phase 2 initial test

internal/api/router.go

@@ -9,13 +9,14 @@ import (
 	"github.com/go-chi/cors"
 	gcsrf "github.com/gorilla/csrf"
 	"github.com/gorilla/sessions"
+	"xorm.io/xorm"
 
 	"github.com/forgeo/forgebucket/internal/api/handlers"
 	"github.com/forgeo/forgebucket/internal/api/middleware"
 	"github.com/forgeo/forgebucket/internal/config"
 )
 
-func New(cfg *config.Config, store sessions.Store, staticFiles fs.FS) http.Handler {
+func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFiles fs.FS) http.Handler {
 	r := chi.NewRouter()
 
 	r.Use(chimiddleware.Logger)
@@ -34,38 +35,39 @@ func New(cfg *config.Config, store sessions.Store, staticFiles fs.FS) http.Handl
 		gcsrf.Secure(!cfg.Debug),
 		gcsrf.SameSite(gcsrf.SameSiteLaxMode),
 		gcsrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "CSRF validation failed", http.StatusForbidden)
+			http.Error(w, `{"error":"CSRF validation failed"}`, http.StatusForbidden)
 		})),
 	)
 
 	auth := middleware.NewAuth(store)
 
-	repoH := handlers.NewRepoHandler()
-	userH := handlers.NewUserHandler(store)
-	prH := handlers.NewPRHandler()
-	pipeH := handlers.NewPipelineHandler()
+	repoH := handlers.NewRepoHandler(engine, cfg)
+	userH := handlers.NewUserHandler(engine, store)
+	prH := handlers.NewPRHandler(engine)
+	pipeH := handlers.NewPipelineHandler(engine)
 	wsH := handlers.NewWSHandler()
 
-	// Health check (no auth, no CSRF)
+	// Health — no auth, no CSRF
 	r.Get("/api/v1/health", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.Write([]byte(`{"status":"ok"}`))
 	})
 
-	// CSRF token endpoint for SPA bootstrap
+	// CSRF token bootstrap for SPA
 	r.With(csrfMiddleware).Get("/api/v1/csrf", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-CSRF-Token", gcsrf.Token(r))
 		w.Header().Set("Content-Type", "application/json")
 		w.Write([]byte(`{"ok":true}`))
 	})
 
-	// Auth routes (CSRF protected, no session required)
+	// Auth (CSRF protected, no session required)
 	r.With(csrfMiddleware).Route("/api/v1/auth", func(r chi.Router) {
 		r.Post("/login", userH.Login)
 		r.Post("/logout", userH.Logout)
+		r.Post("/register", userH.Register)
 	})
 
-	// Authenticated API routes
+	// Authenticated API
 	r.With(csrfMiddleware).With(auth.Require).Route("/api/v1", func(r chi.Router) {
 		r.Get("/me", userH.Me)
 
@@ -76,11 +78,13 @@ func New(cfg *config.Config, store sessions.Store, staticFiles fs.FS) http.Handl
 				r.Get("/", repoH.Get)
 				r.Get("/tree", repoH.Tree)
 				r.Get("/blob", repoH.Blob)
+				r.Get("/commits", repoH.Commits)
 				r.Route("/pulls", func(r chi.Router) {
 					r.Get("/", prH.List)
 					r.Post("/", prH.Create)
 					r.Get("/{prID}", prH.Get)
 					r.Post("/{prID}/merge", prH.Merge)
+					r.Post("/{prID}/close", prH.Close)
 				})
 				r.Route("/pipelines", func(r chi.Router) {
 					r.Get("/", pipeH.List)
@@ -90,10 +94,10 @@ func New(cfg *config.Config, store sessions.Store, staticFiles fs.FS) http.Handl
 		})
 	})
 
-	// WebSocket hub (auth via session cookie, no CSRF needed for WS)
+	// WebSocket — session auth only, no CSRF needed for WS upgrades
 	r.With(auth.Optional).Get("/ws", wsH.Hub)
 
-	// SPA fallback — serve embedded React app for all other routes
+	// SPA fallback
 	r.Handle("/*", spaHandler(staticFiles))
 
 	return r
@@ -104,13 +108,6 @@ func spaHandler(staticFiles fs.FS) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		_, err := staticFiles.Open(r.URL.Path)
 		if err != nil {
-			// Unknown path → serve index.html for client-side routing
-			index, err := staticFiles.Open("index.html")
-			if err != nil {
-				http.Error(w, "not found", http.StatusNotFound)
-				return
-			}
-			index.Close()
 			r.URL.Path = "/"
 		}
 		fileServer.ServeHTTP(w, r)