phase 14

backend/app/api/sharing.py

@@ -0,0 +1,277 @@
+"""Board sharing API endpoints."""
+
+from datetime import datetime
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from app.boards.schemas import (
+    BoardDetail,
+    CommentCreate,
+    CommentResponse,
+    ShareLinkCreate,
+    ShareLinkResponse,
+)
+from app.boards.sharing import generate_secure_token
+from app.core.deps import get_current_user, get_db
+from app.database.models.board import Board
+from app.database.models.comment import Comment
+from app.database.models.share_link import ShareLink
+from app.database.models.user import User
+
+router = APIRouter(tags=["sharing"])
+
+
+def validate_share_link(token: str, db: Session, required_permission: str = "view-only") -> ShareLink:
+    """
+    Validate share link token and check permissions.
+
+    Args:
+        token: Share link token
+        db: Database session
+        required_permission: Required permission level
+
+    Returns:
+        ShareLink if valid
+
+    Raises:
+        HTTPException: 403 if invalid or insufficient permissions
+    """
+    share_link = (
+        db.query(ShareLink)
+        .filter(
+            ShareLink.token == token,
+            ShareLink.is_revoked == False,  # noqa: E712
+        )
+        .first()
+    )
+
+    if share_link is None:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Invalid or revoked share link",
+        )
+
+    # Check expiration
+    if share_link.expires_at and share_link.expires_at < datetime.utcnow():
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Share link has expired",
+        )
+
+    # Check permission level
+    if required_permission == "view-comment" and share_link.permission_level != "view-comment":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Insufficient permissions - commenting not allowed",
+        )
+
+    # Update access tracking
+    share_link.access_count += 1
+    share_link.last_accessed_at = datetime.utcnow()
+    db.commit()
+
+    return share_link
+
+
+@router.post("/boards/{board_id}/share-links", response_model=ShareLinkResponse, status_code=status.HTTP_201_CREATED)
+def create_share_link(
+    board_id: UUID,
+    share_link_data: ShareLinkCreate,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+) -> ShareLinkResponse:
+    """
+    Create a new share link for a board.
+
+    Only the board owner can create share links.
+    """
+    # Verify board exists and user owns it
+    board = db.query(Board).filter(Board.id == board_id, Board.user_id == current_user.id).first()
+
+    if board is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Board not found or access denied",
+        )
+
+    # Generate unique token
+    token = generate_secure_token()
+
+    # Create share link
+    share_link = ShareLink(
+        board_id=board_id,
+        token=token,
+        permission_level=share_link_data.permission_level,
+        expires_at=share_link_data.expires_at,
+    )
+    db.add(share_link)
+    db.commit()
+    db.refresh(share_link)
+
+    return ShareLinkResponse.model_validate(share_link)
+
+
+@router.get("/boards/{board_id}/share-links", response_model=list[ShareLinkResponse])
+def list_share_links(
+    board_id: UUID,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+) -> list[ShareLinkResponse]:
+    """
+    List all share links for a board.
+
+    Only the board owner can list share links.
+    """
+    # Verify board exists and user owns it
+    board = db.query(Board).filter(Board.id == board_id, Board.user_id == current_user.id).first()
+
+    if board is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Board not found or access denied",
+        )
+
+    # Get all share links for board
+    share_links = db.query(ShareLink).filter(ShareLink.board_id == board_id).order_by(ShareLink.created_at.desc()).all()
+
+    return [ShareLinkResponse.model_validate(link) for link in share_links]
+
+
+@router.delete("/boards/{board_id}/share-links/{link_id}", status_code=status.HTTP_204_NO_CONTENT)
+def revoke_share_link(
+    board_id: UUID,
+    link_id: UUID,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+) -> None:
+    """
+    Revoke (soft delete) a share link.
+
+    Only the board owner can revoke share links.
+    """
+    # Verify board exists and user owns it
+    board = db.query(Board).filter(Board.id == board_id, Board.user_id == current_user.id).first()
+
+    if board is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Board not found or access denied",
+        )
+
+    # Get and revoke share link
+    share_link = db.query(ShareLink).filter(ShareLink.id == link_id, ShareLink.board_id == board_id).first()
+
+    if share_link is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Share link not found",
+        )
+
+    share_link.is_revoked = True
+    db.commit()
+
+
+@router.get("/shared/{token}", response_model=BoardDetail)
+def get_shared_board(
+    token: str,
+    db: Session = Depends(get_db),
+) -> BoardDetail:
+    """
+    Access a shared board via token.
+
+    No authentication required - access controlled by share link token.
+    """
+    # Validate share link
+    share_link = validate_share_link(token, db, required_permission="view-only")
+
+    # Get board details
+    board = db.query(Board).filter(Board.id == share_link.board_id).first()
+
+    if board is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Board not found",
+        )
+
+    return BoardDetail.model_validate(board)
+
+
+@router.post("/shared/{token}/comments", response_model=CommentResponse, status_code=status.HTTP_201_CREATED)
+def create_comment(
+    token: str,
+    comment_data: CommentCreate,
+    db: Session = Depends(get_db),
+) -> CommentResponse:
+    """
+    Create a comment on a shared board.
+
+    Requires view-comment permission level.
+    """
+    # Validate share link with comment permission
+    share_link = validate_share_link(token, db, required_permission="view-comment")
+
+    # Create comment
+    comment = Comment(
+        board_id=share_link.board_id,
+        share_link_id=share_link.id,
+        author_name=comment_data.author_name,
+        content=comment_data.content,
+        position=comment_data.position,
+    )
+    db.add(comment)
+    db.commit()
+    db.refresh(comment)
+
+    return CommentResponse.model_validate(comment)
+
+
+@router.get("/shared/{token}/comments", response_model=list[CommentResponse])
+def list_comments(
+    token: str,
+    db: Session = Depends(get_db),
+) -> list[CommentResponse]:
+    """
+    List all comments on a shared board.
+
+    Requires view-only or view-comment permission.
+    """
+    # Validate share link
+    share_link = validate_share_link(token, db, required_permission="view-only")
+
+    # Get all comments for board (non-deleted)
+    comments = (
+        db.query(Comment)
+        .filter(Comment.board_id == share_link.board_id, Comment.is_deleted == False)  # noqa: E712
+        .order_by(Comment.created_at.desc())
+        .all()
+    )
+
+    return [CommentResponse.model_validate(comment) for comment in comments]
+
+
+@router.get("/boards/{board_id}/comments", response_model=list[CommentResponse])
+def list_board_comments(
+    board_id: UUID,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+) -> list[CommentResponse]:
+    """
+    List all comments on a board (owner view).
+
+    Only the board owner can access this endpoint.
+    """
+    # Verify board exists and user owns it
+    board = db.query(Board).filter(Board.id == board_id, Board.user_id == current_user.id).first()
+
+    if board is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Board not found or access denied",
+        )
+
+    # Get all comments for board (including deleted for owner)
+    comments = db.query(Comment).filter(Comment.board_id == board_id).order_by(Comment.created_at.desc()).all()
+
+    return [CommentResponse.model_validate(comment) for comment in comments]

