Update app.py

app.py

@@ -1,8 +1,9 @@
-from fastapi import FastAPI, Request, UploadFile, File, Form
+# app.py
+from fastapi import FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.responses import JSONResponse
 from pydantic import BaseModel, Field
 from typing import Optional, List, Dict
+import httpx
 import json
 import logging
 import os
@@ -10,13 +11,12 @@ import asyncio
 import hashlib
 from datetime import datetime, timezone
 import re
-import base64
-import imghdr
+import fastapi
 
 app = FastAPI()
 logging.basicConfig(level=logging.INFO)
 
-# CORS
+# Enable CORS for all origins
 app.add_middleware(
     CORSMiddleware,
     allow_origins=["*"],
@@ -25,36 +25,33 @@ app.add_middleware(
 )
 
 # ---------------------------
-# Persistent storage setup
+# 📦 Persistent storage setup
 # ---------------------------
 PERSISTENT_ROOT = os.environ.get("PERSISTENT_DIR", "/data")
-if not os.path.isdir(PERSISTENT_ROOT):
-    PERSISTENT_ROOT = os.path.join(".", "data")
-os.makedirs(PERSISTENT_ROOT, exist_ok=True)
-
 CHAT_DIR = os.path.join(PERSISTENT_ROOT, "chat")
+if not os.path.isdir(PERSISTENT_ROOT):
+    CHAT_DIR = os.path.join(".", "data", "chat")
 os.makedirs(CHAT_DIR, exist_ok=True)
 
 USERS_DIR = os.path.join(PERSISTENT_ROOT, "users")
 os.makedirs(USERS_DIR, exist_ok=True)
 USERS_FILE = os.path.join(USERS_DIR, "users.jsonl")
 SESSIONS_FILE = os.path.join(USERS_DIR, "sessions.json")
-ADMIN_KEY = os.environ.get("ADMIN_KEY", "")
+ADMIN_KEY = os.environ.get("ADMIN_KEY", "")  # set in HF Space secrets
 
-# locks & in-memory
+# Async file locks
 app.state.chat_locks = {}
 app.state.users_lock = asyncio.Lock()
 app.state.sessions_lock = asyncio.Lock()
 app.state.sessions: Dict[str, str] = {}
 
 
-# ---------------------------
-# Helpers
-# ---------------------------
-def _chat_file_for(room: str) -> str:
-    h = hashlib.sha256(room.encode("utf-8")).hexdigest()[:32]
+def _chat_file_for(video_id: str) -> str:
+    # Stable filename to avoid path traversal
+    h = hashlib.sha256(video_id.encode("utf-8")).hexdigest()[:32]
     return os.path.join(CHAT_DIR, f"{h}.jsonl")
 
+
 def _lock_for(path: str) -> asyncio.Lock:
     lock = app.state.chat_locks.get(path)
     if lock is None:
@@ -62,90 +59,108 @@ def _lock_for(path: str) -> asyncio.Lock:
         app.state.chat_locks[path] = lock
     return lock
 
+
 def _now_iso() -> str:
     return datetime.now(timezone.utc).isoformat()
 
-def _safe_handle(s: str) -> str:
-    s = (s or "").strip()
-    s = re.sub(r"[^a-zA-Z0-9_.~-]", "_", s)
-    return s[:24]
 
-def _hash_pin(pin: str) -> str:
-    return hashlib.sha256(("tlks|" + (pin or "")).encode("utf-8")).hexdigest()
+def _valid_author(s: Optional[str]) -> str:
+    s = (s or "anon").strip()
+    s = re.sub(r"\s+", " ", s)
+    return s[:32] or "anon"
 
-def _rand_token() -> str:
-    return hashlib.sha256(os.urandom(32)).hexdigest()
 
-# JSONL read/write
-async def _append_jsonl(path: str, record: dict):
+def _valid_text(s: str) -> str:
+    s = (s or "").rstrip("\n")
+    return s[:2000]
+
+
+async def _append_jsonl(path: str, record: dict) -> None:
     line = json.dumps(record, ensure_ascii=False) + "\n"
+
     def _write():
         with open(path, "a", encoding="utf-8") as f:
             f.write(line)
+
     await asyncio.to_thread(_write)
 
