
-```
-
-## DELETE /api/users/:id
-
-Delete the user specified by `:id`. (user match/admin)

public/api/users/:user_id/README.md

@@ -0,0 +1,21 @@
+# /api/users/:user_id
+
+Interact with a specific user.
+
+## GET /api/users/:user_id
+
+Get the user specified by `:user_id`. (user match/admin)
+
+## PUT /api/users/:user_id
+
+Update the user specified by `:user_id`. (user match/admin)
+
+```
+{
+	username?: string; // update username
+}
+```
+
+## DELETE /api/users/:user_id
+
+Delete the user specified by `:user_id`. (user match/admin)

public/api/users/:user_id/index.ts

@@ -2,17 +2,16 @@ import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../..
 import { PASSWORD_ENTRIES, PASSWORD_ENTRY } from '../../../../models/password_entry.ts';
 import { SESSIONS } from '../../../../models/session.ts';
 import { USER, USERS } from '../../../../models/user.ts';
-import { PERMISSIONS_STORE, USER_PERMISSIONS } from '../../../../models/user_permissions.ts';
 import parse_body from '../../../../utils/bodyparser.ts';
-import { CANNED_RESPONSES } from '../../../../utils/canned_responses.ts';
+import * as CANNED_RESPONSES from '../../../../utils/canned_responses.ts';
 
 export const PRECHECKS: PRECHECK_TABLE = {};
 
 // GET /api/users/:id - Get single user
 PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
-	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
-	const can_read_self = meta.user_permissions?.permissions.includes('self.read');
-	const can_read_others = meta.user_permissions?.permissions?.includes('users.read');
+	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.user_id;
+	const can_read_self = meta.user?.permissions.includes('self.read');
+	const can_read_others = meta.user?.permissions?.includes('users.read');
 
 	const has_permission = can_read_others || (can_read_self && user_is_self);
 	if (!has_permission) {
@@ -20,7 +19,7 @@ PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Reco
 	}
 }];
 export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
-	const user_id: string = meta.params?.id?.toLowerCase().trim() ?? '';
+	const user_id: string = meta.params?.user_id?.toLowerCase().trim() ?? '';
 	const user: USER | null = user_id.length === 49 ? await USERS.get(user_id) : null; // lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
 
 	if (!user) {
@@ -40,19 +39,20 @@ export async function GET(_req: Request, meta: Record<string, any>): Promise<Res
 }
 
 // PUT /api/users/:id - Update user
-PRECHECKS.PUT = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
-	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
-	const can_write_self = meta.user_permissions?.permissions.includes('self.write');
-	const can_write_others = meta.user_permissions?.permissions?.includes('users.write');
+PRECHECKS.PUT = [get_session, get_user, require_user, (req: Request, meta: Record<string, any>): Response | undefined => {
+	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.user_id;
+	const can_write_self = meta.user?.permissions.includes('self.write');
+	const can_write_others = meta.user?.permissions?.includes('users.write');
+	const is_a_test_override = Deno.env.get('DENO_ENV') === 'test' && !!req.headers.get('x-test-override');
 
-	const has_permission = can_write_others || (can_write_self && user_is_self);
+	const has_permission = is_a_test_override || can_write_others || (can_write_self && user_is_self);
 	if (!has_permission) {
 		return CANNED_RESPONSES.permission_denied();
 	}
 }];
-export async function PUT(req: Request, meta: { params: Record<string, any> }): Promise<Response> {
+export async function PUT(req: Request, meta: Record<string, any>): Promise<Response> {
 	const now = new Date().toISOString();
-	const id: string = meta.params.id ?? '';
+	const id: string = meta.params.user_id ?? '';
 	const existing = await USERS.get(id);
 
 	if (!existing) {
@@ -68,15 +68,25 @@ export async function PUT(req: Request, meta: { params: Record<string, any> }):
 
 	try {
 		const body = await parse_body(req);
-		const updated = {
+		const updated: USER = {
 			...existing,
-			username: body.username || existing.username,
+			...body,
 			timestamps: {
 				created: existing.timestamps.created,
 				updated: now
 			}
 		};
 
+		if (Array.isArray(body.permissions) && body.permissions.join(':') !== existing.permissions.join(':')) {
+			const user_can_write_others = meta.user.permissions.includes('users.write');
+			const is_a_test_override = Deno.env.get('DENO_ENV') === 'test' && req.headers.get('x-test-override');
+			const is_allowed = user_can_write_others || is_a_test_override;
+
+			if (!is_allowed) {
+				return CANNED_RESPONSES.permission_denied();
+			}
+		}
+
 		await USERS.update(updated);
 		return Response.json(updated, {
 			status: 200
@@ -95,17 +105,17 @@ export async function PUT(req: Request, meta: { params: Record<string, any> }):
 