backend/app/boards/schemas.py

@@ -106,3 +106,49 @@ class GroupResponse(BaseModel):
     member_count: int = Field(default=0, description="Number of images in group")
     created_at: datetime
     updated_at: datetime
+
+
+class ShareLinkCreate(BaseModel):
+    """Schema for creating a new share link."""
+
+    permission_level: str = Field(..., pattern=r"^(view-only|view-comment)$", description="Permission level")
+    expires_at: datetime | None = Field(None, description="Optional expiration datetime")
+
+
+class ShareLinkResponse(BaseModel):
+    """Response schema for share link."""
+
+    model_config = ConfigDict(from_attributes=True)
+
+    id: UUID
+    board_id: UUID
+    token: str
+    permission_level: str
+    created_at: datetime
+    expires_at: datetime | None = None
+    last_accessed_at: datetime | None = None
+    access_count: int = 0
+    is_revoked: bool = False
+
+
+class CommentCreate(BaseModel):
+    """Schema for creating a new comment."""
+
+    author_name: str = Field(..., min_length=1, max_length=100, description="Commenter name")
+    content: str = Field(..., min_length=1, max_length=5000, description="Comment text")
+    position: dict | None = Field(None, description="Optional canvas position {x, y}")
+
+
+class CommentResponse(BaseModel):
+    """Response schema for comment."""
+
+    model_config = ConfigDict(from_attributes=True)
+
+    id: UUID
+    board_id: UUID
+    share_link_id: UUID | None = None
+    author_name: str
+    content: str
+    position: dict | None = None
+    created_at: datetime
+    is_deleted: bool = False

