m/KanzlAI-mGMT
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: m:mai/pike/p0-role-based
Branches Tags
m:main m:mai/knuth/build-patentprozesskosten m:mai/ritchie/build-patentprozesskosten m:mai/knuth/redesign-fristenrechner m:mai/knuth/implement-direct-smtp m:mai/knuth/write-integration-tests m:mai/brunel/fix-timeline-404 m:mai/ritchie/group-proceeding-types m:mai/ritchie/migration-t2-update m:mai/brunel/fix-wire-all-missing m:mai/carmack/upc-deadline-determinatio m:mai/ritchie/p1-document-templates m:mai/linus/p2-ai-powered-features m:mai/gosling/hl-tenant-setup-email m:mai/pike/p1-reporting-dashboard m:mai/knuth/p1-time-tracking-billing m:mai/pike/p0-role-based m:mai/ritchie/p0-email-notifications m:mai/knuth/p0-audit-trail-append m:mai/brunel/critical-fix-tenant m:mai/cronus/invent-full-kanzlai-mgmt m:mai/athena/consult-evaluate-mvp m:mai/ritchie/phase-b-frontend m:mai/pike/phase-c-frontend-detail m:mai/linus/phase-d-frontend-case m:mai/knuth/phase-a-backend-notes m:mai/cronus/redesign-dashboard-add m:mai/brunel/fix-frontend-crash-add m:mai/knuth/write-e2e-and-api-test m:mai/ritchie/phase-4-production m:mai/knuth/phase-3p-frontend-caldav m:mai/linus/phase-3q-ui-polish m:mai/pike/phase-3o-caldav m:mai/knuth/phase-1h-frontend m:mai/ritchie/phase-2n-frontend m:mai/pike/phase-1g-frontend m:mai/ritchie/phase-1f-frontend-case m:mai/knuth/phase-2l-frontend m:mai/linus/phase-2m-frontend-ai m:mai/pike/phase-2j-ai-deadline m:mai/linus/phase-2k-document-upload m:mai/knuth/phase-1e-frontend-auth m:mai/ritchie/phase-2i-dashboard m:mai/pike/phase-1c-deadline-crud m:mai/knuth/phase-1a-tenant-auth m:mai/ritchie/phase-1b-case-party-case m:mai/linus/phase-1d-appointment m:mai/knuth/phase-0-database-schema m:mai/knuth/deploy-mvp-docker m:mai/knuth/project-scaffolding
...
pull from: m:mai/knuth/p1-time-tracking-billing
Branches Tags
m:main m:mai/knuth/build-patentprozesskosten m:mai/ritchie/build-patentprozesskosten m:mai/knuth/redesign-fristenrechner m:mai/knuth/implement-direct-smtp m:mai/knuth/write-integration-tests m:mai/brunel/fix-timeline-404 m:mai/ritchie/group-proceeding-types m:mai/ritchie/migration-t2-update m:mai/brunel/fix-wire-all-missing m:mai/carmack/upc-deadline-determinatio m:mai/ritchie/p1-document-templates m:mai/linus/p2-ai-powered-features m:mai/gosling/hl-tenant-setup-email m:mai/pike/p1-reporting-dashboard m:mai/knuth/p1-time-tracking-billing m:mai/pike/p0-role-based m:mai/ritchie/p0-email-notifications m:mai/knuth/p0-audit-trail-append m:mai/brunel/critical-fix-tenant m:mai/cronus/invent-full-kanzlai-mgmt m:mai/athena/consult-evaluate-mvp m:mai/ritchie/phase-b-frontend m:mai/pike/phase-c-frontend-detail m:mai/linus/phase-d-frontend-case m:mai/knuth/phase-a-backend-notes m:mai/cronus/redesign-dashboard-add m:mai/brunel/fix-frontend-crash-add m:mai/knuth/write-e2e-and-api-test m:mai/ritchie/phase-4-production m:mai/knuth/phase-3p-frontend-caldav m:mai/linus/phase-3q-ui-polish m:mai/pike/phase-3o-caldav m:mai/knuth/phase-1h-frontend m:mai/ritchie/phase-2n-frontend m:mai/pike/phase-1g-frontend m:mai/ritchie/phase-1f-frontend-case m:mai/knuth/phase-2l-frontend m:mai/linus/phase-2m-frontend-ai m:mai/pike/phase-2j-ai-deadline m:mai/linus/phase-2k-document-upload m:mai/knuth/phase-1e-frontend-auth m:mai/ritchie/phase-2i-dashboard m:mai/pike/phase-1c-deadline-crud m:mai/knuth/phase-1a-tenant-auth m:mai/ritchie/phase-1b-case-party-case m:mai/linus/phase-1d-appointment m:mai/knuth/phase-0-database-schema m:mai/knuth/deploy-mvp-docker m:mai/knuth/project-scaffolding

8 Commits
mai/pike/p ... mai/knuth/

Author SHA1 Message Date
m
238811727d feat: time tracking + billing — hourly rates, time entries, invoices (P1) 
Database: time_entries, billing_rates, invoices tables with RLS.
Backend: CRUD services+handlers for time entries, billing rates, invoices.
  - Time entries: list/create/update/delete, summary by case/user/month
  - Billing rates: upsert with auto-close previous, current rate lookup
  - Invoices: create with auto-number (RE-YYYY-NNN), status transitions
    (draft->sent->paid, cancellation), link time entries on invoice create
API: 11 new endpoints under /api/time-entries, /api/billing-rates, /api/invoices
Frontend: Zeiterfassung tab on case detail, /abrechnung overview with filters,
  /abrechnung/rechnungen list+detail with status actions, billing rates settings
Also: resolved merge conflicts between audit-trail and role-based branches,
  added missing types (Notification, AuditLogResponse, NotificationPreferences)
 2026-03-30 11:24:36 +02:00
m
8e65463130 feat: role-based permissions — owner/partner/associate/paralegal/secretary (P0) 2026-03-30 11:09:05 +02:00
m
a307b29db8 feat: email notifications + deadline reminder system (P0) 2026-03-30 11:08:53 +02:00
m
5e88384fab feat: append-only audit trail for all mutations (P0) 2026-03-30 11:08:41 +02:00
m
ac20c03f01 feat: email notifications + deadline reminder system 
Database:
- notification_preferences table (user_id, tenant_id, reminder days, email/digest toggles)
- notifications table (type, entity link, read/sent tracking, dedup index)

Backend:
- NotificationService with background goroutine checking reminders hourly
- CheckDeadlineReminders: finds deadlines due in N days per user prefs, creates notifications
- Overdue deadline detection and notification
- Daily digest at 8am: compiles pending notifications into one email
- SendEmail via `m mail send` CLI command
- Deduplication: same notification type + entity + day = skip
- API: GET/PATCH notifications, unread count, mark read/all-read
- API: GET/PUT notification-preferences with upsert

Frontend:
- NotificationBell in header with unread count badge (polls every 30s)
- Dropdown panel with notification list, type-colored dots, time-ago, entity links
- Mark individual/all as read
- NotificationSettings in Einstellungen page: reminder day toggles, email toggle, digest toggle
 2026-03-30 11:03:17 +02:00
m
c324a2b5c7 fix: critical security hardening — tenant isolation, CORS, error masking, input validation 2026-03-30 11:02:52 +02:00
m
b36247dfb9 feat: append-only audit trail for all mutations (P0) 
- Database: kanzlai.audit_log table with RLS, append-only policies
  (no UPDATE/DELETE), indexes for entity, user, and time queries
- Backend: AuditService.Log() with context-based tenant/user/IP/UA
  extraction, wired into all 7 services (case, deadline, appointment,
  document, note, party, tenant)
- API: GET /api/audit-log with entity_type, entity_id, user_id,
  from/to date, and pagination filters
- Frontend: Protokoll tab on case detail page with chronological
  audit entries, diff preview, and pagination

Required by § 50 BRAO and DSGVO Art. 5(2).
 2026-03-30 11:02:28 +02:00
m
c15d5b72f2 fix: critical security hardening — tenant isolation, CORS, error leaking, input validation 
1. Tenant isolation bypass (CRITICAL): TenantResolver now verifies user
   has access to X-Tenant-ID via user_tenants lookup before setting context.
   Added VerifyAccess method to TenantLookup interface and TenantService.

2. Consolidated tenant resolution: Removed duplicate resolveTenant() from
   helpers.go and tenant resolution from auth middleware. TenantResolver is
   now the single source of truth. Deadlines and AI handlers use
   auth.TenantFromContext() instead of direct DB queries.

3. CalDAV credential masking: tenant settings responses now mask CalDAV
   passwords with "********" via maskSettingsPassword helper. Applied to
   GetTenant, ListTenants, and UpdateSettings responses.

4. CORS + security headers: New middleware/security.go with CORS
   (restricted to FRONTEND_ORIGIN) and security headers (X-Frame-Options,
   X-Content-Type-Options, HSTS, Referrer-Policy, X-XSS-Protection).

5. Internal error leaking: All writeError(w, 500, err.Error()) replaced
   with internalError() that logs via slog and returns generic "internal
   error" to client. Same for jsonError in tenant handler.

6. Input validation: Max length on title (500), description (10000),
   case_number (100), search (200). Pagination clamped to max 100.
   Content-Disposition filename sanitized against header injection.

Regression test added for tenant access denial (403 on unauthorized
X-Tenant-ID). All existing tests pass, go vet clean.
 2026-03-30 11:01:14 +02:00
56 changed files with 4307 additions and 216 deletions
Expand all files Collapse all files

7
backend/cmd/server/main.go
View File

@@ -36,7 +36,12 @@ func main() {
calDAVSvc.Start()
defer calDAVSvc.Stop()
handler := router.New(database, authMW, cfg, calDAVSvc)
// Start notification reminder service
notifSvc := services.NewNotificationService(database)
notifSvc.Start()
defer notifSvc.Stop()
handler := router.New(database, authMW, cfg, calDAVSvc, notifSvc)
slog.Info("starting KanzlAI API server", "port", cfg.Port)
if err := http.ListenAndServe(":"+cfg.Port, handler); err != nil {

28
backend/internal/auth/context.go
View File

@@ -9,9 +9,11 @@ import (
type contextKey string
const (
userIDKey contextKey = "user_id"
tenantIDKey contextKey = "tenant_id"
userRoleKey contextKey = "user_role"
userIDKey contextKey = "user_id"
tenantIDKey contextKey = "tenant_id"
userRoleKey contextKey = "user_role"
ipKey contextKey = "ip_address"
userAgentKey contextKey = "user_agent"
)
func ContextWithUserID(ctx context.Context, userID uuid.UUID) context.Context {
@@ -40,3 +42,23 @@ func UserRoleFromContext(ctx context.Context) string {
role, _ := ctx.Value(userRoleKey).(string)
return role
}
func ContextWithRequestInfo(ctx context.Context, ip, userAgent string) context.Context {
ctx = context.WithValue(ctx, ipKey, ip)
ctx = context.WithValue(ctx, userAgentKey, userAgent)
return ctx
}
func IPFromContext(ctx context.Context) *string {
if v, ok := ctx.Value(ipKey).(string); ok && v != "" {
return &v
}
return nil
}
func UserAgentFromContext(ctx context.Context) *string {
if v, ok := ctx.Value(userAgentKey).(string); ok && v != "" {
return &v
}
return nil
}

24
backend/internal/auth/middleware.go
View File

@@ -24,31 +24,27 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
token := extractBearerToken(r)
if token == "" {
http.Error(w, "missing authorization token", http.StatusUnauthorized)
http.Error(w, `{"error":"missing authorization token"}`, http.StatusUnauthorized)
return
}
userID, err := m.verifyJWT(token)
if err != nil {
http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
return
}
ctx := ContextWithUserID(r.Context(), userID)
// Resolve tenant and role from user_tenants
var membership struct {
TenantID uuid.UUID `db:"tenant_id"`
Role string `db:"role"`
// Capture IP and user-agent for audit logging
ip := r.Header.Get("X-Forwarded-For")
if ip == "" {
ip = r.RemoteAddr
}
err = m.db.GetContext(r.Context(), &membership,
"SELECT tenant_id, role FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
if err != nil {
http.Error(w, "no tenant found for user", http.StatusForbidden)
return
}
ctx = ContextWithTenantID(ctx, membership.TenantID)
ctx = ContextWithUserRole(ctx, membership.Role)
ctx = ContextWithRequestInfo(ctx, ip, r.UserAgent())
// Tenant resolution is handled by TenantResolver middleware for scoped routes.
// Tenant management routes handle their own access control.
next.ServeHTTP(w, r.WithContext(ctx))
})

35
backend/internal/auth/tenant_resolver.go
View File

@@ -2,21 +2,22 @@ package auth
import (
"context"
"fmt"
"log/slog"
"net/http"
"github.com/google/uuid"
)
// TenantLookup resolves the default tenant for a user.
// TenantLookup resolves and verifies tenant access for a user.
// Defined as an interface to avoid circular dependency with services.
type TenantLookup interface {
FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error)
VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error)
GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error)
}
// TenantResolver is middleware that resolves the tenant from X-Tenant-ID header
// or defaults to the user's first tenant.
// or defaults to the user's first tenant. Always verifies user has access.
type TenantResolver struct {
lookup TenantLookup
}
@@ -29,7 +30,7 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
userID, ok := UserFromContext(r.Context())
if !ok {
http.Error(w, "unauthorized", http.StatusUnauthorized)
http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
return
}
@@ -38,34 +39,46 @@ func (tr *TenantResolver) Resolve(next http.Handler) http.Handler {
if header := r.Header.Get("X-Tenant-ID"); header != "" {
parsed, err := uuid.Parse(header)
if err != nil {
http.Error(w, fmt.Sprintf("invalid X-Tenant-ID: %v", err), http.StatusBadRequest)
http.Error(w, `{"error":"invalid X-Tenant-ID"}`, http.StatusBadRequest)
return
}
// Verify user has access and get their role
role, err := tr.lookup.GetUserRole(r.Context(), userID, parsed)
if err != nil {
http.Error(w, "error checking tenant access", http.StatusInternalServerError)
slog.Error("tenant access check failed", "error", err, "user_id", userID, "tenant_id", parsed)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
if role == "" {
http.Error(w, "no access to this tenant", http.StatusForbidden)
http.Error(w, `{"error":"no access to tenant"}`, http.StatusForbidden)
return
}
tenantID = parsed
// Override the role from middleware with the correct one for this tenant
r = r.WithContext(ContextWithUserRole(r.Context(), role))
} else {
// Default to user's first tenant (role already set by middleware)
// Default to user's first tenant
first, err := tr.lookup.FirstTenantForUser(r.Context(), userID)
if err != nil {
http.Error(w, fmt.Sprintf("resolving tenant: %v", err), http.StatusInternalServerError)
slog.Error("failed to resolve default tenant", "error", err, "user_id", userID)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
if first == nil {
http.Error(w, "no tenant found for user", http.StatusBadRequest)
http.Error(w, `{"error":"no tenant found for user"}`, http.StatusBadRequest)
return
}
tenantID = *first
// Also resolve role for default tenant
role, err := tr.lookup.GetUserRole(r.Context(), userID, tenantID)
if err != nil {
slog.Error("failed to get role for default tenant", "error", err, "user_id", userID, "tenant_id", tenantID)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
r = r.WithContext(ContextWithUserRole(r.Context(), role))
}
ctx := ContextWithTenantID(r.Context(), tenantID)

41
backend/internal/auth/tenant_resolver_test.go
View File

@@ -10,25 +10,34 @@ import (
)
type mockTenantLookup struct {
tenantID *uuid.UUID
role string
err error
tenantID *uuid.UUID
err error
hasAccess bool
accessErr error
role string
}
func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
return m.tenantID, m.err
}
func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
return m.hasAccess, m.accessErr
}
func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
if m.role != "" {
return m.role, m.err
}
return "associate", m.err
if m.hasAccess {
return "associate", m.err
}
return "", m.err
}
func TestTenantResolver_FromHeader(t *testing.T) {
tenantID := uuid.New()
tr := NewTenantResolver(&mockTenantLookup{role: "partner"})
tr := NewTenantResolver(&mockTenantLookup{hasAccess: true, role: "partner"})
var gotTenantID uuid.UUID
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -55,9 +64,29 @@ func TestTenantResolver_FromHeader(t *testing.T) {
}
}
func TestTenantResolver_FromHeader_NoAccess(t *testing.T) {
tenantID := uuid.New()
tr := NewTenantResolver(&mockTenantLookup{hasAccess: false})
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next should not be called")
})
r := httptest.NewRequest("GET", "/api/cases", nil)
r.Header.Set("X-Tenant-ID", tenantID.String())
r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
w := httptest.NewRecorder()
tr.Resolve(next).ServeHTTP(w, r)
if w.Code != http.StatusForbidden {
t.Errorf("expected 403, got %d", w.Code)
}
}
func TestTenantResolver_DefaultsToFirst(t *testing.T) {
tenantID := uuid.New()
tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID, role: "owner"})
var gotTenantID uuid.UUID
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

2
backend/internal/config/config.go
View File

@@ -13,6 +13,7 @@ type Config struct {
SupabaseServiceKey string
SupabaseJWTSecret string
AnthropicAPIKey string
FrontendOrigin string
}
func Load() (*Config, error) {
@@ -24,6 +25,7 @@ func Load() (*Config, error) {
SupabaseServiceKey: os.Getenv("SUPABASE_SERVICE_KEY"),
SupabaseJWTSecret: os.Getenv("SUPABASE_JWT_SECRET"),
AnthropicAPIKey: os.Getenv("ANTHROPIC_API_KEY"),
FrontendOrigin: getEnv("FRONTEND_ORIGIN", "https://kanzlai.msbls.de"),
}
if cfg.DatabaseURL == "" {

22
backend/internal/handlers/ai.go
View File

@@ -5,18 +5,16 @@ import (
"io"
"net/http"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
)
type AIHandler struct {
ai *services.AIService
db *sqlx.DB
}
func NewAIHandler(ai *services.AIService, db *sqlx.DB) *AIHandler {
return &AIHandler{ai: ai, db: db}
func NewAIHandler(ai *services.AIService) *AIHandler {
return &AIHandler{ai: ai}
}
// ExtractDeadlines handles POST /api/ai/extract-deadlines
@@ -61,10 +59,14 @@ func (h *AIHandler) ExtractDeadlines(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "provide either a PDF file or text")
return
}
if len(text) > maxDescriptionLen {
writeError(w, http.StatusBadRequest, "text exceeds maximum length")
return
}
deadlines, err := h.ai.ExtractDeadlines(r.Context(), pdfData, text)
if err != nil {
writeError(w, http.StatusInternalServerError, "AI extraction failed: "+err.Error())
internalError(w, "AI deadline extraction failed", err)
return
}
@@ -77,9 +79,9 @@ func (h *AIHandler) ExtractDeadlines(w http.ResponseWriter, r *http.Request) {
// SummarizeCase handles POST /api/ai/summarize-case
// Accepts JSON {"case_id": "uuid"}.
func (h *AIHandler) SummarizeCase(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -104,7 +106,7 @@ func (h *AIHandler) SummarizeCase(w http.ResponseWriter, r *http.Request) {
summary, err := h.ai.SummarizeCase(r.Context(), tenantID, caseID)
if err != nil {
writeError(w, http.StatusInternalServerError, "AI summarization failed: "+err.Error())
internalError(w, "AI case summarization failed", err)
return
}

14
backend/internal/handlers/ai_handler_test.go
View File

@@ -42,7 +42,7 @@ func TestAIExtractDeadlines_InvalidJSON(t *testing.T) {
}
}
func TestAISummarizeCase_MissingCaseID(t *testing.T) {
func TestAISummarizeCase_MissingTenant(t *testing.T) {
h := &AIHandler{}
body := `{"case_id":""}`
@@ -52,9 +52,9 @@ func TestAISummarizeCase_MissingCaseID(t *testing.T) {
h.SummarizeCase(w, r)
// Without auth context, the resolveTenant will fail first
if w.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", w.Code)
// Without tenant context, TenantFromContext returns !ok → 403
if w.Code != http.StatusForbidden {
t.Errorf("expected 403, got %d", w.Code)
}
}
@@ -67,8 +67,8 @@ func TestAISummarizeCase_InvalidJSON(t *testing.T) {
h.SummarizeCase(w, r)
// Without auth context, the resolveTenant will fail first
if w.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", w.Code)
// Without tenant context, TenantFromContext returns !ok → 403
if w.Code != http.StatusForbidden {
t.Errorf("expected 403, got %d", w.Code)
}
}

8
backend/internal/handlers/appointments.go
View File

@@ -121,6 +121,10 @@ func (h *AppointmentHandler) Create(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "title is required")
return
}
if msg := validateStringLength("title", req.Title, maxTitleLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
if req.StartAt.IsZero() {
writeError(w, http.StatusBadRequest, "start_at is required")
return
@@ -188,6 +192,10 @@ func (h *AppointmentHandler) Update(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "title is required")
return
}
if msg := validateStringLength("title", req.Title, maxTitleLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
if req.StartAt.IsZero() {
writeError(w, http.StatusBadRequest, "start_at is required")
return

