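import { randomUUID } from 'node:crypto';
import fs from 'fs';
import path from 'path';
import { Router } from 'express';
import multer from 'multer';
import { authenticate, requirePermission } from '../middleware/auth.js';
import * as gdprController from '../controllers/gdpr.controller.js';

/**
 * GDPR / data-protection routes.
 *
 * Every route below runs behind `authenticate` (see `router.use` further down).
 * Routes without an explicit `requirePermission` rely on an ownership / role
 * check inside the controller and are marked as such; those controllers are
 * not visible in this file — confirm each one really enforces the check before
 * exposing additional data through them.
 */
const router = Router();

// Storage location for uploaded power-of-attorney ("Vollmacht") PDFs.
// Resolved against the process working directory — this assumes the service is
// always started from the project root; TODO confirm, or make it configurable.
const uploadsDir = path.join(process.cwd(), 'uploads', 'authorizations');
// `recursive: true` is a no-op when the directory already exists, so the former
// existsSync() probe (a check-then-create race) is not needed.
fs.mkdirSync(uploadsDir, { recursive: true });

/**
 * Multer instance for power-of-attorney uploads: one PDF, at most 10 MiB.
 *
 * Security notes:
 * - `file.mimetype` comes from the multipart part's Content-Type header, i.e.
 *   it is client-controlled. The filter is a first line of defence only; the
 *   controller that consumes the upload should additionally verify the stored
 *   file starts with the `%PDF-` magic bytes before trusting it.
 * - The on-disk name is never derived from `file.originalname`: the extension
 *   is fixed to `.pdf` and the unique part comes from a CSPRNG. Previously the
 *   client-supplied extension was copied verbatim, so a part declaring
 *   `application/pdf` but named `x.html` landed as `vollmacht-….html` — a
 *   stored-XSS risk should `uploads/` ever be served statically.
 */
const authUpload = multer({
  storage: multer.diskStorage({
    destination: (_req, _file, cb) => cb(null, uploadsDir),
    filename: (_req, _file, cb) => {
      // Timestamp kept for human-readable ordering; the UUID supplies the
      // unpredictable part (Math.random() is not a CSPRNG).
      cb(null, `vollmacht-${Date.now()}-${randomUUID()}.pdf`);
    },
  }),
  fileFilter: (_req, file, cb) => {
    const declaresPdf = file.mimetype === 'application/pdf';
    // Require the `.pdf` extension too; both signals are client-controlled,
    // but demanding agreement rejects the trivial mismatch cases.
    const namedPdf = path.extname(file.originalname || '').toLowerCase() === '.pdf';
    if (declaresPdf && namedPdf) {
      cb(null, true);
    } else {
      cb(new Error('Nur PDF-Dateien sind erlaubt'));
    }
  },
  limits: { fileSize: 10 * 1024 * 1024 },
});

// Every route requires an authenticated caller.
router.use(authenticate);

// Dashboard statistics
router.get('/dashboard', requirePermission('gdpr:admin'), gdprController.getDashboardStats);

// Export customer data (GDPR Art. 15)
router.get('/customer/:customerId/export', requirePermission('gdpr:export'), gdprController.exportCustomerData);

// Deletion requests
router.get('/deletions', requirePermission('gdpr:admin'), gdprController.getDeletionRequests);
router.get('/deletions/:id', requirePermission('gdpr:admin'), gdprController.getDeletionRequest);
router.post('/deletions', requirePermission('gdpr:delete'), gdprController.createDeletionRequest);
router.put('/deletions/:id/process', requirePermission('gdpr:admin'), gdprController.processDeletionRequest);

// Consents
router.get('/customer/:customerId/consent-status', requirePermission('customers:read'), gdprController.checkConsentStatus);
router.get('/customer/:customerId/consents', requirePermission('customers:read'), gdprController.getCustomerConsents);
// Consent update: `authenticate` only. The controller is expected to allow
// portal users to act solely on their own `customerId`; with no route-level
// permission this is the single control — verify it in the controller.
router.put('/customer/:customerId/consents/:consentType', gdprController.updateCustomerConsent);
router.get('/consents/overview', requirePermission('gdpr:admin'), gdprController.getConsentOverview);

// Privacy policy (editor)
router.get('/privacy-policy', requirePermission('gdpr:admin'), gdprController.getPrivacyPolicy);
router.put('/privacy-policy', requirePermission('gdpr:admin'), gdprController.updatePrivacyPolicy);

// Power-of-attorney template (editor)
router.get('/authorization-template', requirePermission('gdpr:admin'), gdprController.getAuthorizationTemplate);
router.put('/authorization-template', requirePermission('gdpr:admin'), gdprController.updateAuthorizationTemplate);

// Legal notice / imprint (editor + portal display). GET is readable by any
// authenticated user by design; writes stay admin-only.
router.get('/imprint', gdprController.getImprint);
router.put('/imprint', requirePermission('gdpr:admin'), gdprController.updateImprint);

// Website privacy policy (editor + portal display) — same split as the imprint.
router.get('/website-privacy-policy', gdprController.getWebsitePrivacyPolicy);
router.put('/website-privacy-policy', requirePermission('gdpr:admin'), gdprController.updateWebsitePrivacyPolicy);

// Send consent link
router.post('/customer/:customerId/send-consent-link', requirePermission('customers:update'), gdprController.sendConsentLink);

// Portal: the caller's own privacy page (`authenticate` only; the controller
// must scope all lookups to the authenticated user).
router.get('/my-privacy', gdprController.getMyPrivacy);
router.get('/my-privacy/pdf', gdprController.getMyPrivacyPdf);
router.get('/my-consent-status', gdprController.getMyConsentStatus);

// Powers of attorney (admin side)
router.get('/customer/:customerId/authorizations', requirePermission('customers:read'), gdprController.getAuthorizations);
router.post('/customer/:customerId/authorizations/:representativeId/send', requirePermission('customers:update'), gdprController.sendAuthorizationRequest);
router.post('/customer/:customerId/authorizations/:representativeId/grant', requirePermission('customers:update'), gdprController.grantAuthorization);
router.post('/customer/:customerId/authorizations/:representativeId/withdraw', requirePermission('customers:update'), gdprController.withdrawAuthorization);
// Permission check runs before multer so unauthorised callers never get a
// file written to disk. The field name must be `document`.
router.post('/customer/:customerId/authorizations/:representativeId/upload', requirePermission('customers:update'), authUpload.single('document'), gdprController.uploadAuthorizationDocument);
router.delete('/customer/:customerId/authorizations/:representativeId/document', requirePermission('customers:update'), gdprController.deleteAuthorizationDocument);

// Portal: the caller's own powers of attorney (`authenticate` only; the
// controller must scope to the authenticated user).
router.get('/my-authorizations', gdprController.getMyAuthorizations);
router.put('/my-authorizations/:representativeId', gdprController.toggleMyAuthorization);
router.get('/my-authorization-status', gdprController.getMyAuthorizationStatus);

export default router;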