backend/app/boards/sharing.py

@@ -0,0 +1,84 @@
+"""Board sharing functionality."""
+
+import secrets
+import string
+from datetime import datetime
+
+from sqlalchemy.orm import Session
+
+from app.database.models.share_link import ShareLink
+
+
+def generate_secure_token(length: int = 64) -> str:
+    """
+    Generate a cryptographically secure random token for share links.
+
+    Args:
+        length: Length of the token (default 64 characters)
+
+    Returns:
+        URL-safe random string
+    """
+    # Use URL-safe characters (alphanumeric + - and _)
+    alphabet = string.ascii_letters + string.digits + "-_"
+    return "".join(secrets.choice(alphabet) for _ in range(length))
+
+
+def validate_share_link_token(token: str, db: Session) -> ShareLink | None:
+    """
+    Validate a share link token and return the share link if valid.
+
+    A share link is valid if:
+    - Token exists
+    - Not revoked
+    - Not expired (if expires_at is set)
+
+    Args:
+        token: The share link token
+        db: Database session
+
+    Returns:
+        ShareLink if valid, None otherwise
+    """
+    share_link = (
+        db.query(ShareLink)
+        .filter(
+            ShareLink.token == token,
+            ShareLink.is_revoked == False,  # noqa: E712
+        )
+        .first()
+    )
+
+    if share_link is None:
+        return None
+
+    # Check expiration
+    if share_link.expires_at and share_link.expires_at < datetime.utcnow():
+        return None
+
+    # Update access tracking
+    share_link.access_count += 1
+    share_link.last_accessed_at = datetime.utcnow()
+    db.commit()
+
+    return share_link
+
+
+def check_permission(share_link: ShareLink, required_permission: str) -> bool:
+    """
+    Check if a share link has the required permission level.
+
+    Args:
+        share_link: The share link to check
+        required_permission: Required permission level ('view-only' or 'view-comment')
+
+    Returns:
+        True if permission granted, False otherwise
+    """
+    if required_permission == "view-only":
+        # Both view-only and view-comment can view
+        return share_link.permission_level in ("view-only", "view-comment")
+    elif required_permission == "view-comment":
+        # Only view-comment can comment
+        return share_link.permission_level == "view-comment"
+    return False

backend/app/database/models/board.py

@@ -13,6 +13,7 @@ from app.database.base import Base
 
 if TYPE_CHECKING:
     from app.database.models.board_image import BoardImage
+    from app.database.models.comment import Comment
     from app.database.models.group import Group
     from app.database.models.share_link import ShareLink
     from app.database.models.user import User
@@ -56,6 +57,7 @@ class Board(Base):
     share_links: Mapped[list["ShareLink"]] = relationship(
         "ShareLink", back_populates="board", cascade="all, delete-orphan"
     )
+    comments: Mapped[list["Comment"]] = relationship("Comment", back_populates="board", cascade="all, delete-orphan")
 
     def __repr__(self) -> str:
         """String representation of Board."""

backend/app/database/models/comment.py

@@ -1,4 +1,4 @@
-"""Comment model for board comments."""
+"""Comment model for board annotations."""
 
 import uuid
 from datetime import datetime
@@ -11,18 +11,16 @@ from app.database.base import Base
 
 
 class Comment(Base):
-    """Comment model for viewer comments on shared boards."""
+    """Comment model representing viewer comments on shared boards."""
 
     __tablename__ = "comments"
 
     id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
-    board_id = Column(UUID(as_uuid=True), ForeignKey("boards.id", ondelete="CASCADE"), nullable=False, index=True)
-    share_link_id = Column(
-        UUID(as_uuid=True), ForeignKey("share_links.id", ondelete="SET NULL"), nullable=True, index=True
-    )
+    board_id = Column(UUID(as_uuid=True), ForeignKey("boards.id", ondelete="CASCADE"), nullable=False)
+    share_link_id = Column(UUID(as_uuid=True), ForeignKey("share_links.id", ondelete="SET NULL"), nullable=True)
     author_name = Column(String(100), nullable=False)
     content = Column(Text, nullable=False)
-    position = Column(JSONB, nullable=True)  # Optional canvas position
+    position = Column(JSONB, nullable=True)  # Optional canvas position reference
     created_at = Column(DateTime, nullable=False, default=datetime.utcnow)
     is_deleted = Column(Boolean, nullable=False, default=False)
 