+
 async def _read_jsonl(path: str) -> List[dict]:
     if not os.path.exists(path):
         return []
-    def _r():
+
+    def _read():
         with open(path, "r", encoding="utf-8") as f:
             return [json.loads(x) for x in f if x.strip()]
-    return await asyncio.to_thread(_r)
 
-# users load/write helpers
+    return await asyncio.to_thread(_read)
+
+
+# ---------------------------
+# 👤 Users & Auth helpers
+# ---------------------------
+
+def _safe_handle(s: str) -> str:
+    s = (s or "").strip()
+    s = re.sub(r"[^a-zA-Z0-9_.~-]", "_", s)
+    return s[:24]
+
+
+def _hash_pin(pin: str) -> str:
+    return hashlib.sha256(("tlks|" + pin).encode("utf-8")).hexdigest()
+
+
+def _rand_token() -> str:
+    return hashlib.sha256(os.urandom(32)).hexdigest()
+
+
+async def _append_user(record: dict) -> None:
+    line = json.dumps(record, ensure_ascii=False) + "\n"
+
+    def _write():
+        with open(USERS_FILE, "a", encoding="utf-8") as f:
+            f.write(line)
+
+    async with app.state.users_lock:
+        await asyncio.to_thread(_write)
+
+
 async def _read_users() -> List[dict]:
     if not os.path.exists(USERS_FILE):
         return []
-    def _r():
+
+    def _read():
         with open(USERS_FILE, "r", encoding="utf-8") as f:
             return [json.loads(x) for x in f if x.strip()]
-    async with app.state.users_lock:
-        return await asyncio.to_thread(_r)
 
-async def _write_users(users: List[dict]):
-    def _w():
-        with open(USERS_FILE, "w", encoding="utf-8") as f:
-            for u in users:
-                f.write(json.dumps(u, ensure_ascii=False) + "\n")
-    async with app.state.users_lock:
-        await asyncio.to_thread(_w)
-
-async def _append_user(rec: dict):
-    # ensure default fields
-    rec.setdefault("disabled", False)
-    rec.setdefault("created_at", _now_iso())
-    rec.setdefault("verified", "")      # "", "staff", "dev"
-    rec.setdefault("seen_intro", False)
-    line = json.dumps(rec, ensure_ascii=False) + "\n"
     async with app.state.users_lock:
-        def _w():
-            with open(USERS_FILE, "a", encoding="utf-8") as f:
-                f.write(line)
-        await asyncio.to_thread(_w)
+        return await asyncio.to_thread(_read)
+
 
-# sessions
 async def _load_sessions():
     if os.path.exists(SESSIONS_FILE):
-        def _r():
+        def _read():
             with open(SESSIONS_FILE, "r", encoding="utf-8") as f:
                 return json.load(f)
-        app.state.sessions = await asyncio.to_thread(_r)
+        app.state.sessions = await asyncio.to_thread(_read)
     else:
         app.state.sessions = {}
 
+
 async def _save_sessions():
-    def _w(data):
+    def _write(data):
         with open(SESSIONS_FILE, "w", encoding="utf-8") as f:
             json.dump(data, f)
+
     async with app.state.sessions_lock:
-        await asyncio.to_thread(_w, app.state.sessions)
+        await asyncio.to_thread(_write, app.state.sessions)
+
 
 @app.on_event("startup")
-async def _startup():
+async def _startup_load_sessions():
     await _load_sessions()
 
 
-# admin guard
 def _require_admin(request: Request):
     provided = request.headers.get("x-admin-key", "")
     if not ADMIN_KEY or provided != ADMIN_KEY:
@@ -153,7 +168,44 @@ def _require_admin(request: Request):
 
