import { eq, getTableColumns } from 'drizzle-orm'
import { NextResponse } from 'next/server'
import { db } from '@/db'
import * as schema from '@/db/schema'
import { withAuth } from '@/lib/auth/withAuth'
import { getUserId } from '@/lib/viewer'

/**
 * GET /api/abacus-settings
 * Returns the abacus display settings row for the signed-in user. On first
 * access no row exists yet, so one is inserted with the table's column
 * defaults and returned instead.
 *
 * Responds 200 with `{ settings }` or 500 with `{ error }` when the lookup
 * or insert throws.
 */
export const GET = withAuth(async () => {
  try {
    const userId = await getUserId()

    // Look up the caller's row, if there is one
    const existing = await db.query.abacusSettings.findFirst({
      where: eq(schema.abacusSettings.userId, userId),
    })
    if (existing) {
      return NextResponse.json({ settings: existing })
    }

    // First access: insert a row that only carries the owner; every other
    // column takes its schema default.
    // NOTE(review): two concurrent first requests both reach this insert;
    // confirm whether userId is unique in the schema and whether the second
    // insert should tolerate a conflict.
    const [created] = await db.insert(schema.abacusSettings).values({ userId }).returning()
    return NextResponse.json({ settings: created })
  } catch (error) {
    console.error('Failed to fetch abacus settings:', error)
    return NextResponse.json({ error: 'Failed to fetch abacus settings' }, { status: 500 })
  }
})

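/**
 * Keys of the settings table that a client may write. Derived from the table
 * definition so the allowlist cannot drift from the schema; `userId` is
 * excluded because it always comes from the session.
 * NOTE(review): if the table also has server-managed columns (a primary key,
 * created/updated timestamps), they should be excluded here too - confirm
 * against the schema.
 */
const WRITABLE_SETTINGS_COLUMNS: ReadonlySet<string> = new Set(
  Object.keys(getTableColumns(schema.abacusSettings)).filter((name) => name !== 'userId'),
)

/**
 * Keep only the body entries that name a writable settings column.
 *
 * @param body - parsed JSON object from the request
 * @returns the subset of `body` that is safe to pass to `.set()` / `.values()`
 */
function pickSettingsUpdates(body: object): Record<string, unknown> {
  return Object.fromEntries(
    Object.entries(body).filter(([key]) => WRITABLE_SETTINGS_COLUMNS.has(key)),
  )
}

/**
 * PATCH /api/abacus-settings
 * Update abacus display settings for the current user.
 *
 * The body must be a JSON object whose keys are columns of the settings
 * table. `userId` is always taken from the session and never from the body,
 * and keys that are not writable columns are dropped before the write so a
 * client cannot mass-assign arbitrary fields. If the user has no row yet,
 * one is created from the supplied values.
 *
 * Responds 400 when the body is missing, not valid JSON, not an object, or
 * contains no writable fields; 500 when the database call throws.
 */
export const PATCH = withAuth(async (request) => {
  try {
    const userId = await getUserId()

    // Handle empty or invalid JSON body gracefully
    let body: unknown
    try {
      body = await request.json()
    } catch {
      return NextResponse.json({ error: 'Invalid or empty request body' }, { status: 400 })
    }

    // Valid JSON may still be null, an array or a primitive; destructuring
    // those would throw and surface as a misleading 500.
    if (typeof body !== 'object' || body === null || Array.isArray(body)) {
      return NextResponse.json({ error: 'Request body must be a JSON object' }, { status: 400 })
    }

    // Security: Strip userId from request body - it must come from session only.
    // Unknown keys are dropped as well (mass-assignment guard).
    const updates = pickSettingsUpdates(body)

    // drizzle rejects an empty `.set({})`; report it to the client instead of
    // letting it fall through to the generic 500.
    if (Object.keys(updates).length === 0) {
      return NextResponse.json({ error: 'No updatable settings fields in request body' }, { status: 400 })
    }

    // Ensure settings exist
    const existingSettings = await db.query.abacusSettings.findFirst({
      where: eq(schema.abacusSettings.userId, userId),
    })

    if (!existingSettings) {
      // Create new settings with updates
      const [newSettings] = await db
        .insert(schema.abacusSettings)
        .values({ userId, ...updates })
        .returning()
      return NextResponse.json({ settings: newSettings })
    }

    // Update existing settings
    const [updatedSettings] = await db
      .update(schema.abacusSettings)
      .set(updates)
      .where(eq(schema.abacusSettings.userId, userId))
      .returning()

    return NextResponse.json({ settings: updatedSettings })
  } catch (error) {
    console.error('Failed to update abacus settings:', error)
    return NextResponse.json({ error: 'Failed to update abacus settings' }, { status: 500 })
  }
})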