@@ -31,4 +29,4 @@ class Comment(Base):
     share_link = relationship("ShareLink", back_populates="comments")
 
     def __repr__(self) -> str:
-        return f"<Comment(id={self.id}, author={self.author_name})>"
+        return f"<Comment(id={self.id}, board_id={self.board_id}, author={self.author_name})>"

backend/app/database/models/share_link.py

@@ -1,45 +1,33 @@
-"""ShareLink database model."""
+"""ShareLink model for board sharing functionality."""
 
+import uuid
 from datetime import datetime
-from typing import TYPE_CHECKING
-from uuid import UUID, uuid4
 
-from sqlalchemy import Boolean, DateTime, ForeignKey, Integer, String
-from sqlalchemy.dialects.postgresql import UUID as PGUUID
-from sqlalchemy.orm import Mapped, mapped_column, relationship
+from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Integer, String
+from sqlalchemy.dialects.postgresql import UUID
+from sqlalchemy.orm import relationship
 
 from app.database.base import Base
 
-if TYPE_CHECKING:
-    from app.database.models.board import Board
-
 
 class ShareLink(Base):
-    """
-    ShareLink model for sharing boards with configurable permissions.
-
-    Share links allow users to share boards with others without requiring
-    authentication, with permission levels controlling what actions are allowed.
-    """
+    """ShareLink model representing shareable board links with permissions."""
 
     __tablename__ = "share_links"
 
-    id: Mapped[UUID] = mapped_column(PGUUID(as_uuid=True), primary_key=True, default=uuid4)
-    board_id: Mapped[UUID] = mapped_column(
-        PGUUID(as_uuid=True), ForeignKey("boards.id", ondelete="CASCADE"), nullable=False
-    )
-    token: Mapped[str] = mapped_column(String(64), unique=True, nullable=False, index=True)
-    permission_level: Mapped[str] = mapped_column(String(20), nullable=False)  # 'view-only' or 'view-comment'
-
-    created_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=datetime.utcnow)
-    expires_at: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
-    last_accessed_at: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
-    access_count: Mapped[int] = mapped_column(Integer, nullable=False, default=0)
-    is_revoked: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    board_id = Column(UUID(as_uuid=True), ForeignKey("boards.id", ondelete="CASCADE"), nullable=False)
+    token = Column(String(64), unique=True, nullable=False, index=True)
+    permission_level = Column(String(20), nullable=False)  # 'view-only' or 'view-comment'
+    created_at = Column(DateTime, nullable=False, default=datetime.utcnow)
+    expires_at = Column(DateTime, nullable=True)
+    last_accessed_at = Column(DateTime, nullable=True)
+    access_count = Column(Integer, nullable=False, default=0)
+    is_revoked = Column(Boolean, nullable=False, default=False)
 
     # Relationships
-    board: Mapped["Board"] = relationship("Board", back_populates="share_links")
+    board = relationship("Board", back_populates="share_links")
+    comments = relationship("Comment", back_populates="share_link", cascade="all, delete-orphan")
 
     def __repr__(self) -> str:
-        """String representation of ShareLink."""
-        return f"<ShareLink(id={self.id}, token={self.token[:8]}..., board_id={self.board_id})>"
+        return f"<ShareLink(id={self.id}, board_id={self.board_id}, permission={self.permission_level})>"

backend/app/main.py

@@ -5,7 +5,7 @@ import logging
 from fastapi import FastAPI, Request
 from fastapi.responses import JSONResponse
 
-from app.api import auth, boards, groups, images
+from app.api import auth, boards, groups, images, sharing
 from app.core.config import settings
 from app.core.errors import WebRefException
 from app.core.logging import setup_logging
@@ -86,6 +86,7 @@ app.include_router(auth.router, prefix=f"{settings.API_V1_PREFIX}")
 app.include_router(boards.router, prefix=f"{settings.API_V1_PREFIX}")
 app.include_router(groups.router, prefix=f"{settings.API_V1_PREFIX}")
 app.include_router(images.router, prefix=f"{settings.API_V1_PREFIX}")
+app.include_router(sharing.router, prefix=f"{settings.API_V1_PREFIX}")
 
 
 @app.on_event("startup")