 
 # ---------------------------
-# Models
+# 💬 Chat API (public read, authed write)
+# ---------------------------
+class NewMessage(BaseModel):
+    # author is ignored and server uses authenticated user's profile.
+    text: str = Field(..., min_length=1, max_length=5000)
+    images: Optional[List[str]] = []  # base64 data-urls or URLs
+
+
+@app.get("/chat/{video_id}")
+async def get_messages(video_id: str, limit: int = 50, since: Optional[str] = None):
+    """
+    Fetch messages for a room/video.
+    - limit: max messages (default 50)
+    - since: ISO8601 timestamp; return only messages newer than this
+    """
+    limit = max(1, min(limit, 200))
+    path = _chat_file_for(video_id)
+    items = await _read_jsonl(path)
+
+    if since:
+        try:
+            since_dt = datetime.fromisoformat(since.replace("Z", "+00:00"))
+            items = [
+                m for m in items
+                if datetime.fromisoformat(str(m.get("created_at", "")).replace("Z", "+00:00")) > since_dt
+            ]
+        except Exception:
+            pass  # Ignore bad since param
+
+    items.sort(key=lambda m: m.get("created_at", ""))
+    if len(items) > limit:
+        items = items[-limit:]
+
+    return {"video_id": video_id, "count": len(items), "messages": items}
+
+
+# ---------------------------
+# 👤 Users & Auth API
 # ---------------------------
 class NewUser(BaseModel):
     email: str
@@ -164,7 +216,8 @@ class NewUser(BaseModel):
     profile_image: Optional[str] = ""
     description: Optional[str] = ""
     pin: str = Field(..., min_length=3, max_length=32)
-    verified: Optional[str] = ""  # optional initial verified status
+    verified: Optional[str] = None  # 'staff' or 'dev' or None
+
 
 class UpdateUser(BaseModel):
     first_name: Optional[str] = None
@@ -176,43 +229,21 @@ class UpdateUser(BaseModel):
     disabled: Optional[bool] = None
     verified: Optional[str] = None
 
+
 class LoginReq(BaseModel):
     handle: str
     pin: str
 
-class NewMessage(BaseModel):
-    text: str = Field(..., min_length=1, max_length=5000)
-    images: Optional[List[str]] = None  # (base64 data URLs or URLs)
-
 
-# ---------------------------
-# Auth utilities
-# ---------------------------
-async def _require_user(request: Request) -> dict:
-    auth = request.headers.get("authorization", "")
-    if not auth or not auth.lower().startswith("bearer "):
-        raise fastapi.HTTPException(status_code=401, detail="Missing bearer token")
-    token = auth.split(" ", 1)[1].strip()
-    handle = app.state.sessions.get(token)
-    if not handle:
-        raise fastapi.HTTPException(status_code=401, detail="Invalid session")
-    users = await _read_users()
-    user = next((u for u in users if u.get("handle") == handle), None)
-    if not user or user.get("disabled"):
-        raise fastapi.HTTPException(status_code=401, detail="User disabled")
-    return user
-
-
-# ---------------------------
-# Admin: create/list/update users (pin stored hashed); includes 'verified'
-# ---------------------------
 @app.post("/admin/users")
 async def admin_create_user(user: NewUser, request: Request):
     _require_admin(request)
     users = await _read_users()
+
     handle = _safe_handle(user.handle.lstrip("@"))
     if any(u.get("handle") == handle for u in users):
         return {"ok": False, "error": "Handle already exists"}
+
     rec = {
         "email": user.email.strip(),
         "first_name": user.first_name.strip(),
@@ -223,14 +254,14 @@ async def admin_create_user(user: NewUser, request: Request):
         "description": (user.description or "").strip(),
         "pin_hash": _hash_pin(user.pin),
         "disabled": False,
+        "verified": (user.verified or None),
         "created_at": _now_iso(),
-        "verified": (user.verified or ""),
-        "seen_intro": False
     }
     await _append_user(rec)
     pub = {k: v for k, v in rec.items() if k != "pin_hash"}
     return {"ok": True, "user": pub}
 
