vapor-po/Sources/App/Controllers/Api/UserApiController.swift

import Fluent
import Vapor

// TODO: Add update and get by id.
struct UserApiController: RouteCollection {
  let users = UserDB()

  func boot(routes: any RoutesBuilder) throws {
    let unProtected = routes.apiUnprotected(route: "users")
    let protected = routes.apiProtected(route: "users")

    unProtected.post(use: create(req:))
    protected.get(use: index(req:))
    protected.post("login", use: login(req:))
    protected.group(":id") {
      $0.delete(use: delete(req:))
    }
  }

  @Sendable
  func index(req: Request) async throws -> [User.DTO] {
    try await users.fetchAll(on: req.db)
  }

  @Sendable
  func create(req: Request) async throws -> User.DTO {
    // Allow the first user to be created without authentication.
    let count = try await User.query(on: req.db).count()
    if count > 0 {
      guard req.auth.get(User.self) != nil else {
        throw Abort(.unauthorized)
      }
    }
    try User.Create.validate(content: req)
    let model = try req.content.decode(User.Create.self)
    return try await users.create(model, on: req.db)
  }

  @Sendable
  func login(req: Request) async throws -> UserToken {
    let user = try req.auth.require(User.self)
    return try await users.login(user: user, on: req.db)
  }

  // @Sendable
  // func get(req: Request) async throws -> User.DTO {
  //   guard let id = req.parameters.get("id", as: User.IDValue.self),
  //   let user = users.
  // }

  @Sendable
  func delete(req: Request) async throws -> HTTPStatus {
    guard let id = req.parameters.get("id", as: User.IDValue.self) else {
      throw Abort(.badRequest, reason: "User id not provided")
    }
    try await users.delete(id: id, on: req.db)
    return .ok
  }
}