import path from 'path'; import fs from 'fs'; import { db, canAccessTrip } from '../db/database'; import { CollabNote, CollabPoll, CollabMessage, TripFile } from '../types'; import { checkSsrf, createPinnedAgent } from '../utils/ssrfGuard'; /* ------------------------------------------------------------------ */ /* Internal row types */ /* ------------------------------------------------------------------ */ export interface ReactionRow { emoji: string; user_id: number; username: string; message_id?: number; } export interface PollVoteRow { option_index: number; user_id: number; username: string; avatar: string | null; } export interface NoteFileRow { id: number; filename: string; original_name?: string; file_size?: number; mime_type?: string; } export interface GroupedReaction { emoji: string; users: { user_id: number; username: string }[]; count: number; } export interface LinkPreviewResult { title: string | null; description: string | null; image: string | null; site_name?: string | null; url: string; } /* ------------------------------------------------------------------ */ /* Helpers */ /* ------------------------------------------------------------------ */ export function avatarUrl(user: { avatar?: string | null }): string | null { return user.avatar ? `/uploads/avatars/${user.avatar}` : null; } export function verifyTripAccess(tripId: string | number, userId: number) { return canAccessTrip(tripId, userId); } /* ------------------------------------------------------------------ */ /* Reactions */ /* ------------------------------------------------------------------ */ export function loadReactions(messageId: number | string): ReactionRow[] { return db.prepare(` SELECT r.emoji, r.user_id, u.username FROM collab_message_reactions r JOIN users u ON r.user_id = u.id WHERE r.message_id = ? `).all(messageId) as ReactionRow[]; } export function groupReactions(reactions: ReactionRow[]): GroupedReaction[] { const map: Record = {}; for (const r of reactions) { if (!map[r.emoji]) map[r.emoji] = []; map[r.emoji].push({ user_id: r.user_id, username: r.username }); } return Object.entries(map).map(([emoji, users]) => ({ emoji, users, count: users.length })); } export function addOrRemoveReaction(messageId: number | string, tripId: number | string, userId: number, emoji: string): { found: boolean; reactions: GroupedReaction[] } { const msg = db.prepare('SELECT id FROM collab_messages WHERE id = ? AND trip_id = ?').get(messageId, tripId); if (!msg) return { found: false, reactions: [] }; const existing = db.prepare('SELECT id FROM collab_message_reactions WHERE message_id = ? AND user_id = ? AND emoji = ?').get(messageId, userId, emoji) as { id: number } | undefined; if (existing) { db.prepare('DELETE FROM collab_message_reactions WHERE id = ?').run(existing.id); } else { db.prepare('INSERT INTO collab_message_reactions (message_id, user_id, emoji) VALUES (?, ?, ?)').run(messageId, userId, emoji); } return { found: true, reactions: groupReactions(loadReactions(messageId)) }; } /* ------------------------------------------------------------------ */ /* Notes */ /* ------------------------------------------------------------------ */ export function formatNote(note: CollabNote) { const attachments = db.prepare('SELECT id, filename, original_name, file_size, mime_type FROM trip_files WHERE note_id = ?').all(note.id) as NoteFileRow[]; return { ...note, avatar_url: avatarUrl(note), attachments: attachments.map(a => ({ ...a, url: `/api/trips/${note.trip_id}/files/${a.id}/download` })), }; } export function listNotes(tripId: string | number) { const notes = db.prepare(` SELECT n.*, u.username, u.avatar FROM collab_notes n JOIN users u ON n.user_id = u.id WHERE n.trip_id = ? ORDER BY n.pinned DESC, n.updated_at DESC `).all(tripId) as CollabNote[]; return notes.map(formatNote); } export function createNote(tripId: string | number, userId: number, data: { title: string; content?: string; category?: string; color?: string; website?: string }) { const result = db.prepare(` INSERT INTO collab_notes (trip_id, user_id, title, content, category, color, website) VALUES (?, ?, ?, ?, ?, ?, ?) `).run(tripId, userId, data.title, data.content || null, data.category || 'General', data.color || '#6366f1', data.website || null); const note = db.prepare(` SELECT n.