arbret/backend/routes/audit.py

"""Audit routes for viewing action records."""

from collections.abc import Callable
from typing import TypeVar

from fastapi import APIRouter, Depends, Query
from pydantic import BaseModel
from sqlalchemy import desc, func, select
from sqlalchemy.ext.asyncio import AsyncSession

from auth import require_permission
from database import get_db
from models import (
    CounterRecord,
    Permission,
    PriceHistory,
    RandomNumberOutcome,
    SumRecord,
    User,
)
from pagination import (
    calculate_offset,
    calculate_total_pages,
    create_paginated_response,
)
from price_fetcher import fetch_btc_eur_price
from schemas import (
    CounterRecordResponse,
    PaginatedCounterRecords,
    PaginatedSumRecords,
    PriceHistoryResponse,
    RandomNumberOutcomeResponse,
    SumRecordResponse,
)

router = APIRouter(prefix="/api/audit", tags=["audit"])

R = TypeVar("R", bound=BaseModel)


async def paginate_with_user_email(
    db: AsyncSession,
    model: type[SumRecord] | type[CounterRecord],
    page: int,
    per_page: int,
    row_mapper: Callable[..., R],
) -> tuple[list[R], int, int]:
    """
    Generic pagination helper for audit records that need user email.

    Returns: (records, total, total_pages)
    """
    # Get total count
    count_result = await db.execute(select(func.count(model.id)))
    total = count_result.scalar() or 0

    # Get paginated records with user email
    offset = calculate_offset(page, per_page)
    query = (
        select(model, User.email)
        .join(User, model.user_id == User.id)
        .order_by(desc(model.created_at))
        .offset(offset)
        .limit(per_page)
    )
    result = await db.execute(query)
    rows = result.all()

    records: list[R] = [row_mapper(record, email) for record, email in rows]
    return records, total, calculate_total_pages(total, per_page)


def _to_counter_record_response(
    record: CounterRecord, email: str
) -> CounterRecordResponse:
    return CounterRecordResponse(
        id=record.id,
        user_email=email,
        value_before=record.value_before,
        value_after=record.value_after,
        created_at=record.created_at,
    )


def _to_sum_record_response(record: SumRecord, email: str) -> SumRecordResponse:
    return SumRecordResponse(
        id=record.id,
        user_email=email,
        a=record.a,
        b=record.b,
        result=record.result,
        created_at=record.created_at,
    )


@router.get("/counter", response_model=PaginatedCounterRecords)
async def get_counter_records(
    page: int = Query(1, ge=1),
    per_page: int = Query(10, ge=1, le=100),
    db: AsyncSession = Depends(get_db),
    _current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
) -> PaginatedCounterRecords:
    """Get paginated counter action records."""
    records, total, _ = await paginate_with_user_email(
        db, CounterRecord, page, per_page, _to_counter_record_response
    )
    return create_paginated_response(records, total, page, per_page)


@router.get("/sum", response_model=PaginatedSumRecords)
async def get_sum_records(
    page: int = Query(1, ge=1),
    per_page: int = Query(10, ge=1, le=100),
    db: AsyncSession = Depends(get_db),
    _current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
) -> PaginatedSumRecords:
    """Get paginated sum action records."""
    records, total, _ = await paginate_with_user_email(
        db, SumRecord, page, per_page, _to_sum_record_response
    )
    return create_paginated_response(records, total, page, per_page)


@router.get("/random-jobs", response_model=list[RandomNumberOutcomeResponse])
async def get_random_job_outcomes(
    db: AsyncSession = Depends(get_db),
    _current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
) -> list[RandomNumberOutcomeResponse]:
    """Get all random number job outcomes, newest first."""
    # Explicit join to avoid N+1 query
    query = (
        select(RandomNumberOutcome, User.email)
        .join(User, RandomNumberOutcome.triggered_by_user_id == User.id)
        .order_by(desc(RandomNumberOutcome.created_at))
    )
    result = await db.execute(query)
    rows = result.all()

    return [
        RandomNumberOutcomeResponse(
            id=outcome.id,
            job_id=outcome.job_id,
            triggered_by_user_id=outcome.triggered_by_user_id,
            triggered_by_email=email,
            value=outcome.value,
            duration_ms=outcome.duration_ms,
            status=outcome.status,
            created_at=outcome.created_at,
        )
        for outcome, email in rows
    ]


# =============================================================================
# Price History Endpoints
# =============================================================================

