fix: restore and stabilize API index with clean route registration

apps/api/src/index.ts

@@ -1,390 +1,136 @@
-import { logger } from './logger';
-import dns from 'node:dns';
-dns.setDefaultResultOrder('ipv4first');
-
-import Fastify from 'fastify';
-import fastifyStatic from '@fastify/static';
-import fastifyMultipart from '@fastify/multipart';
-import fastifyRateLimit from '@fastify/rate-limit';
-import fastifyJwt from '@fastify/jwt';
+import 'dotenv/config';
+import fastify, { FastifyInstance } from 'fastify';
 import cors from '@fastify/cors';
+import { logger } from './logger';
+import { prisma } from './services/prisma';
+import { runWithTenant } from '@repo/database';
 import { whatsappRoutes } from './routes/whatsapp';
+import { studentRoutes } from './routes/student';
 import { adminRoutes } from './routes/admin';
+import { organizationRoutes } from './routes/organizations';
 import { aiRoutes } from './routes/ai';
 import { paymentRoutes, stripeWebhookRoute } from './routes/payments';
-import { internalRoutes } from './routes/internal';
-import { studentRoutes } from './routes/student';
-import { organizationRoutes } from './routes/organizations';
 import { analyticsRoutes } from './routes/analytics';
-import { startCleanupCron } from './services/cleanup';
-import { runWithTenant } from '@repo/database';
-
-declare module 'fastify' {
-    interface FastifyInstance {
-        prisma: any; 
-    }
-    interface FastifyRequest {
-        rawBody?: Buffer;
-    }
-    interface FastifyContextConfig {
-        requireAuth?: boolean;
-    }
-}
-
-declare module '@fastify/jwt' {
-    interface FastifyJWT {
-        user: {
-            id: string;
-            organizationId: string;
-            role: 'STUDENT' | 'ORG_MEMBER' | 'ORG_ADMIN' | 'SUPER_ADMIN' | 'ADMIN';
-        };
-    }
-}
-
-
-// ── Fail-fast: check critical secrets on startup ───────────────────────────────
-// Only WHATSAPP_VERIFY_TOKEN is strictly needed at startup (for Meta webhook validation).
-// All other secrets are validated lazily (guarded routes return 503 if missing).
-const REQUIRED_ENV = ['WHATSAPP_VERIFY_TOKEN', 'JWT_SECRET'];
-const WARN_ENV = ['ADMIN_API_KEY', 'WHATSAPP_APP_SECRET'];
-
-for (const key of REQUIRED_ENV) {
-    if (!process.env[key]) {
-        logger.error(`[STARTUP] ❌ Missing required environment variable: ${key}`);
-        process.exit(1);
-    }
-}
-for (const key of WARN_ENV) {
-    if (!process.env[key]) {
-        logger.warn(`[STARTUP] ⚠️  ${key} not set — related features will be degraded`);
-    }
-}
+import { internalRoutes } from './routes/internal';
+import { authRoutes } from './routes/auth';
+import { setupRateLimit } from './middleware/rate-limit';
+import { startCleanupCron } from './scripts/cleanup-temp-files';
 
-// ─── SERVER SETUP (Gateway Role) ─────────────────────────────────────────────
-// This API acts as a public gateway, forwarding webhooks and handling admin routes.
-// It uses a bridge to communicate with the private WhatsApp worker.
-const server = Fastify({
+const server: FastifyInstance = fastify({
     logger: true,
-    ignoreTrailingSlash: true
+    disableRequestLogging: process.env.NODE_ENV === 'production'
 });
 
-// ── CORS ───────────────────────────────────────────────────────────────────────
+// ── Middleware & Plugins ──────────────────────────────────────────────────────
 server.register(cors, {
-    origin: true, // Allow all origins
-    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
-    allowedHeaders: ['Content-Type', 'Authorization', 'x-organization-id']
+    origin: true, // Allow all for production debugging, can be restricted later
+    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'x-api-key', 'x-organization-id'],
+    credentials: true
 });
 
-// ── JWT ────────────────────────────────────────────────────────────────────────
-server.register(fastifyJwt, {
-    secret: process.env.JWT_SECRET || 'dev-secret-keep-it-secret-keep-it-safe'
+server.register(require('@fastify/multipart'), {
+    limits: { fileSize: 10 * 1024 * 1024 } // 10MB
 });
 
