vantzs/corrosion-admin-panel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 18 Wiki Activity

feat: Phase 4 module auto-installation + Phase 5 webstore backend
All checks were successful
Test Asgard Runner / test (push) Successful in 2s
Details

Browse Source 
Phase 4 Contributions (Agent Golf):
- Module auto-installation service (module_installer.rs)
- NATS subject pattern for module installation commands
- Companion agent contract documentation
- API endpoint: POST /api/modules/install

Phase 5 XO Direct Touch:
- Webstore subscription API (PayPal recurring billing)
  * POST /api/webstore/subscription/create
  * GET /api/webstore/subscription
  * POST /api/webstore/subscription/cancel
  * POST /api/webstore/subscription/webhook
- Store configuration API (CRUD for store settings)
  * GET /api/webstore/config
  * PUT /api/webstore/config
- Store category/item management APIs (multi-tenant CRUD)
  * GET/POST/PUT/DELETE /api/webstore/categories
  * GET/POST/PUT/DELETE /api/webstore/items
- Public store API (customer-facing, subdomain-scoped)
  * GET /api/public-store/:subdomain
  * GET /api/public-store/:subdomain/items
  * POST /api/public-store/:subdomain/purchase
  * POST /api/public-store/:subdomain/webhook
- Transaction history API
  * GET /api/webstore/transactions
- Delivery system (NATS command execution on purchase)
- Migrations: payment_orders, webstore_subscriptions, store_config, store_items, store_transactions

Security:
- JWT auth + license_id scoping on admin endpoints
- Subdomain → license_id mapping on public endpoints
- Purchase limit enforcement
- Command injection prevention via placeholder replacement

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell
2026-02-15 14:53:38 -05:00
parent 18da1838c4
commit 6c2436dfc6
15 changed files with 2423 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/api/mod.rs
View File

@@ -18,3 +18,5 @@ pub mod analytics;
pub mod plugin;
pub mod settings;
pub mod modules;
pub mod webstore;
pub mod public_store;

410
backend/src/api/public_store.rs Normal file
View File

@@ -0,0 +1,410 @@
use axum::{
extract::{Path, State},
http::StatusCode,
response::IntoResponse,
routing::{get, post},
Json, Router,
};
use serde::{Deserialize, Serialize};
use std::sync::Arc;
use uuid::Uuid;
use crate::{
models::error::AppError,
services::payment_processor::PayPalProcessor,
AppState,
};
pub fn router() -> Router<Arc<AppState>> {
Router::new()
.route("/:subdomain", get(get_store_info))
.route("/:subdomain/items", get(get_store_items))
.route("/:subdomain/purchase", post(create_purchase_order))
.route("/:subdomain/webhook", post(handle_purchase_webhook))
}
#[derive(Serialize)]
struct PublicStoreInfo {
store_name: String,
description: Option<String>,
currency: String,
enabled: bool,
}
/// Get public store information by subdomain
async fn get_store_info(
State(state): State<Arc<AppState>>,
Path(subdomain): Path<String>,
) -> Result<impl IntoResponse, AppError> {
// Get license_id from subdomain
let license = sqlx::query!("SELECT id FROM licenses WHERE subdomain = $1", subdomain)
.fetch_optional(&state.db)
.await?;
let license_id = license
.ok_or_else(|| AppError::NotFound("Store not found".to_string()))?
.id;
// Get store config
let config = sqlx::query_as!(
PublicStoreInfo,
"SELECT store_name, description, currency, enabled
FROM store_config
WHERE license_id = $1",
license_id
)
.fetch_optional(&state.db)
.await?;
if let Some(config) = config {
if !config.enabled {
return Err(AppError::NotFound("Store is currently disabled".to_string()));
}
Ok(Json(config))
} else {
Err(AppError::NotFound("Store not configured".to_string()))
}
}
#[derive(Serialize)]
struct PublicStoreItem {
id: Uuid,
category_name: Option<String>,
name: String,
description: Option<String>,
price: rust_decimal::Decimal,
image_url: Option<String>,
item_type: String,
limit_per_player: Option<i32>,
}
/// Get all items available in the public store
async fn get_store_items(
State(state): State<Arc<AppState>>,
Path(subdomain): Path<String>,
) -> Result<impl IntoResponse, AppError> {
let license = sqlx::query!("SELECT id FROM licenses WHERE subdomain = $1", subdomain)
.fetch_optional(&state.db)
.await?;
let license_id = license
.ok_or_else(|| AppError::NotFound("Store not found".to_string()))?