63
backend/internal/handlers/audit_log.go Normal file
View File

@@ -0,0 +1,63 @@
package handlers
import (
"net/http"
"strconv"
"github.com/google/uuid"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
)
type AuditLogHandler struct {
svc *services.AuditService
}
func NewAuditLogHandler(svc *services.AuditService) *AuditLogHandler {
return &AuditLogHandler{svc: svc}
}
func (h *AuditLogHandler) List(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
q := r.URL.Query()
page, _ := strconv.Atoi(q.Get("page"))
limit, _ := strconv.Atoi(q.Get("limit"))
filter := services.AuditFilter{
EntityType: q.Get("entity_type"),
From: q.Get("from"),
To: q.Get("to"),
Page: page,
Limit: limit,
}
if idStr := q.Get("entity_id"); idStr != "" {
if id, err := uuid.Parse(idStr); err == nil {
filter.EntityID = &id
}
}
if idStr := q.Get("user_id"); idStr != "" {
if id, err := uuid.Parse(idStr); err == nil {
filter.UserID = &id
}
}
entries, total, err := h.svc.List(r.Context(), tenantID, filter)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to fetch audit log")
return
}
writeJSON(w, http.StatusOK, map[string]any{
"entries": entries,
"total": total,
"page": filter.Page,
"limit": filter.Limit,
})
}

66
backend/internal/handlers/billing_rates.go Normal file
View File

@@ -0,0 +1,66 @@
package handlers
import (
"encoding/json"
"net/http"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
)
type BillingRateHandler struct {
svc *services.BillingRateService
}
func NewBillingRateHandler(svc *services.BillingRateService) *BillingRateHandler {
return &BillingRateHandler{svc: svc}
}
// List handles GET /api/billing-rates
func (h *BillingRateHandler) List(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
rates, err := h.svc.List(r.Context(), tenantID)
if err != nil {
internalError(w, "failed to list billing rates", err)
return
}
writeJSON(w, http.StatusOK, map[string]any{"billing_rates": rates})
}
// Upsert handles PUT /api/billing-rates
func (h *BillingRateHandler) Upsert(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
var input services.UpsertBillingRateInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
if input.Rate < 0 {
writeError(w, http.StatusBadRequest, "rate must be non-negative")
return
}
if input.ValidFrom == "" {
writeError(w, http.StatusBadRequest, "valid_from is required")
return
}
rate, err := h.svc.Upsert(r.Context(), tenantID, input)
if err != nil {
internalError(w, "failed to upsert billing rate", err)
return
}
writeJSON(w, http.StatusOK, rate)
}

2
backend/internal/handlers/caldav.go
View File

@@ -27,7 +27,7 @@ func (h *CalDAVHandler) TriggerSync(w http.ResponseWriter, r *http.Request) {
cfg, err := h.svc.LoadTenantConfig(tenantID)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
writeError(w, http.StatusBadRequest, "CalDAV not configured for this tenant")
return
}

37
backend/internal/handlers/cases.go
View File

@@ -28,18 +28,25 @@ func (h *CaseHandler) List(w http.ResponseWriter, r *http.Request) {
limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
limit, offset = clampPagination(limit, offset)
search := r.URL.Query().Get("search")
if msg := validateStringLength("search", search, maxSearchLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
filter := services.CaseFilter{
Status: r.URL.Query().Get("status"),
Type: r.URL.Query().Get("type"),
Search: r.URL.Query().Get("search"),
Search: search,
Limit: limit,
Offset: offset,
}
cases, total, err := h.svc.List(r.Context(), tenantID, filter)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to list cases", err)
return
}
@@ -66,10 +73,18 @@ func (h *CaseHandler) Create(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "case_number and title are required")
return
}
if msg := validateStringLength("case_number", input.CaseNumber, maxCaseNumberLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
if msg := validateStringLength("title", input.Title, maxTitleLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
c, err := h.svc.Create(r.Context(), tenantID, userID, input)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to create case", err)
return
}
@@ -91,7 +106,7 @@ func (h *CaseHandler) Get(w http.ResponseWriter, r *http.Request) {
detail, err := h.svc.GetByID(r.Context(), tenantID, caseID)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to get case", err)
return
}
if detail == nil {
@@ -121,10 +136,22 @@ func (h *CaseHandler) Update(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
if input.Title != nil {
if msg := validateStringLength("title", *input.Title, maxTitleLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
}
if input.CaseNumber != nil {
if msg := validateStringLength("case_number", *input.CaseNumber, maxCaseNumberLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
}
updated, err := h.svc.Update(r.Context(), tenantID, caseID, userID, input)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to update case", err)
return
}
if updated == nil {

2
backend/internal/handlers/dashboard.go
View File

@@ -24,7 +24,7 @@ func (h *DashboardHandler) Get(w http.ResponseWriter, r *http.Request) {
data, err := h.svc.Get(r.Context(), tenantID)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to load dashboard", err)
return
}

74
backend/internal/handlers/deadlines.go
View File

@@ -4,27 +4,25 @@ import (
"encoding/json"
"net/http"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
)
// DeadlineHandlers holds handlers for deadline CRUD endpoints
type DeadlineHandlers struct {
deadlines *services.DeadlineService
db *sqlx.DB
}
// NewDeadlineHandlers creates deadline handlers
func NewDeadlineHandlers(ds *services.DeadlineService, db *sqlx.DB) *DeadlineHandlers {
return &DeadlineHandlers{deadlines: ds, db: db}
func NewDeadlineHandlers(ds *services.DeadlineService) *DeadlineHandlers {
return &DeadlineHandlers{deadlines: ds}
}
// Get handles GET /api/deadlines/{deadlineID}
func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -36,7 +34,7 @@ func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
deadline, err := h.deadlines.GetByID(tenantID, deadlineID)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to fetch deadline")
internalError(w, "failed to fetch deadline", err)
return
}
if deadline == nil {
@@ -49,15 +47,15 @@ func (h *DeadlineHandlers) Get(w http.ResponseWriter, r *http.Request) {
// ListAll handles GET /api/deadlines
func (h *DeadlineHandlers) ListAll(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
deadlines, err := h.deadlines.ListAll(tenantID)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to list deadlines")
internalError(w, "failed to list deadlines", err)
return
}
@@ -66,9 +64,9 @@ func (h *DeadlineHandlers) ListAll(w http.ResponseWriter, r *http.Request) {
// ListForCase handles GET /api/cases/{caseID}/deadlines
func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -80,7 +78,7 @@ func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
deadlines, err := h.deadlines.ListForCase(tenantID, caseID)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to list deadlines")
internalError(w, "failed to list deadlines for case", err)
return
}
@@ -89,9 +87,9 @@ func (h *DeadlineHandlers) ListForCase(w http.ResponseWriter, r *http.Request) {
// Create handles POST /api/cases/{caseID}/deadlines
func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -112,10 +110,14 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "title and due_date are required")
return
}
if msg := validateStringLength("title", input.Title, maxTitleLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
deadline, err := h.deadlines.Create(tenantID, input)
deadline, err := h.deadlines.Create(r.Context(), tenantID, input)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to create deadline")
internalError(w, "failed to create deadline", err)
return
}
@@ -124,9 +126,9 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
// Update handles PUT /api/deadlines/{deadlineID}
func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -142,9 +144,9 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
return
}
deadline, err := h.deadlines.Update(tenantID, deadlineID, input)
deadline, err := h.deadlines.Update(r.Context(), tenantID, deadlineID, input)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to update deadline")
internalError(w, "failed to update deadline", err)
return
}
if deadline == nil {
@@ -157,9 +159,9 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
// Complete handles PATCH /api/deadlines/{deadlineID}/complete
func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -169,9 +171,9 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
return
}
deadline, err := h.deadlines.Complete(tenantID, deadlineID)
deadline, err := h.deadlines.Complete(r.Context(), tenantID, deadlineID)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to complete deadline")
internalError(w, "failed to complete deadline", err)
return
}
if deadline == nil {
@@ -184,9 +186,9 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
// Delete handles DELETE /api/deadlines/{deadlineID}
func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
tenantID, err := resolveTenant(r, h.db)
if err != nil {
handleTenantError(w, err)
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
@@ -196,7 +198,7 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
return
}
err = h.deadlines.Delete(tenantID, deadlineID)
err = h.deadlines.Delete(r.Context(), tenantID, deadlineID)
if err != nil {
writeError(w, http.StatusNotFound, err.Error())
return

12
backend/internal/handlers/documents.go
View File

@@ -36,7 +36,7 @@ func (h *DocumentHandler) ListByCase(w http.ResponseWriter, r *http.Request) {
docs, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to list documents", err)
return
}
@@ -98,7 +98,7 @@ func (h *DocumentHandler) Upload(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusNotFound, "case not found")
return
}
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to upload document", err)
return
}
@@ -121,16 +121,16 @@ func (h *DocumentHandler) Download(w http.ResponseWriter, r *http.Request) {
body, contentType, title, err := h.svc.Download(r.Context(), tenantID, docID)
if err != nil {
if err.Error() == "document not found" || err.Error() == "document has no file" {
writeError(w, http.StatusNotFound, err.Error())
writeError(w, http.StatusNotFound, "document not found")
return
}
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to download document", err)
return
}
defer body.Close()
w.Header().Set("Content-Type", contentType)
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, title))
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, sanitizeFilename(title)))
io.Copy(w, body)
}
@@ -149,7 +149,7 @@ func (h *DocumentHandler) GetMeta(w http.ResponseWriter, r *http.Request) {
doc, err := h.svc.GetByID(r.Context(), tenantID, docID)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to get document metadata", err)
return
}
if doc == nil {

136
backend/internal/handlers/helpers.go
View File

@@ -2,12 +2,12 @@ package handlers
import (
"encoding/json"
"log/slog"
"net/http"
"strings"
"unicode/utf8"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
)
func writeJSON(w http.ResponseWriter, status int, v any) {
@@ -20,62 +20,9 @@ func writeError(w http.ResponseWriter, status int, msg string) {
writeJSON(w, status, map[string]string{"error": msg})
}
// resolveTenant gets the tenant ID for the authenticated user.
// Checks X-Tenant-ID header first, then falls back to user's first tenant.
func resolveTenant(r *http.Request, db *sqlx.DB) (uuid.UUID, error) {
userID, ok := auth.UserFromContext(r.Context())
if !ok {
return uuid.Nil, errUnauthorized
}
// Check header first
if headerVal := r.Header.Get("X-Tenant-ID"); headerVal != "" {
tenantID, err := uuid.Parse(headerVal)
if err != nil {
return uuid.Nil, errInvalidTenant
}
// Verify user has access to this tenant
var count int
err = db.Get(&count,
`SELECT COUNT(*) FROM user_tenants WHERE user_id = $1 AND tenant_id = $2`,
userID, tenantID)
if err != nil || count == 0 {
return uuid.Nil, errTenantAccess
}
return tenantID, nil
}
// Fall back to user's first tenant
var tenantID uuid.UUID
err := db.Get(&tenantID,
`SELECT tenant_id FROM user_tenants WHERE user_id = $1 ORDER BY created_at LIMIT 1`,
userID)
if err != nil {
return uuid.Nil, errNoTenant
}
return tenantID, nil
}
type apiError struct {
msg string
status int
}
func (e *apiError) Error() string { return e.msg }
var (
errUnauthorized = &apiError{msg: "unauthorized", status: http.StatusUnauthorized}
errInvalidTenant = &apiError{msg: "invalid tenant ID", status: http.StatusBadRequest}
errTenantAccess = &apiError{msg: "no access to tenant", status: http.StatusForbidden}
errNoTenant = &apiError{msg: "no tenant found for user", status: http.StatusBadRequest}
)
// handleTenantError writes the appropriate error response for tenant resolution errors
func handleTenantError(w http.ResponseWriter, err error) {
if ae, ok := err.(*apiError); ok {
writeError(w, ae.status, ae.msg)
return
}
// internalError logs the real error and returns a generic message to the client.
func internalError(w http.ResponseWriter, msg string, err error) {
slog.Error(msg, "error", err)
writeError(w, http.StatusInternalServerError, "internal error")
}
@@ -88,3 +35,74 @@ func parsePathUUID(r *http.Request, key string) (uuid.UUID, error) {
func parseUUID(s string) (uuid.UUID, error) {
return uuid.Parse(s)
}
// --- Input validation helpers ---
const (
maxTitleLen = 500
maxDescriptionLen = 10000
maxCaseNumberLen = 100
maxSearchLen = 200
maxPaginationLimit = 100
)
// validateStringLength checks if a string exceeds the given max length.
func validateStringLength(field, value string, maxLen int) string {
if utf8.RuneCountInString(value) > maxLen {
return field + " exceeds maximum length"
}
return ""
}
// clampPagination enforces sane pagination defaults and limits.
func clampPagination(limit, offset int) (int, int) {
if limit <= 0 {
limit = 20
}
if limit > maxPaginationLimit {
limit = maxPaginationLimit
}
if offset < 0 {
offset = 0
}
return limit, offset
}
// sanitizeFilename removes characters unsafe for Content-Disposition headers.
func sanitizeFilename(name string) string {
// Remove control characters, quotes, and backslashes
var b strings.Builder
for _, r := range name {
if r < 32 || r == '"' || r == '\\' || r == '/' {
b.WriteRune('_')
} else {
b.WriteRune(r)
}
}
return b.String()
}
// maskSettingsPassword masks the CalDAV password in tenant settings JSON before returning to clients.
func maskSettingsPassword(settings json.RawMessage) json.RawMessage {
if len(settings) == 0 {
return settings
}
var m map[string]json.RawMessage
if err := json.Unmarshal(settings, &m); err != nil {
return settings
}
caldavRaw, ok := m["caldav"]
if !ok {
return settings
}
var caldav map[string]json.RawMessage
if err := json.Unmarshal(caldavRaw, &caldav); err != nil {
return settings
}
if _, ok := caldav["password"]; ok {
caldav["password"], _ = json.Marshal("********")
}
m["caldav"], _ = json.Marshal(caldav)
result, _ := json.Marshal(m)
return result
}

170
backend/internal/handlers/invoices.go Normal file
View File

@@ -0,0 +1,170 @@
package handlers
import (
"encoding/json"
"net/http"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
"github.com/google/uuid"
)
type InvoiceHandler struct {
svc *services.InvoiceService
}
func NewInvoiceHandler(svc *services.InvoiceService) *InvoiceHandler {
return &InvoiceHandler{svc: svc}
}
// List handles GET /api/invoices?case_id=&status=
func (h *InvoiceHandler) List(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
var caseID *uuid.UUID
if caseStr := r.URL.Query().Get("case_id"); caseStr != "" {
parsed, err := uuid.Parse(caseStr)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid case_id")
return
}
caseID = &parsed
}
invoices, err := h.svc.List(r.Context(), tenantID, caseID, r.URL.Query().Get("status"))
if err != nil {
internalError(w, "failed to list invoices", err)
return
}
writeJSON(w, http.StatusOK, map[string]any{"invoices": invoices})
}
// Get handles GET /api/invoices/{id}
func (h *InvoiceHandler) Get(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
invoiceID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid invoice ID")
return
}
inv, err := h.svc.GetByID(r.Context(), tenantID, invoiceID)
if err != nil {
internalError(w, "failed to get invoice", err)
return
}
if inv == nil {
writeError(w, http.StatusNotFound, "invoice not found")
return
}
writeJSON(w, http.StatusOK, inv)
}
// Create handles POST /api/invoices
func (h *InvoiceHandler) Create(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
userID, _ := auth.UserFromContext(r.Context())
var input services.CreateInvoiceInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
if input.ClientName == "" {
writeError(w, http.StatusBadRequest, "client_name is required")
return
}
if input.CaseID == uuid.Nil {
writeError(w, http.StatusBadRequest, "case_id is required")
return
}
inv, err := h.svc.Create(r.Context(), tenantID, userID, input)
if err != nil {
internalError(w, "failed to create invoice", err)
return
}
writeJSON(w, http.StatusCreated, inv)
}
// Update handles PUT /api/invoices/{id}
func (h *InvoiceHandler) Update(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
invoiceID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid invoice ID")
return
}
var input services.UpdateInvoiceInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
inv, err := h.svc.Update(r.Context(), tenantID, invoiceID, input)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
writeJSON(w, http.StatusOK, inv)
}
// UpdateStatus handles PATCH /api/invoices/{id}/status
func (h *InvoiceHandler) UpdateStatus(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
invoiceID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid invoice ID")
return
}
var body struct {
Status string `json:"status"`
}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
if body.Status == "" {
writeError(w, http.StatusBadRequest, "status is required")
return
}
inv, err := h.svc.UpdateStatus(r.Context(), tenantID, invoiceID, body.Status)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
writeJSON(w, http.StatusOK, inv)
}

8
backend/internal/handlers/notes.go
View File

@@ -60,6 +60,10 @@ func (h *NoteHandler) Create(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "content is required")
return
}
if msg := validateStringLength("content", input.Content, maxDescriptionLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
var createdBy *uuid.UUID
if userID != uuid.Nil {
@@ -100,6 +104,10 @@ func (h *NoteHandler) Update(w http.ResponseWriter, r *http.Request) {
writeError(w, http.StatusBadRequest, "content is required")
return
}
if msg := validateStringLength("content", req.Content, maxDescriptionLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
note, err := h.svc.Update(r.Context(), tenantID, noteID, req.Content)
if err != nil {

171
backend/internal/handlers/notifications.go Normal file
View File

@@ -0,0 +1,171 @@
package handlers
import (
"encoding/json"
"net/http"
"strconv"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
)
// NotificationHandler handles notification API endpoints.
type NotificationHandler struct {
svc *services.NotificationService
db *sqlx.DB
}
// NewNotificationHandler creates a new notification handler.
func NewNotificationHandler(svc *services.NotificationService, db *sqlx.DB) *NotificationHandler {
return &NotificationHandler{svc: svc, db: db}
}
// List returns paginated notifications for the authenticated user.
func (h *NotificationHandler) List(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
userID, ok := auth.UserFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
notifications, total, err := h.svc.ListForUser(r.Context(), tenantID, userID, limit, offset)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to list notifications")
return
}
writeJSON(w, http.StatusOK, map[string]any{
"data": notifications,
"total": total,
})
}
// UnreadCount returns the count of unread notifications.
func (h *NotificationHandler) UnreadCount(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
userID, ok := auth.UserFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
count, err := h.svc.UnreadCount(r.Context(), tenantID, userID)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to count notifications")
return
}
writeJSON(w, http.StatusOK, map[string]int{"unread_count": count})
}
// MarkRead marks a single notification as read.
func (h *NotificationHandler) MarkRead(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
userID, ok := auth.UserFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
notifID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid notification ID")
return
}
if err := h.svc.MarkRead(r.Context(), tenantID, userID, notifID); err != nil {
writeError(w, http.StatusNotFound, err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
}
// MarkAllRead marks all notifications as read.
func (h *NotificationHandler) MarkAllRead(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
userID, ok := auth.UserFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
if err := h.svc.MarkAllRead(r.Context(), tenantID, userID); err != nil {
writeError(w, http.StatusInternalServerError, "failed to mark all read")
return
}
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
}
// GetPreferences returns notification preferences for the authenticated user.
func (h *NotificationHandler) GetPreferences(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
userID, ok := auth.UserFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
pref, err := h.svc.GetPreferences(r.Context(), tenantID, userID)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to get preferences")
return
}
writeJSON(w, http.StatusOK, pref)
}
// UpdatePreferences updates notification preferences for the authenticated user.
func (h *NotificationHandler) UpdatePreferences(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
userID, ok := auth.UserFromContext(r.Context())
if !ok {
writeError(w, http.StatusUnauthorized, "unauthorized")
return
}
var input services.UpdatePreferencesInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeError(w, http.StatusBadRequest, "invalid request body")
return
}
pref, err := h.svc.UpdatePreferences(r.Context(), tenantID, userID, input)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to update preferences")
return
}
writeJSON(w, http.StatusOK, pref)
}

11
backend/internal/handlers/parties.go
View File

@@ -34,7 +34,7 @@ func (h *PartyHandler) List(w http.ResponseWriter, r *http.Request) {
parties, err := h.svc.ListByCase(r.Context(), tenantID, caseID)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to list parties", err)
return
}
@@ -67,13 +67,18 @@ func (h *PartyHandler) Create(w http.ResponseWriter, r *http.Request) {
return
}
if msg := validateStringLength("name", input.Name, maxTitleLen); msg != "" {
writeError(w, http.StatusBadRequest, msg)
return
}
party, err := h.svc.Create(r.Context(), tenantID, caseID, userID, input)
if err != nil {
if err == sql.ErrNoRows {
writeError(w, http.StatusNotFound, "case not found")
return
}
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to create party", err)
return
}
@@ -101,7 +106,7 @@ func (h *PartyHandler) Update(w http.ResponseWriter, r *http.Request) {
updated, err := h.svc.Update(r.Context(), tenantID, partyID, input)
if err != nil {
writeError(w, http.StatusInternalServerError, err.Error())
internalError(w, "failed to update party", err)
return
}
if updated == nil {