PRICE_HISTORY_LIMIT = 20


@router.get("/price-history", response_model=list[PriceHistoryResponse])
async def get_price_history(
    db: AsyncSession = Depends(get_db),
    _current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
) -> list[PriceHistoryResponse]:
    """Get the 20 most recent price history records."""
    query = (
        select(PriceHistory)
        .order_by(desc(PriceHistory.timestamp))
        .limit(PRICE_HISTORY_LIMIT)
    )
    result = await db.execute(query)
    records = result.scalars().all()

    return [
        PriceHistoryResponse(
            id=record.id,
            source=record.source,
            pair=record.pair,
            price=record.price,
            timestamp=record.timestamp,
            created_at=record.created_at,
        )
        for record in records
    ]


@router.post("/price-history/fetch", response_model=PriceHistoryResponse)
async def fetch_price_now(
    db: AsyncSession = Depends(get_db),
    _current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
) -> PriceHistoryResponse:
    """Manually trigger a price fetch from Bitfinex."""
    price, timestamp = await fetch_btc_eur_price()

    record = PriceHistory(
        source="bitfinex",
        pair="BTC/EUR",
        price=price,
        timestamp=timestamp,
    )
    db.add(record)
    await db.commit()
    await db.refresh(record)

    return PriceHistoryResponse(
        id=record.id,
        source=record.source,
        pair=record.pair,
        price=record.price,
        timestamp=record.timestamp,
        created_at=record.created_at,
    )
first implementation 2025-12-20 22:18:14 +01:00			`"""Audit routes for viewing action records."""`
Add ruff linter/formatter for Python - Add ruff as dev dependency - Configure ruff in pyproject.toml with strict 88-char line limit - Ignore B008 (FastAPI Depends pattern is standard) - Allow longer lines in tests for readability - Fix all lint issues in source files - Add Makefile targets: lint-backend, format-backend, fix-backend 2025-12-21 21:54:26 +01:00
			`from collections.abc import Callable`
			`from typing import TypeVar`
first implementation 2025-12-20 22:18:14 +01:00
			`from fastapi import APIRouter, Depends, Query`
			`from pydantic import BaseModel`
Add ruff linter/formatter for Python - Add ruff as dev dependency - Configure ruff in pyproject.toml with strict 88-char line limit - Ignore B008 (FastAPI Depends pattern is standard) - Allow longer lines in tests for readability - Fix all lint issues in source files - Add Makefile targets: lint-backend, format-backend, fix-backend 2025-12-21 21:54:26 +01:00			`from sqlalchemy import desc, func, select`
first implementation 2025-12-20 22:18:14 +01:00			`from sqlalchemy.ext.asyncio import AsyncSession`

			`from auth import require_permission`
			`from database import get_db`
feat: add price history GET and POST endpoints 2025-12-22 15:43:46 +01:00			`from models import (`
			`CounterRecord,`
			`Permission,`
			`PriceHistory,`
			`RandomNumberOutcome,`
			`SumRecord,`
			`User,`
			`)`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`from pagination import (`
			`calculate_offset,`
			`calculate_total_pages,`
			`create_paginated_response,`
			`)`
feat: add price history GET and POST endpoints 2025-12-22 15:43:46 +01:00			`from price_fetcher import fetch_btc_eur_price`
first implementation 2025-12-20 22:18:14 +01:00			`from schemas import (`
			`CounterRecordResponse,`
			`PaginatedCounterRecords,`
			`PaginatedSumRecords,`
feat: add price history GET and POST endpoints 2025-12-22 15:43:46 +01:00			`PriceHistoryResponse,`
Phase 4: API Endpoint - Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401 2025-12-21 22:53:54 +01:00			`RandomNumberOutcomeResponse,`
Add ruff linter/formatter for Python - Add ruff as dev dependency - Configure ruff in pyproject.toml with strict 88-char line limit - Ignore B008 (FastAPI Depends pattern is standard) - Allow longer lines in tests for readability - Fix all lint issues in source files - Add Makefile targets: lint-backend, format-backend, fix-backend 2025-12-21 21:54:26 +01:00			`SumRecordResponse,`
first implementation 2025-12-20 22:18:14 +01:00			`)`

			`router = APIRouter(prefix="/api/audit", tags=["audit"])`

			`R = TypeVar("R", bound=BaseModel)`


			`async def paginate_with_user_email(`
			`db: AsyncSession,`
			`model: type[SumRecord] \| type[CounterRecord],`
			`page: int,`
			`per_page: int,`
			`row_mapper: Callable[..., R],`
			`) -> tuple[list[R], int, int]:`
			`"""`
			`Generic pagination helper for audit records that need user email.`

			`Returns: (records, total, total_pages)`
			`"""`
			`# Get total count`
			`count_result = await db.execute(select(func.count(model.id)))`
			`total = count_result.scalar() or 0`