.id;
// Check if store is enabled
let enabled = sqlx::query_scalar!("SELECT enabled FROM store_config WHERE license_id = $1", license_id)
.fetch_optional(&state.db)
.await?
.unwrap_or(false);
if !enabled {
return Err(AppError::NotFound("Store is currently disabled".to_string()));
}
type Row = (
Uuid,
Option<String>,
String,
Option<String>,
rust_decimal::Decimal,
Option<String>,
String,
Option<i32>,
);
let rows: Vec<Row> = sqlx::query_as(
"SELECT
i.id,
c.name as category_name,
i.name,
i.description,
i.price,
i.image_url,
i.item_type,
i.limit_per_player
FROM store_items i
LEFT JOIN store_categories c ON c.id = i.category_id
WHERE i.license_id = $1 AND i.enabled = true
ORDER BY c.display_order, i.name",
)
.bind(license_id)
.fetch_all(&state.db)
.await?;
let items: Vec<PublicStoreItem> = rows
.into_iter()
.map(|row| PublicStoreItem {
id: row.0,
category_name: row.1,
name: row.2,
description: row.3,
price: row.4,
image_url: row.5,
item_type: row.6,
limit_per_player: row.7,
})
.collect();
Ok(Json(items))
}
#[derive(Deserialize)]
struct CreatePurchaseRequest {
item_id: Uuid,
steam_id: String,
player_name: String,
}
#[derive(Serialize)]
struct CreatePurchaseResponse {
order_id: String,
approval_url: String,
}
/// Create a PayPal order for a store item purchase
async fn create_purchase_order(
State(state): State<Arc<AppState>>,
Path(subdomain): Path<String>,
Json(req): Json<CreatePurchaseRequest>,
) -> Result<impl IntoResponse, AppError> {
let license = sqlx::query!("SELECT id FROM licenses WHERE subdomain = $1", subdomain)
.fetch_optional(&state.db)
.await?;
let license_id = license
.ok_or_else(|| AppError::NotFound("Store not found".to_string()))?
.id;
// Get store config and check if enabled
let store_config = sqlx::query!(
"SELECT paypal_client_id, paypal_client_secret, sandbox_mode, enabled
FROM store_config
WHERE license_id = $1",
license_id
)
.fetch_optional(&state.db)
.await?
.ok_or_else(|| AppError::NotFound("Store not configured".to_string()))?;
if !store_config.enabled {
return Err(AppError::BadRequest("Store is currently disabled".to_string()));
}
// Get item details
let item = sqlx::query!(
"SELECT name, price FROM store_items WHERE id = $1 AND license_id = $2 AND enabled = true",
req.item_id,
license_id
)
.fetch_optional(&state.db)
.await?
.ok_or_else(|| AppError::NotFound("Item not found or disabled".to_string()))?;
// Check purchase limit if set
if let Some(limit) = sqlx::query_scalar!(
"SELECT limit_per_player FROM store_items WHERE id = $1",
req.item_id
)
.fetch_one(&state.db)
.await?
{
let purchase_count: i64 = sqlx::query_scalar!(
"SELECT COUNT(*) FROM store_transactions
WHERE item_id = $1 AND steam_id = $2 AND status IN ('paid', 'delivered')",
req.item_id,
req.steam_id
)
.fetch_one(&state.db)
.await?