*, u.username, u.avatar FROM collab_notes n JOIN users u ON n.user_id = u.id WHERE n.id = ? `).get(result.lastInsertRowid) as CollabNote; return formatNote(note); } export function updateNote(tripId: string | number, noteId: string | number, data: { title?: string; content?: string; category?: string; color?: string; pinned?: number | boolean; website?: string }): ReturnType | null { const existing = db.prepare('SELECT * FROM collab_notes WHERE id = ? AND trip_id = ?').get(noteId, tripId); if (!existing) return null; db.prepare(` UPDATE collab_notes SET title = COALESCE(?, title), content = CASE WHEN ? THEN ? ELSE content END, category = COALESCE(?, category), color = COALESCE(?, color), pinned = CASE WHEN ? IS NOT NULL THEN ? ELSE pinned END, website = CASE WHEN ? THEN ? ELSE website END, updated_at = CURRENT_TIMESTAMP WHERE id = ? `).run( data.title || null, data.content !== undefined ? 1 : 0, data.content !== undefined ? data.content : null, data.category || null, data.color || null, data.pinned !== undefined ? 1 : null, data.pinned ? 1 : 0, data.website !== undefined ? 1 : 0, data.website !== undefined ? data.website : null, noteId ); const note = db.prepare(` SELECT n.*, u.username, u.avatar FROM collab_notes n JOIN users u ON n.user_id = u.id WHERE n.id = ? `).get(noteId) as CollabNote; return formatNote(note); } export function deleteNote(tripId: string | number, noteId: string | number): boolean { const existing = db.prepare('SELECT id FROM collab_notes WHERE id = ? AND trip_id = ?').get(noteId, tripId); if (!existing) return false; // Clean up attached files from disk const noteFiles = db.prepare('SELECT id, filename FROM trip_files WHERE note_id = ?').all(noteId) as NoteFileRow[]; for (const f of noteFiles) { const filePath = path.join(__dirname, '../../uploads', f.filename); try { fs.unlinkSync(filePath); } catch { /* ignore */ } } db.prepare('DELETE FROM trip_files WHERE note_id = ?').run(noteId); db.prepare('DELETE FROM collab_notes WHERE id = ?').run(noteId); return true; } /* ------------------------------------------------------------------ */ /* Note files */ /* ------------------------------------------------------------------ */ export function addNoteFile(tripId: string | number, noteId: string | number, file: { filename: string; originalname: string; size: number; mimetype: string }): { file: TripFile & { url: string } } | null { const note = db.prepare('SELECT id FROM collab_notes WHERE id = ? AND trip_id = ?').get(noteId, tripId); if (!note) return null; const result = db.prepare( 'INSERT INTO trip_files (trip_id, note_id, filename, original_name, file_size, mime_type) VALUES (?, ?, ?, ?, ?, ?)' ).run(tripId, noteId, `files/${file.filename}`, file.originalname, file.size, file.mimetype); const saved = db.prepare('SELECT * FROM trip_files WHERE id = ?').get(result.lastInsertRowid) as TripFile; return { file: { ...saved, url: `/api/trips/${tripId}/files/${saved.id}/download` } }; } export function getFormattedNoteById(noteId: string | number) { const note = db.prepare('SELECT n.*, u.username, u.avatar FROM collab_notes n JOIN users u ON n.user_id = u.id WHERE n.id = ?').get(noteId) as CollabNote; return formatNote(note); } export function deleteNoteFile(noteId: string | number, fileId: string | number): boolean { const file = db.prepare('SELECT * FROM trip_files WHERE id = ? AND note_id = ?').get(fileId, noteId) as TripFile | undefined; if (!file) return false; const filePath = path.join(__dirname, '../../uploads', file.filename); try { fs.unlinkSync(filePath); } catch { /* ignore */ } db.prepare('DELETE FROM trip_files WHERE id = ?').run(fileId); return true; } /* ------------------------------------------------------------------ */ /* Polls */ /* ------------------------------------------------------------------ */ export function getPollWithVotes(pollId: number | bigint | string) { const poll = db.prepare(` SELECT p.