			`# Get paginated records with user email`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`offset = calculate_offset(page, per_page)`
first implementation 2025-12-20 22:18:14 +01:00			`query = (`
			`select(model, User.email)`
			`.join(User, model.user_id == User.id)`
			`.order_by(desc(model.created_at))`
			`.offset(offset)`
			`.limit(per_page)`
			`)`
			`result = await db.execute(query)`
			`rows = result.all()`

			`records: list[R] = [row_mapper(record, email) for record, email in rows]`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`return records, total, calculate_total_pages(total, per_page)`
first implementation 2025-12-20 22:18:14 +01:00

refactor(backend): standardize model-to-response conversion naming Issue #8: Inconsistent naming for model-to-response conversion functions. Changes: - Rename build_invite_response to _to_invite_response (invites.py) - Rename _map_counter_record to _to_counter_record_response (audit.py) - Rename _map_sum_record to _to_sum_record_response (audit.py) All conversion functions now follow the _to_X_response pattern, using underscore prefix for module-private functions. 2025-12-22 09:16:05 +01:00			`def _to_counter_record_response(`
			`record: CounterRecord, email: str`
			`) -> CounterRecordResponse:`
first implementation 2025-12-20 22:18:14 +01:00			`return CounterRecordResponse(`
			`id=record.id,`
			`user_email=email,`
			`value_before=record.value_before,`
			`value_after=record.value_after,`
			`created_at=record.created_at,`
			`)`


refactor(backend): standardize model-to-response conversion naming Issue #8: Inconsistent naming for model-to-response conversion functions. Changes: - Rename build_invite_response to _to_invite_response (invites.py) - Rename _map_counter_record to _to_counter_record_response (audit.py) - Rename _map_sum_record to _to_sum_record_response (audit.py) All conversion functions now follow the _to_X_response pattern, using underscore prefix for module-private functions. 2025-12-22 09:16:05 +01:00			`def _to_sum_record_response(record: SumRecord, email: str) -> SumRecordResponse:`
first implementation 2025-12-20 22:18:14 +01:00			`return SumRecordResponse(`
			`id=record.id,`
			`user_email=email,`
			`a=record.a,`
			`b=record.b,`
			`result=record.result,`
			`created_at=record.created_at,`
			`)`


			`@router.get("/counter", response_model=PaginatedCounterRecords)`
			`async def get_counter_records(`
			`page: int = Query(1, ge=1),`
			`per_page: int = Query(10, ge=1, le=100),`
			`db: AsyncSession = Depends(get_db),`
			`_current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),`
			`) -> PaginatedCounterRecords:`
			`"""Get paginated counter action records."""`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`records, total, _ = await paginate_with_user_email(`
refactor(backend): standardize model-to-response conversion naming Issue #8: Inconsistent naming for model-to-response conversion functions. Changes: - Rename build_invite_response to _to_invite_response (invites.py) - Rename _map_counter_record to _to_counter_record_response (audit.py) - Rename _map_sum_record to _to_sum_record_response (audit.py) All conversion functions now follow the _to_X_response pattern, using underscore prefix for module-private functions. 2025-12-22 09:16:05 +01:00			`db, CounterRecord, page, per_page, _to_counter_record_response`
first implementation 2025-12-20 22:18:14 +01:00			`)`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`return create_paginated_response(records, total, page, per_page)`
first implementation 2025-12-20 22:18:14 +01:00

			`@router.get("/sum", response_model=PaginatedSumRecords)`
			`async def get_sum_records(`
			`page: int = Query(1, ge=1),`
			`per_page: int = Query(10, ge=1, le=100),`
			`db: AsyncSession = Depends(get_db),`
			`_current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),`
			`) -> PaginatedSumRecords:`
			`"""Get paginated sum action records."""`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`records, total, _ = await paginate_with_user_email(`
refactor(backend): standardize model-to-response conversion naming Issue #8: Inconsistent naming for model-to-response conversion functions. Changes: - Rename build_invite_response to _to_invite_response (invites.py) - Rename _map_counter_record to _to_counter_record_response (audit.py) - Rename _map_sum_record to _to_sum_record_response (audit.py) All conversion functions now follow the _to_X_response pattern, using underscore prefix for module-private functions. 2025-12-22 09:16:05 +01:00			`db, SumRecord, page, per_page, _to_sum_record_response`
first implementation 2025-12-20 22:18:14 +01:00			`)`
refactor(backend): extract pagination utilities Issue #4: Pagination logic was repeated across multiple routes. Changes: - Add pagination.py with reusable utilities: - calculate_total_pages: computes page count from total/per_page - calculate_offset: computes offset for given page - create_paginated_response: builds PaginatedResponse with metadata - Update routes/audit.py to use pagination utilities - Update routes/booking.py to use pagination utilities - Update routes/invites.py to use pagination utilities The utilities handle the common pagination math while routes still manage their own query logic (filters, joins, ordering). 2025-12-22 00:00:24 +01:00			`return create_paginated_response(records, total, page, per_page)`
Phase 4: API Endpoint - Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401 2025-12-21 22:53:54 +01:00

