oslstats/internal/handlers/player_link_slapid.go

package handlers

import (
	"context"
	"net/http"
	"strconv"

	"git.haelnorr.com/h/golib/hws"
	"git.haelnorr.com/h/oslstats/internal/db"
	"git.haelnorr.com/h/oslstats/internal/notify"
	"git.haelnorr.com/h/oslstats/internal/throw"
	playersview "git.haelnorr.com/h/oslstats/internal/view/playersview"
	"git.haelnorr.com/h/oslstats/pkg/slapshotapi"
	"github.com/pkg/errors"
	"github.com/uptrace/bun"
)

// LinkPlayerSlapID handles the HTMX POST request to link a player's Slapshot ID
// via their Discord Steam connection. Only the player's owner can trigger this.
func LinkPlayerSlapID(
	s *hws.Server,
	conn *db.DB,
	slapAPI *slapshotapi.SlapAPI,
) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		playerIDStr := r.PathValue("player_id")

		playerID, err := strconv.Atoi(playerIDStr)
		if err != nil {
			throw.NotFound(s, w, r, r.URL.Path)
			return
		}

		var player *db.Player

		if ok := conn.WithNotifyTx(s, w, r, func(ctx context.Context, tx bun.Tx) (bool, error) {
			user := db.CurrentUser(ctx)
			if user == nil {
				throw.Unauthorized(s, w, r, "You must be logged in", errors.New("user not authenticated"))
				return false, nil
			}

			var err error
			player, err = db.GetPlayer(ctx, tx, playerID)
			if err != nil {
				if db.IsBadRequest(err) {
					throw.NotFound(s, w, r, r.URL.Path)
					return false, nil
				}
				return false, errors.Wrap(err, "db.GetPlayer")
			}

			// Verify the current user owns this player
			if player.UserID == nil || *player.UserID != user.ID {
				throw.ForbiddenSecurity(s, w, r, "You can only link your own player", errors.New("user does not own player"))
				return false, nil
			}

			// Player already has a SlapID
			if player.SlapID != nil {
				notify.Info(s, w, r, "Already Linked", "Your Slapshot ID is already linked", nil)
				return false, nil
			}

			// Get the user's discord token to look up steam connection
			discordToken, err := user.GetDiscordToken(ctx, tx)
			if err != nil {
				if db.IsBadRequest(err) {
					notify.Warn(s, w, r, "Link Failed", "Discord token not found. Please log out and log back in.", nil)
					return false, nil
				}
				return false, errors.Wrap(err, "user.GetDiscordToken")
			}

			audit := db.NewAudit(r.RemoteAddr, r.UserAgent(), user)
			err = ConnectSlapID(ctx, tx, user, discordToken.Convert(), slapAPI, audit)
			if err != nil {
				return false, errors.Wrap(err, "ConnectSlapID")
			}

			// Re-fetch the player to check if SlapID was set
			player, err = db.GetPlayer(ctx, tx, playerID)
			if err != nil {
				return false, errors.Wrap(err, "db.GetPlayer")
			}

			if player.SlapID == nil {
				// ConnectSlapID returned nil (silent failure) - no steam or no slapID
				notify.Warn(s, w, r, "Link Failed",
					"Could not find your Slapshot ID. Make sure your Steam account is connected to Discord and you have played Slapshot: Rebound.",
					nil)
			} else {
				notify.Success(s, w, r, "Success", "Your Slapshot ID has been linked!", nil)
			}

			return true, nil
		}); !ok {
			return
		}

		// Re-render the slap ID section with updated state
		renderSafely(playersview.SlapIDSection(player, true), s, r, w)
	})
}