*, u.username, u.avatar FROM collab_polls p JOIN users u ON p.user_id = u.id WHERE p.id = ? `).get(pollId) as CollabPoll | undefined; if (!poll) return null; const options: (string | { label: string })[] = JSON.parse(poll.options); const votes = db.prepare(` SELECT v.option_index, v.user_id, u.username, u.avatar FROM collab_poll_votes v JOIN users u ON v.user_id = u.id WHERE v.poll_id = ? `).all(pollId) as PollVoteRow[]; const formattedOptions = options.map((label: string | { label: string }, idx: number) => ({ label: typeof label === 'string' ? label : label.label || label, voters: votes .filter(v => v.option_index === idx) .map(v => ({ id: v.user_id, user_id: v.user_id, username: v.username, avatar: v.avatar, avatar_url: avatarUrl(v) })), })); return { ...poll, avatar_url: avatarUrl(poll), options: formattedOptions, is_closed: !!poll.closed, multiple_choice: !!poll.multiple, }; } export function listPolls(tripId: string | number) { const rows = db.prepare(` SELECT id FROM collab_polls WHERE trip_id = ? ORDER BY created_at DESC `).all(tripId) as { id: number }[]; return rows.map(row => getPollWithVotes(row.id)).filter(Boolean); } export function createPoll(tripId: string | number, userId: number, data: { question: string; options: unknown[]; multiple?: boolean; multiple_choice?: boolean; deadline?: string }) { const isMultiple = data.multiple || data.multiple_choice; const result = db.prepare(` INSERT INTO collab_polls (trip_id, user_id, question, options, multiple, deadline) VALUES (?, ?, ?, ?, ?, ?) `).run(tripId, userId, data.question, JSON.stringify(data.options), isMultiple ? 1 : 0, data.deadline || null); return getPollWithVotes(result.lastInsertRowid); } export function votePoll(tripId: string | number, pollId: string | number, userId: number, optionIndex: number): { error?: string; poll?: ReturnType } { const poll = db.prepare('SELECT * FROM collab_polls WHERE id = ? AND trip_id = ?').get(pollId, tripId) as CollabPoll | undefined; if (!poll) return { error: 'not_found' }; if (poll.closed) return { error: 'closed' }; const options = JSON.parse(poll.options); if (optionIndex < 0 || optionIndex >= options.length) { return { error: 'invalid_index' }; } const existingVote = db.prepare( 'SELECT id FROM collab_poll_votes WHERE poll_id = ? AND user_id = ? AND option_index = ?' ).get(pollId, userId, optionIndex) as { id: number } | undefined; if (existingVote) { db.prepare('DELETE FROM collab_poll_votes WHERE id = ?').run(existingVote.id); } else { if (!poll.multiple) { db.prepare('DELETE FROM collab_poll_votes WHERE poll_id = ? AND user_id = ?').run(pollId, userId); } db.prepare('INSERT INTO collab_poll_votes (poll_id, user_id, option_index) VALUES (?, ?, ?)').run(pollId, userId, optionIndex); } return { poll: getPollWithVotes(pollId) }; } export function closePoll(tripId: string | number, pollId: string | number): ReturnType | null { const poll = db.prepare('SELECT * FROM collab_polls WHERE id = ? AND trip_id = ?').get(pollId, tripId); if (!poll) return null; db.prepare('UPDATE collab_polls SET closed = 1 WHERE id = ?').run(pollId); return getPollWithVotes(pollId); } export function deletePoll(tripId: string | number, pollId: string | number): boolean { const poll = db.prepare('SELECT id FROM collab_polls WHERE id = ? AND trip_id = ?').get(pollId, tripId); if (!poll) return false; db.prepare('DELETE FROM collab_polls WHERE id = ?').run(pollId); return true; } /* ------------------------------------------------------------------ */ /* Messages */ /* ------------------------------------------------------------------ */ export function formatMessage(msg: CollabMessage, reactions?: GroupedReaction[]) { return { ...msg, user_avatar: avatarUrl(msg), avatar_url: avatarUrl(msg), reactions: reactions || [] }; } export function listMessages(tripId: string | number, before?: string | number) { const query = ` SELECT m.*, u.username, u.avatar, rm.text AS reply_text, ru.username AS reply_username FROM collab_messages m JOIN users u ON m.user_id = u.id LEFT JOIN collab_messages rm ON m.reply_to = rm.id LEFT JOIN users ru ON rm.user_id = ru.id WHERE m.trip_id = ?