48
backend/internal/handlers/tenant_handler.go
View File

@@ -2,6 +2,7 @@ package handlers
import (
"encoding/json"
"log/slog"
"net/http"
"github.com/google/uuid"
@@ -41,7 +42,8 @@ func (h *TenantHandler) CreateTenant(w http.ResponseWriter, r *http.Request) {
tenant, err := h.svc.Create(r.Context(), userID, req.Name, req.Slug)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to create tenant", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
@@ -58,10 +60,16 @@ func (h *TenantHandler) ListTenants(w http.ResponseWriter, r *http.Request) {
tenants, err := h.svc.ListForUser(r.Context(), userID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to list tenants", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
// Mask CalDAV passwords in tenant settings
for i := range tenants {
tenants[i].Settings = maskSettingsPassword(tenants[i].Settings)
}
jsonResponse(w, tenants, http.StatusOK)
}
@@ -82,7 +90,8 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
// Verify user has access to this tenant
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to get user role", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
if role == "" {
@@ -92,7 +101,8 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
tenant, err := h.svc.GetByID(r.Context(), tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to get tenant", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
if tenant == nil {
@@ -100,6 +110,9 @@ func (h *TenantHandler) GetTenant(w http.ResponseWriter, r *http.Request) {
return
}
// Mask CalDAV password before returning
tenant.Settings = maskSettingsPassword(tenant.Settings)
jsonResponse(w, tenant, http.StatusOK)
}
@@ -120,7 +133,8 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
// Only owners and partners can invite
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to get user role", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
if role != "owner" && role != "partner" {
@@ -155,7 +169,8 @@ func (h *TenantHandler) InviteUser(w http.ResponseWriter, r *http.Request) {
ut, err := h.svc.InviteByEmail(r.Context(), tenantID, req.Email, req.Role)
if err != nil {
jsonError(w, err.Error(), http.StatusBadRequest)
// These are user-facing validation errors (user not found, already member)
jsonError(w, "failed to invite user", http.StatusBadRequest)
return
}
@@ -185,7 +200,8 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
// Only owners and partners can remove members (or user removing themselves)
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to get user role", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
if role != "owner" && role != "partner" && userID != memberID {
@@ -194,7 +210,8 @@ func (h *TenantHandler) RemoveMember(w http.ResponseWriter, r *http.Request) {
}
if err := h.svc.RemoveMember(r.Context(), tenantID, memberID); err != nil {
jsonError(w, err.Error(), http.StatusBadRequest)
// These are user-facing validation errors (not a member, last owner, etc.)
jsonError(w, "failed to remove member", http.StatusBadRequest)
return
}
@@ -218,7 +235,8 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
// Only owners and partners can update settings
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to get user role", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
if role != "owner" && role != "partner" {
@@ -234,10 +252,14 @@ func (h *TenantHandler) UpdateSettings(w http.ResponseWriter, r *http.Request) {
tenant, err := h.svc.UpdateSettings(r.Context(), tenantID, settings)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to update settings", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
// Mask CalDAV password before returning
tenant.Settings = maskSettingsPassword(tenant.Settings)
jsonResponse(w, tenant, http.StatusOK)
}
@@ -258,7 +280,8 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
// Verify user has access
role, err := h.svc.GetUserRole(r.Context(), userID, tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to get user role", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}
if role == "" {
@@ -268,7 +291,8 @@ func (h *TenantHandler) ListMembers(w http.ResponseWriter, r *http.Request) {
members, err := h.svc.ListMembers(r.Context(), tenantID)
if err != nil {
jsonError(w, err.Error(), http.StatusInternalServerError)
slog.Error("failed to list members", "error", err)
jsonError(w, "internal error", http.StatusInternalServerError)
return
}

209
backend/internal/handlers/time_entries.go Normal file
View File

@@ -0,0 +1,209 @@
package handlers
import (
"encoding/json"
"net/http"
"strconv"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
"github.com/google/uuid"
)
type TimeEntryHandler struct {
svc *services.TimeEntryService
}
func NewTimeEntryHandler(svc *services.TimeEntryService) *TimeEntryHandler {
return &TimeEntryHandler{svc: svc}
}
// ListForCase handles GET /api/cases/{id}/time-entries
func (h *TimeEntryHandler) ListForCase(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
caseID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid case ID")
return
}
entries, err := h.svc.ListForCase(r.Context(), tenantID, caseID)
if err != nil {
internalError(w, "failed to list time entries", err)
return
}
writeJSON(w, http.StatusOK, map[string]any{"time_entries": entries})
}
// List handles GET /api/time-entries?case_id=&user_id=&from=&to=
func (h *TimeEntryHandler) List(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
limit, _ := strconv.Atoi(r.URL.Query().Get("limit"))
offset, _ := strconv.Atoi(r.URL.Query().Get("offset"))
limit, offset = clampPagination(limit, offset)
filter := services.TimeEntryFilter{
From: r.URL.Query().Get("from"),
To: r.URL.Query().Get("to"),
Limit: limit,
Offset: offset,
}
if caseStr := r.URL.Query().Get("case_id"); caseStr != "" {
caseID, err := uuid.Parse(caseStr)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid case_id")
return
}
filter.CaseID = &caseID
}
if userStr := r.URL.Query().Get("user_id"); userStr != "" {
userID, err := uuid.Parse(userStr)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid user_id")
return
}
filter.UserID = &userID
}
entries, total, err := h.svc.List(r.Context(), tenantID, filter)
if err != nil {
internalError(w, "failed to list time entries", err)
return
}
writeJSON(w, http.StatusOK, map[string]any{
"time_entries": entries,
"total": total,
})
}
// Create handles POST /api/cases/{id}/time-entries
func (h *TimeEntryHandler) Create(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
userID, _ := auth.UserFromContext(r.Context())
caseID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid case ID")
return
}
var input services.CreateTimeEntryInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
input.CaseID = caseID
if input.Description == "" {
writeError(w, http.StatusBadRequest, "description is required")
return
}
if input.DurationMinutes <= 0 {
writeError(w, http.StatusBadRequest, "duration_minutes must be positive")
return
}
if input.Date == "" {
writeError(w, http.StatusBadRequest, "date is required")
return
}
entry, err := h.svc.Create(r.Context(), tenantID, userID, input)
if err != nil {
internalError(w, "failed to create time entry", err)
return
}
writeJSON(w, http.StatusCreated, entry)
}
// Update handles PUT /api/time-entries/{id}
func (h *TimeEntryHandler) Update(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
entryID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid time entry ID")
return
}
var input services.UpdateTimeEntryInput
if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
writeError(w, http.StatusBadRequest, "invalid JSON body")
return
}
entry, err := h.svc.Update(r.Context(), tenantID, entryID, input)
if err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
writeJSON(w, http.StatusOK, entry)
}
// Delete handles DELETE /api/time-entries/{id}
func (h *TimeEntryHandler) Delete(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
entryID, err := parsePathUUID(r, "id")
if err != nil {
writeError(w, http.StatusBadRequest, "invalid time entry ID")
return
}
if err := h.svc.Delete(r.Context(), tenantID, entryID); err != nil {
writeError(w, http.StatusBadRequest, err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"status": "deleted"})
}
// Summary handles GET /api/time-entries/summary?group_by=case|user|month&from=&to=
func (h *TimeEntryHandler) Summary(w http.ResponseWriter, r *http.Request) {
tenantID, ok := auth.TenantFromContext(r.Context())
if !ok {
writeError(w, http.StatusForbidden, "missing tenant")
return
}
groupBy := r.URL.Query().Get("group_by")
if groupBy == "" {
groupBy = "case"
}
summaries, err := h.svc.Summary(r.Context(), tenantID, groupBy,
r.URL.Query().Get("from"), r.URL.Query().Get("to"))
if err != nil {
internalError(w, "failed to get summary", err)
return
}
writeJSON(w, http.StatusOK, map[string]any{"summary": summaries})
}

2
backend/internal/integration_test.go
View File

@@ -46,7 +46,7 @@ func testServer(t *testing.T) (http.Handler, func()) {
}
authMW := auth.NewMiddleware(jwtSecret, database)
handler := router.New(database, authMW, cfg, nil)
handler := router.New(database, authMW, cfg, nil, nil)
return handler, func() { database.Close() }
}

49
backend/internal/middleware/security.go Normal file
View File

@@ -0,0 +1,49 @@
package middleware
import (
"net/http"
"strings"
)
// SecurityHeaders adds standard security headers to all responses.
func SecurityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-XSS-Protection", "1; mode=block")
w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
next.ServeHTTP(w, r)
})
}
// CORS returns middleware that restricts cross-origin requests to the given origin.
// If allowedOrigin is empty, CORS headers are not set (same-origin only).
func CORS(allowedOrigin string) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
origin := r.Header.Get("Origin")
if allowedOrigin != "" && origin != "" && matchOrigin(origin, allowedOrigin) {
w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Tenant-ID")
w.Header().Set("Access-Control-Max-Age", "86400")
w.Header().Set("Vary", "Origin")
}
// Handle preflight
if r.Method == http.MethodOptions {
w.WriteHeader(http.StatusNoContent)
return
}
next.ServeHTTP(w, r)
})
}
}
// matchOrigin checks if the request origin matches the allowed origin.
func matchOrigin(origin, allowed string) bool {
return strings.EqualFold(strings.TrimRight(origin, "/"), strings.TrimRight(allowed, "/"))
}

22
backend/internal/models/audit_log.go Normal file
View File

@@ -0,0 +1,22 @@
package models
import (
"encoding/json"
"time"
"github.com/google/uuid"
)
type AuditLog struct {
ID int64 `db:"id" json:"id"`
TenantID uuid.UUID `db:"tenant_id" json:"tenant_id"`
UserID *uuid.UUID `db:"user_id" json:"user_id,omitempty"`
Action string `db:"action" json:"action"`
EntityType string `db:"entity_type" json:"entity_type"`
EntityID *uuid.UUID `db:"entity_id" json:"entity_id,omitempty"`
OldValues *json.RawMessage `db:"old_values" json:"old_values,omitempty"`
NewValues *json.RawMessage `db:"new_values" json:"new_values,omitempty"`
IPAddress *string `db:"ip_address" json:"ip_address,omitempty"`
UserAgent *string `db:"user_agent" json:"user_agent,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
}

18
backend/internal/models/billing_rate.go Normal file
View File

@@ -0,0 +1,18 @@
package models
import (
"time"
"github.com/google/uuid"
)
type BillingRate struct {
ID uuid.UUID `db:"id" json:"id"`
TenantID uuid.UUID `db:"tenant_id" json:"tenant_id"`
UserID *uuid.UUID `db:"user_id" json:"user_id,omitempty"`
Rate float64 `db:"rate" json:"rate"`
Currency string `db:"currency" json:"currency"`
ValidFrom string `db:"valid_from" json:"valid_from"`
ValidTo *string `db:"valid_to" json:"valid_to,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
}

38
backend/internal/models/invoice.go Normal file
View File

@@ -0,0 +1,38 @@
package models
import (
"encoding/json"
"time"
"github.com/google/uuid"
)
type Invoice struct {
ID uuid.UUID `db:"id" json:"id"`
TenantID uuid.UUID `db:"tenant_id" json:"tenant_id"`
CaseID uuid.UUID `db:"case_id" json:"case_id"`
InvoiceNumber string `db:"invoice_number" json:"invoice_number"`
ClientName string `db:"client_name" json:"client_name"`
ClientAddress *string `db:"client_address" json:"client_address,omitempty"`
Items json.RawMessage `db:"items" json:"items"`
Subtotal float64 `db:"subtotal" json:"subtotal"`
TaxRate float64 `db:"tax_rate" json:"tax_rate"`
TaxAmount float64 `db:"tax_amount" json:"tax_amount"`
Total float64 `db:"total" json:"total"`
Status string `db:"status" json:"status"`
IssuedAt *string `db:"issued_at" json:"issued_at,omitempty"`
DueAt *string `db:"due_at" json:"due_at,omitempty"`
PaidAt *time.Time `db:"paid_at" json:"paid_at,omitempty"`
Notes *string `db:"notes" json:"notes,omitempty"`
CreatedBy uuid.UUID `db:"created_by" json:"created_by"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
}
type InvoiceItem struct {
Description string `json:"description"`
DurationMinutes int `json:"duration_minutes,omitempty"`
HourlyRate float64 `json:"hourly_rate,omitempty"`
Amount float64 `json:"amount"`
TimeEntryID *string `json:"time_entry_id,omitempty"`
}

32
backend/internal/models/notification.go Normal file
View File

@@ -0,0 +1,32 @@
package models
import (
"time"
"github.com/google/uuid"
"github.com/lib/pq"
)
type Notification struct {
ID uuid.UUID `db:"id" json:"id"`
TenantID uuid.UUID `db:"tenant_id" json:"tenant_id"`
UserID uuid.UUID `db:"user_id" json:"user_id"`
Type string `db:"type" json:"type"`
EntityType *string `db:"entity_type" json:"entity_type,omitempty"`
EntityID *uuid.UUID `db:"entity_id" json:"entity_id,omitempty"`
Title string `db:"title" json:"title"`
Body *string `db:"body" json:"body,omitempty"`
SentAt *time.Time `db:"sent_at" json:"sent_at,omitempty"`
ReadAt *time.Time `db:"read_at" json:"read_at,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
}
type NotificationPreferences struct {
UserID uuid.UUID `db:"user_id" json:"user_id"`
TenantID uuid.UUID `db:"tenant_id" json:"tenant_id"`
DeadlineReminderDays pq.Int64Array `db:"deadline_reminder_days" json:"deadline_reminder_days"`
EmailEnabled bool `db:"email_enabled" json:"email_enabled"`
DailyDigest bool `db:"daily_digest" json:"daily_digest"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
}

24
backend/internal/models/time_entry.go Normal file
View File

@@ -0,0 +1,24 @@
package models
import (
"time"
"github.com/google/uuid"
)
type TimeEntry struct {
ID uuid.UUID `db:"id" json:"id"`
TenantID uuid.UUID `db:"tenant_id" json:"tenant_id"`
CaseID uuid.UUID `db:"case_id" json:"case_id"`
UserID uuid.UUID `db:"user_id" json:"user_id"`
Date string `db:"date" json:"date"`
DurationMinutes int `db:"duration_minutes" json:"duration_minutes"`
Description string `db:"description" json:"description"`
Activity *string `db:"activity" json:"activity,omitempty"`
Billable bool `db:"billable" json:"billable"`
Billed bool `db:"billed" json:"billed"`
InvoiceID *uuid.UUID `db:"invoice_id" json:"invoice_id,omitempty"`
HourlyRate *float64 `db:"hourly_rate" json:"hourly_rate,omitempty"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
}

81
backend/internal/router/router.go
View File

@@ -15,41 +15,52 @@ import (
"mgit.msbls.de/m/KanzlAI-mGMT/internal/services"
)
func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService) http.Handler {
func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *services.CalDAVService, notifSvc *services.NotificationService) http.Handler {
mux := http.NewServeMux()
// Services
tenantSvc := services.NewTenantService(db)
caseSvc := services.NewCaseService(db)
partySvc := services.NewPartyService(db)
appointmentSvc := services.NewAppointmentService(db)
auditSvc := services.NewAuditService(db)
tenantSvc := services.NewTenantService(db, auditSvc)
caseSvc := services.NewCaseService(db, auditSvc)
partySvc := services.NewPartyService(db, auditSvc)
appointmentSvc := services.NewAppointmentService(db, auditSvc)
holidaySvc := services.NewHolidayService(db)
deadlineSvc := services.NewDeadlineService(db)
deadlineSvc := services.NewDeadlineService(db, auditSvc)
deadlineRuleSvc := services.NewDeadlineRuleService(db)
calculator := services.NewDeadlineCalculator(holidaySvc)
storageCli := services.NewStorageClient(cfg.SupabaseURL, cfg.SupabaseServiceKey)
documentSvc := services.NewDocumentService(db, storageCli)
documentSvc := services.NewDocumentService(db, storageCli, auditSvc)
assignmentSvc := services.NewCaseAssignmentService(db)
timeEntrySvc := services.NewTimeEntryService(db, auditSvc)
billingRateSvc := services.NewBillingRateService(db, auditSvc)
invoiceSvc := services.NewInvoiceService(db, auditSvc)
// AI service (optional — only if API key is configured)
var aiH *handlers.AIHandler
if cfg.AnthropicAPIKey != "" {
aiSvc := services.NewAIService(cfg.AnthropicAPIKey, db)
aiH = handlers.NewAIHandler(aiSvc, db)
aiH = handlers.NewAIHandler(aiSvc)
}
// Middleware
tenantResolver := auth.NewTenantResolver(tenantSvc)
noteSvc := services.NewNoteService(db)
noteSvc := services.NewNoteService(db, auditSvc)
dashboardSvc := services.NewDashboardService(db)
// Notification handler (optional — nil in tests)
var notifH *handlers.NotificationHandler
if notifSvc != nil {
notifH = handlers.NewNotificationHandler(notifSvc, db)
}
// Handlers
auditH := handlers.NewAuditLogHandler(auditSvc)
tenantH := handlers.NewTenantHandler(tenantSvc)
caseH := handlers.NewCaseHandler(caseSvc)
partyH := handlers.NewPartyHandler(partySvc)
apptH := handlers.NewAppointmentHandler(appointmentSvc)
deadlineH := handlers.NewDeadlineHandlers(deadlineSvc, db)
deadlineH := handlers.NewDeadlineHandlers(deadlineSvc)
ruleH := handlers.NewDeadlineRuleHandlers(deadlineRuleSvc)
calcH := handlers.NewCalculateHandlers(calculator, deadlineRuleSvc)
dashboardH := handlers.NewDashboardHandler(dashboardSvc)
@@ -57,6 +68,9 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
eventH := handlers.NewCaseEventHandler(db)
docH := handlers.NewDocumentHandler(documentSvc)
assignmentH := handlers.NewCaseAssignmentHandler(assignmentSvc)
timeEntryH := handlers.NewTimeEntryHandler(timeEntrySvc)
billingRateH := handlers.NewBillingRateHandler(billingRateSvc)
invoiceH := handlers.NewInvoiceHandler(invoiceSvc)
// Public routes
mux.HandleFunc("GET /health", handleHealth(db))
@@ -98,7 +112,7 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
scoped.HandleFunc("GET /api/cases", caseH.List)
scoped.HandleFunc("POST /api/cases", perm(auth.PermCreateCase, caseH.Create))
scoped.HandleFunc("GET /api/cases/{id}", caseH.Get)
scoped.HandleFunc("PUT /api/cases/{id}", caseH.Update) // case-level access checked in handler
scoped.HandleFunc("PUT /api/cases/{id}", caseH.Update)
scoped.HandleFunc("DELETE /api/cases/{id}", perm(auth.PermCreateCase, caseH.Delete))
// Parties — same access as case editing
@@ -148,12 +162,15 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
// Dashboard — all can view
scoped.HandleFunc("GET /api/dashboard", dashboardH.Get)
// Audit log — view requires PermViewAuditLog
scoped.HandleFunc("GET /api/audit-log", perm(auth.PermViewAuditLog, auditH.List))
// Documents — all can upload, delete checked in handler (own vs all)
scoped.HandleFunc("GET /api/cases/{id}/documents", docH.ListByCase)
scoped.HandleFunc("POST /api/cases/{id}/documents", perm(auth.PermUploadDocuments, docH.Upload))
scoped.HandleFunc("GET /api/documents/{docId}", docH.Download)
scoped.HandleFunc("GET /api/documents/{docId}/meta", docH.GetMeta)
scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete) // permission check inside handler
scoped.HandleFunc("DELETE /api/documents/{docId}", docH.Delete)
// AI endpoints (rate limited: 5 req/min burst 10 per IP)
if aiH != nil {
@@ -162,6 +179,16 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
scoped.HandleFunc("POST /api/ai/summarize-case", perm(auth.PermAIExtraction, aiLimiter.LimitFunc(aiH.SummarizeCase)))
}
// Notifications
if notifH != nil {
scoped.HandleFunc("GET /api/notifications", notifH.List)
scoped.HandleFunc("GET /api/notifications/unread-count", notifH.UnreadCount)
scoped.HandleFunc("PATCH /api/notifications/{id}/read", notifH.MarkRead)
scoped.HandleFunc("PATCH /api/notifications/read-all", notifH.MarkAllRead)
scoped.HandleFunc("GET /api/notification-preferences", notifH.GetPreferences)
scoped.HandleFunc("PUT /api/notification-preferences", notifH.UpdatePreferences)
}
// CalDAV sync endpoints — settings permission required
if calDAVSvc != nil {
calDAVH := handlers.NewCalDAVHandler(calDAVSvc)
@@ -169,19 +196,44 @@ func New(db *sqlx.DB, authMW *auth.Middleware, cfg *config.Config, calDAVSvc *se
scoped.HandleFunc("GET /api/caldav/status", calDAVH.GetStatus)
}
// Time entries — billing permission for create/update/delete
scoped.HandleFunc("GET /api/cases/{id}/time-entries", timeEntryH.ListForCase)
scoped.HandleFunc("POST /api/cases/{id}/time-entries", perm(auth.PermManageBilling, timeEntryH.Create))
scoped.HandleFunc("GET /api/time-entries", timeEntryH.List)
scoped.HandleFunc("GET /api/time-entries/summary", perm(auth.PermManageBilling, timeEntryH.Summary))
scoped.HandleFunc("PUT /api/time-entries/{id}", perm(auth.PermManageBilling, timeEntryH.Update))
scoped.HandleFunc("DELETE /api/time-entries/{id}", perm(auth.PermManageBilling, timeEntryH.Delete))
// Billing rates — billing permission required
scoped.HandleFunc("GET /api/billing-rates", perm(auth.PermManageBilling, billingRateH.List))
scoped.HandleFunc("PUT /api/billing-rates", perm(auth.PermManageBilling, billingRateH.Upsert))
// Invoices — billing permission required
scoped.HandleFunc("GET /api/invoices", perm(auth.PermManageBilling, invoiceH.List))
scoped.HandleFunc("POST /api/invoices", perm(auth.PermManageBilling, invoiceH.Create))
scoped.HandleFunc("GET /api/invoices/{id}", perm(auth.PermManageBilling, invoiceH.Get))
scoped.HandleFunc("PUT /api/invoices/{id}", perm(auth.PermManageBilling, invoiceH.Update))
scoped.HandleFunc("PATCH /api/invoices/{id}/status", perm(auth.PermManageBilling, invoiceH.UpdateStatus))
// Wire: auth -> tenant routes go directly, scoped routes get tenant resolver
api.Handle("/api/", tenantResolver.Resolve(scoped))
mux.Handle("/api/", authMW.RequireAuth(api))
return requestLogger(mux)
// Apply security middleware stack: CORS -> Security Headers -> Request Logger -> Routes
var handler http.Handler = mux
handler = requestLogger(handler)
handler = middleware.SecurityHeaders(handler)
handler = middleware.CORS(cfg.FrontendOrigin)(handler)
return handler
}
func handleHealth(db *sqlx.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if err := db.Ping(); err != nil {
w.WriteHeader(http.StatusServiceUnavailable)
json.NewEncoder(w).Encode(map[string]string{"status": "error", "error": err.Error()})
json.NewEncoder(w).Encode(map[string]string{"status": "error"})
return
}
w.Header().Set("Content-Type", "application/json")
@@ -219,4 +271,3 @@ func requestLogger(next http.Handler) http.Handler {
)
})
}

