veza/veza-backend-api/internal/api/routes_moderation.go

package api

import (
	"veza-backend-api/internal/core/moderation"
	"veza-backend-api/internal/services"

	"github.com/gin-gonic/gin"
)

// setupModerationRoutes registers advanced moderation routes (v0.11.2 F411-F420)
func (r *APIRouter) setupModerationRoutes(router *gin.RouterGroup) {
	moderationService := services.NewModerationService(r.db.GormDB, r.logger)
	moderationHandler := moderation.NewModerationHandler(moderationService, r.logger)

	// Admin moderation routes (require auth + admin + MFA)
	admin := router.Group("/admin/moderation")
	{
		if r.config.AuthMiddleware != nil {
			admin.Use(r.config.AuthMiddleware.RequireAuth())
			admin.Use(r.config.AuthMiddleware.RequireAdmin())
			admin.Use(r.config.AuthMiddleware.RequireMFA()) // SFIX-001: MFA obligatoire pour admin
		}

		// F411: Moderation queue
		admin.GET("/queue", moderationHandler.GetModerationQueue)
		admin.POST("/reports/:id/process", moderationHandler.ProcessReport)
		admin.POST("/reports/:id/assign", moderationHandler.AssignReport)

		// F413: Spam detections
		admin.GET("/spam", moderationHandler.GetSpamDetections)

		// F414: Audio fingerprints
		admin.GET("/fingerprints", moderationHandler.GetPendingFingerprints)
		admin.POST("/fingerprints/:trackId/review", moderationHandler.ReviewFingerprint)

		// F415: Strikes & appeals (admin view)
		admin.GET("/users/:userId/strikes", moderationHandler.GetUserStrikes)
		admin.GET("/appeals", moderationHandler.GetPendingAppeals)
		admin.POST("/appeals/:strikeId/resolve", moderationHandler.ResolveAppeal)

		// Stats
		admin.GET("/stats", moderationHandler.GetModerationStats)
	}

	// User-facing routes (require auth only)
	protected := router.Group("")
	{
		if r.config.AuthMiddleware != nil {
			protected.Use(r.config.AuthMiddleware.RequireAuth())
		}

		// F412: Enhanced reporting (any authenticated user)
		protected.POST("/reports", moderationHandler.CreateEnhancedReport)

		// F415: User's own strikes and appeals
		protected.GET("/me/strikes", moderationHandler.GetMyStrikes)
		protected.POST("/strikes/:strikeId/appeal", moderationHandler.AppealStrike)
	}
}
feat(v0.11.2): F411-F420 moderation handler and routes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-10 16:49:51 +00:00			`package api`

			`import (`
			`"veza-backend-api/internal/core/moderation"`
			`"veza-backend-api/internal/services"`

			`"github.com/gin-gonic/gin"`
			`)`

			`// setupModerationRoutes registers advanced moderation routes (v0.11.2 F411-F420)`
			`func (r APIRouter) setupModerationRoutes(router gin.RouterGroup) {`
			`moderationService := services.NewModerationService(r.db.GormDB, r.logger)`
			`moderationHandler := moderation.NewModerationHandler(moderationService, r.logger)`

feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days TASK-SFIX-001: MFA enforcement for privileged roles - Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker() - Apply to all 3 admin route groups (platform, moderation, core) - Returns 403 "mfa_setup_required" if admin/moderator without 2FA - Regular users bypass the check - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5 TASK-SFIX-002: Refresh token TTL alignment - jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d - handlers/auth.go: Cookie max-age and session expiresIn → 7d across Login, LoginWith2FA, Register, Refresh handlers - middleware/auth.go: Session auto-refresh default 30d→7d - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4 TASK-SFIX-003: 5 unit tests — all PASS - TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA - TestRequireMFA_RegularUserNotAffected - TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-12 05:53:27 +00:00			`// Admin moderation routes (require auth + admin + MFA)`
feat(v0.11.2): F411-F420 moderation handler and routes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-10 16:49:51 +00:00			`admin := router.Group("/admin/moderation")`
			`{`
			`if r.config.AuthMiddleware != nil {`
			`admin.Use(r.config.AuthMiddleware.RequireAuth())`
			`admin.Use(r.config.AuthMiddleware.RequireAdmin())`
feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days TASK-SFIX-001: MFA enforcement for privileged roles - Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker() - Apply to all 3 admin route groups (platform, moderation, core) - Returns 403 "mfa_setup_required" if admin/moderator without 2FA - Regular users bypass the check - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5 TASK-SFIX-002: Refresh token TTL alignment - jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d - handlers/auth.go: Cookie max-age and session expiresIn → 7d across Login, LoginWith2FA, Register, Refresh handlers - middleware/auth.go: Session auto-refresh default 30d→7d - Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4 TASK-SFIX-003: 5 unit tests — all PASS - TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA - TestRequireMFA_RegularUserNotAffected - TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-12 05:53:27 +00:00			`admin.Use(r.config.AuthMiddleware.RequireMFA()) // SFIX-001: MFA obligatoire pour admin`
feat(v0.11.2): F411-F420 moderation handler and routes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-10 16:49:51 +00:00			`}`

			`// F411: Moderation queue`
			`admin.GET("/queue", moderationHandler.GetModerationQueue)`
			`admin.POST("/reports/:id/process", moderationHandler.ProcessReport)`
			`admin.POST("/reports/:id/assign", moderationHandler.AssignReport)`

			`// F413: Spam detections`
			`admin.GET("/spam", moderationHandler.GetSpamDetections)`

			`// F414: Audio fingerprints`
			`admin.GET("/fingerprints", moderationHandler.GetPendingFingerprints)`
			`admin.POST("/fingerprints/:trackId/review", moderationHandler.ReviewFingerprint)`

			`// F415: Strikes & appeals (admin view)`
			`admin.GET("/users/:userId/strikes", moderationHandler.GetUserStrikes)`
			`admin.GET("/appeals", moderationHandler.GetPendingAppeals)`
			`admin.POST("/appeals/:strikeId/resolve", moderationHandler.ResolveAppeal)`

			`// Stats`
			`admin.GET("/stats", moderationHandler.GetModerationStats)`
			`}`

			`// User-facing routes (require auth only)`
			`protected := router.Group("")`
			`{`
			`if r.config.AuthMiddleware != nil {`
			`protected.Use(r.config.AuthMiddleware.RequireAuth())`
			`}`

			`// F412: Enhanced reporting (any authenticated user)`
			`protected.POST("/reports", moderationHandler.CreateEnhancedReport)`

			`// F415: User's own strikes and appeals`
			`protected.GET("/me/strikes", moderationHandler.GetMyStrikes)`
			`protected.POST("/strikes/:strikeId/appeal", moderationHandler.AppealStrike)`
			`}`
			`}`