feat(api/v2): add notifications list/mark-read + mark-all on /api/v2

Ports the v1 DatabaseNotifications routes to the Huma /api/v2 API:
- GET /notifications lists the caller's own notifications (paginated)
- PUT /notifications/{notificationid} marks one (un-)read
- POST /notifications is a custom action marking all as read; the
  link-share guard, session and commit live in the handler since there
  is no CRUDable Do* for a bulk mark.

Adds fixture rows and a webtest matrix mirroring the v1 model behaviour
(own-only visibility, mark-(un)read, link-share refusal on every route).
This commit is contained in:
kolaente 2026-06-06 23:29:59 +02:00 committed by kolaente
parent 05c9c07e19
commit 1ca5367f27
3 changed files with 316 additions and 1 deletions

View File

@ -1 +1,21 @@
[]
- id: 1
notifiable_id: 1
notification: '{"test":"notification one"}'
name: test.notification
subject_id: 1
read_at: null
created: 2022-01-01 00:00:00
- id: 2
notifiable_id: 1
notification: '{"test":"notification two"}'
name: test.notification
subject_id: 2
read_at: null
created: 2022-01-02 00:00:00
- id: 3
notifiable_id: 2
notification: '{"test":"other user"}'
name: test.notification
subject_id: 3
read_at: null
created: 2022-01-03 00:00:00

View File

@ -0,0 +1,139 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package apiv2
import (
"context"
"fmt"
"net/http"
"code.vikunja.io/api/pkg/db"
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/notifications"
"code.vikunja.io/api/pkg/web/handler"
"github.com/danielgtaylor/huma/v2"
)
// Element type is the foreign notifications.DatabaseNotification because that's
// what models.DatabaseNotifications.ReadAll returns directly, not a models wrapper.
type notificationListBody struct {
Body Paginated[*notifications.DatabaseNotification]
}
// markAllReadBody is the mark-all-as-read confirmation. The action has no
// resource to return, so it carries a short status message rather than reusing
// emptyBody (204) — mirrors v1's {"message":"success"} response.
type markAllReadBody struct {
Body struct {
Message string `json:"message" readOnly:"true" doc:"A confirmation message."`
}
}
// RegisterNotificationRoutes wires notification list / mark-read / mark-all onto the Huma API.
func RegisterNotificationRoutes(api huma.API) {
tags := []string{"notifications"}
Register(api, huma.Operation{
OperationID: "notifications-list",
Summary: "List notifications",
Description: "Returns the authenticated user's own notifications, newest first. Link shares have no notifications and are refused.",
Method: http.MethodGet,
Path: "/notifications",
Tags: tags,
}, notificationsList)
Register(api, huma.Operation{
OperationID: "notifications-mark-read",
Summary: "Mark a notification as (un-)read",
Description: "Marks one of the authenticated user's notifications as read or unread. A user can only mark their own notifications.",
Method: http.MethodPut,
Path: "/notifications/{notificationid}",
Tags: tags,
}, notificationsMarkRead)
Register(api, huma.Operation{
OperationID: "notifications-mark-all-read",
Summary: "Mark all notifications as read",
Description: "Marks every notification of the authenticated user as read. Link shares have no notifications and are refused.",
Method: http.MethodPost,
Path: "/notifications",
Tags: tags,
}, notificationsMarkAllRead)
}
func init() { AddRouteRegistrar(RegisterNotificationRoutes) }
func notificationsList(ctx context.Context, in *ListParams) (*notificationListBody, error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
result, _, total, err := handler.DoReadAll(ctx, &models.DatabaseNotifications{}, a, in.Q, in.Page, in.PerPage)
if err != nil {
return nil, translateDomainError(err)
}
items, ok := result.([]*notifications.DatabaseNotification)
if !ok {
return nil, fmt.Errorf("notifications.ReadAll returned unexpected type %T (expected []*notifications.DatabaseNotification)", result)
}
return &notificationListBody{Body: NewPaginated(items, total, in.Page, in.PerPage)}, nil
}
func notificationsMarkRead(ctx context.Context, in *struct {
ID int64 `path:"notificationid"`
Body models.DatabaseNotifications
}) (*singleBody[models.DatabaseNotifications], error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
n := &in.Body
n.ID = in.ID // URL wins over body
if err := handler.DoUpdate(ctx, n, a); err != nil {
return nil, translateDomainError(err)
}
return &singleBody[models.DatabaseNotifications]{Body: n}, nil
}
// notificationsMarkAllRead is a custom action: there is no CRUDable Do* for a
// bulk mark, so the handler owns the link-share guard, the session and the
// commit. Mirrors apiv1.MarkAllNotificationsAsRead.
func notificationsMarkAllRead(ctx context.Context, _ *struct{}) (*markAllReadBody, error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
if _, is := a.(*models.LinkSharing); is {
return nil, huma.Error403Forbidden("link shares cannot have notifications")
}
s := db.NewSession()
defer s.Close()
if err := notifications.MarkAllNotificationsAsRead(s, a.GetID()); err != nil {
_ = s.Rollback()
return nil, translateDomainError(err)
}
if err := s.Commit(); err != nil {
return nil, translateDomainError(err)
}
out := &markAllReadBody{}
out.Body.Message = "success"
return out, nil
}

