use axum::extract::{Multipart, Path, Query, State}; use axum::http::StatusCode; use axum::routing::{delete, get, post}; use axum::{Json, Router}; use serde::Deserialize; use serde_json::json; use uuid::Uuid; use crate::api::pagination::PagedResponse; use crate::app::AppState; use crate::auth::extractor::CurrentUser; use crate::domain::manga::{MangaCard, MangaDetail, MangaPatch, NewManga}; use crate::domain::patch::Patch; use crate::domain::tag::TagRef; use crate::error::{AppError, AppResult}; use crate::repo; use crate::upload::{parse_image, UploadedImage}; pub fn routes() -> Router { Router::new() .route("/mangas", get(list).post(create)) .route("/mangas/:id", get(get_one).patch(update)) .route("/mangas/:id/tags", post(attach_tag)) .route("/mangas/:id/tags/:tag_id", delete(detach_tag)) } #[derive(Debug, Deserialize, Default)] pub struct ListParams { #[serde(default)] pub search: Option, #[serde(default)] pub status: Option, /// Comma-separated UUIDs. AND across the list — every id must be /// attached to the manga for it to match. #[serde(default)] pub author_id: Option, #[serde(default)] pub genre_id: Option, #[serde(default)] pub tag_id: Option, #[serde(default = "default_limit")] pub limit: i64, #[serde(default)] pub offset: i64, #[serde(default)] pub sort: repo::manga::ListSort, } fn default_limit() -> i64 { 50 } fn parse_uuid_csv(field: &str, raw: Option<&str>) -> AppResult> { let Some(raw) = raw else { return Ok(Vec::new()) }; let mut out = Vec::new(); for piece in raw.split(',') { let s = piece.trim(); if s.is_empty() { continue; } let id = Uuid::parse_str(s).map_err(|_| AppError::ValidationFailed { message: format!("{field} contained an invalid UUID"), details: json!({ field: "comma-separated UUIDs" }), })?; out.push(id); } Ok(out) } async fn list( State(state): State, Query(params): Query, ) -> AppResult>> { let limit = params.limit.clamp(1, 200); let offset = params.offset.max(0); let status = match params.status.as_deref().map(str::trim) { None | Some("") => None, Some(s) => { if !repo::manga::STATUSES.contains(&s) { return Err(AppError::ValidationFailed { message: "invalid status filter".into(), details: json!({ "status": format!("must be one of {:?}", repo::manga::STATUSES) }), }); } Some(s.to_string()) } }; let q = repo::manga::ListQuery { search: params.search.filter(|s| !s.trim().is_empty()), status, author_ids: parse_uuid_csv("author_id", params.author_id.as_deref())?, genre_ids: parse_uuid_csv("genre_id", params.genre_id.as_deref())?, tag_ids: parse_uuid_csv("tag_id", params.tag_id.as_deref())?, limit, offset, sort: params.sort, }; let (items, total) = repo::manga::list_cards(&state.db, &q).await?; Ok(Json(PagedResponse::with_total(items, limit, offset, total))) } async fn get_one( State(state): State, Path(id): Path, ) -> AppResult> { Ok(Json(repo::manga::get_detail(&state.db, id).await?)) } /// `POST /api/v1/mangas` is multipart/form-data. Parts: /// /// - `metadata` (required): JSON body matching `NewManga` — title, optional /// status, optional authors (array of names), optional alt_titles /// (array), optional description, optional genre_ids (array of UUIDs). /// - `cover` (optional): image bytes. MIME is sniffed from magic bytes /// (jpeg/png/webp/gif/avif); size capped at `upload.max_file_bytes`. /// /// Anything else is ignored. Authors are upserted into the global /// authors table (case-insensitive de-dup); genre_ids are validated /// against the curated genres list. async fn create( State(state): State, CurrentUser(_user): CurrentUser, mut multipart: Multipart, ) -> AppResult<(StatusCode, Json)> { let mut metadata: Option = None; let mut cover: Option = None; while let Some(field) = next_field(&mut multipart).await? { match field.name() { Some("metadata") => { let bytes = read_field_bytes(field).await?; metadata = Some(parse_metadata_json(&bytes)?); } Some("cover") => { let bytes = read_field_bytes(field).await?.to_vec(); cover = Some(parse_image(bytes, state.upload.max_file_bytes, "cover")?); } _ => continue, } } let metadata = metadata.ok_or_else(|| AppError::ValidationFailed { message: "metadata part is required".into(), details: json!