refactor imports to use api

Author: jamesholcombe

package-lock.json

@@ -6,6 +6,12 @@ import {
 } from "@common/db/schema/enterprise/organization";
 import { project, userProject } from "@common/db/schema/project";
 import { ApiError } from "../types";
+import {
+  verifyAgsImportOwnership,
+  verifyExcelImportOwnership,
+  verifyAgsFileUploadOwnership,
+  verifyExcelImportFileOwnership,
+} from "../services/db/imports";
 
 export type ProjectVisibility = "internal" | "private";
 
@@ -200,6 +206,38 @@ export class AuthorizationService {
     }
   }
 
+  /**
+   * Verify that an entity belongs to a specific project
+   */
+  async verifyEntityOwnership(
+    entityType:
+      | "agsImport"
+      | "excelImport"
+      | "agsFileUpload"
+      | "excelImportFile",
+    entityId: string,
+    projectId: string,
+  ): Promise<boolean> {
+    try {
+      switch (entityType) {
+        case "agsImport":
+          return await verifyAgsImportOwnership(entityId, projectId);
+        case "excelImport":
+          return await verifyExcelImportOwnership(entityId, projectId);
+        case "agsFileUpload":
+          return await verifyAgsFileUploadOwnership(entityId, projectId);
+        case "excelImportFile":
+          return await verifyExcelImportFileOwnership(entityId, projectId);
+        default:
+          console.error(`Unknown entity type: ${entityType}`);
+          return false;
+      }
+    } catch (error) {
+      console.error(`Error verifying ${entityType} ownership:`, error);
+      return false;
+    }
+  }
+
   /**
    * Check if user can access organization with specific action
    */

packages/api/src/authz/service.ts

@@ -55,10 +55,12 @@ app.get("/health", (req, res) => {
 import projectsRouter from "./routes/projects";
 import organizationsRouter from "./routes/organizations";
 import notificationsRouter from "./routes/notifications";
+import importsRouter from "./routes/imports";
 
 // API routes with nested organization structure
 app.use("/api/orgs", organizationsRouter);
 app.use("/api/orgs/:organizationId/projects", projectsRouter);
+app.use("/api/orgs", importsRouter);
 app.use("/api/notifications", notificationsRouter);
 
 app.get("/api", (req, res) => {

packages/api/src/index.ts

@@ -125,6 +125,53 @@ export function requireProjectView() {
   return requireProjectAccess("read");
 }
 
+/**
+ * Middleware to require entity ownership validation
+ * This ensures that the requested entity actually belongs to the specified project
+ */
+export function requireEntityOwnership(
+  entityType: "agsImport" | "excelImport" | "agsFileUpload" | "excelImportFile",
+  getEntityId: (_req: AuthenticatedRequest) => string,
+) {
+  return async (
+    req: AuthenticatedRequest,
+    _res: Response,
+    next: NextFunction,
+  ): Promise<void> => {
+    try {
+      if (!req.user) {
+        throw new ApiError("Authentication required", 401);
+      }
+
+      const projectId = req.params.projectId as string;
+      const entityId = getEntityId(req);
+
+      if (!projectId || !entityId) {
+        throw new ApiError("Missing required parameters", 400);
+      }
+
+      // Verify entity belongs to project
+      const belongsToProject = await authzService.verifyEntityOwnership(
+        entityType,
+        entityId,
+        projectId,
+      );
+
+      if (!belongsToProject) {
+        throw new ApiError("Entity not found or access denied", 404);
+      }
+
+      next();
+    } catch (error) {
+      if (error instanceof ApiError) {
+        next(error);
+      } else {
+        next(new ApiError("Entity ownership validation failed", 500));
+      }
+    }
+  };
+}
+
 /**
  * Middleware to extract organization context from request
  */