${before ? ' AND m.id < ?' : ''} ORDER BY m.id DESC LIMIT 100 `; const messages = before ? db.prepare(query).all(tripId, before) as CollabMessage[] : db.prepare(query).all(tripId) as CollabMessage[]; messages.reverse(); const msgIds = messages.map(m => m.id); const reactionsByMsg: Record = {}; if (msgIds.length > 0) { const allReactions = db.prepare(` SELECT r.message_id, r.emoji, r.user_id, u.username FROM collab_message_reactions r JOIN users u ON r.user_id = u.id WHERE r.message_id IN (${msgIds.map(() => '?').join(',')}) `).all(...msgIds) as (ReactionRow & { message_id: number })[]; for (const r of allReactions) { if (!reactionsByMsg[r.message_id]) reactionsByMsg[r.message_id] = []; reactionsByMsg[r.message_id].push(r); } } return messages.map(m => formatMessage(m, groupReactions(reactionsByMsg[m.id] || []))); } export function createMessage(tripId: string | number, userId: number, text: string, replyTo?: number | null): { error?: string; message?: ReturnType } { if (replyTo) { const replyMsg = db.prepare('SELECT id FROM collab_messages WHERE id = ? AND trip_id = ?').get(replyTo, tripId); if (!replyMsg) return { error: 'reply_not_found' }; } const result = db.prepare(` INSERT INTO collab_messages (trip_id, user_id, text, reply_to) VALUES (?, ?, ?, ?) `).run(tripId, userId, text.trim(), replyTo || null); const message = db.prepare(` SELECT m.*, u.username, u.avatar, rm.text AS reply_text, ru.username AS reply_username FROM collab_messages m JOIN users u ON m.user_id = u.id LEFT JOIN collab_messages rm ON m.reply_to = rm.id LEFT JOIN users ru ON rm.user_id = ru.id WHERE m.id = ? `).get(result.lastInsertRowid) as CollabMessage; return { message: formatMessage(message) }; } export function deleteMessage(tripId: string | number, messageId: string | number, userId: number): { error?: string; username?: string } { const message = db.prepare('SELECT * FROM collab_messages WHERE id = ? AND trip_id = ?').get(messageId, tripId) as CollabMessage | undefined; if (!message) return { error: 'not_found' }; if (Number(message.user_id) !== Number(userId)) return { error: 'not_owner' }; db.prepare('UPDATE collab_messages SET deleted = 1 WHERE id = ?').run(messageId); return { username: message.username }; } /* ------------------------------------------------------------------ */ /* Link preview */ /* ------------------------------------------------------------------ */ export async function fetchLinkPreview(url: string): Promise { const fallback: LinkPreviewResult = { title: null, description: null, image: null, url }; const parsed = new URL(url); const ssrf = await checkSsrf(url, true); if (!ssrf.allowed) { return { ...fallback, error: ssrf.error } as LinkPreviewResult & { error?: string }; } try { const nodeFetch = require('node-fetch'); const controller = new AbortController(); const timeout = setTimeout(() => controller.abort(), 5000); try { const r: { ok: boolean; text: () => Promise } = await nodeFetch(url, { redirect: 'error', signal: controller.signal, agent: createPinnedAgent(ssrf.resolvedIp!, parsed.protocol), headers: { 'User-Agent': 'Mozilla/5.0 (compatible; NOMAD/1.0; +https://github.com/mauriceboe/NOMAD)' }, }); clearTimeout(timeout); if (!r.ok) throw new Error('Fetch failed'); const html = await r.text(); const get = (prop: string) => { const m = html.match(new RegExp(`]*property=["']og:${prop}["'][^>]*content=["']([^"']*)["']`, 'i')) || html.match(new RegExp(`]*content=["']([^"']*)["'][^>]*property=["']og:${prop}["']`, 'i')); return m ? m[1] : null; }; const titleTag = html.match(/]*>([^<]*)<\/title>/i); const descMeta = html.match(/]*name=["']description["'][^>]*content=["']([^"']*)["']/i) || html.match(/]*content=["']([^"']*)["'][^>]*name=["']description["']/i); return { title: get('title') || (titleTag ? titleTag[1].trim() : null), description: get('description') || (descMeta ? descMeta[1].trim() : null), image: get('image') || null, site_name: get('site_name') || null, url, }; } catch { clearTimeout(timeout); return fallback; } } catch { return fallback; } }