({ "metadata": "required" }), })?; validate_new_manga(&metadata)?; validate_genre_ids(&state, &metadata.genre_ids).await?; let status = metadata .status .as_deref() .map(str::trim) .filter(|s| !s.is_empty()) .unwrap_or(repo::manga::DEFAULT_STATUS) .to_string(); let alt_titles = normalize_alt_titles(metadata.alt_titles); let authors = normalize_string_list(metadata.authors); // Transactional create. If the cover put or any relation write // fails, the manga row and its relations are rolled back so a // half-uploaded cover doesn't leave a manga without one stuck // pointing at it. Bytes already written to storage on a rolled-back // transaction become orphans on disk — a future reaper can sweep // them; we prioritise DB consistency over storage tidiness here. let mut tx = state.db.begin().await?; let mut manga = repo::manga::create( &mut *tx, metadata.title.trim(), &status, metadata.description.as_deref(), &alt_titles, Some(_user.id), ) .await?; let author_refs = repo::author::set_for_manga(&mut *tx, manga.id, &authors).await?; repo::genre::set_for_manga(&mut *tx, manga.id, &metadata.genre_ids).await?; if let Some(img) = cover { let key = format!("mangas/{}/cover.{}", manga.id, img.ext); state.storage.put(&key, &img.bytes).await?; repo::manga::set_cover_image_path(&mut *tx, manga.id, &key).await?; manga.cover_image_path = Some(key); } tx.commit().await?; // Re-read so the genres list reflects the canonical sort order // and any future trigger-driven defaults. let detail = repo::manga::get_detail(&state.db, manga.id).await?; let _ = author_refs; // returned for free via detail Ok((StatusCode::CREATED, Json(detail))) } async fn update( State(state): State, CurrentUser(_user): CurrentUser, Path(id): Path, Json(patch): Json, ) -> AppResult> { // TODO(auth): until uploaders are tracked (Phase 5), any signed-in // user can edit any manga. Restrict to uploader + admin once that // column lands. if !repo::manga::exists(&state.db, id).await? { return Err(AppError::NotFound); } if let Some(ref status) = patch.status { let trimmed = status.trim(); if !repo::manga::STATUSES.contains(&trimmed) { return Err(AppError::ValidationFailed { message: "invalid status".into(), details: json!({ "status": format!("must be one of {:?}", repo::manga::STATUSES) }), }); } } if let Some(ref title) = patch.title { if title.trim().is_empty() { return Err(AppError::ValidationFailed { message: "title cannot be blank".into(), details: json!({ "title": "non-empty" }), }); } } if let Some(ref ids) = patch.genre_ids { validate_genre_ids(&state, ids).await?; } let alt_titles_owned: Option> = patch.alt_titles.map(normalize_alt_titles); let authors_owned: Option> = patch.authors.map(normalize_string_list); let description_provided = patch.description.is_provided(); let description_value: Option<&str> = match &patch.description { Patch::Set(s) => Some(s.as_str()), Patch::Clear | Patch::Unchanged => None, }; let mut tx = state.db.begin().await?; let _updated = repo::manga::update_basics( &mut *tx, id, patch.title.as_deref().map(str::trim), patch.status.as_deref().map(str::trim), description_provided, description_value, alt_titles_owned.as_deref(), ) .await?; if let Some(ref names) = authors_owned { repo::author::set_for_manga(&mut *tx, id, names).await?; } if let Some(ref ids) = patch.genre_ids { repo::genre::set_for_manga(&mut *tx, id, ids).await?; } tx.commit().await?; Ok(Json(repo::manga::get_detail(&state.db, id).await?)) } #[derive(Debug, Deserialize)] pub struct AttachTagBody { pub name: String, } async fn attach_tag( State(state): State, CurrentUser(user): CurrentUser, Path(id): Path, Json(body): Json, ) -> AppResult<(StatusCode, Json)> { if !repo::manga::exists(&state.db, id).await? { return Err(AppError::NotFound); } let