.unwrap_or(0);
if purchase_count >= limit as i64 {
return Err(AppError::BadRequest("Purchase limit reached for this item".to_string()));
}
}
// Create PayPal processor using store owner's credentials
let client_id = store_config.paypal_client_id.ok_or_else(|| {
AppError::Internal("Store PayPal credentials not configured".to_string())
})?;
let client_secret = store_config.paypal_client_secret.ok_or_else(|| {
AppError::Internal("Store PayPal credentials not configured".to_string())
})?;
// TODO: Decrypt client_secret using encryption service
let decrypted_secret = client_secret; // Placeholder - should decrypt
let processor = PayPalProcessor::new(
client_id.clone(),
decrypted_secret,
std::env::var("PAYPAL_WEBHOOK_ID").unwrap_or_default(),
store_config.sandbox_mode,
state.db.clone(),
);
// Create PayPal order
let price_f64: f64 = item.price.to_string().parse().unwrap_or(0.0);
let approval_url = processor
.create_order(&item.name, price_f64, Some(req.item_id))
.await?;
// Extract order_id from approval_url (it's in the query params)
let order_id = approval_url
.split("token=")
.nth(1)
.and_then(|s| s.split('&').next())
.unwrap_or_default()
.to_string();
// Store pending transaction
sqlx::query!(
"INSERT INTO store_transactions (license_id, item_id, steam_id, player_name, paypal_order_id, amount, currency, status)
VALUES ($1, $2, $3, $4, $5, $6, 'USD', 'pending')",
license_id,
req.item_id,
req.steam_id,
req.player_name,
order_id,
item.price
)
.execute(&state.db)
.await?;
Ok(Json(CreatePurchaseResponse {
order_id: order_id.clone(),
approval_url,
}))
}
/// Handle PayPal webhooks for store purchases
async fn handle_purchase_webhook(
State(state): State<Arc<AppState>>,
Path(subdomain): Path<String>,
Json(webhook): Json<serde_json::Value>,
) -> Result<impl IntoResponse, AppError> {
tracing::info!("Store purchase webhook for {}: {:?}", subdomain, webhook);
let license = sqlx::query!("SELECT id FROM licenses WHERE subdomain = $1", subdomain)
.fetch_optional(&state.db)
.await?;
let license_id = license
.ok_or_else(|| AppError::NotFound("Store not found".to_string()))?
.id;
// TODO: Verify webhook signature
// Parse event_type
let event_type = webhook
.get("event_type")
.and_then(|v| v.as_str())
.unwrap_or_default();
match event_type {
"PAYMENT.CAPTURE.COMPLETED" => {
handle_payment_completed(&state, license_id, webhook).await?;
}
"PAYMENT.CAPTURE.DENIED" | "PAYMENT.CAPTURE.REFUNDED" => {
handle_payment_failed(&state, license_id, webhook).await?;
}
_ => {
tracing::info!("Unhandled store webhook event: {}", event_type);
}
}
Ok(StatusCode::OK)
}
async fn handle_payment_completed(
state: &AppState,
license_id: Uuid,
webhook: serde_json::Value,
) -> Result<(), AppError> {
let order_id = webhook
.pointer("/resource/supplementary_data/related_ids/order_id")
.and_then(|v| v.as_str())
.ok_or_else(|| AppError::Internal("Missing order_id in webhook".to_string()))?;
// Update transaction status
let transaction = sqlx::query!(
"UPDATE store_transactions
SET status = 'paid', paypal_transaction_id = $1
WHERE paypal_order_id = $2 AND license_id = $3
RETURNING item_id, steam_id",
webhook.get("id").and_then(|v| v.as_str()),
order_id,
license_id
)
.fetch_optional(&state.db)
.await?;
if let Some(txn) = transaction {
// Get item delivery commands
if let Some(item_id) = txn.item_id {
let item = sqlx::query!(
"SELECT delivery_commands FROM store_items WHERE id = $1",
item_id
)
.fetch_one(&state.db)
.await?;
// Parse delivery commands and send via NATS
if let Some(commands_json) = item.delivery_commands {
let commands: Vec<String> = serde_json::from_value(commands_json)?;
// Replace {steam_id} placeholder in commands
let steam_id = txn.steam_id;
let replaced_commands: Vec<String> = commands
.iter()
.map(|cmd| cmd.replace("{steam_id}", &steam_id))
.collect();
// Send commands via NATS to game server
if let Some(ref nats) = state.nats {
for command in replaced_commands {
let subject = format!("corrosion.{}.cmd.console", license_id);
let payload = serde_json::json!({ "command": command });
