crm-server/src/routes/timesheet.routes.js
richardtekula a4a81ef88e feat: Multi-feature CRM update
- Add team_leader role with appropriate permissions
- Add lastSeen timestamp for chat online indicator
- Add needsFollowup flag to ucastnici table
- Add getTodayCalendarCount endpoint for calendar badge
- Add company reminders to calendar data
- Enhance company search to include phone and contacts
- Update routes to allow team_leader access to kurzy, services, timesheets

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 17:23:57 +01:00


import express from 'express';
import * as timesheetController from '../controllers/timesheet.controller.js';
import { authenticate } from '../middlewares/auth/authMiddleware.js';
import { requireTeamLeaderOrAdmin } from '../middlewares/auth/roleMiddleware.js';
import { validateBody, validateParams } from '../middlewares/security/validateInput.js';
import { z } from 'zod';
import { createUpload } from '../config/upload.js';
const router = express.Router();

// MIME types accepted for timesheet uploads: PDF, .xlsx and legacy .xls.
// NOTE(review): createUpload lives in ../config/upload.js and is not visible
// here. Confirm whether it matches these against the client-declared
// Content-Type only or also inspects the file content; a declared type alone
// is caller-controlled.
const allowedTimesheetTypes = [
  'application/pdf',
  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
  'application/vnd.ms-excel',
];

// Upload middleware factory result used by the upload route. maxSizeMB: 5 is
// presumably a per-file size cap and errorMessage the text returned when the
// type check fails; both are interpreted by createUpload.
const upload = createUpload({
  maxSizeMB: 5,
  allowedTypes: allowedTimesheetTypes,
  errorMessage: 'Neplatný typ súboru. Povolené sú iba PDF a Excel súbory.',
});

/**
 * All timesheet routes require authentication.
 * Registered before any route so that every handler on this router runs
 * behind `authenticate`; role and ownership checks are separate concerns.
 */
router.use(authenticate);
/**
 * Upload timesheet
 * POST /api/timesheets/upload
 *
 * Middleware order: upload.single('file') handles the 'file' field first, then
 * the remaining body fields are validated, then the controller runs.
 * NOTE(review): because the file is handled before field validation, confirm
 * that a request rejected by validateBody does not leave a stored file behind.
 */
const uploadBodySchema = z.object({
  // Validated as strings: four digits for the year, 1-12 without a leading
  // zero for the month.
  year: z.string().regex(/^\d{4}$/, 'Rok musí byť 4-miestne číslo'),
  month: z.string().regex(/^([1-9]|1[0-2])$/, 'Mesiac musí byť číslo od 1 do 12'),
  // Optional: admin can upload for other users.
  // NOTE(review): this route has no role middleware, so any authenticated
  // caller can send userId. The restriction to privileged roles has to be
  // enforced inside uploadTimesheet, which is not visible here; confirm.
  userId: z.string().uuid().optional(),
});

router.post(
  '/upload',
  upload.single('file'),
  validateBody(uploadBodySchema),
  timesheetController.uploadTimesheet
);
/**
 * Get the authenticated user's timesheets
 * GET /api/timesheets/my
 *
 * No role middleware: available to any caller that passed `authenticate`.
 */
router.get('/my', timesheetController.getMyTimesheets);
/**
 * Get all timesheets (team leader or admin)
 * GET /api/timesheets/all
 *
 * Guarded by requireTeamLeaderOrAdmin, so access is not limited to admins.
 * NOTE(review): whether a team leader sees every user's timesheets or only a
 * subset is decided in getAllTimesheets, which is not visible here.
 */
router.get('/all', requireTeamLeaderOrAdmin, timesheetController.getAllTimesheets);
/**
 * Download timesheet
 * GET /api/timesheets/:timesheetId/download
 *
 * The checks applied at the route level are authentication (router-wide) and
 * the UUID format of timesheetId.
 * NOTE(review): no role or ownership middleware is attached, so the decision
 * whether the caller may read this particular timesheet has to be made in
 * downloadTimesheet, which is not visible here; confirm it compares the
 * record's owner with the authenticated user or checks for a privileged role.
 */
const downloadParamsSchema = z.object({ timesheetId: z.string().uuid() });

router.get(
  '/:timesheetId/download',
  validateParams(downloadParamsSchema),
  timesheetController.downloadTimesheet
);
/**
 * Delete timesheet
 * DELETE /api/timesheets/:timesheetId
 *
 * The checks applied at the route level are authentication (router-wide) and
 * the UUID format of timesheetId.
 * NOTE(review): no role or ownership middleware is attached, so the decision
 * whether the caller may delete this particular timesheet has to be made in
 * deleteTimesheet, which is not visible here; confirm.
 */
const deleteParamsSchema = z.object({ timesheetId: z.string().uuid() });

router.delete(
  '/:timesheetId',
  validateParams(deleteParamsSchema),
  timesheetController.deleteTimesheet
);

export default router;