outcome = repo::tag::attach_to_manga(&state.db, id, &body.name, user.id).await?; let status = if outcome.created_attachment { StatusCode::CREATED } else { StatusCode::OK }; // `added_by` reflects who currently owns the attachment — which is // the first attacher, not the caller. Look it up so the response // matches what subsequent list_for_manga reads will show. let added_by = repo::tag::find_attacher(&state.db, id, outcome.tag.id) .await? .flatten(); Ok(( status, Json(TagRef { id: outcome.tag.id, name: outcome.tag.name, added_by, }), )) } async fn detach_tag( State(state): State, CurrentUser(user): CurrentUser, Path((manga_id, tag_id)): Path<(Uuid, Uuid)>, ) -> AppResult { match repo::tag::find_attacher(&state.db, manga_id, tag_id).await? { None => Err(AppError::NotFound), Some(added_by) => { // `added_by` is None if the attaching user was deleted; in // that case nobody owns it, so we refuse rather than let // any user clear orphan tags (an admin role can do that // later). if added_by != Some(user.id) { return Err(AppError::Forbidden); } repo::tag::detach(&state.db, manga_id, tag_id).await?; Ok(StatusCode::NO_CONTENT) } } } fn validate_new_manga(input: &NewManga) -> AppResult<()> { if input.title.trim().is_empty() { return Err(AppError::ValidationFailed { message: "title is required".into(), details: json!({ "title": "required" }), }); } if let Some(ref status) = input.status { let trimmed = status.trim(); if !trimmed.is_empty() && !repo::manga::STATUSES.contains(&trimmed) { return Err(AppError::ValidationFailed { message: "invalid status".into(), details: json!({ "status": format!("must be one of {:?}", repo::manga::STATUSES) }), }); } } Ok(()) } async fn validate_genre_ids(state: &AppState, ids: &[Uuid]) -> AppResult<()> { if ids.is_empty() { return Ok(()); } // Dedup before counting — Postgres' `id = ANY(...)` is set-based, // so a request with `[g1, g1]` would match one row and trip the // "unknown id" branch even though the only id is real. The DB-side // insert path also dedupes via `ON CONFLICT DO NOTHING`, so we // simply silently accept duplicates from the client. let unique: std::collections::HashSet = ids.iter().copied().collect(); let (matched,): (i64,) = sqlx::query_as("SELECT count(*) FROM genres WHERE id = ANY($1)") .bind(ids) .fetch_one(&state.db) .await?; if (matched as usize) != unique.len() { return Err(AppError::ValidationFailed { message: "unknown genre id".into(), details: json!({ "genre_ids": "all ids must reference an existing genre" }), }); } Ok(()) } fn normalize_alt_titles(raw: Vec) -> Vec { let mut out = Vec::with_capacity(raw.len()); for t in raw { let trimmed = t.trim(); if trimmed.is_empty() { continue; } let s = trimmed.to_string(); if !out.contains(&s) { out.push(s); } } out } fn normalize_string_list(raw: Vec) -> Vec { let mut out = Vec::with_capacity(raw.len()); for s in raw { let trimmed = s.trim(); if trimmed.is_empty() { continue; } // Case-insensitive de-dup so ["Miura", "miura"] becomes one entry. if !out .iter() .any(|existing: &String| existing.eq_ignore_ascii_case(trimmed)) { out.push(trimmed.to_string()); } } out } fn parse_metadata_json(bytes: &[u8]) -> AppResult { serde_json::from_slice(bytes).map_err(|e| AppError::ValidationFailed { message: "metadata is not valid JSON".into(), details: json!({ "metadata": e.to_string() }), }) } pub(crate) async fn next_field( multipart: &mut Multipart, ) -> AppResult>> { multipart .next_field() .await .map_err(map_multipart_error) } pub(crate) async fn read_field_bytes( field: axum::extract::multipart::Field<'_>, ) -> AppResult { field.bytes().await.map_err(map_multipart_error) } fn map_multipart_error(e: axum::extract::multipart::MultipartError) -> AppError { let status = e.status(); if status == StatusCode::PAYLOAD_TOO_LARGE { AppError::PayloadTooLarge("upload exceeds the request size limit".into()) } else { AppError::InvalidInput(format!("multipart parse error: {e}")) } }