10
backend/internal/services/appointment_service.go
View File

@@ -12,11 +12,12 @@ import (
)
type AppointmentService struct {
db *sqlx.DB
db *sqlx.DB
audit *AuditService
}
func NewAppointmentService(db *sqlx.DB) *AppointmentService {
return &AppointmentService{db: db}
func NewAppointmentService(db *sqlx.DB, audit *AuditService) *AppointmentService {
return &AppointmentService{db: db, audit: audit}
}
type AppointmentFilter struct {
@@ -86,6 +87,7 @@ func (s *AppointmentService) Create(ctx context.Context, a *models.Appointment)
if err != nil {
return fmt.Errorf("creating appointment: %w", err)
}
s.audit.Log(ctx, "create", "appointment", &a.ID, nil, a)
return nil
}
@@ -116,6 +118,7 @@ func (s *AppointmentService) Update(ctx context.Context, a *models.Appointment)
if rows == 0 {
return fmt.Errorf("appointment not found")
}
s.audit.Log(ctx, "update", "appointment", &a.ID, nil, a)
return nil
}
@@ -131,5 +134,6 @@ func (s *AppointmentService) Delete(ctx context.Context, tenantID, id uuid.UUID)
if rows == 0 {
return fmt.Errorf("appointment not found")
}
s.audit.Log(ctx, "delete", "appointment", &id, nil, nil)
return nil
}

141
backend/internal/services/audit_service.go Normal file
View File

@@ -0,0 +1,141 @@
package services
import (
"context"
"encoding/json"
"fmt"
"log/slog"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/auth"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
)
type AuditService struct {
db *sqlx.DB
}
func NewAuditService(db *sqlx.DB) *AuditService {
return &AuditService{db: db}
}
// Log records an audit entry. It extracts tenant, user, IP, and user-agent from context.
// Errors are logged but not returned — audit logging must not break business operations.
func (s *AuditService) Log(ctx context.Context, action, entityType string, entityID *uuid.UUID, oldValues, newValues any) {
tenantID, ok := auth.TenantFromContext(ctx)
if !ok {
slog.Warn("audit: missing tenant_id in context", "action", action, "entity_type", entityType)
return
}
var userID *uuid.UUID
if uid, ok := auth.UserFromContext(ctx); ok {
userID = &uid
}
var oldJSON, newJSON *json.RawMessage
if oldValues != nil {
if b, err := json.Marshal(oldValues); err == nil {
raw := json.RawMessage(b)
oldJSON = &raw
}
}
if newValues != nil {
if b, err := json.Marshal(newValues); err == nil {
raw := json.RawMessage(b)
newJSON = &raw
}
}
ip := auth.IPFromContext(ctx)
ua := auth.UserAgentFromContext(ctx)
_, err := s.db.ExecContext(ctx,
`INSERT INTO audit_log (tenant_id, user_id, action, entity_type, entity_id, old_values, new_values, ip_address, user_agent)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
tenantID, userID, action, entityType, entityID, oldJSON, newJSON, ip, ua)
if err != nil {
slog.Error("audit: failed to write log entry",
"error", err,
"action", action,
"entity_type", entityType,
"entity_id", entityID,
)
}
}
// AuditFilter holds query parameters for listing audit log entries.
type AuditFilter struct {
EntityType string
EntityID *uuid.UUID
UserID *uuid.UUID
From string // RFC3339 date
To string // RFC3339 date
Page int
Limit int
}
// List returns paginated audit log entries for a tenant.
func (s *AuditService) List(ctx context.Context, tenantID uuid.UUID, filter AuditFilter) ([]models.AuditLog, int, error) {
if filter.Limit <= 0 {
filter.Limit = 50
}
if filter.Limit > 200 {
filter.Limit = 200
}
if filter.Page <= 0 {
filter.Page = 1
}
offset := (filter.Page - 1) * filter.Limit
where := "WHERE tenant_id = $1"
args := []any{tenantID}
argIdx := 2
if filter.EntityType != "" {
where += fmt.Sprintf(" AND entity_type = $%d", argIdx)
args = append(args, filter.EntityType)
argIdx++
}
if filter.EntityID != nil {
where += fmt.Sprintf(" AND entity_id = $%d", argIdx)
args = append(args, *filter.EntityID)
argIdx++
}
if filter.UserID != nil {
where += fmt.Sprintf(" AND user_id = $%d", argIdx)
args = append(args, *filter.UserID)
argIdx++
}
if filter.From != "" {
where += fmt.Sprintf(" AND created_at >= $%d", argIdx)
args = append(args, filter.From)
argIdx++
}
if filter.To != "" {
where += fmt.Sprintf(" AND created_at <= $%d", argIdx)
args = append(args, filter.To)
argIdx++
}
var total int
if err := s.db.GetContext(ctx, &total, "SELECT COUNT(*) FROM audit_log "+where, args...); err != nil {
return nil, 0, fmt.Errorf("counting audit entries: %w", err)
}
query := fmt.Sprintf("SELECT * FROM audit_log %s ORDER BY created_at DESC LIMIT $%d OFFSET $%d",
where, argIdx, argIdx+1)
args = append(args, filter.Limit, offset)
var entries []models.AuditLog
if err := s.db.SelectContext(ctx, &entries, query, args...); err != nil {
return nil, 0, fmt.Errorf("listing audit entries: %w", err)
}
if entries == nil {
entries = []models.AuditLog{}
}
return entries, total, nil
}

88
backend/internal/services/billing_rate_service.go Normal file
View File

@@ -0,0 +1,88 @@
package services
import (
"context"
"fmt"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
)
type BillingRateService struct {
db *sqlx.DB
audit *AuditService
}
func NewBillingRateService(db *sqlx.DB, audit *AuditService) *BillingRateService {
return &BillingRateService{db: db, audit: audit}
}
type UpsertBillingRateInput struct {
UserID *uuid.UUID `json:"user_id,omitempty"`
Rate float64 `json:"rate"`
Currency string `json:"currency"`
ValidFrom string `json:"valid_from"`
ValidTo *string `json:"valid_to,omitempty"`
}
func (s *BillingRateService) List(ctx context.Context, tenantID uuid.UUID) ([]models.BillingRate, error) {
var rates []models.BillingRate
err := s.db.SelectContext(ctx, &rates,
`SELECT id, tenant_id, user_id, rate, currency, valid_from, valid_to, created_at
FROM billing_rates
WHERE tenant_id = $1
ORDER BY valid_from DESC, user_id NULLS LAST`,
tenantID)
if err != nil {
return nil, fmt.Errorf("list billing rates: %w", err)
}
return rates, nil
}
func (s *BillingRateService) Upsert(ctx context.Context, tenantID uuid.UUID, input UpsertBillingRateInput) (*models.BillingRate, error) {
if input.Currency == "" {
input.Currency = "EUR"
}
// Close any existing open-ended rate for this user
_, err := s.db.ExecContext(ctx,
`UPDATE billing_rates SET valid_to = $3
WHERE tenant_id = $1
AND (($2::uuid IS NULL AND user_id IS NULL) OR user_id = $2)
AND valid_to IS NULL
AND valid_from < $3`,
tenantID, input.UserID, input.ValidFrom)
if err != nil {
return nil, fmt.Errorf("close existing rate: %w", err)
}
var rate models.BillingRate
err = s.db.QueryRowxContext(ctx,
`INSERT INTO billing_rates (tenant_id, user_id, rate, currency, valid_from, valid_to)
VALUES ($1, $2, $3, $4, $5, $6)
RETURNING id, tenant_id, user_id, rate, currency, valid_from, valid_to, created_at`,
tenantID, input.UserID, input.Rate, input.Currency, input.ValidFrom, input.ValidTo,
).StructScan(&rate)
if err != nil {
return nil, fmt.Errorf("upsert billing rate: %w", err)
}
s.audit.Log(ctx, "create", "billing_rate", &rate.ID, nil, rate)
return &rate, nil
}
func (s *BillingRateService) GetCurrentRate(ctx context.Context, tenantID uuid.UUID, userID uuid.UUID, date string) (*float64, error) {
var rate float64
err := s.db.GetContext(ctx, &rate,
`SELECT rate FROM billing_rates
WHERE tenant_id = $1 AND (user_id = $2 OR user_id IS NULL)
AND valid_from <= $3 AND (valid_to IS NULL OR valid_to >= $3)
ORDER BY user_id NULLS LAST LIMIT 1`,
tenantID, userID, date)
if err != nil {
return nil, err
}
return &rate, nil
}

14
backend/internal/services/case_service.go
View File

@@ -13,11 +13,12 @@ import (
)
type CaseService struct {
db *sqlx.DB
db *sqlx.DB
audit *AuditService
}
func NewCaseService(db *sqlx.DB) *CaseService {
return &CaseService{db: db}
func NewCaseService(db *sqlx.DB, audit *AuditService) *CaseService {
return &CaseService{db: db, audit: audit}
}
type CaseFilter struct {
@@ -162,6 +163,9 @@ func (s *CaseService) Create(ctx context.Context, tenantID uuid.UUID, userID uui
if err := s.db.GetContext(ctx, &c, "SELECT * FROM cases WHERE id = $1", id); err != nil {
return nil, fmt.Errorf("fetching created case: %w", err)
}
s.audit.Log(ctx, "create", "case", &id, nil, c)
return &c, nil
}
@@ -239,6 +243,9 @@ func (s *CaseService) Update(ctx context.Context, tenantID, caseID uuid.UUID, us
if err := s.db.GetContext(ctx, &updated, "SELECT * FROM cases WHERE id = $1", caseID); err != nil {
return nil, fmt.Errorf("fetching updated case: %w", err)
}
s.audit.Log(ctx, "update", "case", &caseID, current, updated)
return &updated, nil
}
@@ -254,6 +261,7 @@ func (s *CaseService) Delete(ctx context.Context, tenantID, caseID uuid.UUID, us
return sql.ErrNoRows
}
createEvent(ctx, s.db, tenantID, caseID, userID, "case_archived", "Case archived", nil)
s.audit.Log(ctx, "delete", "case", &caseID, map[string]string{"status": "active"}, map[string]string{"status": "archived"})
return nil
}

20
backend/internal/services/deadline_service.go
View File

@@ -1,6 +1,7 @@
package services
import (
"context"
"database/sql"
"fmt"
"time"
@@ -13,12 +14,13 @@ import (
// DeadlineService handles CRUD operations for case deadlines
type DeadlineService struct {
db *sqlx.DB
db *sqlx.DB
audit *AuditService
}
// NewDeadlineService creates a new deadline service
func NewDeadlineService(db *sqlx.DB) *DeadlineService {
return &DeadlineService{db: db}
func NewDeadlineService(db *sqlx.DB, audit *AuditService) *DeadlineService {
return &DeadlineService{db: db, audit: audit}
}
// ListAll returns all deadlines for a tenant, ordered by due_date
@@ -87,7 +89,7 @@ type CreateDeadlineInput struct {
}
// Create inserts a new deadline
func (s *DeadlineService) Create(tenantID uuid.UUID, input CreateDeadlineInput) (*models.Deadline, error) {
func (s *DeadlineService) Create(ctx context.Context, tenantID uuid.UUID, input CreateDeadlineInput) (*models.Deadline, error) {
id := uuid.New()
source := input.Source
if source == "" {
@@ -108,6 +110,7 @@ func (s *DeadlineService) Create(tenantID uuid.UUID, input CreateDeadlineInput)
if err != nil {
return nil, fmt.Errorf("creating deadline: %w", err)
}
s.audit.Log(ctx, "create", "deadline", &id, nil, d)
return &d, nil
}
@@ -123,7 +126,7 @@ type UpdateDeadlineInput struct {
}
// Update modifies an existing deadline
func (s *DeadlineService) Update(tenantID, deadlineID uuid.UUID, input UpdateDeadlineInput) (*models.Deadline, error) {
func (s *DeadlineService) Update(ctx context.Context, tenantID, deadlineID uuid.UUID, input UpdateDeadlineInput) (*models.Deadline, error) {
// First check it exists and belongs to tenant
existing, err := s.GetByID(tenantID, deadlineID)
if err != nil {
@@ -154,11 +157,12 @@ func (s *DeadlineService) Update(tenantID, deadlineID uuid.UUID, input UpdateDea
if err != nil {
return nil, fmt.Errorf("updating deadline: %w", err)
}
s.audit.Log(ctx, "update", "deadline", &deadlineID, existing, d)
return &d, nil
}
// Complete marks a deadline as completed
func (s *DeadlineService) Complete(tenantID, deadlineID uuid.UUID) (*models.Deadline, error) {
func (s *DeadlineService) Complete(ctx context.Context, tenantID, deadlineID uuid.UUID) (*models.Deadline, error) {
query := `UPDATE deadlines SET
status = 'completed',
completed_at = $1,
@@ -176,11 +180,12 @@ func (s *DeadlineService) Complete(tenantID, deadlineID uuid.UUID) (*models.Dead
}
return nil, fmt.Errorf("completing deadline: %w", err)
}
s.audit.Log(ctx, "update", "deadline", &deadlineID, map[string]string{"status": "pending"}, map[string]string{"status": "completed"})
return &d, nil
}
// Delete removes a deadline
func (s *DeadlineService) Delete(tenantID, deadlineID uuid.UUID) error {
func (s *DeadlineService) Delete(ctx context.Context, tenantID, deadlineID uuid.UUID) error {
query := `DELETE FROM deadlines WHERE id = $1 AND tenant_id = $2`
result, err := s.db.Exec(query, deadlineID, tenantID)
if err != nil {
@@ -193,5 +198,6 @@ func (s *DeadlineService) Delete(tenantID, deadlineID uuid.UUID) error {
if rows == 0 {
return fmt.Errorf("deadline not found")
}
s.audit.Log(ctx, "delete", "deadline", &deadlineID, nil, nil)
return nil
}

7
backend/internal/services/document_service.go
View File

@@ -18,10 +18,11 @@ const documentBucket = "kanzlai-documents"
type DocumentService struct {
db *sqlx.DB
storage *StorageClient
audit *AuditService
}
func NewDocumentService(db *sqlx.DB, storage *StorageClient) *DocumentService {
return &DocumentService{db: db, storage: storage}
func NewDocumentService(db *sqlx.DB, storage *StorageClient, audit *AuditService) *DocumentService {
return &DocumentService{db: db, storage: storage, audit: audit}
}
type CreateDocumentInput struct {
@@ -97,6 +98,7 @@ func (s *DocumentService) Create(ctx context.Context, tenantID, caseID, userID u
if err := s.db.GetContext(ctx, &doc, "SELECT * FROM documents WHERE id = $1", id); err != nil {
return nil, fmt.Errorf("fetching created document: %w", err)
}
s.audit.Log(ctx, "create", "document", &id, nil, doc)
return &doc, nil
}
@@ -151,6 +153,7 @@ func (s *DocumentService) Delete(ctx context.Context, tenantID, docID, userID uu
// Log case event
createEvent(ctx, s.db, tenantID, doc.CaseID, userID, "document_deleted",
fmt.Sprintf("Document deleted: %s", doc.Title), nil)
s.audit.Log(ctx, "delete", "document", &docID, doc, nil)
return nil
}

