aperonight/app/controllers/api/v1/events_controller.rb

# API Controller for managing event resources
# Provides RESTful endpoints for CRUD operations on the Event model

module Api
  module V1
    class EventsController < ApiController
      # Skip API key authentication for store_cart action (used by frontend forms)
      skip_before_action :authenticate_api_key, only: [ :store_cart ]

      # Loads the event before certain actions to reduce duplications
      before_action :set_event, only: [ :show, :update, :destroy, :store_cart ]

      # GET /api/v1/events
      # Retrieves all events sorted by creation date (most recent first)
      def index
        @events = Event.all.order(created_at: :desc)
        render json: @events.map { |e| event_json(e) }, status: :ok
      end

      # GET /api/v1/events/:id
      # Retrieves a single event by its ID
      # Returns 404 if the event is not found
      def show
        render json: event_json(@event), status: :ok
      end

      # POST /api/v1/events
      # Creates a new event with the provided attributes
      # Returns 201 Created on success with the event data
      # Returns 422 Unprocessable Entity with error messages on failure
      def create
        @event = Event.new(event_params)
        if @event.save
          render json: event_json(@event), status: :created
        else
          render json: { errors: @event.errors.full_messages }, status: :unprocessable_entity
        end
      end

      # PATCH/PUT /api/v1/events/:id
      # Updates an existing event with the provided attributes
      # Returns 200 OK with updated data on success
      # Returns 422 Unprocessable Entity with error messages on failure
      def update
        if @event.update(event_params)
          render json: event_json(@event), status: :ok
        else
          render json: { errors: @event.errors.full_messages }, status: :unprocessable_entity
        end
      end

      # DELETE /api/v1/events/:id
      # Permanently deletes an event
      # Returns 204 No Content on success
      def destroy
        @event.destroy
        head :no_content
      end

      # POST /api/v1/events/:id/store_cart
      # Store cart data in session (AJAX endpoint)
      def store_cart
        cart_data = params[:cart] || {}
        session[:pending_cart] = cart_data
        session[:event_id] = @event.id

        render json: { status: "success", message: "Cart stored successfully" }
      rescue => e
        error_message = e.message.present? ? e.message : "Unknown error"
        Rails.logger.error "Error storing cart: #{error_message}"
        render json: { status: "error", message: "Failed to store cart" }, status: 500
      end

      private

      # Helper method to serialize event data safely
      def event_json(event)
        {
          id: event.id,
          name: event.name,
          slug: event.slug,
          description: event.description,
          state: event.state,
          venue_name: event.venue_name,
          venue_address: event.venue_address,
          start_time: event.start_time,
          end_time: event.end_time,
          latitude: event.latitude,
          longitude: event.longitude,
          featured: event.featured,
          image_url: event.display_image_url,
          created_at: event.created_at,
          updated_at: event.updated_at,
          user: {
            id: event.user.id,
            email: event.user.email,
            first_name: event.user.first_name,
            last_name: event.user.last_name
          }
        }
      end

      # Finds an event by its ID or returns 404 Not Found
      # Used as before_action for the show, update, and destroy actions
      def set_event
        @event = Event.find(params[:id])
      rescue ActiveRecord::RecordNotFound
        render json: { error: "Event not found" }, status: :not_found
      end

      # Strong parameters for creating and updating events
      # Whitelist of allowed attributes to avoid mass assignment vulnerabilities
      def event_params
        params.require(:event).permit(
          :name,
          :slug,
          :description,
          :state,
          :venue_name,
          :venue_address,
          :start_time,
          :end_time,
          :latitude,
          :longitude,
          :featured,
          :user_id
        )
      end

      # Helper method to serialize event data safely
      def event_json(event)
        {
          id: event.id,
          name: event.name,
          slug: event.slug,
          description: event.description,
          state: event.state,
          venue_name: event.venue_name,
          venue_address: event.venue_address,
          start_time: event.start_time,
          end_time: event.end_time,
          latitude: event.latitude,
          longitude: event.longitude,
          featured: event.featured,
          created_at: event.created_at,
          updated_at: event.updated_at,
          user: {
            id: event.user.id,
            email: event.user.email, # May be remove public email ?
            first_name: event.user.first_name, # May be remove public name ?
            last_name: event.user.last_name # May be remove public name ?
          }
        }
      end
    end
  end
end