			`@router.get("/random-jobs", response_model=list[RandomNumberOutcomeResponse])`
			`async def get_random_job_outcomes(`
			`db: AsyncSession = Depends(get_db),`
			`_current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),`
			`) -> list[RandomNumberOutcomeResponse]:`
			`"""Get all random number job outcomes, newest first."""`
Use explicit join in random-jobs endpoint to avoid potential N+1 query - Changed from using scalars().all() with lazy='joined' relationship - Now uses explicit join similar to other audit endpoints - Guarantees single query regardless of SQLAlchemy async behavior 2025-12-21 23:14:08 +01:00			`# Explicit join to avoid N+1 query`
			`query = (`
			`select(RandomNumberOutcome, User.email)`
			`.join(User, RandomNumberOutcome.triggered_by_user_id == User.id)`
			`.order_by(desc(RandomNumberOutcome.created_at))`
			`)`
Phase 4: API Endpoint - Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401 2025-12-21 22:53:54 +01:00			`result = await db.execute(query)`
Use explicit join in random-jobs endpoint to avoid potential N+1 query - Changed from using scalars().all() with lazy='joined' relationship - Now uses explicit join similar to other audit endpoints - Guarantees single query regardless of SQLAlchemy async behavior 2025-12-21 23:14:08 +01:00			`rows = result.all()`
Phase 4: API Endpoint - Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401 2025-12-21 22:53:54 +01:00
			`return [`
			`RandomNumberOutcomeResponse(`
			`id=outcome.id,`
			`job_id=outcome.job_id,`
			`triggered_by_user_id=outcome.triggered_by_user_id,`
Use explicit join in random-jobs endpoint to avoid potential N+1 query - Changed from using scalars().all() with lazy='joined' relationship - Now uses explicit join similar to other audit endpoints - Guarantees single query regardless of SQLAlchemy async behavior 2025-12-21 23:14:08 +01:00			`triggered_by_email=email,`
Phase 4: API Endpoint - Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401 2025-12-21 22:53:54 +01:00			`value=outcome.value,`
			`duration_ms=outcome.duration_ms,`
			`status=outcome.status,`
			`created_at=outcome.created_at,`
			`)`
Use explicit join in random-jobs endpoint to avoid potential N+1 query - Changed from using scalars().all() with lazy='joined' relationship - Now uses explicit join similar to other audit endpoints - Guarantees single query regardless of SQLAlchemy async behavior 2025-12-21 23:14:08 +01:00			`for outcome, email in rows`
Phase 4: API Endpoint - Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401 2025-12-21 22:53:54 +01:00			`]`
feat: add price history GET and POST endpoints 2025-12-22 15:43:46 +01:00

			`# =============================================================================`
			`# Price History Endpoints`
			`# =============================================================================`

			`PRICE_HISTORY_LIMIT = 20`


			`@router.get("/price-history", response_model=list[PriceHistoryResponse])`
			`async def get_price_history(`
			`db: AsyncSession = Depends(get_db),`
			`_current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),`
			`) -> list[PriceHistoryResponse]:`
			`"""Get the 20 most recent price history records."""`
			`query = (`
			`select(PriceHistory)`
			`.order_by(desc(PriceHistory.timestamp))`
			`.limit(PRICE_HISTORY_LIMIT)`
			`)`
			`result = await db.execute(query)`
			`records = result.scalars().all()`

			`return [`
			`PriceHistoryResponse(`
			`id=record.id,`
			`source=record.source,`
			`pair=record.pair,`
			`price=record.price,`
			`timestamp=record.timestamp,`
			`created_at=record.created_at,`
			`)`
			`for record in records`
			`]`


			`@router.post("/price-history/fetch", response_model=PriceHistoryResponse)`
			`async def fetch_price_now(`
			`db: AsyncSession = Depends(get_db),`
			`_current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),`
			`) -> PriceHistoryResponse:`
			`"""Manually trigger a price fetch from Bitfinex."""`
			`price, timestamp = await fetch_btc_eur_price()`

			`record = PriceHistory(`
			`source="bitfinex",`
			`pair="BTC/EUR",`
			`price=price,`
			`timestamp=timestamp,`
			`)`
			`db.add(record)`
			`await db.commit()`
			`await db.refresh(record)`

			`return PriceHistoryResponse(`
			`id=record.id,`
			`source=record.source,`
			`pair=record.pair,`
			`price=record.price,`
			`timestamp=record.timestamp,`
			`created_at=record.created_at,`
			`)`