292
backend/internal/services/invoice_service.go Normal file
View File

@@ -0,0 +1,292 @@
package services
import (
"context"
"database/sql"
"encoding/json"
"fmt"
"time"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
)
type InvoiceService struct {
db *sqlx.DB
audit *AuditService
}
func NewInvoiceService(db *sqlx.DB, audit *AuditService) *InvoiceService {
return &InvoiceService{db: db, audit: audit}
}
type CreateInvoiceInput struct {
CaseID uuid.UUID `json:"case_id"`
ClientName string `json:"client_name"`
ClientAddress *string `json:"client_address,omitempty"`
Items []models.InvoiceItem `json:"items"`
TaxRate *float64 `json:"tax_rate,omitempty"`
IssuedAt *string `json:"issued_at,omitempty"`
DueAt *string `json:"due_at,omitempty"`
Notes *string `json:"notes,omitempty"`
TimeEntryIDs []uuid.UUID `json:"time_entry_ids,omitempty"`
}
type UpdateInvoiceInput struct {
ClientName *string `json:"client_name,omitempty"`
ClientAddress *string `json:"client_address,omitempty"`
Items []models.InvoiceItem `json:"items,omitempty"`
TaxRate *float64 `json:"tax_rate,omitempty"`
IssuedAt *string `json:"issued_at,omitempty"`
DueAt *string `json:"due_at,omitempty"`
Notes *string `json:"notes,omitempty"`
}
const invoiceCols = `id, tenant_id, case_id, invoice_number, client_name, client_address,
items, subtotal, tax_rate, tax_amount, total, status, issued_at, due_at, paid_at, notes,
created_by, created_at, updated_at`
func (s *InvoiceService) List(ctx context.Context, tenantID uuid.UUID, caseID *uuid.UUID, status string) ([]models.Invoice, error) {
where := "WHERE tenant_id = $1"
args := []any{tenantID}
argIdx := 2
if caseID != nil {
where += fmt.Sprintf(" AND case_id = $%d", argIdx)
args = append(args, *caseID)
argIdx++
}
if status != "" {
where += fmt.Sprintf(" AND status = $%d", argIdx)
args = append(args, status)
argIdx++
}
var invoices []models.Invoice
err := s.db.SelectContext(ctx, &invoices,
fmt.Sprintf("SELECT %s FROM invoices %s ORDER BY created_at DESC", invoiceCols, where),
args...)
if err != nil {
return nil, fmt.Errorf("list invoices: %w", err)
}
return invoices, nil
}
func (s *InvoiceService) GetByID(ctx context.Context, tenantID, invoiceID uuid.UUID) (*models.Invoice, error) {
var inv models.Invoice
err := s.db.GetContext(ctx, &inv,
`SELECT `+invoiceCols+` FROM invoices WHERE tenant_id = $1 AND id = $2`,
tenantID, invoiceID)
if err == sql.ErrNoRows {
return nil, nil
}
if err != nil {
return nil, fmt.Errorf("get invoice: %w", err)
}
return &inv, nil
}
func (s *InvoiceService) Create(ctx context.Context, tenantID, userID uuid.UUID, input CreateInvoiceInput) (*models.Invoice, error) {
tx, err := s.db.BeginTxx(ctx, nil)
if err != nil {
return nil, fmt.Errorf("begin tx: %w", err)
}
defer tx.Rollback()
// Generate invoice number: RE-YYYY-NNN
year := time.Now().Year()
var seq int
err = tx.GetContext(ctx, &seq,
`SELECT COUNT(*) + 1 FROM invoices WHERE tenant_id = $1 AND invoice_number LIKE $2`,
tenantID, fmt.Sprintf("RE-%d-%%", year))
if err != nil {
return nil, fmt.Errorf("generate invoice number: %w", err)
}
invoiceNumber := fmt.Sprintf("RE-%d-%03d", year, seq)
// Calculate totals
taxRate := 19.00
if input.TaxRate != nil {
taxRate = *input.TaxRate
}
var subtotal float64
for _, item := range input.Items {
subtotal += item.Amount
}
taxAmount := subtotal * taxRate / 100
total := subtotal + taxAmount
itemsJSON, err := json.Marshal(input.Items)
if err != nil {
return nil, fmt.Errorf("marshal items: %w", err)
}
var inv models.Invoice
err = tx.QueryRowxContext(ctx,
`INSERT INTO invoices (tenant_id, case_id, invoice_number, client_name, client_address,
items, subtotal, tax_rate, tax_amount, total, issued_at, due_at, notes, created_by)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
RETURNING `+invoiceCols,
tenantID, input.CaseID, invoiceNumber, input.ClientName, input.ClientAddress,
itemsJSON, subtotal, taxRate, taxAmount, total, input.IssuedAt, input.DueAt, input.Notes, userID,
).StructScan(&inv)
if err != nil {
return nil, fmt.Errorf("create invoice: %w", err)
}
// Mark linked time entries as billed
if len(input.TimeEntryIDs) > 0 {
query, args, err := sqlx.In(
`UPDATE time_entries SET billed = true, invoice_id = ? WHERE tenant_id = ? AND id IN (?)`,
inv.ID, tenantID, input.TimeEntryIDs)
if err != nil {
return nil, fmt.Errorf("build time entry update: %w", err)
}
query = tx.Rebind(query)
_, err = tx.ExecContext(ctx, query, args...)
if err != nil {
return nil, fmt.Errorf("mark time entries billed: %w", err)
}
}
if err := tx.Commit(); err != nil {
return nil, fmt.Errorf("commit: %w", err)
}
s.audit.Log(ctx, "create", "invoice", &inv.ID, nil, inv)
return &inv, nil
}
func (s *InvoiceService) Update(ctx context.Context, tenantID, invoiceID uuid.UUID, input UpdateInvoiceInput) (*models.Invoice, error) {
old, err := s.GetByID(ctx, tenantID, invoiceID)
if err != nil {
return nil, err
}
if old == nil {
return nil, fmt.Errorf("invoice not found")
}
if old.Status != "draft" {
return nil, fmt.Errorf("can only update draft invoices")
}
// Recalculate totals if items changed
var itemsJSON json.RawMessage
var subtotal float64
taxRate := old.TaxRate
if input.Items != nil {
for _, item := range input.Items {
subtotal += item.Amount
}
itemsJSON, _ = json.Marshal(input.Items)
}
if input.TaxRate != nil {
taxRate = *input.TaxRate
}
if input.Items != nil {
taxAmount := subtotal * taxRate / 100
total := subtotal + taxAmount
var inv models.Invoice
err = s.db.QueryRowxContext(ctx,
`UPDATE invoices SET
client_name = COALESCE($3, client_name),
client_address = COALESCE($4, client_address),
items = $5,
subtotal = $6,
tax_rate = $7,
tax_amount = $8,
total = $9,
issued_at = COALESCE($10, issued_at),
due_at = COALESCE($11, due_at),
notes = COALESCE($12, notes),
updated_at = now()
WHERE tenant_id = $1 AND id = $2
RETURNING `+invoiceCols,
tenantID, invoiceID, input.ClientName, input.ClientAddress,
itemsJSON, subtotal, taxRate, subtotal*taxRate/100, total,
input.IssuedAt, input.DueAt, input.Notes,
).StructScan(&inv)
if err != nil {
return nil, fmt.Errorf("update invoice: %w", err)
}
s.audit.Log(ctx, "update", "invoice", &inv.ID, old, inv)
return &inv, nil
}
// Update without changing items
var inv models.Invoice
err = s.db.QueryRowxContext(ctx,
`UPDATE invoices SET
client_name = COALESCE($3, client_name),
client_address = COALESCE($4, client_address),
tax_rate = COALESCE($5, tax_rate),
issued_at = COALESCE($6, issued_at),
due_at = COALESCE($7, due_at),
notes = COALESCE($8, notes),
updated_at = now()
WHERE tenant_id = $1 AND id = $2
RETURNING `+invoiceCols,
tenantID, invoiceID, input.ClientName, input.ClientAddress,
input.TaxRate, input.IssuedAt, input.DueAt, input.Notes,
).StructScan(&inv)
if err != nil {
return nil, fmt.Errorf("update invoice: %w", err)
}
s.audit.Log(ctx, "update", "invoice", &inv.ID, old, inv)
return &inv, nil
}
func (s *InvoiceService) UpdateStatus(ctx context.Context, tenantID, invoiceID uuid.UUID, newStatus string) (*models.Invoice, error) {
old, err := s.GetByID(ctx, tenantID, invoiceID)
if err != nil {
return nil, err
}
if old == nil {
return nil, fmt.Errorf("invoice not found")
}
// Validate transitions
validTransitions := map[string][]string{
"draft": {"sent", "cancelled"},
"sent": {"paid", "cancelled"},
"paid": {},
"cancelled": {},
}
allowed := validTransitions[old.Status]
valid := false
for _, s := range allowed {
if s == newStatus {
valid = true
break
}
}
if !valid {
return nil, fmt.Errorf("invalid status transition from %s to %s", old.Status, newStatus)
}
var paidAt *time.Time
if newStatus == "paid" {
now := time.Now()
paidAt = &now
}
var inv models.Invoice
err = s.db.QueryRowxContext(ctx,
`UPDATE invoices SET status = $3, paid_at = COALESCE($4, paid_at), updated_at = now()
WHERE tenant_id = $1 AND id = $2
RETURNING `+invoiceCols,
tenantID, invoiceID, newStatus, paidAt,
).StructScan(&inv)
if err != nil {
return nil, fmt.Errorf("update invoice status: %w", err)
}
s.audit.Log(ctx, "update", "invoice", &inv.ID, old, inv)
return &inv, nil
}

10
backend/internal/services/note_service.go
View File

@@ -13,11 +13,12 @@ import (
)
type NoteService struct {
db *sqlx.DB
db *sqlx.DB
audit *AuditService
}
func NewNoteService(db *sqlx.DB) *NoteService {
return &NoteService{db: db}
func NewNoteService(db *sqlx.DB, audit *AuditService) *NoteService {
return &NoteService{db: db, audit: audit}
}
// ListByParent returns all notes for a given parent entity, scoped to tenant.
@@ -68,6 +69,7 @@ func (s *NoteService) Create(ctx context.Context, tenantID uuid.UUID, createdBy
if err != nil {
return nil, fmt.Errorf("creating note: %w", err)
}
s.audit.Log(ctx, "create", "note", &id, nil, n)
return &n, nil
}
@@ -85,6 +87,7 @@ func (s *NoteService) Update(ctx context.Context, tenantID, noteID uuid.UUID, co
}
return nil, fmt.Errorf("updating note: %w", err)
}
s.audit.Log(ctx, "update", "note", &noteID, nil, n)
return &n, nil
}
@@ -101,6 +104,7 @@ func (s *NoteService) Delete(ctx context.Context, tenantID, noteID uuid.UUID) er
if rows == 0 {
return fmt.Errorf("note not found")
}
s.audit.Log(ctx, "delete", "note", &noteID, nil, nil)
return nil
}

501
backend/internal/services/notification_service.go Normal file
View File

@@ -0,0 +1,501 @@
package services
import (
"context"
"fmt"
"log/slog"
"os/exec"
"strings"
"sync"
"time"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"github.com/lib/pq"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
)
// NotificationService handles notification CRUD, deadline reminders, and email sending.
type NotificationService struct {
db *sqlx.DB
stopCh chan struct{}
wg sync.WaitGroup
}
// NewNotificationService creates a new notification service.
func NewNotificationService(db *sqlx.DB) *NotificationService {
return &NotificationService{
db: db,
stopCh: make(chan struct{}),
}
}
// Start launches the background reminder checker (every hour) and daily digest (8am).
func (s *NotificationService) Start() {
s.wg.Add(1)
go s.backgroundLoop()
}
// Stop gracefully shuts down background workers.
func (s *NotificationService) Stop() {
close(s.stopCh)
s.wg.Wait()
}
func (s *NotificationService) backgroundLoop() {
defer s.wg.Done()
// Check reminders on startup
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
s.CheckDeadlineReminders(ctx)
cancel()
reminderTicker := time.NewTicker(1 * time.Hour)
defer reminderTicker.Stop()
// Digest ticker: check every 15 minutes, send at 8am
digestTicker := time.NewTicker(15 * time.Minute)
defer digestTicker.Stop()
var lastDigestDate string
for {
select {
case <-s.stopCh:
return
case <-reminderTicker.C:
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
s.CheckDeadlineReminders(ctx)
cancel()
case now := <-digestTicker.C:
today := now.Format("2006-01-02")
hour := now.Hour()
if hour >= 8 && lastDigestDate != today {
lastDigestDate = today
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
s.SendDailyDigests(ctx)
cancel()
}
}
}
}
// CheckDeadlineReminders finds deadlines due in N days matching user preferences and creates notifications.
func (s *NotificationService) CheckDeadlineReminders(ctx context.Context) {
slog.Info("checking deadline reminders")
// Get all user preferences with email enabled
var prefs []models.NotificationPreferences
err := s.db.SelectContext(ctx, &prefs,
`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
FROM notification_preferences`)
if err != nil {
slog.Error("failed to load notification preferences", "error", err)
return
}
if len(prefs) == 0 {
return
}
// Collect all unique reminder day values across all users
daySet := make(map[int64]bool)
for _, p := range prefs {
for _, d := range p.DeadlineReminderDays {
daySet[d] = true
}
}
if len(daySet) == 0 {
return
}
// Build array of target dates
today := time.Now().Truncate(24 * time.Hour)
var targetDates []string
dayToDate := make(map[string]int64)
for d := range daySet {
target := today.AddDate(0, 0, int(d))
dateStr := target.Format("2006-01-02")
targetDates = append(targetDates, dateStr)
dayToDate[dateStr] = d
}
// Also check overdue deadlines
todayStr := today.Format("2006-01-02")
// Find pending deadlines matching target dates
type deadlineRow struct {
models.Deadline
CaseTitle string `db:"case_title"`
CaseNumber string `db:"case_number"`
}
// Reminder deadlines (due in N days)
var reminderDeadlines []deadlineRow
query, args, err := sqlx.In(
`SELECT d.*, c.title AS case_title, c.case_number
FROM deadlines d
JOIN cases c ON c.id = d.case_id
WHERE d.status = 'pending' AND d.due_date IN (?)`,
targetDates)
if err == nil {
query = s.db.Rebind(query)
err = s.db.SelectContext(ctx, &reminderDeadlines, query, args...)
}
if err != nil {
slog.Error("failed to query reminder deadlines", "error", err)
}
// Overdue deadlines
var overdueDeadlines []deadlineRow
err = s.db.SelectContext(ctx, &overdueDeadlines,
`SELECT d.*, c.title AS case_title, c.case_number
FROM deadlines d
JOIN cases c ON c.id = d.case_id
WHERE d.status = 'pending' AND d.due_date < $1`, todayStr)
if err != nil {
slog.Error("failed to query overdue deadlines", "error", err)
}
// Create notifications for each user based on their tenant and preferences
for _, pref := range prefs {
// Reminder notifications
for _, dl := range reminderDeadlines {
if dl.TenantID != pref.TenantID {
continue
}
daysUntil := dayToDate[dl.DueDate]
// Check if this user cares about this many days
if !containsDay(pref.DeadlineReminderDays, daysUntil) {
continue
}
title := fmt.Sprintf("Frist in %d Tagen: %s", daysUntil, dl.Title)
body := fmt.Sprintf("Akte %s — %s\nFällig am %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
entityType := "deadline"
s.CreateNotification(ctx, CreateNotificationInput{
TenantID: pref.TenantID,
UserID: pref.UserID,
Type: "deadline_reminder",
EntityType: &entityType,
EntityID: &dl.ID,
Title: title,
Body: &body,
SendEmail: pref.EmailEnabled && !pref.DailyDigest,
})
}
// Overdue notifications
for _, dl := range overdueDeadlines {
if dl.TenantID != pref.TenantID {
continue
}
title := fmt.Sprintf("Frist überfällig: %s", dl.Title)
body := fmt.Sprintf("Akte %s — %s\nFällig seit %s", dl.CaseNumber, dl.CaseTitle, dl.DueDate)
entityType := "deadline"
s.CreateNotification(ctx, CreateNotificationInput{
TenantID: pref.TenantID,
UserID: pref.UserID,
Type: "deadline_overdue",
EntityType: &entityType,
EntityID: &dl.ID,
Title: title,
Body: &body,
SendEmail: pref.EmailEnabled && !pref.DailyDigest,
})
}
}
}
// SendDailyDigests compiles pending notifications into one email per user.
func (s *NotificationService) SendDailyDigests(ctx context.Context) {
slog.Info("sending daily digests")
// Find users with daily_digest enabled
var prefs []models.NotificationPreferences
err := s.db.SelectContext(ctx, &prefs,
`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
FROM notification_preferences
WHERE daily_digest = true AND email_enabled = true`)
if err != nil {
slog.Error("failed to load digest preferences", "error", err)
return
}
for _, pref := range prefs {
// Get unsent notifications for this user from the last 24 hours
var notifications []models.Notification
err := s.db.SelectContext(ctx, &notifications,
`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
FROM notifications
WHERE user_id = $1 AND tenant_id = $2 AND sent_at IS NULL
AND created_at > now() - interval '24 hours'
ORDER BY created_at DESC`,
pref.UserID, pref.TenantID)
if err != nil {
slog.Error("failed to load unsent notifications", "error", err, "user_id", pref.UserID)
continue
}
if len(notifications) == 0 {
continue
}
// Get user email
email := s.getUserEmail(ctx, pref.UserID)
if email == "" {
continue
}
// Build digest
var lines []string
lines = append(lines, fmt.Sprintf("Guten Morgen! Hier ist Ihre Tagesübersicht mit %d Benachrichtigungen:\n", len(notifications)))
for _, n := range notifications {
body := ""
if n.Body != nil {
body = " — " + *n.Body
}
lines = append(lines, fmt.Sprintf("• %s%s", n.Title, body))
}
lines = append(lines, "\n---\nKanzlAI Kanzleimanagement")
subject := fmt.Sprintf("KanzlAI Tagesübersicht — %d Benachrichtigungen", len(notifications))
bodyText := strings.Join(lines, "\n")
if err := SendEmail(email, subject, bodyText); err != nil {
slog.Error("failed to send digest email", "error", err, "user_id", pref.UserID)
continue
}
// Mark all as sent
ids := make([]uuid.UUID, len(notifications))
for i, n := range notifications {
ids[i] = n.ID
}
query, args, err := sqlx.In(
`UPDATE notifications SET sent_at = now() WHERE id IN (?)`, ids)
if err == nil {
query = s.db.Rebind(query)
_, err = s.db.ExecContext(ctx, query, args...)
}
if err != nil {
slog.Error("failed to mark digest notifications sent", "error", err)
}
slog.Info("sent daily digest", "user_id", pref.UserID, "count", len(notifications))
}
}
// CreateNotificationInput holds the data for creating a notification.
type CreateNotificationInput struct {
TenantID uuid.UUID
UserID uuid.UUID
Type string
EntityType *string
EntityID *uuid.UUID
Title string
Body *string
SendEmail bool
}
// CreateNotification stores a notification in the DB and optionally sends an email.
func (s *NotificationService) CreateNotification(ctx context.Context, input CreateNotificationInput) (*models.Notification, error) {
// Dedup: check if we already sent this notification today
if input.EntityID != nil {
var count int
err := s.db.GetContext(ctx, &count,
`SELECT COUNT(*) FROM notifications
WHERE user_id = $1 AND entity_id = $2 AND type = $3
AND created_at::date = CURRENT_DATE`,
input.UserID, input.EntityID, input.Type)
if err == nil && count > 0 {
return nil, nil // Already notified today
}
}
var n models.Notification
err := s.db.QueryRowxContext(ctx,
`INSERT INTO notifications (tenant_id, user_id, type, entity_type, entity_id, title, body)
VALUES ($1, $2, $3, $4, $5, $6, $7)
RETURNING id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at`,
input.TenantID, input.UserID, input.Type, input.EntityType, input.EntityID,
input.Title, input.Body).StructScan(&n)
if err != nil {
slog.Error("failed to create notification", "error", err)
return nil, fmt.Errorf("create notification: %w", err)
}
// Send email immediately if requested (non-digest users)
if input.SendEmail {
email := s.getUserEmail(ctx, input.UserID)
if email != "" {
go func() {
if err := SendEmail(email, input.Title, derefStr(input.Body)); err != nil {
slog.Error("failed to send notification email", "error", err, "user_id", input.UserID)
} else {
// Mark as sent
_, _ = s.db.Exec(`UPDATE notifications SET sent_at = now() WHERE id = $1`, n.ID)
}
}()
}
}
return &n, nil
}
// ListForUser returns notifications for a user in a tenant, paginated.
func (s *NotificationService) ListForUser(ctx context.Context, tenantID, userID uuid.UUID, limit, offset int) ([]models.Notification, int, error) {
if limit <= 0 {
limit = 50
}
if limit > 200 {
limit = 200
}
var total int
err := s.db.GetContext(ctx, &total,
`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2`,
userID, tenantID)
if err != nil {
return nil, 0, fmt.Errorf("count notifications: %w", err)
}
var notifications []models.Notification
err = s.db.SelectContext(ctx, &notifications,
`SELECT id, tenant_id, user_id, type, entity_type, entity_id, title, body, sent_at, read_at, created_at
FROM notifications
WHERE user_id = $1 AND tenant_id = $2
ORDER BY created_at DESC
LIMIT $3 OFFSET $4`,
userID, tenantID, limit, offset)
if err != nil {
return nil, 0, fmt.Errorf("list notifications: %w", err)
}
return notifications, total, nil
}
// UnreadCount returns the number of unread notifications for a user.
func (s *NotificationService) UnreadCount(ctx context.Context, tenantID, userID uuid.UUID) (int, error) {
var count int
err := s.db.GetContext(ctx, &count,
`SELECT COUNT(*) FROM notifications WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
userID, tenantID)
return count, err
}
// MarkRead marks a single notification as read.
func (s *NotificationService) MarkRead(ctx context.Context, tenantID, userID, notificationID uuid.UUID) error {
result, err := s.db.ExecContext(ctx,
`UPDATE notifications SET read_at = now()
WHERE id = $1 AND user_id = $2 AND tenant_id = $3 AND read_at IS NULL`,
notificationID, userID, tenantID)
if err != nil {
return fmt.Errorf("mark notification read: %w", err)
}
rows, _ := result.RowsAffected()
if rows == 0 {
return fmt.Errorf("notification not found or already read")
}
return nil
}
// MarkAllRead marks all notifications as read for a user.
func (s *NotificationService) MarkAllRead(ctx context.Context, tenantID, userID uuid.UUID) error {
_, err := s.db.ExecContext(ctx,
`UPDATE notifications SET read_at = now()
WHERE user_id = $1 AND tenant_id = $2 AND read_at IS NULL`,
userID, tenantID)
return err
}
// GetPreferences returns notification preferences for a user, creating defaults if needed.
func (s *NotificationService) GetPreferences(ctx context.Context, tenantID, userID uuid.UUID) (*models.NotificationPreferences, error) {
var pref models.NotificationPreferences
err := s.db.GetContext(ctx, &pref,
`SELECT user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at
FROM notification_preferences
WHERE user_id = $1 AND tenant_id = $2`,
userID, tenantID)
if err != nil {
// Return defaults if no preferences set
return &models.NotificationPreferences{
UserID: userID,
TenantID: tenantID,
DeadlineReminderDays: pq.Int64Array{7, 3, 1},
EmailEnabled: true,
DailyDigest: false,
}, nil
}
return &pref, nil
}
// UpdatePreferences upserts notification preferences for a user.
func (s *NotificationService) UpdatePreferences(ctx context.Context, tenantID, userID uuid.UUID, input UpdatePreferencesInput) (*models.NotificationPreferences, error) {
var pref models.NotificationPreferences
err := s.db.QueryRowxContext(ctx,
`INSERT INTO notification_preferences (user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest)
VALUES ($1, $2, $3, $4, $5)
ON CONFLICT (user_id, tenant_id)
DO UPDATE SET deadline_reminder_days = $3, email_enabled = $4, daily_digest = $5, updated_at = now()
RETURNING user_id, tenant_id, deadline_reminder_days, email_enabled, daily_digest, created_at, updated_at`,
userID, tenantID, pq.Int64Array(input.DeadlineReminderDays), input.EmailEnabled, input.DailyDigest).StructScan(&pref)
if err != nil {
return nil, fmt.Errorf("update preferences: %w", err)
}
return &pref, nil
}
// UpdatePreferencesInput holds the data for updating notification preferences.
type UpdatePreferencesInput struct {
DeadlineReminderDays []int64 `json:"deadline_reminder_days"`
EmailEnabled bool `json:"email_enabled"`
DailyDigest bool `json:"daily_digest"`
}
// SendEmail sends an email using the `m mail send` CLI command.
func SendEmail(to, subject, body string) error {
cmd := exec.Command("m", "mail", "send",
"--to", to,
"--subject", subject,
"--body", body,
"--yes")
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("m mail send failed: %w (output: %s)", err, string(output))
}
slog.Info("email sent", "to", to, "subject", subject)
return nil
}
// getUserEmail looks up the email for a user from Supabase auth.users.
func (s *NotificationService) getUserEmail(ctx context.Context, userID uuid.UUID) string {
var email string
err := s.db.GetContext(ctx, &email,
`SELECT email FROM auth.users WHERE id = $1`, userID)
if err != nil {
slog.Error("failed to get user email", "error", err, "user_id", userID)
return ""
}
return email
}
func containsDay(arr pq.Int64Array, day int64) bool {
for _, d := range arr {
if d == day {
return true
}
}
return false
}
func derefStr(s *string) string {
if s == nil {
return ""
}
return *s
}

