Learn_System/backend/src/routes/shop.js

const router = require('express').Router();
const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth');
const rateLimit = require('../middleware/rateLimit');
const validate  = require('../middleware/validate');
const {
  getItems, purchaseItem, getPurchases, getCoins, getMyActive, activateItem,
  adminGetItems, adminCreateItem, adminUpdateItem, adminDeleteItem, adminAwardCoins, adminShopStats
} = require('../controllers/shopController');
const { isGamificationEnabled } = require('../controllers/gamification/_shared');

/* Same kill-switch as gamification routes — shop is part of the gam loop. */
function shopGate(req, res, next) {
  if (req.path.startsWith('/admin/')) return next();
  if (!isGamificationEnabled()) {
    return res.status(404).json({ error: 'Gamification disabled' });
  }
  next();
}

const purchaseLimiter = rateLimit({ windowMs: 60_000, max: 10, message: 'Слишком много покупок, подождите минуту' });
const activateSchema  = { body: { type: { type: 'string', oneOf: ['frame', 'title', 'effect', 'background'] } } };
const adminItemSchema = { body: {
  name:  { type: 'string', required: true, minLen: 1, maxLen: 200 },
  type:  { type: 'string', required: true, oneOf: ['frame', 'title', 'effect', 'background'] },
  price: { type: 'number', required: true, min: 0 },
}};
const awardCoinsSchema = { body: {
  userId: { type: 'number', required: true, min: 1, integer: true },
  amount: { type: 'number', required: true, min: 1, integer: true },
}};

router.use(authMiddleware);
router.use(shopGate);

router.get('/items', getItems);
router.post('/items/:id/purchase', requirePermission('shop.purchase'), purchaseLimiter, purchaseItem);
router.get('/purchases', getPurchases);
router.get('/coins', getCoins);
router.get('/my-active', getMyActive);
router.post('/activate', validate(activateSchema), activateItem);

/* Admin routes — read/award/stats require shop.manage permission
   (admin always passes; teachers need explicit grant from permissions UI)
   Create/update/delete items remain admin-only (shop catalogue changes) */
router.get('/admin/items',        requirePermission('shop.manage'),           adminGetItems);
router.post('/admin/items',       requireRole('admin'), validate(adminItemSchema), adminCreateItem);
router.put('/admin/items/:id',    requireRole('admin'),                       adminUpdateItem);
router.delete('/admin/items/:id', requireRole('admin'),                       adminDeleteItem);
router.post('/admin/award-coins', requirePermission('shop.manage'), validate(awardCoinsSchema), adminAwardCoins);
router.get('/admin/stats',        requirePermission('shop.manage'),           adminShopStats);

module.exports = router;