feat: « Au fil de l'eau » — Reels mobile + uploader pro + favoris

src/app/api/favorites/route.ts

@@ -0,0 +1,61 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+
+export const runtime = "nodejs";
+
+const schema = z.object({
+  carbetId: z.string().min(1),
+});
+
+async function requireSelf() {
+  const session = await auth();
+  if (!session?.user?.id) throw new Error("Unauth");
+  return session.user.id;
+}
+
+export async function GET() {
+  try {
+    const userId = await requireSelf();
+    const rows = await prisma.favorite.findMany({
+      where: { userId },
+      orderBy: { createdAt: "desc" },
+      select: { carbetId: true },
+    });
+    return NextResponse.json({ ids: rows.map((r) => r.carbetId) });
+  } catch {
+    return NextResponse.json({ ids: [] });
+  }
+}
+
+export async function POST(req: Request) {
+  try {
+    const userId = await requireSelf();
+    const parsed = schema.safeParse(await req.json().catch(() => ({})));
+    if (!parsed.success) return NextResponse.json({ error: "Payload invalide" }, { status: 400 });
+    await prisma.favorite.upsert({
+      where: { userId_carbetId: { userId, carbetId: parsed.data.carbetId } },
+      create: { userId, carbetId: parsed.data.carbetId },
+      update: {},
+    });
+    return NextResponse.json({ ok: true });
+  } catch {
+    return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+  }
+}
+
+export async function DELETE(req: Request) {
+  try {
+    const userId = await requireSelf();
+    const parsed = schema.safeParse(await req.json().catch(() => ({})));
+    if (!parsed.success) return NextResponse.json({ error: "Payload invalide" }, { status: 400 });
+    await prisma.favorite
+      .delete({ where: { userId_carbetId: { userId, carbetId: parsed.data.carbetId } } })
+      .catch(() => null);
+    return NextResponse.json({ ok: true });
+  } catch {
+    return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+  }
+}

src/app/api/media/[id]/route.ts

@@ -0,0 +1,41 @@
+import { NextResponse } from "next/server";
+
+import { auth } from "@/auth";
+import { UserRole } from "@/generated/prisma/enums";
+import { prisma } from "@/lib/prisma";
+import { recordAudit } from "@/lib/admin/audit";
+
+export const runtime = "nodejs";
+
+async function requireOwnership(mediaId: string) {
+  const session = await auth();
+  if (!session?.user?.id) throw new Error("Non authentifié");
+  const m = await prisma.media.findUnique({
+    where: { id: mediaId },
+    select: { id: true, carbetId: true, carbet: { select: { ownerId: true } } },
+  });
+  if (!m) throw new Error("Média introuvable");
+  const isAdmin = session.user.role === UserRole.ADMIN;
+  if (!isAdmin && m.carbet.ownerId !== session.user.id) throw new Error("Accès refusé");
+  return { session, media: m };
+}
+
+export async function DELETE(_req: Request, ctx: { params: Promise<{ id: string }> }) {
+  const { id } = await ctx.params;
+  try {
+    const { session, media } = await requireOwnership(id);
+    await prisma.media.delete({ where: { id } });
+    await recordAudit({
+      scope: "uploads",
+      event: "media.delete",
+      target: id,
+      actorEmail: session.user.email ?? null,
+      details: { carbetId: media.carbetId },
+    });
+    return NextResponse.json({ ok: true });
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    const status = msg === "Non authentifié" ? 401 : msg === "Accès refusé" ? 403 : 404;
+    return NextResponse.json({ error: msg }, { status });
+  }
+}

src/app/api/media/reorder/route.ts

@@ -0,0 +1,55 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+
+import { auth } from "@/auth";
+import { UserRole } from "@/generated/prisma/enums";
+import { prisma } from "@/lib/prisma";
+import { recordAudit } from "@/lib/admin/audit";
+
+export const runtime = "nodejs";
+
+const schema = z.object({
+  carbetId: z.string().min(1),
+  orderedIds: z.array(z.string()).min(1).max(50),
+});
+
+export async function POST(req: Request) {
+  const session = await auth();
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+  }
+  const parsed = schema.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Payload invalide" }, { status: 400 });
+  }
+  const { carbetId, orderedIds } = parsed.data;
+  const carbet = await prisma.carbet.findUnique({
+    where: { id: carbetId },
+    select: { ownerId: true },
+  });
+  if (!carbet) return NextResponse.json({ error: "Carbet introuvable" }, { status: 404 });
+  const isAdmin = session.user.role === UserRole.ADMIN;
+  if (!isAdmin && carbet.ownerId !== session.user.id) {
+    return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
+  }
+  const existing = await prisma.media.findMany({
+    where: { carbetId, id: { in: orderedIds } },
+    select: { id: true },
+  });
+  if (existing.length !== orderedIds.length) {
+    return NextResponse.json({ error: "Certains médias n'appartiennent pas au carbet." }, { status: 400 });
+  }
+  await prisma.$transaction(
+    orderedIds.map((id, idx) =>
+      prisma.media.update({ where: { id }, data: { sortOrder: idx } }),
+    ),
+  );
+  await recordAudit({
+    scope: "uploads",
+    event: "media.reorder",
+    target: carbetId,
+    actorEmail: session.user.email ?? null,
+    details: { count: orderedIds.length },
+  });
+  return NextResponse.json({ ok: true });
+}