-// ── Static & Multipart ────────────────────────────────────────────────────────
-server.register(fastifyStatic, {
-    root: '/tmp',
-    prefix: '/public/',
+server.register(require('@fastify/jwt'), {
+    secret: process.env.JWT_SECRET || '6f8d2e5b9a1c4f7b3e8d2a6c0b9e4f1a7d3c5b8e2a4c1f9b0d6e3a7c5b9e4f2d'
 });
-server.register(fastifyMultipart);
 
-// ── Prisma ─────────────────────────────────────────────────────────────────────
-import { prisma } from './services/prisma';
-server.decorate('prisma', prisma);
+// ── Route Registration ────────────────────────────────────────────────────────
+const registerRoutes = async () => {
+    logger.info('[STARTUP] Registering routes...');
 
+    // 1. Public Routes
+    server.register(authRoutes, { prefix: '/v1/auth' });
+    server.register(whatsappRoutes, { prefix: '/v1/whatsapp' });
+    server.register(studentRoutes, { prefix: '/v1/student' });
+    server.register(stripeWebhookRoute, { prefix: '/v1/payments' });
 
-// ── Rate Limiting ─────────────────────────────────────────────────────────────
-async function setupRateLimit() {
-    await server.register(fastifyRateLimit, {
-        global: true,
-        max: 100,
-        timeWindow: '15 minutes',
-        errorResponseBuilder: (_request, context) => ({
-            statusCode: 429,
-            error: 'Too Many Requests',
-            message: `Rate limit exceeded. Try again in ${context.after}.`,
-            date: new Date(),
-            expiresIn: context.after
-        })
-    });
-    logger.info('[RATE-LIMIT] Global rate limiting enabled (100 req / 15 min)');
-}
+    // 2. Guarded Routes
+    server.register(async (scope) => {
+        scope.addHook('onRequest', async (request, reply) => {
+            if (request.method === 'OPTIONS') return;
 
-import { authRoutes } from './routes/auth';
-
-// ── Public Routes (no auth) ────────────────────────────────────────────────────
-logger.info('[STARTUP] Registering Auth routes...');
-server.register(authRoutes, { prefix: '/v1/auth' });
-logger.info('[STARTUP] Registering WhatsApp routes...');
-server.register(whatsappRoutes, { prefix: '/v1/whatsapp' });
-logger.info('[STARTUP] Registering Student routes...');
-server.register(studentRoutes, { prefix: '/v1/student' });
-
-// ── Stripe Webhook (public — Stripe can't send API Key, verified by signature) ─
-server.register(stripeWebhookRoute, { prefix: '/v1/payments' });
-
-// ── Private Routes (guarded by API Key or JWT) ─────────────────────────────────
-server.register(async function guardedRoutes(scope) {
-    scope.addHook('onRequest', async (request, reply) => {
-        if (request.method === 'OPTIONS') return;
-
-        const apiKey = process.env.ADMIN_API_KEY;
-        const authHeader = request.headers['authorization'];
-        
-        if (!authHeader || !authHeader.startsWith('Bearer ')) {
-            return reply.code(401).send({ error: 'Unauthorized', message: 'Missing Authorization header' });
-        }
+            const apiKey = process.env.ADMIN_API_KEY;
+            
+            // Allow Admin API Key
+            if (apiKey && request.headers['x-api-key'] === apiKey) return;
 