+
 @app.get("/admin/users")
 async def admin_list_users(request: Request, q: Optional[str] = None, limit: int = 200):
     _require_admin(request)
@@ -239,11 +270,10 @@ async def admin_list_users(request: Request, q: Optional[str] = None, limit: int
         ql = q.lower()
         users = [u for u in users if ql in u.get("email", "").lower() or ql in u.get("handle", "").lower()]
     users = users[: max(1, min(limit, 1000))]
-    out = []
     for u in users:
-        copy = {k: v for k, v in u.items() if k != "pin_hash"}
-        out.append(copy)
-    return {"count": len(out), "users": out}
+        u.pop("pin_hash", None)
+    return {"count": len(users), "users": users}
+
 
 @app.put("/admin/users/{handle}")
 async def admin_update_user(handle: str, patch: UpdateUser, request: Request):
@@ -268,19 +298,22 @@ async def admin_update_user(handle: str, patch: UpdateUser, request: Request):
             if patch.pin is not None:
                 u["pin_hash"] = _hash_pin(patch.pin)
             if patch.verified is not None:
-                # allow "", "staff", "dev"
-                val = (patch.verified or "").strip()
-                u["verified"] = val
+                u["verified"] = patch.verified
             changed = True
             break
     if not changed:
         raise fastapi.HTTPException(status_code=404, detail="User not found")
-    await _write_users(users)
+
+    # rewrite file
+    async with app.state.users_lock:
+        def _write_all():
+            with open(USERS_FILE, "w", encoding="utf-8") as f:
+                for rec in users:
+                    f.write(json.dumps(rec, ensure_ascii=False) + "\n")
+        await asyncio.to_thread(_write_all)
     return {"ok": True}
 
-# ---------------------------
-# Auth: login & me with intro support
-# ---------------------------
+
 @app.post("/auth/login")
 async def login(req: LoginReq):
     users = await _read_users()
@@ -290,73 +323,64 @@ async def login(req: LoginReq):
         return {"ok": False, "error": "Invalid user"}
     if u.get("pin_hash") != _hash_pin(req.pin):
         return {"ok": False, "error": "Invalid PIN"}
+
     token = _rand_token()
     app.state.sessions[token] = handle
     await _save_sessions()
     return {"ok": True, "token": token}
 
+
+async def _require_user(request: Request) -> dict:
+    auth = request.headers.get("authorization", "")
+    if not auth.lower().startswith("bearer "):
+        raise fastapi.HTTPException(status_code=401, detail="Missing bearer token")
+    token = auth.split(" ", 1)[1].strip()
+    handle = app.state.sessions.get(token)
+    if not handle:
+        raise fastapi.HTTPException(status_code=401, detail="Invalid session")
+
+    users = await _read_users()
+    user = next((u for u in users if u.get("handle") == handle), None)
+    if not user or user.get("disabled"):
+        raise fastapi.HTTPException(status_code=401, detail="User disabled")
+    return user
+
+
 @app.get("/me")
 async def me(request: Request):
     user = await _require_user(request)
-    # copy raising sensitive info out
-    pub = {k: v for k, v in user.items() if k != "pin_hash"}
-    # Intro behavior: if user hasn't seen intro, return show_intro and update their flag
-    show_intro = False
-    if not user.get("seen_intro"):
-        show_intro = True
-        # mark seen_intro true and rewrite users file
-        users = await _read_users()
-        for u in users:
-            if u.get("handle") == user.get("handle"):
-                u["seen_intro"] = True
-                break
-        await _write_users(users)
-    # Access notice string for frontend popup
-    access_notice = "Access is rolling out class by class — you must be invited. If you entered an incorrect name or PIN, ask your teacher for help."
-    pub["show_intro"] = show_intro
-    pub["access_notice"] = access_notice
+    pub = {k: v for k, v in user.items() if k not in ("pin_hash",)}
     return {"ok": True, "user": pub}
 
