Closer/functions/dist/couples/leaveCoupleCallable.js

109 lines
5.0 KiB
JavaScript

"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.leaveCoupleCallable = void 0;
const functions = __importStar(require("firebase-functions"));
const admin = __importStar(require("firebase-admin"));
/**
* HTTPS callable that atomically unlinks a couple.
*
* The client cannot do this directly because Firestore rules prevent a user
* from writing the partner's user document. The Admin SDK bypasses those rules.
*
* Steps:
* 1. Verify the caller is a member of their current couple.
* 2. Clear coupleId on both user docs (batch — atomic).
* 3. Recursively delete the couple doc and all its subcollections.
*
* The existing onCoupleLeave Firestore trigger fires after step 2 and handles
* partner notification, so we don't duplicate that here.
*/
exports.leaveCoupleCallable = functions.https.onCall(async (_data, context) => {
var _a, _b;
const callerId = (_a = context.auth) === null || _a === void 0 ? void 0 : _a.uid;
if (!callerId) {
throw new functions.https.HttpsError('unauthenticated', 'Must be signed in.');
}
if (!context.app) {
throw new functions.https.HttpsError('failed-precondition', 'App Check verification required.');
}
const db = admin.firestore();
const userDoc = await db.collection('users').doc(callerId).get();
const coupleId = (_b = userDoc.data()) === null || _b === void 0 ? void 0 : _b.coupleId;
if (!coupleId) {
// Already unpaired — idempotent success.
return { success: true };
}
const coupleRef = db.collection('couples').doc(coupleId);
// Security review Batch 2: do the membership check, member-clearing, and couple-doc
// delete in one transaction so two partners leaving concurrently can't clobber state.
// Critically, only clear a member's coupleId if it STILL points at this couple — a
// stale concurrent call must never wipe a coupleId set by a fresh re-pair.
const result = await db.runTransaction(async (tx) => {
var _a, _b, _c;
const coupleSnap = await tx.get(coupleRef);
if (!coupleSnap.exists) {
const callerRef = db.collection('users').doc(callerId);
const callerSnap = await tx.get(callerRef);
if (((_a = callerSnap.data()) === null || _a === void 0 ? void 0 : _a.coupleId) === coupleId) {
tx.update(callerRef, { coupleId: null });
}
return { membership: true };
}
const userIds = ((_c = (_b = coupleSnap.data()) === null || _b === void 0 ? void 0 : _b.userIds) !== null && _c !== void 0 ? _c : []);
if (!userIds.includes(callerId)) {
return { membership: false };
}
// Reads must precede writes in a transaction: snapshot every member first.
const memberSnaps = await Promise.all(userIds.map((uid) => tx.get(db.collection('users').doc(uid))));
memberSnaps.forEach((snap, i) => {
var _a;
if (((_a = snap.data()) === null || _a === void 0 ? void 0 : _a.coupleId) === coupleId) {
tx.update(db.collection('users').doc(userIds[i]), { coupleId: null });
}
});
tx.delete(coupleRef);
return { membership: true };
});
if (!result.membership) {
throw new functions.https.HttpsError('permission-denied', 'Not a member of this couple.');
}
// Couple doc is deleted in the transaction; sweep any subcollections left behind.
// Idempotent if a concurrent caller already removed them.
await db.recursiveDelete(coupleRef);
console.log(`[leaveCoupleCallable] user ${callerId} left couple ${coupleId}`);
return { success: true };
});
//# sourceMappingURL=leaveCoupleCallable.js.map