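import { Router } from 'express';
import type { NextFunction, Request, Response } from 'express';
import vehicleController from '../controllers/vehicle.controller';
import { authenticate } from '../middleware/auth.middleware';

// ---------------------------------------------------------------------------
// RBAC guard — requirePermission('vehicles:write')
// ---------------------------------------------------------------------------
// Tier 1 will deliver a full RBAC middleware. Until then, this inline guard
// enforces that only admin/kommandant/gruppenfuehrer roles can mutate vehicle
// data. The role is expected on req.user once Tier 1 is complete.
// For now it uses a conservative allowlist that can be updated via Tier 1 RBAC.
// ---------------------------------------------------------------------------

/** Roles that are allowed to write vehicle data (exact, case-sensitive match). */
const WRITE_ROLES: ReadonlySet<string> = new Set(['admin', 'kommandant', 'gruppenfuehrer']);

/**
 * Reads the `role` claim from whatever `authenticate()` attached to `req.user`.
 *
 * The payload shape is not typed in this file, so it is treated as `unknown`
 * and narrowed at runtime instead of being cast with `as any`: a missing user,
 * a non-object payload or a non-string `role` all yield `undefined`, which the
 * guard below rejects.
 *
 * @param req - the incoming request, after `authenticate` has run
 * @returns the role string, or `undefined` when no usable role is present
 */
const readRole = (req: Request): string | undefined => {
  const user: unknown = req.user;
  if (typeof user !== 'object' || user === null) {
    return undefined;
  }
  const { role } = user as { role?: unknown };
  return typeof role === 'string' ? role : undefined;
};

/**
 * requirePermission guard — temporary inline implementation.
 * Replace with the Tier 1 RBAC middleware when available:
 *   import { requirePermission } from '../middleware/rbac.middleware';
 *
 * Must be mounted AFTER `authenticate`, which is what populates `req.user`;
 * mounted on its own it rejects every request, because no role can be read.
 *
 * Responds 403 with a JSON body when the role is absent, not a string, or not
 * in WRITE_ROLES; otherwise hands control to the next handler.
 */
const requireVehicleWrite = (req: Request, res: Response, next: NextFunction): void => {
  // Once Tier 1 RBAC is merged, replace the body with:
  //   return requirePermission('vehicles:write')(req, res, next);
  //
  // Temporary implementation: check the role field on the JWT payload.
  // The role is stored in req.user once authenticate() has run (Tier 1 adds it).
  const role = readRole(req);
  if (role === undefined || !WRITE_ROLES.has(role)) {
    res.status(403).json({
      success: false,
      message: 'Keine Berechtigung für diese Aktion (vehicles:write erforderlich)',
    });
    return;
  }
  next();
};

// ---------------------------------------------------------------------------

const router = Router();

// ── Read-only endpoints (any authenticated user) ──────────────────────────────

/**
 * GET /api/vehicles
 * Fleet overview list — inspection badges included.
 */
router.get('/', authenticate, vehicleController.listVehicles.bind(vehicleController));

/**
 * GET /api/vehicles/stats
 * Dashboard KPI aggregates.
 * NOTE: /stats and /alerts must be declared BEFORE /:id to avoid route conflicts.
 */
router.get('/stats', authenticate, vehicleController.getStats.bind(vehicleController));

/**
 * GET /api/vehicles/alerts?daysAhead=30
 * Upcoming and overdue inspections for the dashboard alert panel.
 */
router.get('/alerts', authenticate, vehicleController.getAlerts.bind(vehicleController));

/**
 * GET /api/vehicles/:id
 * Full vehicle detail with inspection history and maintenance log.
 */
router.get('/:id', authenticate, vehicleController.getVehicle.bind(vehicleController));

/**
 * GET /api/vehicles/:id/pruefungen
 * Inspection history for a single vehicle.
 */
router.get('/:id/pruefungen', authenticate, vehicleController.getPruefungen.bind(vehicleController));

/**
 * GET /api/vehicles/:id/wartung
 * Maintenance log for a single vehicle.
 */
router.get('/:id/wartung', authenticate, vehicleController.getWartung.bind(vehicleController));

// ── Write endpoints (vehicles:write role required) ────────────────────────────
// Middleware order matters on every write route: `authenticate` first (sets
// req.user), then `requireVehicleWrite` (reads the role from it).

/**
 * POST /api/vehicles
 * Create a new vehicle.
 */
router.post(
  '/',
  authenticate,
  requireVehicleWrite,
  vehicleController.createVehicle.bind(vehicleController)
);

/**
 * PATCH /api/vehicles/:id
 * Update vehicle fields.
 */
router.patch(
  '/:id',
  authenticate,
  requireVehicleWrite,
  vehicleController.updateVehicle.bind(vehicleController)
);

/**
 * PATCH /api/vehicles/:id/status
 * Live status change — Socket.IO hook point for Tier 3.
 * The `io` instance is retrieved inside the controller via req.app.get('io').
 */
router.patch(
  '/:id/status',
  authenticate,
  requireVehicleWrite,
  vehicleController.updateVehicleStatus.bind(vehicleController)
);

/**
 * POST /api/vehicles/:id/pruefungen
 * Record an inspection (scheduled or completed).
 */
router.post(
  '/:id/pruefungen',
  authenticate,
  requireVehicleWrite,
  vehicleController.addPruefung.bind(vehicleController)
);

/**
 * POST /api/vehicles/:id/wartung
 * Add a maintenance log entry.
 */
router.post(
  '/:id/wartung',
  authenticate,
  requireVehicleWrite,
  vehicleController.addWartung.bind(vehicleController)
);

export default router;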