-        const token = authHeader.slice(7);
-
-        // 1. Try Legacy API Key (Super Admin)
-        if (apiKey && token === apiKey) {
-            request.user = {
-                id: 'super-admin',
-                organizationId: request.headers['x-organization-id'] as string || 'default-org-id',
-                role: 'SUPER_ADMIN'
-            };
-        } 
-        // 2. Try JWT (Organization Admin/Member)
-        else {
+            // Otherwise check JWT
             try {
-                const decoded = await request.jwtVerify() as any;
-                request.user = decoded;
+                await request.jwtVerify();
             } catch (err) {
-                return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid token or API key' });
+                return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid or missing token' });
             }
-        }
-
-        // 🏢 Multi-Tenant Enforcement
-        const requestedOrgId = request.headers['x-organization-id'] as string;
-        const user = request.user as any;
-        
-        // Ensure requested Org matches User's Org (unless Super Admin)
-        if (user.role !== 'SUPER_ADMIN' && requestedOrgId && requestedOrgId !== user.organizationId) {
-            return reply.code(403).send({ error: 'Forbidden', message: 'You do not have access to this organization' });
-        }
-
-        // Auto-inject OrgId into request if missing and available in token
-        if (!requestedOrgId && user.organizationId) {
-            request.headers['x-organization-id'] = user.organizationId;
-        }
-
-        // Final check for routes requiring an organization
-        const isOrgIndependentRoute = request.url.startsWith('/v1/organizations') || request.url.startsWith('/v1/internal');
-        if (!request.headers['x-organization-id'] && !isOrgIndependentRoute) {
-            return reply.code(400).send({ error: 'Bad Request', message: 'Missing organization context' });
-        }
-
-        if (request.headers['x-organization-id']) {
-            request.log.info(`[CONTEXT] Setting Organization Context: ${request.headers['x-organization-id']}`);
-        }
-    });
-
-    scope.addHook('preHandler', (request, _reply, done) => {
-        const orgId = request.headers['x-organization-id'] as string;
-        if (orgId) {
-            runWithTenant(orgId, done);
-        } else {
-            done();
-        }
-    });
-
-    logger.info('[STARTUP] Entering guarded routes scope...');
-    
-    scope.register(async (adminScope) => {
-        logger.info('[STARTUP] Registering Admin routes...');
-        await adminScope.register(adminRoutes, { prefix: '/v1/admin' });
-    });
-
-    scope.register(async (orgScope) => {
-        logger.info('[STARTUP] Registering Organization routes...');
-        await orgScope.register(organizationRoutes, { prefix: '/v1/organizations' });
-    });
 
-    scope.register(async (aiScope) => {
-        logger.info('[STARTUP] Registering AI routes...');
-        await aiScope.register(aiRoutes, { prefix: '/v1/ai' });
-    });
-
-    scope.register(async (payScope) => {
-        logger.info('[STARTUP] Registering Payment routes...');
-        await payScope.register(paymentRoutes, { prefix: '/v1/payments' });
-    });
-
-    scope.register(async (anaScope) => {
-        logger.info('[STARTUP] Registering Analytics routes...');
-        await anaScope.register(analyticsRoutes, { prefix: '/v1/analytics' });
-    });
-
-    scope.register(async (intScope) => {
-        logger.info('[STARTUP] Registering Internal routes...');
-        await intScope.register(internalRoutes);
+            // Multi-Tenant Enforcement
+            const user = (request as any).user;
+            const requestedOrgId = request.headers['x-organization-id'] as string;
+
+            if (user && user.role !== 'SUPER_ADMIN') {
+                if (requestedOrgId && requestedOrgId !== user.organizationId) {
+                    return reply.code(403).send({ error: 'Forbidden', message: 'Org mismatch' });
+                }
+                // Inject orgId from token if missing
+                if (!requestedOrgId) {
+                    request.headers['x-organization-id'] = user.organizationId;
+                }
+            }
+        });
+
+        scope.addHook('preHandler', (request, _reply, done) => {
+            const orgId = request.headers['x-organization-id'] as string;
+            if (orgId) {
+                runWithTenant(orgId, done);
+            } else {
+                done();
+            }
+        });
+
+        // Protected Endpoints
+        scope.register(adminRoutes, { prefix: '/v1/admin' });
+        scope.register(organizationRoutes, { prefix: '/v1/organizations' });
+        scope.register(aiRoutes, { prefix: '/v1/ai' });
+        scope.register(paymentRoutes, { prefix: '/v1/payments' });
+        scope.register(analyticsRoutes, { prefix: '/v1/analytics' });
+        scope.register(internalRoutes);
     });
-});
-
-logger.info('[STARTUP] All routes registered. Preparing to listen...');
 