10
backend/internal/services/party_service.go
View File

@@ -13,11 +13,12 @@ import (
)
type PartyService struct {
db *sqlx.DB
db *sqlx.DB
audit *AuditService
}
func NewPartyService(db *sqlx.DB) *PartyService {
return &PartyService{db: db}
func NewPartyService(db *sqlx.DB, audit *AuditService) *PartyService {
return &PartyService{db: db, audit: audit}
}
type CreatePartyInput struct {
@@ -79,6 +80,7 @@ func (s *PartyService) Create(ctx context.Context, tenantID, caseID uuid.UUID, u
if err := s.db.GetContext(ctx, &party, "SELECT * FROM parties WHERE id = $1", id); err != nil {
return nil, fmt.Errorf("fetching created party: %w", err)
}
s.audit.Log(ctx, "create", "party", &id, nil, party)
return &party, nil
}
@@ -135,6 +137,7 @@ func (s *PartyService) Update(ctx context.Context, tenantID, partyID uuid.UUID,
if err := s.db.GetContext(ctx, &updated, "SELECT * FROM parties WHERE id = $1", partyID); err != nil {
return nil, fmt.Errorf("fetching updated party: %w", err)
}
s.audit.Log(ctx, "update", "party", &partyID, current, updated)
return &updated, nil
}
@@ -148,5 +151,6 @@ func (s *PartyService) Delete(ctx context.Context, tenantID, partyID uuid.UUID)
if rows == 0 {
return sql.ErrNoRows
}
s.audit.Log(ctx, "delete", "party", &partyID, nil, nil)
return nil
}

24
backend/internal/services/tenant_service.go
View File

@@ -13,11 +13,12 @@ import (
)
type TenantService struct {
db *sqlx.DB
db *sqlx.DB
audit *AuditService
}
func NewTenantService(db *sqlx.DB) *TenantService {
return &TenantService{db: db}
func NewTenantService(db *sqlx.DB, audit *AuditService) *TenantService {
return &TenantService{db: db, audit: audit}
}
// Create creates a new tenant and assigns the creator as owner.
@@ -49,6 +50,7 @@ func (s *TenantService) Create(ctx context.Context, userID uuid.UUID, name, slug
return nil, fmt.Errorf("commit: %w", err)
}
s.audit.Log(ctx, "create", "tenant", &tenant.ID, nil, tenant)
return &tenant, nil
}
@@ -101,6 +103,19 @@ func (s *TenantService) GetUserRole(ctx context.Context, userID, tenantID uuid.U
return role, nil
}
// VerifyAccess checks if a user has access to a given tenant.
func (s *TenantService) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
var exists bool
err := s.db.GetContext(ctx, &exists,
`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
userID, tenantID,
)
if err != nil {
return false, fmt.Errorf("verify tenant access: %w", err)
}
return exists, nil
}
// FirstTenantForUser returns the user's first tenant (by name), used as default.
func (s *TenantService) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
var tenantID uuid.UUID
@@ -171,6 +186,7 @@ func (s *TenantService) InviteByEmail(ctx context.Context, tenantID uuid.UUID, e
return nil, fmt.Errorf("invite user: %w", err)
}
s.audit.Log(ctx, "create", "membership", &tenantID, nil, ut)
return &ut, nil
}
@@ -186,6 +202,7 @@ func (s *TenantService) UpdateSettings(ctx context.Context, tenantID uuid.UUID,
if err != nil {
return nil, fmt.Errorf("update settings: %w", err)
}
s.audit.Log(ctx, "update", "settings", &tenantID, nil, settings)
return &tenant, nil
}
@@ -257,5 +274,6 @@ func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.
return fmt.Errorf("remove member: %w", err)
}
s.audit.Log(ctx, "delete", "membership", &tenantID, map[string]any{"user_id": userID, "role": role}, nil)
return nil
}

276
backend/internal/services/time_entry_service.go Normal file
View File

@@ -0,0 +1,276 @@
package services
import (
"context"
"database/sql"
"fmt"
"github.com/google/uuid"
"github.com/jmoiron/sqlx"
"mgit.msbls.de/m/KanzlAI-mGMT/internal/models"
)
type TimeEntryService struct {
db *sqlx.DB
audit *AuditService
}
func NewTimeEntryService(db *sqlx.DB, audit *AuditService) *TimeEntryService {
return &TimeEntryService{db: db, audit: audit}
}
type CreateTimeEntryInput struct {
CaseID uuid.UUID `json:"case_id"`
Date string `json:"date"`
DurationMinutes int `json:"duration_minutes"`
Description string `json:"description"`
Activity *string `json:"activity,omitempty"`
Billable *bool `json:"billable,omitempty"`
HourlyRate *float64 `json:"hourly_rate,omitempty"`
}
type UpdateTimeEntryInput struct {
Date *string `json:"date,omitempty"`
DurationMinutes *int `json:"duration_minutes,omitempty"`
Description *string `json:"description,omitempty"`
Activity *string `json:"activity,omitempty"`
Billable *bool `json:"billable,omitempty"`
HourlyRate *float64 `json:"hourly_rate,omitempty"`
}
type TimeEntryFilter struct {
CaseID *uuid.UUID
UserID *uuid.UUID
From string
To string
Limit int
Offset int
}
type TimeEntrySummary struct {
GroupKey string `db:"group_key" json:"group_key"`
TotalMinutes int `db:"total_minutes" json:"total_minutes"`
BillableMinutes int `db:"billable_minutes" json:"billable_minutes"`
TotalAmount float64 `db:"total_amount" json:"total_amount"`
EntryCount int `db:"entry_count" json:"entry_count"`
}
const timeEntryCols = `id, tenant_id, case_id, user_id, date, duration_minutes, description,
activity, billable, billed, invoice_id, hourly_rate, created_at, updated_at`
func (s *TimeEntryService) ListForCase(ctx context.Context, tenantID, caseID uuid.UUID) ([]models.TimeEntry, error) {
var entries []models.TimeEntry
err := s.db.SelectContext(ctx, &entries,
`SELECT `+timeEntryCols+` FROM time_entries
WHERE tenant_id = $1 AND case_id = $2
ORDER BY date DESC, created_at DESC`,
tenantID, caseID)
if err != nil {
return nil, fmt.Errorf("list time entries for case: %w", err)
}
return entries, nil
}
func (s *TimeEntryService) List(ctx context.Context, tenantID uuid.UUID, filter TimeEntryFilter) ([]models.TimeEntry, int, error) {
if filter.Limit <= 0 {
filter.Limit = 20
}
if filter.Limit > 100 {
filter.Limit = 100
}
where := "WHERE tenant_id = $1"
args := []any{tenantID}
argIdx := 2
if filter.CaseID != nil {
where += fmt.Sprintf(" AND case_id = $%d", argIdx)
args = append(args, *filter.CaseID)
argIdx++
}
if filter.UserID != nil {
where += fmt.Sprintf(" AND user_id = $%d", argIdx)
args = append(args, *filter.UserID)
argIdx++
}
if filter.From != "" {
where += fmt.Sprintf(" AND date >= $%d", argIdx)
args = append(args, filter.From)
argIdx++
}
if filter.To != "" {
where += fmt.Sprintf(" AND date <= $%d", argIdx)
args = append(args, filter.To)
argIdx++
}
var total int
err := s.db.GetContext(ctx, &total,
"SELECT COUNT(*) FROM time_entries "+where, args...)
if err != nil {
return nil, 0, fmt.Errorf("count time entries: %w", err)
}
query := fmt.Sprintf("SELECT %s FROM time_entries %s ORDER BY date DESC, created_at DESC LIMIT $%d OFFSET $%d",
timeEntryCols, where, argIdx, argIdx+1)
args = append(args, filter.Limit, filter.Offset)
var entries []models.TimeEntry
err = s.db.SelectContext(ctx, &entries, query, args...)
if err != nil {
return nil, 0, fmt.Errorf("list time entries: %w", err)
}
return entries, total, nil
}
func (s *TimeEntryService) GetByID(ctx context.Context, tenantID, entryID uuid.UUID) (*models.TimeEntry, error) {
var entry models.TimeEntry
err := s.db.GetContext(ctx, &entry,
`SELECT `+timeEntryCols+` FROM time_entries WHERE tenant_id = $1 AND id = $2`,
tenantID, entryID)
if err == sql.ErrNoRows {
return nil, nil
}
if err != nil {
return nil, fmt.Errorf("get time entry: %w", err)
}
return &entry, nil
}
func (s *TimeEntryService) Create(ctx context.Context, tenantID, userID uuid.UUID, input CreateTimeEntryInput) (*models.TimeEntry, error) {
billable := true
if input.Billable != nil {
billable = *input.Billable
}
// If no hourly rate provided, look up the current billing rate
hourlyRate := input.HourlyRate
if hourlyRate == nil {
var rate float64
err := s.db.GetContext(ctx, &rate,
`SELECT rate FROM billing_rates
WHERE tenant_id = $1 AND (user_id = $2 OR user_id IS NULL)
AND valid_from <= $3 AND (valid_to IS NULL OR valid_to >= $3)
ORDER BY user_id NULLS LAST LIMIT 1`,
tenantID, userID, input.Date)
if err == nil {
hourlyRate = &rate
}
}
var entry models.TimeEntry
err := s.db.QueryRowxContext(ctx,
`INSERT INTO time_entries (tenant_id, case_id, user_id, date, duration_minutes, description, activity, billable, hourly_rate)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
RETURNING `+timeEntryCols,
tenantID, input.CaseID, userID, input.Date, input.DurationMinutes, input.Description, input.Activity, billable, hourlyRate,
).StructScan(&entry)
if err != nil {
return nil, fmt.Errorf("create time entry: %w", err)
}
s.audit.Log(ctx, "create", "time_entry", &entry.ID, nil, entry)
return &entry, nil
}
func (s *TimeEntryService) Update(ctx context.Context, tenantID, entryID uuid.UUID, input UpdateTimeEntryInput) (*models.TimeEntry, error) {
old, err := s.GetByID(ctx, tenantID, entryID)
if err != nil {
return nil, err
}
if old == nil {
return nil, fmt.Errorf("time entry not found")
}
if old.Billed {
return nil, fmt.Errorf("cannot update a billed time entry")
}
var entry models.TimeEntry
err = s.db.QueryRowxContext(ctx,
`UPDATE time_entries SET
date = COALESCE($3, date),
duration_minutes = COALESCE($4, duration_minutes),
description = COALESCE($5, description),
activity = COALESCE($6, activity),
billable = COALESCE($7, billable),
hourly_rate = COALESCE($8, hourly_rate),
updated_at = now()
WHERE tenant_id = $1 AND id = $2
RETURNING `+timeEntryCols,
tenantID, entryID, input.Date, input.DurationMinutes, input.Description, input.Activity, input.Billable, input.HourlyRate,
).StructScan(&entry)
if err != nil {
return nil, fmt.Errorf("update time entry: %w", err)
}
s.audit.Log(ctx, "update", "time_entry", &entry.ID, old, entry)
return &entry, nil
}
func (s *TimeEntryService) Delete(ctx context.Context, tenantID, entryID uuid.UUID) error {
old, err := s.GetByID(ctx, tenantID, entryID)
if err != nil {
return err
}
if old == nil {
return fmt.Errorf("time entry not found")
}
if old.Billed {
return fmt.Errorf("cannot delete a billed time entry")
}
_, err = s.db.ExecContext(ctx,
`DELETE FROM time_entries WHERE tenant_id = $1 AND id = $2`,
tenantID, entryID)
if err != nil {
return fmt.Errorf("delete time entry: %w", err)
}
s.audit.Log(ctx, "delete", "time_entry", &entryID, old, nil)
return nil
}
func (s *TimeEntryService) Summary(ctx context.Context, tenantID uuid.UUID, groupBy string, from, to string) ([]TimeEntrySummary, error) {
var groupExpr string
switch groupBy {
case "user":
groupExpr = "user_id::text"
case "month":
groupExpr = "to_char(date, 'YYYY-MM')"
default:
groupExpr = "case_id::text"
}
where := "WHERE tenant_id = $1"
args := []any{tenantID}
argIdx := 2
if from != "" {
where += fmt.Sprintf(" AND date >= $%d", argIdx)
args = append(args, from)
argIdx++
}
if to != "" {
where += fmt.Sprintf(" AND date <= $%d", argIdx)
args = append(args, to)
argIdx++
}
query := fmt.Sprintf(`SELECT %s AS group_key,
SUM(duration_minutes) AS total_minutes,
SUM(CASE WHEN billable THEN duration_minutes ELSE 0 END) AS billable_minutes,
SUM(CASE WHEN billable AND hourly_rate IS NOT NULL THEN duration_minutes * hourly_rate / 60.0 ELSE 0 END) AS total_amount,
COUNT(*) AS entry_count
FROM time_entries %s
GROUP BY %s
ORDER BY %s`,
groupExpr, where, groupExpr, groupExpr)
var summaries []TimeEntrySummary
err := s.db.SelectContext(ctx, &summaries, query, args...)
if err != nil {
return nil, fmt.Errorf("time entry summary: %w", err)
}
return summaries, nil
}

164
frontend/src/app/(app)/abrechnung/page.tsx Normal file
View File

@@ -0,0 +1,164 @@
"use client";
import { useQuery } from "@tanstack/react-query";
import { api } from "@/lib/api";
import type { TimeEntry } from "@/lib/types";
import { format } from "date-fns";
import { de } from "date-fns/locale";
import { Timer, Loader2 } from "lucide-react";
import { useState } from "react";
import Link from "next/link";
import { Breadcrumb } from "@/components/layout/Breadcrumb";
function formatDuration(minutes: number): string {
const h = Math.floor(minutes / 60);
const m = minutes % 60;
if (h === 0) return `${m}min`;
if (m === 0) return `${h}h`;
return `${h}h ${m}min`;
}
export default function AbrechnungPage() {
const [from, setFrom] = useState(() => {
const d = new Date();
d.setDate(1);
return format(d, "yyyy-MM-dd");
});
const [to, setTo] = useState(() => format(new Date(), "yyyy-MM-dd"));
const { data, isLoading } = useQuery({
queryKey: ["time-entries", from, to],
queryFn: () =>
api.get<{ time_entries: TimeEntry[]; total: number }>(
`/time-entries?from=${from}&to=${to}&limit=100`,
),
});
const entries = data?.time_entries ?? [];
const totalMinutes = entries.reduce((s, e) => s + e.duration_minutes, 0);
const billableMinutes = entries
.filter((e) => e.billable)
.reduce((s, e) => s + e.duration_minutes, 0);
const totalAmount = entries
.filter((e) => e.billable && e.hourly_rate)
.reduce((s, e) => s + (e.duration_minutes / 60) * (e.hourly_rate ?? 0), 0);
return (
<div className="animate-fade-in">
<Breadcrumb
items={[
{ label: "Dashboard", href: "/dashboard" },
{ label: "Abrechnung" },
]}
/>
<div className="mt-4 flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
<h1 className="text-lg font-semibold text-neutral-900">
Zeiterfassung
</h1>
<Link
href="/abrechnung/rechnungen"
className="text-sm text-neutral-500 transition-colors hover:text-neutral-700"
>
Rechnungen ansehen &rarr;
</Link>
</div>
{/* Filters */}
<div className="mt-4 flex flex-wrap items-center gap-3">
<div className="flex items-center gap-2">
<label className="text-xs text-neutral-500">Von</label>
<input
type="date"
value={from}
onChange={(e) => setFrom(e.target.value)}
className="rounded-md border border-neutral-300 px-2 py-1 text-sm focus:border-neutral-500 focus:outline-none"
/>
</div>
<div className="flex items-center gap-2">
<label className="text-xs text-neutral-500">Bis</label>
<input
type="date"
value={to}
onChange={(e) => setTo(e.target.value)}
className="rounded-md border border-neutral-300 px-2 py-1 text-sm focus:border-neutral-500 focus:outline-none"
/>
</div>
</div>
{/* Summary cards */}
<div className="mt-4 grid grid-cols-1 gap-3 sm:grid-cols-3">
<div className="rounded-md border border-neutral-200 bg-white p-4">
<p className="text-xs text-neutral-500">Gesamt</p>
<p className="mt-1 text-xl font-semibold text-neutral-900">
{formatDuration(totalMinutes)}
</p>
</div>
<div className="rounded-md border border-neutral-200 bg-white p-4">
<p className="text-xs text-neutral-500">Abrechenbar</p>
<p className="mt-1 text-xl font-semibold text-neutral-900">
{formatDuration(billableMinutes)}
</p>
</div>
<div className="rounded-md border border-neutral-200 bg-white p-4">
<p className="text-xs text-neutral-500">Betrag</p>
<p className="mt-1 text-xl font-semibold text-neutral-900">
{totalAmount.toFixed(2)} EUR
</p>
</div>
</div>
{/* Entries */}
{isLoading ? (
<div className="flex items-center justify-center py-8">
<Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
</div>
) : entries.length === 0 ? (
<div className="flex flex-col items-center py-12 text-center">
<div className="rounded-xl bg-neutral-100 p-3">
<Timer className="h-5 w-5 text-neutral-400" />
</div>
<p className="mt-2 text-sm text-neutral-500">
Keine Zeiteintraege im gewaehlten Zeitraum.
</p>
</div>
) : (
<div className="mt-4 space-y-2">
{entries.map((entry) => (
<div
key={entry.id}
className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3"
>
<div className="min-w-0 flex-1">
<p className="text-sm font-medium text-neutral-900 truncate">
{entry.description}
</p>
<div className="mt-0.5 flex gap-3 text-xs text-neutral-500">
<span>
{format(new Date(entry.date), "d. MMM yyyy", { locale: de })}
</span>
<Link
href={`/cases/${entry.case_id}/zeiterfassung`}
className="hover:text-neutral-700"
>
Akte ansehen
</Link>
</div>
</div>
<div className="flex items-center gap-4 ml-4 text-sm">
{entry.billable ? (
<span className="text-emerald-600">abrechenbar</span>
) : (
<span className="text-neutral-400">intern</span>
)}
<span className="font-medium text-neutral-900 whitespace-nowrap">
{formatDuration(entry.duration_minutes)}
</span>
</div>
</div>
))}
</div>
)}
</div>
);
}

225
frontend/src/app/(app)/abrechnung/rechnungen/[id]/page.tsx Normal file
View File