View File

@ -0,0 +1,156 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package webtests
import (
"encoding/json"
"net/http"
"testing"
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/modules/auth"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestHumaNotification mirrors v1's notification routes (notifications.yml has
// no v1 webtest, so this is ported 1:1 from the v1 handler/model behaviour).
// Link-share guards and mark-all live in separate top-level funcs below because
// they need a dedicated echo.Echo — interleaving setupTestEnv() inside the
// webHandlerTestV2 matrix rotates the JWT key out from under its cached env.
//
// Fixture topology (see pkg/db/fixtures/notifications.yml):
// - #1, #2: belong to user1, both unread.
// - #3: belongs to user2, unread — must stay invisible/untouched for user1.
func TestHumaNotification(t *testing.T) {
testHandler := webHandlerTestV2{
user: &testuser1,
basePath: "/api/v2/notifications",
idParam: "notificationid",
t: t,
}
t.Run("ReadAll", func(t *testing.T) {
t.Run("Own notifications only", func(t *testing.T) {
rec, err := testHandler.testReadAllWithUser(nil, nil)
require.NoError(t, err)
ids := notificationIDsFromReadAll(t, rec.Body.Bytes())
// Exact set: user1 sees only their own notifications, not user2's #3.
assert.ElementsMatch(t, []int64{1, 2}, ids,
"ReadAll must return exactly {1,2}; body: %s", rec.Body.String())
assert.NotContains(t, ids, int64(3), "user2's notification #3 must be hidden")
})
})
t.Run("MarkAsRead", func(t *testing.T) {
t.Run("Normal - mark own as read", func(t *testing.T) {
rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"notificationid": "1"}, `{"read":true}`)
require.NoError(t, err)
assert.Contains(t, rec.Body.String(), `"id":1`)
// A read notification carries a non-zero read_at timestamp.
assert.NotContains(t, rec.Body.String(), `"read_at":"0001-01-01T00:00:00Z"`,
"read_at must be set after marking read; body: %s", rec.Body.String())
})
t.Run("Mark own as unread", func(t *testing.T) {
rec, err := testHandler.testUpdateWithUser(nil, map[string]string{"notificationid": "2"}, `{"read":false}`)
require.NoError(t, err)
assert.Contains(t, rec.Body.String(), `"read_at":"0001-01-01T00:00:00Z"`,
"read_at must be zeroed when marking unread; body: %s", rec.Body.String())
})
t.Run("Forbidden - other user's notification (#3)", func(t *testing.T) {
// CanUpdate scopes by notifiable_id; #3 belongs to user2.
_, err := testHandler.testUpdateWithUser(nil, map[string]string{"notificationid": "3"}, `{"read":true}`)
require.Error(t, err)
assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err))
})
t.Run("Forbidden - nonexistent", func(t *testing.T) {
_, err := testHandler.testUpdateWithUser(nil, map[string]string{"notificationid": "9999"}, `{"read":true}`)
require.Error(t, err)
assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err))
})
})
}
// TestHumaNotification_MarkAllAsRead covers the custom bulk action: it marks
// every notification of the caller as read and leaves other users untouched.
func TestHumaNotification_MarkAllAsRead(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
token := humaTokenFor(t, &testuser1)
rec := humaRequest(t, e, http.MethodPost, "/api/v2/notifications", "", token, "")
require.Equal(t, http.StatusCreated, rec.Code, "body: %s", rec.Body.String())
assert.Contains(t, rec.Body.String(), `"message":"success"`)
// Re-list and confirm all of user1's notifications are now read.
list := humaRequest(t, e, http.MethodGet, "/api/v2/notifications", "", token, "")
require.Equal(t, http.StatusOK, list.Code, "body: %s", list.Body.String())
assert.NotContains(t, list.Body.String(), `"read_at":"0001-01-01T00:00:00Z"`,
"every notification must be read after mark-all; body: %s", list.Body.String())
// user2's notification #3 must remain untouched (unread).
otherList := humaRequest(t, e, http.MethodGet, "/api/v2/notifications", "", humaTokenFor(t, &testuser2), "")
require.Equal(t, http.StatusOK, otherList.Code, "body: %s", otherList.Body.String())
assert.Contains(t, otherList.Body.String(), `"read_at":"0001-01-01T00:00:00Z"`,
"another user's notifications must stay unread; body: %s", otherList.Body.String())
}
// TestHumaNotification_LinkShareForbidden ports v1's guard: a link-share auth
// has no notifications, so list / mark-read / mark-all all refuse it (403).
func TestHumaNotification_LinkShareForbidden(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
token, err := auth.NewLinkShareJWTAuthtoken(&models.LinkSharing{
ID: 1,
Hash: "test",
ProjectID: 1,
Permission: models.PermissionRead,
SharingType: models.SharingTypeWithoutPassword,
SharedByID: 1,
})
require.NoError(t, err)
t.Run("list", func(t *testing.T) {
rec := humaRequest(t, e, http.MethodGet, "/api/v2/notifications", "", token, "")
assert.Equal(t, http.StatusForbidden, rec.Code, "body: %s", rec.Body.String())
})
t.Run("mark read", func(t *testing.T) {
rec := humaRequest(t, e, http.MethodPut, "/api/v2/notifications/1", `{"read":true}`, token, "")
assert.Equal(t, http.StatusForbidden, rec.Code, "body: %s", rec.Body.String())
})
t.Run("mark all read", func(t *testing.T) {
rec := humaRequest(t, e, http.MethodPost, "/api/v2/notifications", "", token, "")
assert.Equal(t, http.StatusForbidden, rec.Code, "body: %s", rec.Body.String())
})
}
func notificationIDsFromReadAll(t *testing.T, body []byte) []int64 {
t.Helper()
var resp struct {
Items []struct {
ID int64 `json:"id"`
} `json:"items"`
}
require.NoError(t, json.Unmarshal(body, &resp), "ReadAll body must be a paginated envelope: %s", string(body))
ids := make([]int64, 0, len(resp.Items))
for _, it := range resp.Items {
ids = append(ids, it.ID)
}
return ids
}