import { Router } from 'express';
import eventsController from '../controllers/events.controller';
import { authenticate, optionalAuth } from '../middleware/auth.middleware';
import { requireGroups } from '../middleware/rbac.middleware';

const router = Router();

/**
 * Group names passed to requireGroups() on every POST/PATCH/DELETE route in
 * this file (categories as well as events).
 */
const WRITE_GROUPS = ['dashboard_admin', 'dashboard_moderator'];

/**
 * Middleware pair placed in front of every mutating route: authenticate
 * first, then the group check. A fresh requireGroups() middleware is built
 * for each route that uses it.
 */
const writeAccess = () => [authenticate, requireGroups(WRITE_GROUPS)];

/**
 * Controller methods bound to the controller instance so that `this` is
 * still the controller when Express invokes them as plain callbacks.
 */
const handlers = {
  listKategorien: eventsController.listKategorien.bind(eventsController),
  createKategorie: eventsController.createKategorie.bind(eventsController),
  updateKategorie: eventsController.updateKategorie.bind(eventsController),
  deleteKategorie: eventsController.deleteKategorie.bind(eventsController),
  getAvailableGroups: eventsController.getAvailableGroups.bind(eventsController),
  getCalendarRange: eventsController.getCalendarRange.bind(eventsController),
  getUpcoming: eventsController.getUpcoming.bind(eventsController),
  getCalendarToken: eventsController.getCalendarToken.bind(eventsController),
  getIcalExport: eventsController.getIcalExport.bind(eventsController),
  createEvent: eventsController.createEvent.bind(eventsController),
  getById: eventsController.getById.bind(eventsController),
  updateEvent: eventsController.updateEvent.bind(eventsController),
  cancelEvent: eventsController.cancelEvent.bind(eventsController),
  deleteEvent: eventsController.deleteEvent.bind(eventsController),
};

// ---------------------------------------------------------------------------
// Categories
// ---------------------------------------------------------------------------

/**
 * GET /api/events/kategorien
 * List all event categories. Readable by any authenticated user.
 */
router.get('/kategorien', authenticate, handlers.listKategorien);

/**
 * POST /api/events/kategorien
 * Create a category. Restricted to WRITE_GROUPS.
 */
router.post('/kategorien', ...writeAccess(), handlers.createKategorie);

/**
 * PATCH /api/events/kategorien/:id
 * Update a category. Restricted to WRITE_GROUPS.
 */
router.patch('/kategorien/:id', ...writeAccess(), handlers.updateKategorie);

/**
 * DELETE /api/events/kategorien/:id
 * Delete a category (only if no events reference it). Restricted to
 * WRITE_GROUPS.
 */
router.delete('/kategorien/:id', ...writeAccess(), handlers.deleteKategorie);

// ---------------------------------------------------------------------------
// Known groups list (used by frontend to populate zielgruppen picker)
// ---------------------------------------------------------------------------

/**
 * GET /api/events/groups
 * Returns the list of known Authentik groups with human-readable labels.
 * Readable by any authenticated user.
 */
router.get('/groups', authenticate, handlers.getAvailableGroups);

// ---------------------------------------------------------------------------
// Calendar & upcoming
// These static paths are registered before '/:id' so that the parameterised
// route does not capture them.
// ---------------------------------------------------------------------------

/**
 * GET /api/events/calendar?from=&to=
 * Events in a date range, filtered by the requesting user's groups.
 * Optional auth: unauthenticated callers only see alle_gruppen events.
 *
 * NOTE(review): the group filter lives in the controller, not in this file.
 * Confirm that a missing or invalid identity is treated as anonymous, and
 * that `from`/`to` are validated and the range is bounded.
 */
router.get('/calendar', optionalAuth, handlers.getCalendarRange);

/**
 * GET /api/events/upcoming?limit=10
 * Next N upcoming events visible to the requesting user.
 *
 * NOTE(review): reachable without authentication; confirm the controller
 * caps `limit` and applies the same visibility filter as /calendar.
 */
router.get('/upcoming', optionalAuth, handlers.getUpcoming);

/**
 * GET /api/events/calendar-token
 * Returns (or creates) the caller's personal iCal subscribe token and URL.
 * Requires authentication.
 *
 * NOTE(review): this GET can create state, and the token it hands out is the
 * only credential for /calendar.ics. Rotation and revocation are not visible
 * in this file.
 */
router.get('/calendar-token', authenticate, handlers.getCalendarToken);

/**
 * GET /api/events/calendar.ics?token=
 * iCal feed, authenticated by the per-user opaque token in the query string.
 * No Bearer token is required because calendar clients can only send the URL.
 *
 * NOTE(review): optionalAuth does not reject anonymous requests, so the
 * token check has to happen in the controller. Confirm it fails closed on a
 * missing or unknown token. A credential in the query string is also written
 * to access and proxy logs unless it is redacted there.
 */
router.get('/calendar.ics', optionalAuth, handlers.getIcalExport);

// ---------------------------------------------------------------------------
// Events CRUD
// ---------------------------------------------------------------------------

/**
 * POST /api/events
 * Create an event. Restricted to WRITE_GROUPS.
 */
router.post('/', ...writeAccess(), handlers.createEvent);

/**
 * GET /api/events/:id
 * Single event detail. Any authenticated user.
 *
 * NOTE(review): the list endpoints filter by the caller's groups, while this
 * route only checks that the caller is authenticated. Confirm that getById
 * applies the same visibility rule, otherwise events aimed at other groups
 * are readable by id.
 */
router.get('/:id', authenticate, handlers.getById);

/**
 * PATCH /api/events/:id
 * Update an event. Restricted to WRITE_GROUPS.
 */
router.patch('/:id', ...writeAccess(), handlers.updateEvent);

/**
 * DELETE /api/events/:id
 * Soft-cancel an event (sets abgesagt=TRUE + reason). Restricted to
 * WRITE_GROUPS.
 */
router.delete('/:id', ...writeAccess(), handlers.cancelEvent);

/**
 * POST /api/events/:id/delete
 * Hard-delete an event permanently. Restricted to WRITE_GROUPS, the same
 * groups that may soft-cancel.
 */
router.post('/:id/delete', ...writeAccess(), handlers.deleteEvent);

export default router;