 
-# ---------------------------
-# Chat endpoints (post + read + delete)
-# ---------------------------
-@app.get("/chat/{room}")
-async def get_messages(room: str, limit: int = 50, since: Optional[str] = None):
-    limit = max(1, min(limit, 200))
-    path = _chat_file_for(room)
-    items = await _read_jsonl(path)
-    if since:
-        try:
-            since_dt = datetime.fromisoformat(since.replace("Z", "+00:00"))
-            items = [
-                m for m in items
-                if datetime.fromisoformat(str(m.get("created_at", "")).replace("Z", "+00:00")) > since_dt
-            ]
-        except Exception:
-            pass
-    items.sort(key=lambda m: m.get("created_at", ""))
-    if len(items) > limit:
-        items = items[-limit:]
-    return {"room": room, "count": len(items), "messages": items}
-
-@app.post("/chat/{room}")
-async def post_message(room: str, msg: NewMessage, request: Request):
-    path = _chat_file_for(room)
+@app.post("/chat/{video_id}")
+async def post_message(video_id: str, msg: NewMessage, request: Request):
+    """
+    Append a message to a room's chat.
+    Body: { "text": "hello", "images": [...] }
+    """
+    path = _chat_file_for(video_id)
     lock = _lock_for(path)
+
+    # Require a valid session and take author from the user profile
     user = await _require_user(request)
-    author = f"{user.get('first_name','')} {user.get('last_name','')}".strip() or user.get("handle")
-    handle = user.get("handle")
+    author = _valid_author(f"{user.get('first_name','')} {user.get('last_name','')}".strip() or user["handle"])
+    handle = user["handle"]
     klass = user.get("klass", "")
     profile_image = user.get("profile_image", "")
-    text = (msg.text or "").strip()
-    if not text and not (msg.images or []):
-        return {"ok": False, "error": "Empty message"}
+
+    text = _valid_text(msg.text)
+    if not text and not (msg.images and len(msg.images) > 0):
+        return {"ok": False, "error": "Empty message and no images"}
+
     created = _now_iso()
-    mid = hashlib.sha1(f"{room}|{author}|{created}|{text}".encode("utf-8")).hexdigest()[:16]
-    rec = {
+    mid = hashlib.sha1(f"{video_id}|{author}|{created}|{text}".encode("utf-8")).hexdigest()[:16]
+    ip = request.client.host if request and request.client else None
+
+    record = {
         "id": mid,
-        "room": room,
+        "video_id": video_id,
+        "room": video_id,
         "author": author,
         "handle": handle,
         "klass": klass,
@@ -364,120 +388,273 @@ async def post_message(room: str, msg: NewMessage, request: Request):
         "text": text,
         "images": msg.images or [],
         "created_at": created,
-        "ua": request.headers.get("user-agent", "")[:200]
+        "ip": ip,
+        "ua": request.headers.get("user-agent", "")[:200],
     }
+
     async with lock:
-        await _append_jsonl(path, rec)
-    return {"ok": True, "message": rec}
+        await _append_jsonl(path, record)
 
-@app.delete("/chat/{room}/{msgid}")
-async def delete_message(room: str, msgid: str, request: Request):
-    """
-    Verified users (staff/dev) may delete posts; admin via x-admin-key may delete too.
-    """
-    # admin bypass?
-    if request.headers.get("x-admin-key", "") == ADMIN_KEY and ADMIN_KEY:
-        # allow admin delete
-        pass
+    return {"ok": True, "message": record}
+
+
+# ---------------------------
+# DM endpoints (map to deterministic dm room names)
+# ---------------------------
+@app.get("/dm/{other_handle}")
+async def get_dm(other_handle: str, request: Request, limit: int = 50, since: Optional[str] = None):
+    user = await _require_user(request)
+    a = user["handle"]
+    b = _safe_handle(other_handle.lstrip("@"))
+    if a == b:
+        # Allow reading your own DMs (empty)
+        room = f"dm_{a}_{b}"
     else:
-        user = await _require_user(request)
-        if user.get("verified") not in ("staff", "dev"):
-            raise fastapi.HTTPException(status_code=403, detail="Only verified staff/developers may delete posts")
-    path = _chat_file_for(room)
-    items = await _read_jsonl(path)
-    new = [m for m in items if m.get("id") != msgid]
-    if len(new) == len(items):
-        raise fastapi.HTTPException(status_code=404, detail="Message not found")
-    # rewrite file
-    def _write():
-        with open(path, "w", encoding="utf-8") as f:
-            for rec in new:
-                f.write(json.dumps(rec, ensure_ascii=False) + "\n")
-    await asyncio.to_thread(_write)
-    return {"ok": True, "deleted": msgid}
+        handles = sorted([a, b])
+        room = f"dm_{handles[0]}_{handles[1]}"
+    return await get_messages(room, limit=limit, since=since)
+
+
+@app.post("/dm/{other_handle}")
+async def post_dm(other_handle: str, msg: NewMessage, request: Request):
+    user = await _require_user(request)
+    a = user["handle"]
+    b = _safe_handle(other_handle.lstrip("@"))
+    handles = sorted([a, b])
+    room = f"dm_{handles[0]}_{handles[1]}"
+    # reuse post_message logic: make a NewMessage-like object and call post_message
+    return await post_message(room, msg, request)
+
 