@@ -0,0 +1,225 @@
"use client";
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
import { useParams } from "next/navigation";
import { api } from "@/lib/api";
import type { Invoice } from "@/lib/types";
import { format } from "date-fns";
import { de } from "date-fns/locale";
import { Loader2, AlertTriangle } from "lucide-react";
import { Breadcrumb } from "@/components/layout/Breadcrumb";
const STATUS_BADGE: Record<string, string> = {
draft: "bg-neutral-100 text-neutral-600",
sent: "bg-blue-50 text-blue-700",
paid: "bg-emerald-50 text-emerald-700",
cancelled: "bg-red-50 text-red-600",
};
const STATUS_LABEL: Record<string, string> = {
draft: "Entwurf",
sent: "Versendet",
paid: "Bezahlt",
cancelled: "Storniert",
};
const TRANSITIONS: Record<string, { label: string; next: string }[]> = {
draft: [
{ label: "Als versendet markieren", next: "sent" },
{ label: "Stornieren", next: "cancelled" },
],
sent: [
{ label: "Als bezahlt markieren", next: "paid" },
{ label: "Stornieren", next: "cancelled" },
],
paid: [],
cancelled: [],
};
export default function InvoiceDetailPage() {
const { id } = useParams<{ id: string }>();
const queryClient = useQueryClient();
const { data: invoice, isLoading, error } = useQuery({
queryKey: ["invoice", id],
queryFn: () => api.get<Invoice>(`/invoices/${id}`),
});
const statusMutation = useMutation({
mutationFn: (status: string) =>
api.patch<Invoice>(`/invoices/${id}/status`, { status }),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["invoice", id] });
queryClient.invalidateQueries({ queryKey: ["invoices"] });
},
});
if (isLoading) {
return (
<div className="flex items-center justify-center py-12">
<Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
</div>
);
}
if (error || !invoice) {
return (
<div className="py-12 text-center">
<AlertTriangle className="mx-auto h-6 w-6 text-red-500" />
<p className="mt-2 text-sm text-neutral-500">
Rechnung nicht gefunden.
</p>
</div>
);
}
const items = Array.isArray(invoice.items) ? invoice.items : [];
const actions = TRANSITIONS[invoice.status] ?? [];
return (
<div className="animate-fade-in">
<Breadcrumb
items={[
{ label: "Dashboard", href: "/dashboard" },
{ label: "Abrechnung", href: "/abrechnung" },
{ label: "Rechnungen", href: "/abrechnung/rechnungen" },
{ label: invoice.invoice_number },
]}
/>
<div className="mt-4 flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
<div>
<div className="flex items-center gap-3">
<h1 className="text-lg font-semibold text-neutral-900">
{invoice.invoice_number}
</h1>
<span
className={`rounded-full px-2 py-0.5 text-xs font-medium ${STATUS_BADGE[invoice.status]}`}
>
{STATUS_LABEL[invoice.status]}
</span>
</div>
<p className="mt-1 text-sm text-neutral-500">
{invoice.client_name}
</p>
</div>
<div className="flex gap-2">
{actions.map((action) => (
<button
key={action.next}
onClick={() => statusMutation.mutate(action.next)}
disabled={statusMutation.isPending}
className="rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800 disabled:opacity-50"
>
{action.label}
</button>
))}
</div>
</div>
{/* Invoice details */}
<div className="mt-6 rounded-md border border-neutral-200 bg-white">
{/* Client info */}
<div className="border-b border-neutral-100 p-4">
<p className="text-xs text-neutral-500">Empfaenger</p>
<p className="mt-1 text-sm font-medium text-neutral-900">
{invoice.client_name}
</p>
{invoice.client_address && (
<p className="mt-0.5 text-sm text-neutral-500 whitespace-pre-line">
{invoice.client_address}
</p>
)}
</div>
{/* Dates */}
<div className="flex flex-wrap gap-6 border-b border-neutral-100 p-4">
{invoice.issued_at && (
<div>
<p className="text-xs text-neutral-500">Rechnungsdatum</p>
<p className="mt-0.5 text-sm text-neutral-900">
{format(new Date(invoice.issued_at), "d. MMMM yyyy", { locale: de })}
</p>
</div>
)}
{invoice.due_at && (
<div>
<p className="text-xs text-neutral-500">Faellig am</p>
<p className="mt-0.5 text-sm text-neutral-900">
{format(new Date(invoice.due_at), "d. MMMM yyyy", { locale: de })}
</p>
</div>
)}
{invoice.paid_at && (
<div>
<p className="text-xs text-neutral-500">Bezahlt am</p>
<p className="mt-0.5 text-sm text-neutral-900">
{format(new Date(invoice.paid_at), "d. MMMM yyyy", { locale: de })}
</p>
</div>
)}
</div>
{/* Line items */}
<div className="p-4">
<table className="w-full text-sm">
<thead>
<tr className="border-b border-neutral-100 text-left text-xs text-neutral-500">
<th className="pb-2 font-medium">Beschreibung</th>
<th className="pb-2 font-medium text-right">Betrag</th>
</tr>
</thead>
<tbody>
{items.map((item, i) => (
<tr key={i} className="border-b border-neutral-50">
<td className="py-2 text-neutral-900">
{item.description}
{item.duration_minutes && item.hourly_rate && (
<span className="ml-2 text-xs text-neutral-400">
({Math.floor(item.duration_minutes / 60)}h{" "}
{item.duration_minutes % 60}min x {item.hourly_rate} EUR/h)
</span>
)}
</td>
<td className="py-2 text-right text-neutral-900">
{item.amount.toFixed(2)} EUR
</td>
</tr>
))}
</tbody>
</table>
</div>
{/* Totals */}
<div className="border-t border-neutral-200 p-4">
<div className="flex justify-end">
<div className="w-48 space-y-1">
<div className="flex justify-between text-sm">
<span className="text-neutral-500">Netto</span>
<span>{invoice.subtotal.toFixed(2)} EUR</span>
</div>
<div className="flex justify-between text-sm">
<span className="text-neutral-500">
USt. {invoice.tax_rate}%
</span>
<span>{invoice.tax_amount.toFixed(2)} EUR</span>
</div>
<div className="flex justify-between border-t border-neutral-200 pt-1 text-sm font-semibold">
<span>Gesamt</span>
<span>{invoice.total.toFixed(2)} EUR</span>
</div>
</div>
</div>
</div>
{/* Notes */}
{invoice.notes && (
<div className="border-t border-neutral-100 p-4">
<p className="text-xs text-neutral-500">Anmerkungen</p>
<p className="mt-1 text-sm text-neutral-700">{invoice.notes}</p>
</div>
)}
</div>
</div>
);
}

118
frontend/src/app/(app)/abrechnung/rechnungen/page.tsx Normal file
View File

@@ -0,0 +1,118 @@
"use client";
import { useQuery } from "@tanstack/react-query";
import { api } from "@/lib/api";
import type { Invoice } from "@/lib/types";
import { format } from "date-fns";
import { de } from "date-fns/locale";
import { Receipt, Loader2 } from "lucide-react";
import Link from "next/link";
import { useState } from "react";
import { Breadcrumb } from "@/components/layout/Breadcrumb";
const STATUS_BADGE: Record<string, string> = {
draft: "bg-neutral-100 text-neutral-600",
sent: "bg-blue-50 text-blue-700",
paid: "bg-emerald-50 text-emerald-700",
cancelled: "bg-red-50 text-red-600",
};
const STATUS_LABEL: Record<string, string> = {
draft: "Entwurf",
sent: "Versendet",
paid: "Bezahlt",
cancelled: "Storniert",
};
export default function RechnungenPage() {
const [statusFilter, setStatusFilter] = useState("");
const { data, isLoading } = useQuery({
queryKey: ["invoices", statusFilter],
queryFn: () => {
const params = statusFilter ? `?status=${statusFilter}` : "";
return api.get<{ invoices: Invoice[] }>(`/invoices${params}`);
},
});
const invoices = data?.invoices ?? [];
return (
<div className="animate-fade-in">
<Breadcrumb
items={[
{ label: "Dashboard", href: "/dashboard" },
{ label: "Abrechnung", href: "/abrechnung" },
{ label: "Rechnungen" },
]}
/>
<div className="mt-4 flex items-center justify-between">
<h1 className="text-lg font-semibold text-neutral-900">Rechnungen</h1>
</div>
{/* Filters */}
<div className="mt-4 flex gap-2">
{["", "draft", "sent", "paid", "cancelled"].map((s) => (
<button
key={s}
onClick={() => setStatusFilter(s)}
className={`rounded-md px-2.5 py-1 text-xs font-medium transition-colors ${
statusFilter === s
? "bg-neutral-900 text-white"
: "bg-neutral-100 text-neutral-600 hover:bg-neutral-200"
}`}
>
{s === "" ? "Alle" : STATUS_LABEL[s]}
</button>
))}
</div>
{isLoading ? (
<div className="flex items-center justify-center py-8">
<Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
</div>
) : invoices.length === 0 ? (
<div className="flex flex-col items-center py-12 text-center">
<div className="rounded-xl bg-neutral-100 p-3">
<Receipt className="h-5 w-5 text-neutral-400" />
</div>
<p className="mt-2 text-sm text-neutral-500">
Keine Rechnungen vorhanden.
</p>
</div>
) : (
<div className="mt-4 space-y-2">
{invoices.map((inv) => (
<Link
key={inv.id}
href={`/abrechnung/rechnungen/${inv.id}`}
className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3 transition-colors hover:bg-neutral-50"
>
<div>
<div className="flex items-center gap-2">
<p className="text-sm font-medium text-neutral-900">
{inv.invoice_number}
</p>
<span
className={`rounded-full px-2 py-0.5 text-xs font-medium ${STATUS_BADGE[inv.status]}`}
>
{STATUS_LABEL[inv.status]}
</span>
</div>
<p className="mt-0.5 text-xs text-neutral-500">
{inv.client_name}
{inv.issued_at &&
`${format(new Date(inv.issued_at), "d. MMM yyyy", { locale: de })}`}
</p>
</div>
<p className="text-sm font-semibold text-neutral-900">
{inv.total.toFixed(2)} EUR
</p>
</Link>
))}
</div>
)}
</div>
);
}

6
frontend/src/app/(app)/cases/[id]/layout.tsx
View File

@@ -16,6 +16,8 @@ import {
UserCheck,
StickyNote,
AlertTriangle,
ScrollText,
Timer,
} from "lucide-react";
import { format } from "date-fns";
import { de } from "date-fns/locale";
@@ -45,7 +47,9 @@ const TABS = [
{ segment: "dokumente", label: "Dokumente", icon: FileText },
{ segment: "parteien", label: "Parteien", icon: Users },
{ segment: "mitarbeiter", label: "Mitarbeiter", icon: UserCheck },
{ segment: "zeiterfassung", label: "Zeiterfassung", icon: Timer },
{ segment: "notizen", label: "Notizen", icon: StickyNote },
{ segment: "protokoll", label: "Protokoll", icon: ScrollText },
] as const;
const TAB_LABELS: Record<string, string> = {
@@ -54,7 +58,9 @@ const TAB_LABELS: Record<string, string> = {
dokumente: "Dokumente",
parteien: "Parteien",
mitarbeiter: "Mitarbeiter",
zeiterfassung: "Zeiterfassung",
notizen: "Notizen",
protokoll: "Protokoll",
};
function CaseDetailSkeleton() {

178
frontend/src/app/(app)/cases/[id]/protokoll/page.tsx Normal file
View File

@@ -0,0 +1,178 @@
"use client";
import { useQuery } from "@tanstack/react-query";
import { useParams, useSearchParams } from "next/navigation";
import { api } from "@/lib/api";
import type { AuditLogResponse } from "@/lib/types";
import { format } from "date-fns";
import { de } from "date-fns/locale";
import { Loader2, ChevronLeft, ChevronRight } from "lucide-react";
const ACTION_LABELS: Record<string, string> = {
create: "Erstellt",
update: "Aktualisiert",
delete: "Geloescht",
};
const ACTION_COLORS: Record<string, string> = {
create: "bg-emerald-50 text-emerald-700",
update: "bg-blue-50 text-blue-700",
delete: "bg-red-50 text-red-700",
};
const ENTITY_LABELS: Record<string, string> = {
case: "Akte",
deadline: "Frist",
appointment: "Termin",
document: "Dokument",
party: "Partei",
note: "Notiz",
settings: "Einstellungen",
membership: "Mitgliedschaft",
};
function DiffPreview({
oldValues,
newValues,
}: {
oldValues?: Record<string, unknown>;
newValues?: Record<string, unknown>;
}) {
if (!oldValues && !newValues) return null;
const allKeys = new Set([
...Object.keys(oldValues ?? {}),
...Object.keys(newValues ?? {}),
]);
const changes: { key: string; from?: unknown; to?: unknown }[] = [];
for (const key of allKeys) {
const oldVal = oldValues?.[key];
const newVal = newValues?.[key];
if (JSON.stringify(oldVal) !== JSON.stringify(newVal)) {
changes.push({ key, from: oldVal, to: newVal });
}
}
if (changes.length === 0) return null;
return (
<div className="mt-2 space-y-1">
{changes.slice(0, 5).map((c) => (
<div key={c.key} className="flex items-baseline gap-2 text-xs">
<span className="font-medium text-neutral-500">{c.key}:</span>
{c.from !== undefined && (
<span className="rounded bg-red-50 px-1 text-red-600 line-through">
{String(c.from)}
</span>
)}
{c.to !== undefined && (
<span className="rounded bg-emerald-50 px-1 text-emerald-600">
{String(c.to)}
</span>
)}
</div>
))}
{changes.length > 5 && (
<span className="text-xs text-neutral-400">
+{changes.length - 5} weitere Aenderungen
</span>
)}
</div>
);
}
export default function ProtokollPage() {
const { id } = useParams<{ id: string }>();
const searchParams = useSearchParams();
const page = Number(searchParams.get("page")) || 1;
const { data, isLoading } = useQuery({
queryKey: ["audit-log", id, page],
queryFn: () =>
api.get<AuditLogResponse>(
`/audit-log?entity_id=${id}&page=${page}&limit=50`,
),
});
if (isLoading) {
return (
<div className="flex items-center justify-center py-8">
<Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
</div>
);
}
const entries = data?.entries ?? [];
const total = data?.total ?? 0;
const totalPages = Math.ceil(total / 50);
if (entries.length === 0) {
return (
<div className="py-8 text-center text-sm text-neutral-400">
Keine Protokolleintraege vorhanden.
</div>
);
}
return (
<div>
<div className="space-y-3">
{entries.map((entry) => (
<div
key={entry.id}
className="rounded-md border border-neutral-100 bg-white px-4 py-3"
>
<div className="flex items-start justify-between gap-3">
<div className="flex items-center gap-2">
<span
className={`inline-block rounded-full px-2 py-0.5 text-xs font-medium ${ACTION_COLORS[entry.action] ?? "bg-neutral-100 text-neutral-600"}`}
>
{ACTION_LABELS[entry.action] ?? entry.action}
</span>
<span className="text-sm font-medium text-neutral-700">
{ENTITY_LABELS[entry.entity_type] ?? entry.entity_type}
</span>
</div>
<span className="shrink-0 text-xs text-neutral-400">
{format(new Date(entry.created_at), "d. MMM yyyy, HH:mm", {
locale: de,
})}
</span>
</div>
<DiffPreview
oldValues={entry.old_values}
newValues={entry.new_values}
/>
</div>
))}
</div>
{totalPages > 1 && (
<div className="mt-4 flex items-center justify-between">
<span className="text-xs text-neutral-400">
{total} Eintraege, Seite {page} von {totalPages}
</span>
<div className="flex gap-1">
{page > 1 && (
<a
href={`?page=${page - 1}`}
className="inline-flex items-center gap-1 rounded-md border border-neutral-200 px-2 py-1 text-xs text-neutral-600 hover:bg-neutral-50"
>
<ChevronLeft className="h-3 w-3" /> Zurueck
</a>
)}
{page < totalPages && (
<a
href={`?page=${page + 1}`}
className="inline-flex items-center gap-1 rounded-md border border-neutral-200 px-2 py-1 text-xs text-neutral-600 hover:bg-neutral-50"
>
Weiter <ChevronRight className="h-3 w-3" />
</a>
)}
</div>
</div>
)}
</div>
);
}

306
frontend/src/app/(app)/cases/[id]/zeiterfassung/page.tsx Normal file
View File

@@ -0,0 +1,306 @@
"use client";
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
import { useParams } from "next/navigation";
import { api } from "@/lib/api";
import type { TimeEntry } from "@/lib/types";
import { format } from "date-fns";
import { de } from "date-fns/locale";
import { Timer, Loader2, Plus, Trash2 } from "lucide-react";
import { useState } from "react";
function formatDuration(minutes: number): string {
const h = Math.floor(minutes / 60);
const m = minutes % 60;
if (h === 0) return `${m}min`;
if (m === 0) return `${h}h`;
return `${h}h ${m}min`;
}
function formatAmount(minutes: number, rate?: number): string {
if (!rate) return "-";
return `${((minutes / 60) * rate).toFixed(2)} EUR`;
}
const ACTIVITIES = [
{ value: "", label: "Keine Kategorie" },
{ value: "research", label: "Recherche" },
{ value: "drafting", label: "Entwurf" },
{ value: "hearing", label: "Verhandlung" },
{ value: "call", label: "Telefonat" },
{ value: "review", label: "Prüfung" },
{ value: "travel", label: "Reise" },
{ value: "meeting", label: "Besprechung" },
];
export default function ZeiterfassungPage() {
const { id } = useParams<{ id: string }>();
const queryClient = useQueryClient();
const [showForm, setShowForm] = useState(false);
const [desc, setDesc] = useState("");
const [hours, setHours] = useState("");
const [minutes, setMinutes] = useState("");
const [date, setDate] = useState(format(new Date(), "yyyy-MM-dd"));
const [activity, setActivity] = useState("");
const [billable, setBillable] = useState(true);
const { data, isLoading } = useQuery({
queryKey: ["case-time-entries", id],
queryFn: () =>
api.get<{ time_entries: TimeEntry[] }>(`/cases/${id}/time-entries`),
});
const createMutation = useMutation({
mutationFn: (input: {
description: string;
duration_minutes: number;
date: string;
activity?: string;
billable: boolean;
}) => api.post<TimeEntry>(`/cases/${id}/time-entries`, input),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["case-time-entries", id] });
setShowForm(false);
setDesc("");
setHours("");
setMinutes("");
setActivity("");
setBillable(true);
},
});
const deleteMutation = useMutation({
mutationFn: (entryId: string) =>
api.delete(`/time-entries/${entryId}`),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["case-time-entries", id] });
},
});
function handleSubmit(e: React.FormEvent) {
e.preventDefault();
const totalMinutes = (parseInt(hours || "0") * 60) + parseInt(minutes || "0");
if (totalMinutes <= 0 || !desc.trim()) return;
createMutation.mutate({
description: desc.trim(),
duration_minutes: totalMinutes,
date,
activity: activity || undefined,
billable,
});
}
if (isLoading) {
return (
<div className="flex items-center justify-center py-8">
<Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
</div>
);
}
const entries = data?.time_entries ?? [];
const totalMinutes = entries.reduce((s, e) => s + e.duration_minutes, 0);
const billableMinutes = entries
.filter((e) => e.billable)
.reduce((s, e) => s + e.duration_minutes, 0);
return (
<div className="space-y-4">
{/* Summary bar */}
<div className="flex flex-wrap items-center justify-between gap-3">
<div className="flex gap-6 text-sm text-neutral-500">
<span>
Gesamt: <span className="font-medium text-neutral-900">{formatDuration(totalMinutes)}</span>
</span>
<span>
Abrechenbar: <span className="font-medium text-neutral-900">{formatDuration(billableMinutes)}</span>
</span>
</div>
<button
onClick={() => setShowForm(!showForm)}
className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"
>
<Plus className="h-3.5 w-3.5" />
Eintrag
</button>
</div>
{/* Quick add form */}
{showForm && (
<form
onSubmit={handleSubmit}
className="rounded-md border border-neutral-200 bg-neutral-50 p-4 space-y-3"
>
<div>
<label className="block text-xs font-medium text-neutral-600 mb-1">
Beschreibung
</label>
<input
type="text"
value={desc}
onChange={(e) => setDesc(e.target.value)}
placeholder="Was wurde getan?"
className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
required
/>
</div>
<div className="flex flex-wrap gap-3">
<div className="flex-1 min-w-[120px]">
<label className="block text-xs font-medium text-neutral-600 mb-1">
Dauer
</label>
<div className="flex gap-2">
<div className="flex items-center gap-1">
<input
type="number"
min="0"
value={hours}
onChange={(e) => setHours(e.target.value)}
placeholder="0"
className="w-16 rounded-md border border-neutral-300 px-2 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
/>
<span className="text-xs text-neutral-500">h</span>
</div>
<div className="flex items-center gap-1">
<input
type="number"
min="0"
max="59"
value={minutes}
onChange={(e) => setMinutes(e.target.value)}
placeholder="0"
className="w-16 rounded-md border border-neutral-300 px-2 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
/>
<span className="text-xs text-neutral-500">min</span>
</div>
</div>
</div>
<div className="flex-1 min-w-[120px]">
<label className="block text-xs font-medium text-neutral-600 mb-1">
Datum
</label>
<input
type="date"
value={date}
onChange={(e) => setDate(e.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
/>
</div>
<div className="flex-1 min-w-[120px]">
<label className="block text-xs font-medium text-neutral-600 mb-1">
Kategorie
</label>
<select
value={activity}
onChange={(e) => setActivity(e.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
>
{ACTIVITIES.map((a) => (
<option key={a.value} value={a.value}>
{a.label}
</option>
))}
</select>
</div>
</div>
<div className="flex items-center justify-between">
<label className="flex items-center gap-2 text-sm text-neutral-600">
<input
type="checkbox"
checked={billable}
onChange={(e) => setBillable(e.target.checked)}
className="rounded border-neutral-300"
/>
Abrechenbar
</label>
<div className="flex gap-2">
<button
type="button"
onClick={() => setShowForm(false)}
className="rounded-md px-3 py-1.5 text-sm text-neutral-600 transition-colors hover:bg-neutral-100"
>
Abbrechen
</button>
<button
type="submit"
disabled={createMutation.isPending}
className="rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800 disabled:opacity-50"
>
{createMutation.isPending ? "Speichern..." : "Speichern"}
</button>
</div>
</div>
{createMutation.isError && (
<p className="text-sm text-red-600">Fehler beim Speichern.</p>
)}
</form>
)}
{/* Entries list */}
{entries.length === 0 ? (
<div className="flex flex-col items-center py-8 text-center">
<div className="rounded-xl bg-neutral-100 p-3">
<Timer className="h-5 w-5 text-neutral-400" />
</div>
<p className="mt-2 text-sm text-neutral-500">
Keine Zeiteintraege vorhanden.
</p>
</div>
) : (
<div className="space-y-2">
{entries.map((entry) => (
<div
key={entry.id}
className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3"
>
<div className="min-w-0 flex-1">
<div className="flex items-center gap-2">
<p className="text-sm font-medium text-neutral-900 truncate">
{entry.description}
</p>
{entry.activity && (
<span className="shrink-0 rounded-full bg-neutral-100 px-2 py-0.5 text-xs text-neutral-500">
{ACTIVITIES.find((a) => a.value === entry.activity)?.label ?? entry.activity}
</span>
)}
{!entry.billable && (
<span className="shrink-0 rounded-full bg-neutral-100 px-2 py-0.5 text-xs text-neutral-400">
nicht abrechenbar
</span>
)}
{entry.billed && (
<span className="shrink-0 rounded-full bg-emerald-50 px-2 py-0.5 text-xs text-emerald-700">
abgerechnet
</span>
)}
</div>
<div className="mt-0.5 flex gap-4 text-xs text-neutral-500">
<span>
{format(new Date(entry.date), "d. MMM yyyy", { locale: de })}
</span>
{entry.hourly_rate && (
<span>{formatAmount(entry.duration_minutes, entry.hourly_rate)}</span>
)}
</div>
</div>
<div className="flex items-center gap-3 ml-4">
<span className="text-sm font-medium text-neutral-900 whitespace-nowrap">
{formatDuration(entry.duration_minutes)}
</span>
{!entry.billed && (
<button
onClick={() => deleteMutation.mutate(entry.id)}
className="rounded-md p-1 text-neutral-400 transition-colors hover:bg-red-50 hover:text-red-600"
title="Loeschen"
>
<Trash2 className="h-3.5 w-3.5" />
</button>
)}
</div>
</div>
))}
</div>
)}
</div>
);
}