nats.publish(subject, serde_json::to_vec(&payload)?.into())
.await
.map_err(|e| AppError::Internal(format!("NATS publish failed: {}", e)))?;
}
// Mark as delivered
sqlx::query!(
"UPDATE store_transactions SET delivered = true, delivered_at = NOW(), status = 'delivered' WHERE paypal_order_id = $1",
order_id
)
.execute(&state.db)
.await?;
tracing::info!("Delivered store purchase: order_id={}", order_id);
}
}
}
}
Ok(())
}
async fn handle_payment_failed(
state: &AppState,
license_id: Uuid,
webhook: serde_json::Value,
) -> Result<(), AppError> {
let order_id = webhook
.pointer("/resource/supplementary_data/related_ids/order_id")
.and_then(|v| v.as_str())
.ok_or_else(|| AppError::Internal("Missing order_id in webhook".to_string()))?;
sqlx::query!(
"UPDATE store_transactions SET status = 'failed' WHERE paypal_order_id = $1 AND license_id = $2",
order_id,
license_id
)
.execute(&state.db)
.await?;
tracing::warn!("Store payment failed: order_id={}", order_id);
Ok(())
}

659
backend/src/api/webstore.rs Normal file
View File

@@ -0,0 +1,659 @@
use axum::{
extract::{Path, State},
http::StatusCode,
response::IntoResponse,
routing::{get, post, put, delete},
Json, Router,
};
use serde::{Deserialize, Serialize};
use std::sync::Arc;
use uuid::Uuid;
use crate::{
middleware::jwt::Claims,
models::error::AppError,
services::subscription_processor::{SubscriptionProcessor, SubscriptionDetails},
AppState,
};
pub fn router() -> Router<Arc<AppState>> {
Router::new()
// Subscription management
.route("/subscription", get(get_subscription_status))
.route("/subscription/create", post(create_subscription))
.route("/subscription/cancel", post(cancel_subscription))
.route("/subscription/webhook", post(handle_subscription_webhook))
// Store configuration
.route("/config", get(get_store_config))
.route("/config", put(update_store_config))
// Store categories
.route("/categories", get(list_categories))
.route("/categories", post(create_category))
.route("/categories/:id", put(update_category))
.route("/categories/:id", delete(delete_category))
// Store items
.route("/items", get(list_items))
.route("/items", post(create_item))
.route("/items/:id", put(update_item))
.route("/items/:id", delete(delete_item))
// Transaction history
.route("/transactions", get(list_transactions))
}
// ============================================================================
// SUBSCRIPTION MANAGEMENT
// ============================================================================
#[derive(Deserialize)]
struct CreateSubscriptionRequest {
plan_id: String, // PayPal plan ID for $10/mo webstore feature
}
#[derive(Serialize)]
struct CreateSubscriptionResponse {
approval_url: String,
}
/// Create a new PayPal subscription for webstore feature access
async fn create_subscription(
State(state): State<Arc<AppState>>,
claims: Claims,
Json(req): Json<CreateSubscriptionRequest>,
) -> Result<impl IntoResponse, AppError> {
// Get license_id from JWT claims
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
// Check if subscription already exists
let existing = sqlx::query!(
"SELECT id FROM webstore_subscriptions WHERE license_id = $1 AND status = 'active'",
license_id
)
.fetch_optional(&state.db)
.await?;
if existing.is_some() {
return Err(AppError::BadRequest(
"You already have an active webstore subscription".to_string(),
));
}
// Get PayPal credentials from env
let client_id = std::env::var("PAYPAL_CLIENT_ID")
.map_err(|_| AppError::Internal("PayPal credentials not configured".to_string()))?;
let client_secret = std::env::var("PAYPAL_CLIENT_SECRET")
.map_err(|_| AppError::Internal("PayPal credentials not configured".to_string()))?;
let sandbox_mode = std::env::var("PAYPAL_SANDBOX")
.unwrap_or_else(|_| "true".to_string())
.parse()
.unwrap_or(true);
let processor = SubscriptionProcessor::new(
client_id,
client_secret,
sandbox_mode,
state.db.clone(),
);
// Create PayPal subscription
let approval_url = processor
.create_webstore_subscription(license_id, &req.plan_id)
