import { Router } from 'express';
import vehicleController from '../controllers/vehicle.controller';
import { authenticate } from '../middleware/auth.middleware';
// ---------------------------------------------------------------------------
// RBAC guard — requirePermission('vehicles:write')
// ---------------------------------------------------------------------------
// Tier 1 will deliver a full RBAC middleware. Until then, this inline guard
// enforces that only the admin/kommandant/gruppenfuehrer roles can mutate
// vehicle data. The role is expected on req.user once Tier 1 is complete.
// For now the guard uses a conservative allowlist that can be replaced by the
// Tier 1 RBAC permission check.
// ---------------------------------------------------------------------------
import { Request, Response, NextFunction } from 'express';
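/** Roles that are allowed to write vehicle data (exact, case-sensitive match). */
const WRITE_ROLES: ReadonlySet<string> = new Set(['admin', 'kommandant', 'gruppenfuehrer']);

/**
 * Extracts the `role` claim from whatever authenticate() placed on `req.user`,
 * without an `any` cast.
 *
 * Anything that is not a non-null object carrying a string `role` yields
 * `undefined`, so the guard below fails closed on a missing user, a missing
 * role or a role of the wrong type.
 *
 * @param user - the raw `req.user` value; its shape is defined by
 *   authenticate() (Tier 1), so it is treated as untyped input here.
 * @returns the role string, or `undefined` when none can be read safely.
 */
function roleOf(user: unknown): string | undefined {
  if (typeof user !== 'object' || user === null) return undefined;
  const role = 'role' in user ? (user as { role: unknown }).role : undefined;
  return typeof role === 'string' ? role : undefined;
}

/**
 * requirePermission guard — temporary inline implementation.
 *
 * Rejects the request with 403 unless `req.user.role` is one of WRITE_ROLES;
 * otherwise hands off to `next()`. authenticate() must run before this guard
 * so that `req.user` is populated from the verified JWT payload (Tier 1).
 *
 * Replace with the Tier 1 RBAC middleware when available:
 *   import { requirePermission } from '../middleware/rbac.middleware';
 *
 * @param req - incoming request; only `req.user` is read.
 * @param res - response used to emit the 403 on rejection.
 * @param next - invoked exactly once when the role is allowed.
 */
const requireVehicleWrite = (req: Request, res: Response, next: NextFunction): void => {
  // Once Tier 1 RBAC is merged, replace the body with:
  // return requirePermission('vehicles:write')(req, res, next);
  const role = roleOf(req.user);

  // Fail closed: no user, no role, non-string role or a role outside the
  // allowlist all end in 403. Nothing about the rejected role is echoed back.
  if (role === undefined || !WRITE_ROLES.has(role)) {
    res.status(403).json({
      success: false,
      message: 'Keine Berechtigung für diese Aktion (vehicles:write erforderlich)',
    });
    return;
  }

  next();
};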
// ---------------------------------------------------------------------------
const router = Router();

// Middleware chains shared by the routes below: read routes only need an
// authenticated session, write routes additionally pass the vehicles:write guard.
const readChain = [authenticate] as const;
const writeChain = [authenticate, requireVehicleWrite] as const;

// ── Read-only endpoints (any authenticated user) ──────────────────────────────
// Registration order matters: the fixed paths /stats and /alerts are declared
// before the /:id parameter route so that they are not captured by it.

/** GET /api/vehicles — fleet overview list, inspection badges included. */
router.get('/', ...readChain, vehicleController.listVehicles.bind(vehicleController));

/** GET /api/vehicles/stats — dashboard KPI aggregates. */
router.get('/stats', ...readChain, vehicleController.getStats.bind(vehicleController));

/** GET /api/vehicles/alerts?daysAhead=30 — upcoming and overdue inspections for the alert panel. */
router.get('/alerts', ...readChain, vehicleController.getAlerts.bind(vehicleController));

/** GET /api/vehicles/:id — full vehicle detail with inspection history and maintenance log. */
router.get('/:id', ...readChain, vehicleController.getVehicle.bind(vehicleController));

/** GET /api/vehicles/:id/pruefungen — inspection history for a single vehicle. */
router.get('/:id/pruefungen', ...readChain, vehicleController.getPruefungen.bind(vehicleController));

/** GET /api/vehicles/:id/wartung — maintenance log for a single vehicle. */
router.get('/:id/wartung', ...readChain, vehicleController.getWartung.bind(vehicleController));

// ── Write endpoints (vehicles:write role required) ─────────────────────────────

/** POST /api/vehicles — create a new vehicle. */
router.post('/', ...writeChain, vehicleController.createVehicle.bind(vehicleController));

/** PATCH /api/vehicles/:id — update vehicle fields. */
router.patch('/:id', ...writeChain, vehicleController.updateVehicle.bind(vehicleController));

/**
 * PATCH /api/vehicles/:id/status — live status change, Socket.IO hook point for Tier 3.
 * The `io` instance is retrieved inside the controller via req.app.get('io').
 */
router.patch('/:id/status', ...writeChain, vehicleController.updateVehicleStatus.bind(vehicleController));

/** POST /api/vehicles/:id/pruefungen — record an inspection (scheduled or completed). */
router.post('/:id/pruefungen', ...writeChain, vehicleController.addPruefung.bind(vehicleController));

/** POST /api/vehicles/:id/wartung — add a maintenance log entry. */
router.post('/:id/wartung', ...writeChain, vehicleController.addWartung.bind(vehicleController));

export default router;