166
frontend/src/app/(app)/einstellungen/abrechnung/page.tsx Normal file
View File

@@ -0,0 +1,166 @@
"use client";
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
import { api } from "@/lib/api";
import type { BillingRate } from "@/lib/types";
import { format } from "date-fns";
import { de } from "date-fns/locale";
import { Loader2, Plus } from "lucide-react";
import { useState } from "react";
import { Breadcrumb } from "@/components/layout/Breadcrumb";
export default function BillingRatesPage() {
const queryClient = useQueryClient();
const [showForm, setShowForm] = useState(false);
const [rate, setRate] = useState("");
const [validFrom, setValidFrom] = useState(format(new Date(), "yyyy-MM-dd"));
const { data, isLoading } = useQuery({
queryKey: ["billing-rates"],
queryFn: () =>
api.get<{ billing_rates: BillingRate[] }>("/billing-rates"),
});
const upsertMutation = useMutation({
mutationFn: (input: { rate: number; valid_from: string; currency: string }) =>
api.put<BillingRate>("/billing-rates", input),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["billing-rates"] });
setShowForm(false);
setRate("");
},
});
function handleSubmit(e: React.FormEvent) {
e.preventDefault();
const rateNum = parseFloat(rate);
if (isNaN(rateNum) || rateNum < 0) return;
upsertMutation.mutate({
rate: rateNum,
valid_from: validFrom,
currency: "EUR",
});
}
const rates = data?.billing_rates ?? [];
return (
<div className="animate-fade-in">
<Breadcrumb
items={[
{ label: "Dashboard", href: "/dashboard" },
{ label: "Einstellungen", href: "/einstellungen" },
{ label: "Stundensaetze" },
]}
/>
<div className="mt-4 flex items-center justify-between">
<h1 className="text-lg font-semibold text-neutral-900">
Stundensaetze
</h1>
<button
onClick={() => setShowForm(!showForm)}
className="inline-flex items-center gap-1.5 rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white transition-colors hover:bg-neutral-800"
>
<Plus className="h-3.5 w-3.5" />
Neuer Satz
</button>
</div>
{showForm && (
<form
onSubmit={handleSubmit}
className="mt-4 rounded-md border border-neutral-200 bg-neutral-50 p-4 space-y-3"
>
<div className="flex flex-wrap gap-3">
<div className="flex-1 min-w-[150px]">
<label className="block text-xs font-medium text-neutral-600 mb-1">
Stundensatz (EUR)
</label>
<input
type="number"
min="0"
step="0.01"
value={rate}
onChange={(e) => setRate(e.target.value)}
placeholder="z.B. 350.00"
className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
required
/>
</div>
<div className="flex-1 min-w-[150px]">
<label className="block text-xs font-medium text-neutral-600 mb-1">
Gueltig ab
</label>
<input
type="date"
value={validFrom}
onChange={(e) => setValidFrom(e.target.value)}
className="w-full rounded-md border border-neutral-300 px-3 py-1.5 text-sm focus:border-neutral-500 focus:outline-none"
required
/>
</div>
</div>
<div className="flex justify-end gap-2">
<button
type="button"
onClick={() => setShowForm(false)}
className="rounded-md px-3 py-1.5 text-sm text-neutral-600 hover:bg-neutral-100"
>
Abbrechen
</button>
<button
type="submit"
disabled={upsertMutation.isPending}
className="rounded-md bg-neutral-900 px-3 py-1.5 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
>
Speichern
</button>
</div>
</form>
)}
{isLoading ? (
<div className="flex items-center justify-center py-8">
<Loader2 className="h-5 w-5 animate-spin text-neutral-400" />
</div>
) : rates.length === 0 ? (
<div className="mt-8 text-center">
<p className="text-sm text-neutral-500">
Noch keine Stundensaetze definiert.
</p>
</div>
) : (
<div className="mt-4 space-y-2">
{rates.map((r) => (
<div
key={r.id}
className="flex items-center justify-between rounded-md border border-neutral-200 bg-white px-4 py-3"
>
<div>
<p className="text-sm font-medium text-neutral-900">
{r.rate.toFixed(2)} {r.currency}/h
</p>
<p className="mt-0.5 text-xs text-neutral-500">
{r.user_id ? `Benutzer: ${r.user_id.slice(0, 8)}...` : "Standard (alle Benutzer)"}
</p>
</div>
<div className="text-right text-xs text-neutral-500">
<p>
Ab{" "}
{format(new Date(r.valid_from), "d. MMM yyyy", { locale: de })}
</p>
{r.valid_to && (
<p>
Bis{" "}
{format(new Date(r.valid_to), "d. MMM yyyy", { locale: de })}
</p>
)}
</div>
</div>
))}
</div>
)}
</div>
);
}

16
frontend/src/app/(app)/einstellungen/page.tsx
View File

@@ -1,11 +1,12 @@
"use client";
import { useQuery } from "@tanstack/react-query";
import { Settings, Calendar, Users } from "lucide-react";
import { Settings, Calendar, Users, Bell } from "lucide-react";
import Link from "next/link";
import { api } from "@/lib/api";
import type { Tenant } from "@/lib/types";
import { CalDAVSettings } from "@/components/settings/CalDAVSettings";
import { NotificationSettings } from "@/components/settings/NotificationSettings";
import { SkeletonCard } from "@/components/ui/Skeleton";
import { EmptyState } from "@/components/ui/EmptyState";
@@ -97,6 +98,19 @@ export default function EinstellungenPage() {
</div>
</section>
{/* Notification Settings */}
<section className="rounded-xl border border-neutral-200 bg-white p-5">
<div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">
<Bell className="h-4 w-4 text-neutral-500" />
<h2 className="text-sm font-semibold text-neutral-900">
Benachrichtigungen
</h2>
</div>
<div className="mt-4">
<NotificationSettings />
</div>
</section>
{/* CalDAV Settings */}
<section className="rounded-xl border border-neutral-200 bg-white p-5">
<div className="flex items-center gap-2.5 border-b border-neutral-100 pb-3">

2
frontend/src/components/layout/Header.tsx
View File

@@ -2,6 +2,7 @@
import { createClient } from "@/lib/supabase/client";
import { TenantSwitcher } from "./TenantSwitcher";
import { NotificationBell } from "@/components/notifications/NotificationBell";
import { LogOut } from "lucide-react";
import { useRouter } from "next/navigation";
import { useEffect, useState } from "react";
@@ -29,6 +30,7 @@ export function Header() {
<div className="w-8 lg:w-0" />
<div className="flex items-center gap-2 sm:gap-3">
<TenantSwitcher />
<NotificationBell />
{email && (
<span className="hidden text-sm text-neutral-500 sm:inline">
{email}

2
frontend/src/components/layout/Sidebar.tsx
View File

@@ -11,6 +11,7 @@ import {
Settings,
Menu,
X,
Receipt,
} from "lucide-react";
import { useState, useEffect } from "react";
import { usePermissions } from "@/lib/hooks/usePermissions";
@@ -27,6 +28,7 @@ const allNavigation: NavItem[] = [
{ name: "Akten", href: "/cases", icon: FolderOpen },
{ name: "Fristen", href: "/fristen", icon: Clock },
{ name: "Termine", href: "/termine", icon: Calendar },
{ name: "Abrechnung", href: "/abrechnung", icon: Receipt, permission: "manage_billing" },
{ name: "AI Analyse", href: "/ai/extract", icon: Brain, permission: "ai_extraction" },
{ name: "Einstellungen", href: "/einstellungen", icon: Settings, permission: "manage_settings" },
];

205
frontend/src/components/notifications/NotificationBell.tsx Normal file
View File

@@ -0,0 +1,205 @@
"use client";
import { useEffect, useRef, useState } from "react";
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
import { Bell, Check, CheckCheck, ExternalLink } from "lucide-react";
import { api } from "@/lib/api";
import type { Notification, NotificationListResponse } from "@/lib/types";
function getEntityLink(n: Notification): string | null {
if (!n.entity_type || !n.entity_id) return null;
switch (n.entity_type) {
case "deadline":
return `/fristen/${n.entity_id}`;
case "appointment":
return `/termine/${n.entity_id}`;
case "case":
return `/akten/${n.entity_id}`;
default:
return null;
}
}
function getTypeColor(type: Notification["type"]): string {
switch (type) {
case "deadline_overdue":
return "bg-red-500";
case "deadline_reminder":
return "bg-amber-500";
case "case_update":
return "bg-blue-500";
case "assignment":
return "bg-violet-500";
default:
return "bg-neutral-500";
}
}
function timeAgo(dateStr: string): string {
const now = new Date();
const date = new Date(dateStr);
const diffMs = now.getTime() - date.getTime();
const diffMin = Math.floor(diffMs / 60000);
if (diffMin < 1) return "gerade eben";
if (diffMin < 60) return `vor ${diffMin} Min.`;
const diffHours = Math.floor(diffMin / 60);
if (diffHours < 24) return `vor ${diffHours} Std.`;
const diffDays = Math.floor(diffHours / 24);
if (diffDays === 1) return "gestern";
return `vor ${diffDays} Tagen`;
}
export function NotificationBell() {
const [open, setOpen] = useState(false);
const panelRef = useRef<HTMLDivElement>(null);
const queryClient = useQueryClient();
const { data: unreadData } = useQuery({
queryKey: ["notifications-unread-count"],
queryFn: () =>
api.get<{ unread_count: number }>("/api/notifications/unread-count"),
refetchInterval: 30_000,
});
const { data: notifData } = useQuery({
queryKey: ["notifications"],
queryFn: () =>
api.get<NotificationListResponse>("/api/notifications?limit=20"),
enabled: open,
});
const markRead = useMutation({
mutationFn: (id: string) =>
api.patch(`/api/notifications/${id}/read`),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["notifications"] });
queryClient.invalidateQueries({
queryKey: ["notifications-unread-count"],
});
},
});
const markAllRead = useMutation({
mutationFn: () => api.patch("/api/notifications/read-all"),
onSuccess: () => {
queryClient.invalidateQueries({ queryKey: ["notifications"] });
queryClient.invalidateQueries({
queryKey: ["notifications-unread-count"],
});
},
});
// Close on click outside
useEffect(() => {
function handleClickOutside(e: MouseEvent) {
if (panelRef.current && !panelRef.current.contains(e.target as Node)) {
setOpen(false);
}
}
if (open) {
document.addEventListener("mousedown", handleClickOutside);
}
return () => document.removeEventListener("mousedown", handleClickOutside);
}, [open]);
const unreadCount = unreadData?.unread_count ?? 0;
const notifications = notifData?.data ?? [];
return (
<div className="relative" ref={panelRef}>
<button
onClick={() => setOpen(!open)}
className="relative rounded-md p-1.5 text-neutral-400 transition-colors hover:bg-neutral-100 hover:text-neutral-600"
title="Benachrichtigungen"
>
<Bell className="h-4 w-4" />
{unreadCount > 0 && (
<span className="absolute -right-0.5 -top-0.5 flex h-4 min-w-4 items-center justify-center rounded-full bg-red-500 px-1 text-[10px] font-bold text-white">
{unreadCount > 99 ? "99+" : unreadCount}
</span>
)}
</button>
{open && (
<div className="absolute right-0 top-full z-50 mt-2 w-80 rounded-xl border border-neutral-200 bg-white shadow-lg sm:w-96">
{/* Header */}
<div className="flex items-center justify-between border-b border-neutral-100 px-4 py-3">
<h3 className="text-sm font-semibold text-neutral-900">
Benachrichtigungen
</h3>
{unreadCount > 0 && (
<button
onClick={() => markAllRead.mutate()}
className="flex items-center gap-1 text-xs text-neutral-500 hover:text-neutral-700"
>
<CheckCheck className="h-3 w-3" />
Alle gelesen
</button>
)}
</div>
{/* Notification list */}
<div className="max-h-96 overflow-y-auto">
{notifications.length === 0 ? (
<div className="p-6 text-center text-sm text-neutral-400">
Keine Benachrichtigungen
</div>
) : (
notifications.map((n) => {
const link = getEntityLink(n);
return (
<div
key={n.id}
className={`flex items-start gap-3 border-b border-neutral-50 px-4 py-3 transition-colors last:border-0 ${
n.read_at
? "bg-white"
: "bg-blue-50/50"
}`}
>
<div
className={`mt-1.5 h-2 w-2 flex-shrink-0 rounded-full ${getTypeColor(n.type)}`}
/>
<div className="min-w-0 flex-1">
<p className="text-sm font-medium text-neutral-900 leading-snug">
{n.title}
</p>
{n.body && (
<p className="mt-0.5 text-xs text-neutral-500 line-clamp-2">
{n.body}
</p>
)}
<div className="mt-1.5 flex items-center gap-2">
<span className="text-[11px] text-neutral-400">
{timeAgo(n.created_at)}
</span>
{link && (
<a
href={link}
onClick={() => setOpen(false)}
className="flex items-center gap-0.5 text-[11px] text-blue-600 hover:text-blue-700"
>
<ExternalLink className="h-2.5 w-2.5" />
Anzeigen
</a>
)}
</div>
</div>
{!n.read_at && (
<button
onClick={() => markRead.mutate(n.id)}
className="flex-shrink-0 rounded p-1 text-neutral-400 hover:bg-neutral-100 hover:text-neutral-600"
title="Als gelesen markieren"
>
<Check className="h-3 w-3" />
</button>
)}
</div>
);
})
)}
</div>
</div>
)}
</div>
);
}

167
frontend/src/components/settings/NotificationSettings.tsx Normal file
View File

@@ -0,0 +1,167 @@
"use client";
import { useState } from "react";
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
import { api } from "@/lib/api";
import type { NotificationPreferences } from "@/lib/types";
const REMINDER_OPTIONS = [
{ value: 14, label: "14 Tage" },
{ value: 7, label: "7 Tage" },
{ value: 3, label: "3 Tage" },
{ value: 1, label: "1 Tag" },
];
export function NotificationSettings() {
const queryClient = useQueryClient();
const [saved, setSaved] = useState(false);
const { data: prefs, isLoading } = useQuery({
queryKey: ["notification-preferences"],
queryFn: () =>
api.get<NotificationPreferences>("/api/notification-preferences"),
});
const [reminderDays, setReminderDays] = useState<number[]>([]);
const [emailEnabled, setEmailEnabled] = useState(true);
const [dailyDigest, setDailyDigest] = useState(false);
const [initialized, setInitialized] = useState(false);
// Sync state from server once loaded
if (prefs && !initialized) {
setReminderDays(prefs.deadline_reminder_days);
setEmailEnabled(prefs.email_enabled);
setDailyDigest(prefs.daily_digest);
setInitialized(true);
}
const update = useMutation({
mutationFn: (input: {
deadline_reminder_days: number[];
email_enabled: boolean;
daily_digest: boolean;
}) => api.put<NotificationPreferences>("/api/notification-preferences", input),
onSuccess: () => {
queryClient.invalidateQueries({
queryKey: ["notification-preferences"],
});
setSaved(true);
setTimeout(() => setSaved(false), 2000);
},
});
function toggleDay(day: number) {
setReminderDays((prev) =>
prev.includes(day) ? prev.filter((d) => d !== day) : [...prev, day].sort((a, b) => b - a),
);
}
function handleSave() {
update.mutate({
deadline_reminder_days: reminderDays,
email_enabled: emailEnabled,
daily_digest: dailyDigest,
});
}
if (isLoading) {
return (
<div className="animate-pulse space-y-3">
<div className="h-4 w-48 rounded bg-neutral-200" />
<div className="h-8 w-full rounded bg-neutral-100" />
<div className="h-8 w-full rounded bg-neutral-100" />
</div>
);
}
return (
<div className="space-y-5">
{/* Reminder days */}
<div>
<p className="text-sm font-medium text-neutral-700">
Fristen-Erinnerungen
</p>
<p className="mt-0.5 text-xs text-neutral-500">
Erinnern Sie mich vor Fristablauf:
</p>
<div className="mt-2 flex flex-wrap gap-2">
{REMINDER_OPTIONS.map((opt) => (
<button
key={opt.value}
onClick={() => toggleDay(opt.value)}
className={`rounded-lg border px-3 py-1.5 text-sm transition-colors ${
reminderDays.includes(opt.value)
? "border-blue-500 bg-blue-50 text-blue-700"
: "border-neutral-200 bg-white text-neutral-600 hover:border-neutral-300"
}`}
>
{opt.label}
</button>
))}
</div>
</div>
{/* Email toggle */}
<label className="flex items-center justify-between">
<div>
<p className="text-sm font-medium text-neutral-700">
E-Mail-Benachrichtigungen
</p>
<p className="text-xs text-neutral-500">
Erinnerungen per E-Mail erhalten
</p>
</div>
<button
onClick={() => setEmailEnabled(!emailEnabled)}
className={`relative h-6 w-11 rounded-full transition-colors ${
emailEnabled ? "bg-blue-500" : "bg-neutral-300"
}`}
>
<span
className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
emailEnabled ? "translate-x-5" : "translate-x-0"
}`}
/>
</button>
</label>
{/* Daily digest toggle */}
<label className="flex items-center justify-between">
<div>
<p className="text-sm font-medium text-neutral-700">
Tagesübersicht
</p>
<p className="text-xs text-neutral-500">
Alle Benachrichtigungen gesammelt um 8:00 Uhr per E-Mail
</p>
</div>
<button
onClick={() => setDailyDigest(!dailyDigest)}
className={`relative h-6 w-11 rounded-full transition-colors ${
dailyDigest ? "bg-blue-500" : "bg-neutral-300"
}`}
>
<span
className={`absolute left-0.5 top-0.5 h-5 w-5 rounded-full bg-white shadow transition-transform ${
dailyDigest ? "translate-x-5" : "translate-x-0"
}`}
/>
</button>
</label>
{/* Save */}
<div className="flex items-center gap-3 pt-2">
<button
onClick={handleSave}
disabled={update.isPending}
className="rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800 disabled:opacity-50"
>
{update.isPending ? "Speichern..." : "Speichern"}
</button>
{saved && (
<span className="text-sm text-green-600">Gespeichert</span>
)}
</div>
</div>
);
}

119
frontend/src/lib/types.ts
View File

@@ -223,6 +223,125 @@ export const CASE_ASSIGNMENT_ROLE_LABELS: Record<CaseAssignmentRole, string> = {
viewer: "Einsicht",
};
// Time tracking & billing
export interface TimeEntry {
id: string;
tenant_id: string;
case_id: string;
user_id: string;
date: string;
duration_minutes: number;
description: string;
activity?: string;
billable: boolean;
billed: boolean;
invoice_id?: string;
hourly_rate?: number;
created_at: string;
updated_at: string;
}
export interface BillingRate {
id: string;
tenant_id: string;
user_id?: string;
rate: number;
currency: string;
valid_from: string;
valid_to?: string;
created_at: string;
}
export interface InvoiceItem {
description: string;
duration_minutes?: number;
hourly_rate?: number;
amount: number;
time_entry_id?: string;
}
export interface Invoice {
id: string;
tenant_id: string;
case_id: string;
invoice_number: string;
client_name: string;
client_address?: string;
items: InvoiceItem[];
subtotal: number;
tax_rate: number;
tax_amount: number;
total: number;
status: "draft" | "sent" | "paid" | "cancelled";
issued_at?: string;
due_at?: string;
paid_at?: string;
notes?: string;
created_by: string;
created_at: string;
updated_at: string;
}
export interface TimeEntrySummary {
group_key: string;
total_minutes: number;
billable_minutes: number;
total_amount: number;
entry_count: number;
}
// Notifications
export interface Notification {
id: string;
tenant_id: string;
user_id: string;
type: string;
title: string;
body?: string;
entity_type?: string;
entity_id?: string;
sent_at?: string;
read_at?: string;
created_at: string;
}
export interface NotificationPreferences {
user_id: string;
tenant_id: string;
deadline_reminder_days: number[];
email_enabled: boolean;
daily_digest: boolean;
created_at: string;
updated_at: string;
}
export interface NotificationListResponse {
notifications: Notification[];
data: Notification[];
total: number;
}
// Audit log
export interface AuditLogEntry {
id: number;
tenant_id: string;
user_id?: string;
action: string;
entity_type: string;
entity_id?: string;
old_values?: Record<string, unknown>;
new_values?: Record<string, unknown>;
ip_address?: string;
user_agent?: string;
created_at: string;
}
export interface AuditLogResponse {
entries: AuditLogEntry[];
total: number;
}
export interface ApiError {
error: string;
status: number;