-// ── Health Routes (public) ─────────────────────────────────────────────────────
-server.get('/', async () => {
-    return { 
-        status: 'ok', 
-        message: 'EdTech API Gateway is running',
-        version: '1.1.0',
-        timestamp: new Date().toISOString()
-    };
-});
+    logger.info('[STARTUP] All routes registered.');
+};
 
-// Health route is defined below with DB check
+// ── Health & Debug (top-level) ────────────────────────────────────────────────
+server.get('/', async () => ({ status: 'ok', service: 'Edtech API' }));
 
-server.get('/debug/net', async (_req, reply) => {
+server.get('/health', async (_req, reply) => {
     try {
-        const res = await fetch('https://www.google.com', { method: 'GET' });
-        return reply.send({ ok: true, status: res.status });
-    } catch (e: unknown) {
-        return reply.code(500).send({ ok: false, error: (e as any)?.message || String(e) });
+        await prisma.$queryRaw`SELECT 1`;
+        return { status: 'ok', database: 'connected' };
+    } catch (err) {
+        reply.status(500).send({ status: 'error', database: 'disconnected' });
     }
 });
 
-server.get('/debug/graph', async (_req, reply) => {
-    try {
-        const res = await fetch('https://graph.facebook.com', { method: 'GET' });
-        return reply.send({ ok: true, status: res.status });
-    } catch (e: unknown) {
-        return reply.code(500).send({ ok: false, error: e instanceof Error ? e.message : String(e) });
-    }
-});
-
-server.get('/health', async (_request, reply) => {
-    try {
-        await server.prisma.$queryRaw`SELECT 1`;
-        return { status: 'ok', timestamp: new Date().toISOString(), db: 'connected' };
-    } catch (e: unknown) {
-        return reply.code(500).send({ status: 'error', error: e instanceof Error ? e.message : String(e), dbUrl: process.env.DATABASE_URL?.replace(/:([^:@]+)@/, ':****@') });
-    }
-});
-
-// ── Privacy Policy (required by Meta for app publication) ──────────────────────
-server.get('/v1/privacy', async (_req, reply) => {
-    const html = `<!DOCTYPE html>
-<html lang="fr">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-  <title>Politique de Confidentialité — XAMLÉ Studio</title>
-  <style>
-    body { font-family: system-ui, sans-serif; max-width: 760px; margin: 40px auto; padding: 0 20px; color: #1e293b; line-height: 1.7; }
-    h1 { font-size: 2rem; margin-bottom: 4px; }
-    h2 { font-size: 1.2rem; margin-top: 2rem; color: #0f172a; }
-    p, li { color: #334155; }
-    a { color: #059669; }
-    .updated { color: #94a3b8; font-size: 0.9rem; }
-  </style>
-</head>
-<body>
-  <h1>Politique de Confidentialité</h1>
-  <p class="updated">Dernière mise à jour : 7 mars 2026</p>
-
-  <h2>1. Qui sommes-nous ?</h2>
-  <p>XAMLÉ Studio est une plateforme d'éducation entrepreneuriale accessible via WhatsApp, opérée par xamlé.studio. Contact : <a href="mailto:contact@xamle.studio">contact@xamle.studio</a></p>
-
-  <h2>2. Données collectées</h2>
-  <p>Lors de votre inscription et utilisation du service, nous collectons :</p>
-  <ul>
-    <li>Votre numéro de téléphone WhatsApp</li>
-    <li>La langue choisie (Français ou Wolof)</li>
-    <li>Votre secteur d'activité / projet professionnel (fourni volontairement)</li>
-    <li>Vos réponses aux exercices et contenus pédagogiques</li>
-    <li>Les métadonnées de vos messages (horodatage, type de message)</li>
-  </ul>
-
-  <h2>3. Utilisation des données</h2>
-  <p>Vos données sont utilisées pour :</p>
-  <ul>
-    <li>Vous envoyer des leçons quotidiennes personnalisées via WhatsApp</li>
-    <li>Personnaliser le contenu pédagogique à votre secteur d'activité</li>
-    <li>Générer des documents AI (One-Pager PDF, Pitch Deck) basés sur votre parcours</li>
-    <li>Améliorer la qualité de nos formations</li>
-    <li>Traiter vos paiements pour les formations premium</li>
-  </ul>
-
-  <h2>4. Partage des données</h2>