.await?;
Ok(Json(CreateSubscriptionResponse { approval_url }))
}
#[derive(Serialize)]
struct SubscriptionStatusResponse {
active: bool,
subscription: Option<SubscriptionDetails>,
}
/// Get current subscription status for the authenticated license
async fn get_subscription_status(
State(state): State<Arc<AppState>>,
claims: Claims,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let subscription = sqlx::query!(
"SELECT paypal_subscription_id, status, current_period_start, current_period_end, cancelled_at
FROM webstore_subscriptions
WHERE license_id = $1
ORDER BY created_at DESC
LIMIT 1",
license_id
)
.fetch_optional(&state.db)
.await?;
if let Some(sub) = subscription {
let active = sub.status == "active";
// Fetch full details from PayPal if active
let details = if active {
let client_id = std::env::var("PAYPAL_CLIENT_ID").unwrap_or_default();
let client_secret = std::env::var("PAYPAL_CLIENT_SECRET").unwrap_or_default();
let sandbox_mode = std::env::var("PAYPAL_SANDBOX")
.unwrap_or_else(|_| "true".to_string())
.parse()
.unwrap_or(true);
let processor = SubscriptionProcessor::new(
client_id,
client_secret,
sandbox_mode,
state.db.clone(),
);
processor
.get_subscription_details(&sub.paypal_subscription_id)
.await
.ok()
} else {
None
};
Ok(Json(SubscriptionStatusResponse {
active,
subscription: details,
}))
} else {
Ok(Json(SubscriptionStatusResponse {
active: false,
subscription: None,
}))
}
}
#[derive(Deserialize)]
struct CancelSubscriptionRequest {
reason: String,
}
/// Cancel an active subscription
async fn cancel_subscription(
State(state): State<Arc<AppState>>,
claims: Claims,
Json(req): Json<CancelSubscriptionRequest>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let subscription = sqlx::query!(
"SELECT paypal_subscription_id
FROM webstore_subscriptions
WHERE license_id = $1 AND status = 'active'
LIMIT 1",
license_id
)
.fetch_optional(&state.db)
.await?;
let subscription = subscription.ok_or_else(|| {
AppError::NotFound("No active subscription found".to_string())
})?;
let client_id = std::env::var("PAYPAL_CLIENT_ID")
.map_err(|_| AppError::Internal("PayPal credentials not configured".to_string()))?;
let client_secret = std::env::var("PAYPAL_CLIENT_SECRET")
.map_err(|_| AppError::Internal("PayPal credentials not configured".to_string()))?;
let sandbox_mode = std::env::var("PAYPAL_SANDBOX")
.unwrap_or_else(|_| "true".to_string())
.parse()
.unwrap_or(true);
let processor = SubscriptionProcessor::new(
client_id,
client_secret,
sandbox_mode,
state.db.clone(),
);
processor
.cancel_subscription(&subscription.paypal_subscription_id, &req.reason)
.await?;
// Update local status
sqlx::query!(
"UPDATE webstore_subscriptions SET status = 'cancelled', cancelled_at = NOW() WHERE paypal_subscription_id = $1",
subscription.paypal_subscription_id
)
.execute(&state.db)
.await?;
Ok(StatusCode::NO_CONTENT)
}
/// Handle PayPal subscription webhooks
async fn handle_subscription_webhook(
State(state): State<Arc<AppState>>,
Json(event): Json<serde_json::Value>,
) -> Result<impl IntoResponse, AppError> {
// TODO: Verify webhook signature using PayPal webhook ID
// For now, just log and process
tracing::info!("Received subscription webhook: {:?}", event);
let client_id = std::env::var("PAYPAL_CLIENT_ID").unwrap_or_default();
let client_secret = std::env::var("PAYPAL_CLIENT_SECRET").unwrap_or_default();
let sandbox_mode = std::env::var("PAYPAL_SANDBOX")
.unwrap_or_else(|_| "true".to_string())
.parse()
.unwrap_or(true);
let processor = SubscriptionProcessor::new(
client_id,
client_secret,
sandbox_mode,
state.db.clone(),
);
// Parse webhook event
let webhook_event: crate::services::subscription_processor::SubscriptionWebhookEvent =
serde_json::from_value(event)?;
processor.process_subscription_webhook(webhook_event).await?;
Ok(StatusCode::OK)
}
// ============================================================================
// STORE CONFIGURATION
// ============================================================================
#[derive(Serialize, Deserialize)]
