Add updating devices to apiv1.
We needed a way to be able to update devices after they were created. This is
supported in the devices package, we just needed to expose it using apiv1
endpoints.
In doing so, it became apparent that allowing users to change the Owner of their
Devices wasn't properly thought through, and pending a reason to use it, I'm
just removing it. The biggest issue came when trying to return usable error
messages; we couldn't distinguish between "you don't own the device you're
trying to update" and "you're not allowed to change the owner of the device". I
also couldn't figure out _who should be able to_ change the owner of the device,
which is generally an indication that I'm building a feature before I have a use
case for it.
To support this change, the apiv1.DeviceChange type needed its Owner property
removed.
I also needed to add deviceFromAPI and devicesFromAPI helpers to return
devices.Device types from apiv1.Device types.
There's now a new validateDeviceUpdate helper that checks to ensure that a
device update request is valid and the user has the appropriate permissions.
The createRequest type now accepts a slice of Devices, not a slice of
DeviceChanges, because we want to pass the Owner in.
A new updateRequest type is created, which accepts a DeviceChange to apply.
A new handleUpdateDevice handler is created, which is assigned to the endpoint
for PATCH requests against a device ID. It checks that the user is logged in,
the Device they're trying to update exists, and that it's a valid update. If all
of that is true, the device is updated and the updated device is returned.
Finally, we had to add two new scopes to support new functionality:
ScopeUpdateOtherUserDevices allows a user to update other user's devices, and
ScopeUpdateLastSeen allows a user to update the LastSeen property of a device.
Pending some better error messages, this should be a full implementation of
updating a device, which leaves only the deletion endpoint to deal with.
3 import "code.secondbit.org/scopes.hg/types"
6 // ScopeViewPushToken is a Scope that grants access to viewing pushTokens for
8 ScopeViewPushToken = scopeTypes.Scope{
9 ID: "https://scopes.useducky.com/devices/pushToken/view",
10 Name: "View device push tokens.",
11 Description: "View the push tokens that allow sending messages and notifications to your device. This can be used to force your device to open links, and should be granted with extreme caution.",
14 // ScopeViewDevices is a Scope that grants access to viewing the Devices
15 // that belong to a user.
16 ScopeViewDevices = scopeTypes.Scope{
17 ID: "https://scopes.useducky.com/devices/view",
18 Name: "View devices.",
19 Description: "View the devices that are associated with your account.",
22 // ScopeImport is a Scope that grants access to bulk importing Devices. It grants
23 // what equates to admin permissions, including the ability to create Devices for
24 // other users, and thus should be granted with extreme caution.
25 ScopeImport = scopeTypes.Scope{
26 ID: "https://scopes.useducky.com/devices/import",
27 Name: "Import devices.",
28 Description: "Import devices into the system, including creating devices for other users. This should only ever be granted to system resources.",
31 // ScopeCreateOtherUserDevices is a Scope that grants the user the ability to create
32 // Devices with an Owner property that doesn't match the authenticated user's ID.
33 ScopeCreateOtherUserDevices = scopeTypes.Scope{
34 ID: "https://scopes.useducky.com/devices/otherUser/create",
35 Name: "Create devices for other users.",
36 Description: "Create devices like usual, but make a different user the owner of the device.",
39 // ScopeUpdateOtherUserDevices is a Scope that grants the user the ability to update
40 // Devices with an Owner property that doesn't match the authenticated user's ID.
41 ScopeUpdateOtherUserDevices = scopeTypes.Scope{
42 ID: "https://scopes.useducky.com/devices/otherUser/update",
43 Name: "Update devices for other users.",
44 Description: "Update devices like usual, but don't check if you're the owner of the device.",
47 // ScopeUpdateLastSeen is a Scope that grants the user the ability to update the
48 // LastSeen property of their Devices.
49 ScopeUpdateLastSeen = scopeTypes.Scope{
50 ID: "https://scopes.useducky.com/devices/lastSeen/update",
51 Name: "Update when a device was last seen.",
52 Description: "Update the timestamp tracking when a device was last seen.",