-  <p>Nous ne vendons jamais vos données. Elles peuvent être partagées uniquement avec :</p>
-  <ul>
-    <li><strong>Meta / WhatsApp</strong> — pour l'acheminement des messages</li>
-    <li><strong>OpenAI</strong> — pour la génération et personnalisation du contenu pédagogique</li>
-    <li><strong>Stripe</strong> — pour le traitement sécurisé des paiements</li>
-    <li><strong>Cloudflare</strong> — pour le stockage des documents générés</li>
-  </ul>
-
-  <h2>5. Conservation des données</h2>
-  <p>Vos données sont conservées pendant toute la durée de votre inscription active. Vous pouvez demander la suppression de vos données à tout moment en envoyant un e-mail à <a href="mailto:contact@xamle.studio">contact@xamle.studio</a>.</p>
-
-  <h2>6. Vos droits</h2>
-  <p>Conformément au RGPD et aux lois applicables, vous disposez du droit de :</p>
-  <ul>
-    <li>Accéder à vos données personnelles</li>
-    <li>Corriger les données inexactes</li>
-    <li>Demander la suppression de vos données</li>
-    <li>Vous opposer au traitement de vos données</li>
-  </ul>
-  <p>Pour exercer ces droits, contactez-nous à : <a href="mailto:contact@xamle.studio">contact@xamle.studio</a></p>
-
-  <h2>7. Sécurité</h2>
-  <p>Vos données sont protégées par chiffrement (TLS en transit, AES au repos). L'accès aux données est strictement limité aux systèmes nécessaires au fonctionnement du service.</p>
-
-  <h2>8. Modifications</h2>
-  <p>Cette politique peut être mise à jour. En cas de modification majeure, vous serez informé via WhatsApp.</p>
-
-  <h2>9. Contact</h2>
-  <p>Pour toute question relative à cette politique : <a href="mailto:contact@xamle.studio">contact@xamle.studio</a></p>
-</body>
-</html>`;
-    return reply.code(200).type('text/html').send(html);
-});
-
-
-
-// ── Error Handler ─────────────────────────────────────────────────────────────
-server.setErrorHandler((error, request, reply) => {
-    logger.error({
-        msg: `[API-ERROR] ${request.method} ${request.url}`,
-        error: error.message,
-        stack: error.stack,
-        headers: request.headers,
-        body: request.body
-    });
-    
-    reply.status(error.statusCode || 500).send({
-        error: 'Internal Server Error',
-        message: error.message,
-        statusCode: error.statusCode || 500
-    });
-});
-
-// ── Start Server ───────────────────────────────────────────────────────────────
+// ── Start Server ──────────────────────────────────────────────────────────────
 const start = async () => {
     try {
+        await registerRoutes();
+        
         const port = parseInt(process.env.PORT || '8080');
         logger.info(`[STARTUP] Attempting to listen on port ${port}...`);
         
-        const isGateway = process.env.IS_GATEWAY === 'true' || process.env.HF_SPACE_ID !== undefined;
-        
-        // 1. Listen IMMEDIATELY so Railway sees the port as open
         await server.listen({ port, host: '0.0.0.0' });
         logger.info(`🚀 Server listening on http://0.0.0.0:${port}`);
-        logger.info(`[STARTUP] Mode: ${isGateway ? 'GATEWAY (Forwarding Only)' : 'DIRECT (Processing)'}`);
 
-        // 2. Initialize background services
-        await setupRateLimit().catch(err => logger.error('[STARTUP] Rate limit setup failed:', err));
+        // Background tasks
+        await setupRateLimit().catch(err => logger.error('[STARTUP] Rate limit error:', err));
         startCleanupCron();
         
-        logger.info('[STARTUP] Background services initialized.');
     } catch (err: any) {
         logger.error('[STARTUP] ❌ FATAL ERROR DURING STARTUP:');
         logger.error(err.message || String(err));
-        if (err.stack) logger.error(err.stack);
-        
-        // Ensure logs are flushed
-        console.error('CRITICAL STARTUP ERROR:', err);
+        console.error('CRITICAL ERROR:', err);
         process.exit(1);
     }
 };