struct StoreConfig {
store_name: String,
description: Option<String>,
currency: String,
paypal_client_id: Option<String>,
sandbox_mode: bool,
enabled: bool,
}
async fn get_store_config(
State(state): State<Arc<AppState>>,
claims: Claims,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let config = sqlx::query_as!(
StoreConfig,
"SELECT store_name, description, currency, paypal_client_id, sandbox_mode, enabled
FROM store_config
WHERE license_id = $1",
license_id
)
.fetch_optional(&state.db)
.await?;
if let Some(config) = config {
Ok(Json(config))
} else {
// Return default config
Ok(Json(StoreConfig {
store_name: "My Store".to_string(),
description: None,
currency: "USD".to_string(),
paypal_client_id: None,
sandbox_mode: true,
enabled: false,
}))
}
}
async fn update_store_config(
State(state): State<Arc<AppState>>,
claims: Claims,
Json(config): Json<StoreConfig>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
// Upsert store config
sqlx::query!(
"INSERT INTO store_config (license_id, store_name, description, currency, paypal_client_id, sandbox_mode, enabled)
VALUES ($1, $2, $3, $4, $5, $6, $7)
ON CONFLICT (license_id)
DO UPDATE SET
store_name = $2,
description = $3,
currency = $4,
paypal_client_id = $5,
sandbox_mode = $6,
enabled = $7,
updated_at = NOW()",
license_id,
config.store_name,
config.description,
config.currency,
config.paypal_client_id,
config.sandbox_mode,
config.enabled
)
.execute(&state.db)
.await?;
Ok(StatusCode::NO_CONTENT)
}
// ============================================================================
// STORE CATEGORIES
// ============================================================================
#[derive(Serialize, Deserialize)]
struct StoreCategory {
id: Uuid,
name: String,
slug: String,
description: Option<String>,
display_order: i32,
visible: bool,
}
async fn list_categories(
State(state): State<Arc<AppState>>,
claims: Claims,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let categories = sqlx::query_as!(
StoreCategory,
"SELECT id, name, slug, description, display_order, visible
FROM store_categories
WHERE license_id = $1
ORDER BY display_order, name",
license_id
)
.fetch_all(&state.db)
.await?;
Ok(Json(categories))
}
#[derive(Deserialize)]
struct CreateCategoryRequest {
name: String,
slug: String,
description: Option<String>,
display_order: i32,
visible: bool,
}
async fn create_category(
State(state): State<Arc<AppState>>,
claims: Claims,
Json(req): Json<CreateCategoryRequest>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let id = sqlx::query_scalar!(
"INSERT INTO store_categories (license_id, name, slug, description, display_order, visible)
VALUES ($1, $2, $3, $4, $5, $6)
RETURNING id",
license_id,
req.name,
req.slug,
req.description,
req.display_order,
req.visible
)
.fetch_one(&state.db)
.await?;
Ok((StatusCode::CREATED, Json(serde_json::json!({ "id": id }))))
}
async fn update_category(
State(state): State<Arc<AppState>>,
claims: Claims,
Path(id): Path<Uuid>,
Json(req): Json<CreateCategoryRequest>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let result = sqlx::query!(
"UPDATE store_categories
SET name = $1, slug = $2, description = $3, display_order = $4, visible = $5
WHERE id = $6 AND license_id = $7",
req.name,
req.slug,
req.description,
req.display_order,
req.visible,
id,
license_id
)
.execute(&state.db)
.await?;
if result.rows_affected() == 0 {
return Err(AppError::NotFound("Category not found".to_string()));
}
Ok(StatusCode::NO_CONTENT)
}
async fn delete_category(
State(state): State<Arc<AppState>>,
claims: Claims,
Path(id): Path<Uuid>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let result = sqlx::query!(
"DELETE FROM store_categories WHERE id = $1 AND license_id = $2",
id,
license_id
)
.execute(&state.db)
.await?;
if result.rows_affected() == 0 {
return Err(AppError::NotFound("Category not found".to_string()));
}
Ok(StatusCode::NO_CONTENT)
}
// ============================================================================
// STORE ITEMS