src/app/api/uploads/finalize/route.ts

@@ -0,0 +1,66 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+
+import { auth } from "@/auth";
+import { MediaType, UserRole } from "@/generated/prisma/enums";
+import { prisma } from "@/lib/prisma";
+import { classifyMime } from "@/lib/uploads";
+import { recordAudit } from "@/lib/admin/audit";
+
+export const runtime = "nodejs";
+
+const schema = z.object({
+  carbetId: z.string().min(1),
+  s3Key: z.string().min(5).max(500),
+  s3Url: z.string().url(),
+  mime: z.string().min(3).max(100),
+});
+
+export async function POST(req: Request) {
+  const session = await auth();
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+  }
+  const parsed = schema.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return NextResponse.json({ error: parsed.error.issues[0]?.message ?? "Payload invalide" }, { status: 400 });
+  }
+  const kind = classifyMime(parsed.data.mime);
+  if (!kind) return NextResponse.json({ error: "Type non supporté" }, { status: 400 });
+
+  const carbet = await prisma.carbet.findUnique({
+    where: { id: parsed.data.carbetId },
+    select: { id: true, ownerId: true },
+  });
+  if (!carbet) return NextResponse.json({ error: "Carbet introuvable" }, { status: 404 });
+  const isOwner = carbet.ownerId === session.user.id;
+  const isAdmin = session.user.role === UserRole.ADMIN;
+  if (!isOwner && !isAdmin) {
+    return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
+  }
+
+  // S3Key doit appartenir au carbet — verrou pour éviter qu'un user finalise une key étrangère.
+  if (!parsed.data.s3Key.startsWith(`carbets/${carbet.id}/`)) {
+    return NextResponse.json({ error: "s3Key invalide pour ce carbet" }, { status: 400 });
+  }
+
+  const existingCount = await prisma.media.count({ where: { carbetId: carbet.id } });
+  const media = await prisma.media.create({
+    data: {
+      carbetId: carbet.id,
+      type: kind === "photo" ? MediaType.PHOTO : MediaType.VIDEO,
+      s3Key: parsed.data.s3Key,
+      s3Url: parsed.data.s3Url,
+      sortOrder: existingCount,
+    },
+    select: { id: true, type: true, s3Url: true, s3Key: true, sortOrder: true },
+  });
+  await recordAudit({
+    scope: "uploads",
+    event: "media.finalize",
+    target: media.id,
+    actorEmail: session.user.email ?? null,
+    details: { carbetId: carbet.id, kind },
+  });
+  return NextResponse.json({ media });
+}

src/app/api/uploads/presign/route.ts

@@ -0,0 +1,55 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+
+import { auth } from "@/auth";
+import { UserRole } from "@/generated/prisma/enums";
+import { prisma } from "@/lib/prisma";
+import { presignCarbetUpload } from "@/lib/uploads";
+import { rateLimitRequest } from "@/lib/rate-limit";
+
+export const runtime = "nodejs";
+
+const schema = z.object({
+  carbetId: z.string().min(1),
+  mime: z.string().min(3).max(100),
+  sizeBytes: z.coerce.number().int().min(1).max(500 * 1024 * 1024),
+});
+
+export async function POST(req: Request) {
+  const rl = rateLimitRequest(req, "presign", 60_000, 60);
+  if (!rl.ok) {
+    return NextResponse.json(
+      { error: `Trop de demandes. Réessayez dans ${rl.retryAfter}s.` },
+      { status: 429 },
+    );
+  }
+  const session = await auth();
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
+  }
+  const parsed = schema.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return NextResponse.json({ error: parsed.error.issues[0]?.message ?? "Payload invalide" }, { status: 400 });
+  }
+
+  const carbet = await prisma.carbet.findUnique({
+    where: { id: parsed.data.carbetId },
+    select: { id: true, ownerId: true },
+  });
+  if (!carbet) return NextResponse.json({ error: "Carbet introuvable" }, { status: 404 });
+  const isOwner = carbet.ownerId === session.user.id;
+  const isAdmin = session.user.role === UserRole.ADMIN;
+  if (!isOwner && !isAdmin) {
+    return NextResponse.json({ error: "Accès refusé" }, { status: 403 });
+  }
+
+  const result = await presignCarbetUpload({
+    carbetId: carbet.id,
+    mime: parsed.data.mime,
+    sizeBytes: parsed.data.sizeBytes,
+  });
+  if ("error" in result) {
+    return NextResponse.json({ error: result.error }, { status: 400 });
+  }
+  return NextResponse.json(result);
+}