 # ---------------------------
-# Admin endpoints for posts (view and delete)
+# Admin: user posts listing & deletion
 # ---------------------------
-@app.get("/admin/users/{handle}/posts")
-async def admin_user_posts(handle: str, request: Request):
+@app.get("/admin/user_posts/{handle}")
+async def admin_user_posts(handle: str, request: Request, limit: int = 500):
+    """Return a list of messages authored by handle across chat files (admin-only)."""
     _require_admin(request)
-    handle = _safe_handle(handle)
-    posts = []
-    # scan chat files
-    for fn in os.listdir(CHAT_DIR):
-        path = os.path.join(CHAT_DIR, fn)
+    handle = _safe_handle(handle.lstrip("@"))
+    collected = []
+    # scan all chat files
+    for fname in os.listdir(CHAT_DIR):
+        if not fname.endswith(".jsonl"):
+            continue
+        path = os.path.join(CHAT_DIR, fname)
         try:
-            items = await _read_jsonl(path)
-            for m in items:
-                if m.get("handle") == handle:
-                    posts.append(m)
+            msgs = await _read_jsonl(path)
         except Exception:
-            continue
-    # sort newest first
-    posts.sort(key=lambda x: x.get("created_at", ""), reverse=True)
-    return {"ok": True, "count": len(posts), "posts": posts}
+            msgs = []
+        for m in msgs:
+            if m.get("handle") == handle:
+                collected.append(m)
+                if len(collected) >= limit:
+                    break
+        if len(collected) >= limit:
+            break
+    # sort descending by created_at
+    collected.sort(key=lambda m: m.get("created_at", ""), reverse=True)
+    return {"count": len(collected), "messages": collected}
+
 
-@app.delete("/admin/posts/{room}/{msgid}")
-async def admin_delete_post(room: str, msgid: str, request: Request):
+@app.delete("/admin/posts/{post_id}")
+async def admin_delete_post_admin(post_id: str, request: Request):
+    """Admin-only deletion endpoint (x-admin-key)."""
     _require_admin(request)
-    path = _chat_file_for(room)
-    items = await _read_jsonl(path)
-    new = [m for m in items if m.get("id") != msgid]
-    if len(new) == len(items):
-        raise fastapi.HTTPException(status_code=404, detail="Message not found")
-    def _write():
-        with open(path, "w", encoding="utf-8") as f:
-            for rec in new:
-                f.write(json.dumps(rec, ensure_ascii=False) + "\n")
-    await asyncio.to_thread(_write)
-    return {"ok": True, "deleted": msgid}
+    # reuse deletion routine
+    ok = await _delete_post_by_id(post_id)
+    if not ok:
+        raise fastapi.HTTPException(status_code=404, detail="Post not found")
+    return {"ok": True}
 