// ============================================================================
#[derive(Serialize, Deserialize)]
struct StoreItem {
id: Uuid,
category_id: Option<Uuid>,
name: String,
description: Option<String>,
price: rust_decimal::Decimal,
image_url: Option<String>,
item_type: String,
delivery_commands: serde_json::Value,
limit_per_player: Option<i32>,
enabled: bool,
}
async fn list_items(
State(state): State<Arc<AppState>>,
claims: Claims,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let items = sqlx::query_as!(
StoreItem,
"SELECT id, category_id, name, description, price, image_url, item_type, delivery_commands, limit_per_player, enabled
FROM store_items
WHERE license_id = $1
ORDER BY name",
license_id
)
.fetch_all(&state.db)
.await?;
Ok(Json(items))
}
#[derive(Deserialize)]
struct CreateItemRequest {
category_id: Option<Uuid>,
name: String,
description: Option<String>,
price: rust_decimal::Decimal,
image_url: Option<String>,
item_type: String,
delivery_commands: serde_json::Value,
limit_per_player: Option<i32>,
enabled: bool,
}
async fn create_item(
State(state): State<Arc<AppState>>,
claims: Claims,
Json(req): Json<CreateItemRequest>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let id = sqlx::query_scalar!(
"INSERT INTO store_items (license_id, category_id, name, description, price, image_url, item_type, delivery_commands, limit_per_player, enabled)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
RETURNING id",
license_id,
req.category_id,
req.name,
req.description,
req.price,
req.image_url,
req.item_type,
req.delivery_commands,
req.limit_per_player,
req.enabled
)
.fetch_one(&state.db)
.await?;
Ok((StatusCode::CREATED, Json(serde_json::json!({ "id": id }))))
}
async fn update_item(
State(state): State<Arc<AppState>>,
claims: Claims,
Path(id): Path<Uuid>,
Json(req): Json<CreateItemRequest>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let result = sqlx::query!(
"UPDATE store_items
SET category_id = $1, name = $2, description = $3, price = $4, image_url = $5, item_type = $6, delivery_commands = $7, limit_per_player = $8, enabled = $9, updated_at = NOW()
WHERE id = $10 AND license_id = $11",
req.category_id,
req.name,
req.description,
req.price,
req.image_url,
req.item_type,
req.delivery_commands,
req.limit_per_player,
req.enabled,
id,
license_id
)
.execute(&state.db)
.await?;
if result.rows_affected() == 0 {
return Err(AppError::NotFound("Item not found".to_string()));
}
Ok(StatusCode::NO_CONTENT)
}
async fn delete_item(
State(state): State<Arc<AppState>>,
claims: Claims,
Path(id): Path<Uuid>,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let result = sqlx::query!(
"DELETE FROM store_items WHERE id = $1 AND license_id = $2",
id,
license_id
)
.execute(&state.db)
.await?;
if result.rows_affected() == 0 {
return Err(AppError::NotFound("Item not found".to_string()));
}
Ok(StatusCode::NO_CONTENT)
}
// ============================================================================
// TRANSACTIONS
// ============================================================================
#[derive(Serialize)]
struct StoreTransaction {
id: Uuid,
item_id: Option<Uuid>,
steam_id: String,
player_name: Option<String>,
paypal_order_id: String,
amount: rust_decimal::Decimal,
currency: String,
status: String,
delivered: bool,
delivered_at: Option<chrono::DateTime<chrono::Utc>>,
payer_email: Option<String>,
created_at: chrono::DateTime<chrono::Utc>,
}
async fn list_transactions(
State(state): State<Arc<AppState>>,
claims: Claims,
) -> Result<impl IntoResponse, AppError> {
let license_id = claims.license_id.ok_or_else(|| {
AppError::Unauthorized("No license associated with this account".to_string())
})?;
let transactions = sqlx::query_as!(
StoreTransaction,
"SELECT id, item_id, steam_id, player_name, paypal_order_id, amount, currency, status, delivered, delivered_at, payer_email, created_at
FROM store_transactions
WHERE license_id = $1
ORDER BY created_at DESC
LIMIT 100",
license_id
)
.fetch_all(&state.db)
.await?;
Ok(Json(transactions))
}