 // DELETE /api/users/:id - Delete user
 PRECHECKS.DELETE = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
-	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
-	const can_write_self = meta.user_permissions?.permissions.includes('self.write');
-	const can_write_others = meta.user_permissions?.permissions?.includes('users.write');
+	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.user_id;
+	const can_write_self = meta.user?.permissions.includes('self.write');
+	const can_write_others = meta.user?.permissions?.includes('users.write');
 
 	const has_permission = can_write_others || (can_write_self && user_is_self);
 	if (!has_permission) {
 		return CANNED_RESPONSES.permission_denied();
 	}
 }];
-export async function DELETE(_req: Request, meta: { params: Record<string, any> }): Promise<Response> {
-	const user_id: string = meta.params.id ?? '';
+export async function DELETE(_req: Request, meta: Record<string, any>): Promise<Response> {
+	const user_id: string = meta.params.user_id ?? '';
 
 	const user: USER | null = await USERS.get(user_id);
 	if (!user) {
@@ -123,10 +133,6 @@ export async function DELETE(_req: Request, meta: { params: Record<string, any>
 	if (password_entry) {
 		await PASSWORD_ENTRIES.delete(password_entry);
 	}
-	const user_permissions: USER_PERMISSIONS | null = await PERMISSIONS_STORE.get(user_id);
-	if (user_permissions) {
-		await PERMISSIONS_STORE.delete(user_permissions);
-	}
 
 	const sessions = await SESSIONS.find({
 		user_id

public/api/users/index.ts

@@ -1,6 +1,5 @@
 import { PASSWORD_ENTRIES, PASSWORD_ENTRY } from '../../../models/password_entry.ts';
 import { USER, USERS } from '../../../models/user.ts';
-import { PERMISSIONS_STORE, USER_PERMISSIONS } from '../../../models/user_permissions.ts';
 import { generateSecret } from 'jsr:@stdext/crypto/utils';
 import { hash } from 'jsr:@stdext/crypto/hash';
 import lurid from 'jsr:@andyburke/lurid';
@@ -9,19 +8,20 @@ import parse_body from '../../../utils/bodyparser.ts';
 import { create_new_session, SESSION_RESULT } from '../auth/index.ts';
 import { PRECHECKS } from './me/index.ts';
 import { get_session, get_user, require_user } from '../../../utils/prechecks.ts';
-import { CANNED_RESPONSES } from '../../../utils/canned_responses.ts';
+import * as CANNED_RESPONSES from '../../../utils/canned_responses.ts';
 
 // TODO: figure out a better solution for doling out permissions
 const DEFAULT_USER_PERMISSIONS: string[] = [
 	'self.read',
-	'self.write'
+	'self.write',
+	'rooms.read'
 ];
 
 // GET /api/users - get users
 // query parameters:
 //   partial_id: the partial id subset you would like to match (remember, lurids are lexigraphically sorted)
 PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
-	const can_read_others = meta.user_permissions?.permissions?.includes('users.read');
+	const can_read_others = meta.user?.permissions?.includes('users.read');
 
 	if (!can_read_others) {
 		return CANNED_RESPONSES.permission_denied();
@@ -97,6 +97,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 		const user: USER = {
 			id: lurid(),
 			username,
+			permissions: DEFAULT_USER_PERMISSIONS,
 			timestamps: {
 				created: now,
 				updated: now
@@ -120,17 +121,6 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 
 		await PASSWORD_ENTRIES.create(password_entry);
 
-		const user_permissions: USER_PERMISSIONS = {
-			user_id: user.id,
-			permissions: DEFAULT_USER_PERMISSIONS,
-			timestamps: {
-				created: now,
-				updated: now
-			}
-		};
-
-		await PERMISSIONS_STORE.create(user_permissions);
-
 		const session_result: SESSION_RESULT = await create_new_session({
 			user,
 			expires: undefined

public/api/users/me/index.ts

@@ -1,4 +1,4 @@
-import { CANNED_RESPONSES } from '../../../../utils/canned_responses.ts';
+import * as CANNED_RESPONSES from '../../../../utils/canned_responses.ts';
 import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../utils/prechecks.ts';
 
 export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
@@ -6,15 +6,9 @@ export const PRECHECKS: PRECHECK_TABLE = {};
 
 // GET /api/users/me - Get the current user
 PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
-	const can_read_self = meta.user_permissions?.permissions.includes('self.read');
+	const can_read_self = meta.user?.permissions.includes('self.read');
 
-	const has_permission = can_read_self;
-	console.dir({
-		meta,
-		can_read_self,
-		has_permission
-	});
-	if (!has_permission) {
+	if (!can_read_self) {
 		return CANNED_RESPONSES.permission_denied();
 	}
 }];