Add updating devices to apiv1.
We needed a way to be able to update devices after they were created. This is
supported in the devices package, we just needed to expose it using apiv1
endpoints.
In doing so, it became apparent that allowing users to change the Owner of their
Devices wasn't properly thought through, and pending a reason to use it, I'm
just removing it. The biggest issue came when trying to return usable error
messages; we couldn't distinguish between "you don't own the device you're
trying to update" and "you're not allowed to change the owner of the device". I
also couldn't figure out _who should be able to_ change the owner of the device,
which is generally an indication that I'm building a feature before I have a use
case for it.
To support this change, the apiv1.DeviceChange type needed its Owner property
removed.
I also needed to add deviceFromAPI and devicesFromAPI helpers to return
devices.Device types from apiv1.Device types.
There's now a new validateDeviceUpdate helper that checks to ensure that a
device update request is valid and the user has the appropriate permissions.
The createRequest type now accepts a slice of Devices, not a slice of
DeviceChanges, because we want to pass the Owner in.
A new updateRequest type is created, which accepts a DeviceChange to apply.
A new handleUpdateDevice handler is created, which is assigned to the endpoint
for PATCH requests against a device ID. It checks that the user is logged in,
the Device they're trying to update exists, and that it's a valid update. If all
of that is true, the device is updated and the updated device is returned.
Finally, we had to add two new scopes to support new functionality:
ScopeUpdateOtherUserDevices allows a user to update other user's devices, and
ScopeUpdateLastSeen allows a user to update the LastSeen property of a device.
Pending some better error messages, this should be a full implementation of
updating a device, which leaves only the deletion endpoint to deal with.
7 "code.secondbit.org/api.hg"
8 "code.secondbit.org/ducky/devices.hg"
9 "code.secondbit.org/uuid.hg"
13 errUnauthorizedLastSeen = errors.New("not authorized to set last seen")
14 errUnauthorizedCreated = errors.New("not authorized to set created")
15 errUnauthorizedOwner = errors.New("not authorized to set owner")
16 errInvalidDeviceType = errors.New("device type invalid")
17 errDeviceNameTooShort = errors.New("device name too short")
18 errDeviceNameTooLong = errors.New("device name too long")
21 // Device represents a device as exposed through the API. It is its
22 // own type as the business logic and the API have different requirements
23 // for the Device type, and require different representations.
25 ID uuid.ID `json:"id"`
26 Name string `json:"name,omitempty"`
27 Owner uuid.ID `json:"owner,omitempty"`
28 Type devices.DeviceType `json:"type,omitempty"`
29 Created time.Time `json:"created,omitempty"`
30 LastSeen time.Time `json:"lastSeen,omitempty"`
31 PushToken string `json:"pushToken,omitempty"`
34 // DeviceChange represents a set of changes to a device that will be used
35 // to update that device. It is its own type as the business logic and the
36 // API have different requirements for the DeviceChange type, and require
37 // different representations.
38 type DeviceChange struct {
39 DeviceID uuid.ID `json:"id"`
40 Name *string `json:"name,omitempty"`
41 Type *devices.DeviceType `json:"type,omitempty"`
42 LastSeen *time.Time `json:"lastSeen,omitempty"`
43 PushToken *string `json:"pushToken,omitempty"`
46 func apiDeviceFromCore(d devices.Device, includePushToken bool) Device {
56 device.PushToken = d.PushToken
61 func deviceFromAPI(d Device) devices.Device {
62 return devices.Device{
68 PushToken: d.PushToken,
73 func devicesFromAPI(in []Device) []devices.Device {
74 out := make([]devices.Device, 0, len(in))
75 for _, d := range in {
76 out = append(out, deviceFromAPI(d))
81 func changeFromAPI(d DeviceChange) devices.DeviceChange {
82 return devices.DeviceChange{
87 PushToken: d.PushToken,
91 func createDevicesFromChanges(changes []DeviceChange) []devices.Device {
92 newDevices := make([]devices.Device, 0, len(changes))
93 for _, change := range changes {
94 newDevices = append(newDevices, devices.ApplyChange(devices.Device{}, changeFromAPI(change)))
99 func validateDeviceCreation(d devices.Device, scopes []string, user uuid.ID) error {
100 canImport := api.CheckScopes(scopes, ScopeImport.ID)
101 canCreateOtherUserDevices := api.CheckScopes(scopes, ScopeCreateOtherUserDevices.ID)
102 if !d.LastSeen.IsZero() && !canImport {
103 return errUnauthorizedLastSeen
105 if !d.Created.IsZero() && !canImport {
106 return errUnauthorizedCreated
108 if !d.Owner.Equal(user) && !canCreateOtherUserDevices {
109 return errUnauthorizedOwner
111 if !devices.IsValidDeviceType(d.Type) {
112 return errInvalidDeviceType
114 if len(d.Name) < devices.MinDeviceNameLength {
115 return errDeviceNameTooShort
117 if len(d.Name) > devices.MaxDeviceNameLength {
118 return errDeviceNameTooLong
123 func validateDeviceUpdate(d Device, change DeviceChange, scopes []string, user uuid.ID) error {
124 canUpdateOtherUserDevices := api.CheckScopes(scopes, ScopeUpdateOtherUserDevices.ID)
125 canUpdateLastSeen := api.CheckScopes(scopes, ScopeUpdateLastSeen.ID)
127 if !d.Owner.Equal(user) && !canUpdateOtherUserDevices {
128 return errUnauthorizedOwner
130 if change.LastSeen != nil && !change.LastSeen.IsZero() && !canUpdateLastSeen {
131 return errUnauthorizedLastSeen
133 if change.Type != nil && !devices.IsValidDeviceType(*change.Type) {
134 return errInvalidDeviceType
136 if change.Name != nil && len(*change.Name) < devices.MinDeviceNameLength {
137 return errDeviceNameTooShort
139 if change.Name != nil && len(*change.Name) > devices.MaxDeviceNameLength {
140 return errDeviceNameTooLong