ghostguild-org/server/api/updates/[id].get.js

import jwt from "jsonwebtoken";
import Update from "../../models/update.js";
import { connectDB } from "../../utils/mongoose.js";

export default defineEventHandler(async (event) => {
  await connectDB();

  const id = getRouterParam(event, "id");
  const token = getCookie(event, "auth-token");
  let memberId = null;

  // Check if user is authenticated
  if (token) {
    try {
      const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
      memberId = decoded.memberId;
    } catch (err) {
      // Token invalid, continue as non-member
    }
  }

  try {
    const update = await Update.findById(id).populate("author", "name avatar");

    if (!update) {
      throw createError({
        statusCode: 404,
        statusMessage: "Update not found",
      });
    }

    // Check privacy permissions
    if (update.privacy === "private") {
      // Only author can view private updates
      if (!memberId || update.author._id.toString() !== memberId) {
        throw createError({
          statusCode: 403,
          statusMessage: "You don't have permission to view this update",
        });
      }
    } else if (update.privacy === "members") {
      // Must be authenticated to view members-only updates
      if (!memberId) {
        throw createError({
          statusCode: 403,
          statusMessage: "You must be a member to view this update",
        });
      }
    }

    return update;
  } catch (error) {
    if (error.statusCode) throw error;
    console.error("Get update error:", error);
    throw createError({
      statusCode: 500,
      statusMessage: "Failed to fetch update",
    });
  }
});