cyberrapists/cg_api_secure-webshare
SHA256
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
beff08fefbb827db0d00d650c2223b8a72126acda60d13a5a410730e008be725
cg_api_secure-webshare/agent1_batch2.md

65 lines
3.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Agent 1 — Batch 2 Implementation Report
## Task
Implement `POST /api/content/:cxid/report` in `crates/cgcx-server/src/main.rs`.
## Changes Made
### 1. `crates/cgcx-server/Cargo.toml`
- Added dependency:
```toml
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
```
### 2. `crates/cgcx-server/src/main.rs`
- **Imports**: Added `ReportRepo` to the `cgcx_db` import list.
- **AppState**: Added `http_client: reqwest::Client` field.
- **Main initialization**: Created `reqwest::Client::new()` and included it in `AppState`.
- **Route**: Added `.route("/api/content/:cxid/report", post(report_content))` to the main router.
- The route is automatically covered by the existing `tower_governor::GovernorLayer` applied to the whole app.
- **Structs**:
- Added `ReportRequest { reason: String }` for JSON deserialization.
- **Handler `report_content`**:
1. Parses `cxid` from path parameter.
2. Looks up content via `ContentRepo::get`; returns `404 Not Found` if missing.
3. Validates content is active (not `Deleted` or `Blacklisted`); returns `404` otherwise.
4. Counts associated files via `ContentFileRepo::list_by_content`.
5. Inserts a report row via `ReportRepo::insert` with `reporter_user_id = 0`.
6. Constructs an HTML notification message matching the bots report format:
```
<b>[ NEW REPORT ]</b> #{report_id}
CXID: <code>{cxid}</code>
Reporter: <i>web</i>
Owner: <code>{content.user_id}</code>
Uploaded: <i>{content.created_at}</i>
Files: <b>{file_count}</b>
```
7. Sends the message to **all** configured `review_group_ids` via direct HTTPS `POST` to the Telegram Bot API (`{api_base}/bot{token}/sendMessage`).
8. Includes an inline keyboard with the same admin actions as bot reports:
- `[ Rmv + Ban ]` → `v1:admin:delblk:{report_id}`
- `[ Delete Only ]` → `v1:admin:del:{report_id}`
- `[ Blacklist Only ]` → `v1:admin:blk:{report_id}`
- `[ Ignore ]` → `v1:admin:ign:{report_id}`
9. If any HTTPS call fails, logs a `tracing::warn` but **does not** fail the HTTP request.
10. Returns `204 No Content` on success.
## Validation
- `cargo check -p cgcx-server` — **PASSED** (clean compile, no warnings).
- The router merge order places the new route inside the same `Router` that gets the general governor layer, so rate limiting applies automatically.
## Open Risks / Notes
1. **Foreign Key for `reporter_user_id = 0`**: The `reports` table has `FOREIGN KEY (reporter_user_id) REFERENCES users(id)`. If SQLite `PRAGMA foreign_keys = ON` is active and no user with `id = 0` exists, the insert will fail with a database error (returned as `500 Internal Server Error`). This matches the explicit instruction to use `0` for web submissions, but the project may need a dummy user row or a schema adjustment if this becomes an issue in production.
2. **Telegram API failures are non-blocking**: As required, a failed notification is only logged; the caller still receives `204`. This means review groups could miss reports if the network or Telegram API is down.
3. **No dedicated rate limit for reports**: The endpoint shares the general API rate-limit bucket. If high report volume is expected, a separate governor config (like the password route) could be considered later.
## Recommended Next Step
- Verify the frontend report submission flow end-to-end against the new endpoint.
- Optionally seed a user with `id = 0` (or relax the FK) if web reports trigger foreign-key violations.
---
**Date**: 2026-05-24
Reference in New Issue View Git Blame Copy Permalink