-# ---------------------------
-# Optional: upload_data_url endpoint (kept for future use)
-# ---------------------------
-@app.post("/upload_image")
-async def upload_image(file: Optional[UploadFile] = File(None), data_url: Optional[str] = Form(None)):
+
+@app.delete("/posts/{post_id}")
+async def delete_post(post_id: str, request: Request):
     """
-    Accepts multipart file OR a data_url form field. Saves to disk and returns /static path.
-    (You asked to keep base64 as-is; we keep this endpoint but you can keep sending base64/images directly.)
+    Delete a post if the caller is admin (x-admin-key) or a verified moderator (staff/dev).
     """
-    # simple saving implementation
-    IMAGES_DIR = os.path.join(PERSISTENT_ROOT, "static_images")
-    os.makedirs(IMAGES_DIR, exist_ok=True)
-    if file:
-        contents = await file.read()
-        ext = "." + (imghdr.what(None, contents) or "jpg")
-        name = hashlib.sha256(contents).hexdigest()[:20] + ext
-        out = os.path.join(IMAGES_DIR, name)
-        def _w():
-            with open(out, "wb") as f:
-                f.write(contents)
-        await asyncio.to_thread(_w)
-        return {"ok": True, "url": f"/static_images/{name}"}
-    if data_url:
-        if not data_url.startswith("data:"):
-            raise fastapi.HTTPException(status_code=400, detail="Not a data URL")
-        header, b64 = data_url.split(",", 1)
-        try:
-            payload = base64.b64decode(b64)
-        except Exception:
-            raise fastapi.HTTPException(status_code=400, detail="Bad base64")
-        ext = "." + (imghdr.what(None, payload) or "jpg")
-        name = hashlib.sha256(payload).hexdigest()[:20] + ext
-        out = os.path.join(IMAGES_DIR, name)
-        def _w():
-            with open(out, "wb") as f:
-                f.write(payload)
-        await asyncio.to_thread(_w)
-        return {"ok": True, "url": f"/static_images/{name}"}
-    raise fastapi.HTTPException(status_code=400, detail="No file or data_url provided")
+    # admin via header
+    provided = request.headers.get("x-admin-key", "")
+    if ADMIN_KEY and provided == ADMIN_KEY:
+        ok = await _delete_post_by_id(post_id)
+        if not ok:
+            raise fastapi.HTTPException(status_code=404, detail="Post not found")
+        return {"ok": True}
+
+    # otherwise require user and verified
+    user = await _require_user(request)
+    if user.get("verified") not in ("staff", "dev"):
+        raise fastapi.HTTPException(status_code=403, detail="Not authorized to delete posts")
+
+    ok = await _delete_post_by_id(post_id)
+    if not ok:
+        raise fastapi.HTTPException(status_code=404, detail="Post not found")
+    return {"ok": True}
+
+
+async def _delete_post_by_id(post_id: str) -> bool:
+    """
+    Scan chat files and remove the message with id==post_id.
+    Returns True if deleted, False if not found.
+    """
+    for fname in os.listdir(CHAT_DIR):
+        if not fname.endswith(".jsonl"):
+            continue
+        path = os.path.join(CHAT_DIR, fname)
+        lock = _lock_for(path)
+        async with lock:
+            msgs = await _read_jsonl(path)
+            found = False
+            new_msgs = []
+            for m in msgs:
+                if m.get("id") == post_id:
+                    found = True
+                    continue
+                new_msgs.append(m)
+            if found:
+                # rewrite file atomically
+                def _write_all():
+                    with open(path, "w", encoding="utf-8") as f:
+                        for rec in new_msgs:
+                            f.write(json.dumps(rec, ensure_ascii=False) + "\n")
+                await asyncio.to_thread(_write_all)
+                return True
+    return False
+
 
 # ---------------------------
-# Keep existing /album endpoints if you use them unchanged (omitted here)
+# (Original iCloud album endpoints)
 # ---------------------------
+BASE_62_MAP = {c: i for i, c in enumerate("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")}
 
