crewli/api/app/Http/Controllers/Api/V1/InvitationController.php

<?php

declare(strict_types=1);

namespace App\Http\Controllers\Api\V1;

use App\Http\Controllers\Api\V1\Traits\SetAuthCookie;
use App\Http\Controllers\Controller;
use App\Http\Requests\Api\V1\AcceptInvitationRequest;
use App\Http\Requests\Api\V1\StoreInvitationRequest;
use App\Http\Resources\Api\V1\InvitationResource;
use App\Models\Organisation;
use App\Models\UserInvitation;
use App\Services\InvitationService;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\Gate;

final class InvitationController extends Controller
{
    use SetAuthCookie;

    public function __construct(
        private readonly InvitationService $invitationService,
    ) {}

    public function invite(StoreInvitationRequest $request, Organisation $organisation): JsonResponse
    {
        Gate::authorize('invite', $organisation);

        $invitation = $this->invitationService->invite(
            $organisation,
            $request->validated('email'),
            $request->validated('role'),
            $request->user(),
        );

        return $this->created(
            new InvitationResource($invitation->load(['organisation', 'invitedBy'])),
            'Uitnodiging verstuurd',
        );
    }

    public function show(string $token): JsonResponse
    {
        $hashedToken = hash('sha256', $token);

        $invitation = UserInvitation::where('token', $hashedToken)
            ->with(['organisation', 'invitedBy'])
            ->first();

        if (! $invitation) {
            return $this->notFound('Uitnodiging niet gevonden');
        }

        return $this->success(new InvitationResource($invitation));
    }

    public function accept(AcceptInvitationRequest $request, string $token): JsonResponse
    {
        $hashedToken = hash('sha256', $token);
        $invitation = UserInvitation::where('token', $hashedToken)->firstOrFail();

        $user = $this->invitationService->accept(
            $invitation,
            $request->validated('password'),
        );

        $sanctumToken = $user->createToken('auth-token')->plainTextToken;

        return $this->success([
            'user' => [
                'id' => $user->id,
                'first_name' => $user->first_name,
                'last_name' => $user->last_name,
                'full_name' => $user->full_name,
                'email' => $user->email,
            ],
        ], 'Uitnodiging geaccepteerd')
            ->withCookie($this->makeAuthCookie($sanctumToken));
    }

    public function revoke(Organisation $organisation, UserInvitation $invitation): JsonResponse
    {
        // Verify invitation belongs to this organisation
        if ($invitation->organisation_id !== $organisation->id) {
            return $this->notFound('Uitnodiging niet gevonden');
        }

        Gate::authorize('invite', $organisation);

        if (! $invitation->isPending()) {
            return $this->error('Alleen openstaande uitnodigingen kunnen worden ingetrokken.', 422);
        }

        $invitation->markAsExpired();

        return response()->json(null, 204);
    }
}