-# minimal root
-@app.get("/")
-async def root():
-    return {"ok": True, "msg": "Central TLKS backend running"}
+
+async def get_client() -> httpx.AsyncClient:
+    if not hasattr(app.state, "client"):
+        app.state.client = httpx.AsyncClient(timeout=15.0)
+    return app.state.client
+
+
+def base62_to_int(token: str) -> int:
+    result = 0
+    for ch in token:
+        result = result * 62 + BASE_62_MAP[ch]
+    return result
+
+
+async def get_base_url(token: str) -> str:
+    first = token[0]
+    if first == "A":
+        n = base62_to_int(token[1])
+    else:
+        n = base62_to_int(token[1:3])
+    return f"https://p{n:02d}-sharedstreams.icloud.com/{token}/sharedstreams/"
+
+
+ICLOUD_HEADERS = {
+    "Origin": "https://www.icloud.com",
+    "Content-Type": "text/plain",
+}
+ICLOUD_PAYLOAD = '{"streamCtag":null}'
+
+
+async def get_redirected_base_url(base_url: str, token: str) -> str:
+    client = await get_client()
+    resp = await client.post(
+        f"{base_url}webstream", headers=ICLOUD_HEADERS, data=ICLOUD_PAYLOAD, follow_redirects=False
+    )
+    if resp.status_code == 330:
+        try:
+            body = resp.json()
+            host = body.get("X-Apple-MMe-Host")
+            if not host:
+                raise ValueError("Missing X-Apple-MMe-Host in 330 response")
+            logging.info(f"Redirected to {host}")
+            return f"https://{host}/{token}/sharedstreams/"
+        except Exception as e:
+            logging.error(f"Redirect parsing failed: {e}")
+            raise
+    elif resp.status_code == 200:
+        return base_url
+    else:
+        resp.raise_for_status()
+
+
+async def post_json(path: str, base_url: str, payload: str) -> dict:
+    client = await get_client()
+    resp = await client.post(f"{base_url}{path}", headers=ICLOUD_HEADERS, data=payload)
+    resp.raise_for_status()
+    return resp.json()
+
+
+async def get_metadata(base_url: str) -> list:
+    data = await post_json("webstream", base_url, ICLOUD_PAYLOAD)
+    return data.get("photos", [])
+
+
+async def get_asset_urls(base_url: str, guids: list) -> dict:
+    payload = json.dumps({"photoGuids": guids})
+    data = await post_json("webasseturls", base_url, payload)
+    return data.get("items", {})
+
+
+@app.get("/album/{token}")
+async def get_album(token: str):
+    try:
+        base_url = await get_base_url(token)
+        base_url = await get_redirected_base_url(base_url, token)
+
+        metadata = await get_metadata(base_url)
+        guids = [photo["photoGuid"] for photo in metadata]
+        asset_map = await get_asset_urls(base_url, guids)
+
+        videos = []
+        for photo in metadata:
+            if photo.get("mediaAssetType", "").lower() != "video":
+                continue
+
+            derivatives = photo.get("derivatives", {})
+            best = max(
+                (d for k, d in derivatives.items() if k.lower() != "posterframe"),
+                key=lambda d: int(d.get("fileSize") or 0),
+                default=None,
+            )
+            if not best:
+                continue
+
+            checksum = best.get("checksum")
+            info = asset_map.get(checksum)
+            if not info:
+                continue
+            video_url = f"https://{info['url_location']}{info['url_path']}"
+
+            poster = None
+            pf = derivatives.get("PosterFrame")
+            if pf:
+                pf_info = asset_map.get(pf.get("checksum"))
+                if pf_info:
+                    poster = f"https://{pf_info['url_location']}{pf_info['url_path']}"
+
+            videos.append({
+                "caption": photo.get("caption", ""),
+                "url": video_url,
+                "poster": poster or "",
+            })
+
+        return {"videos": videos}
+
+    except Exception as e:
+        logging.exception("Error in get_album")
+        return {"error": str(e)}
+
+
+@app.get("/album/{token}/raw")
+async def get_album_raw(token: str):
+    try:
+        base_url = await get_base_url(token)
+        base_url = await get_redirected_base_url(base_url, token)
+        metadata = await get_metadata(base_url)
+        guids = [photo["photoGuid"] for photo in metadata]
+        asset_map = await get_asset_urls(base_url, guids)
+        return {"metadata": metadata, "asset_urls": asset_map}
+    except Exception as e:
+        logging.exception("Error in get_album_raw")
+        return {"error": str(e)}