From 40042eb76c64d58fd172a4d36accfdadbf886e6a Mon Sep 17 00:00:00 2001
From: openclaw <openclaw@forgejo.local>
Date: Wed, 4 Mar 2026 16:59:39 +0000
Subject: [PATCH] feat: add secured contact exchange endpoints

---
 README.md                      |  1 +
 backend/src/routes/contacts.js | 97 ++++++++++++++++++++++++++++++++++
 backend/src/server.js          |  2 +
 3 files changed, 100 insertions(+)
 create mode 100644 backend/src/routes/contacts.js

diff --git a/README.md b/README.md
index 3f8b16b..960be80 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ Erster funktionaler Backend-Stand für die Vision:
 - Bewertungsgrundlage mit 2-14 Tage Prompt-Fenster (`/reviews/:dealId`)
 - Datenmodell inkl. postalischer Adress-Verifikation (`backend/sql/schema.sql`)
 - Address-Change-Flow mit Briefcode (`/addresses/change-request`, `/addresses/verify`)
+- Kontaktdatenaustausch nach Deal (`/contacts/request`, `/contacts/respond`, `/contacts/deal/:dealId`)
 
 ## Start
 
diff --git a/backend/src/routes/contacts.js b/backend/src/routes/contacts.js
new file mode 100644
index 0000000..3a7a246
--- /dev/null
+++ b/backend/src/routes/contacts.js
@@ -0,0 +1,97 @@
+import { Router } from 'express';
+import { z } from 'zod';
+import { pool } from '../db/connection.js';
+import { requireAuth } from '../middleware/auth.js';
+
+const router = Router();
+
+const getDealParticipants = async (dealId) => {
+  const [rows] = await pool.query(
+    `SELECT d.id, hr.requester_id, o.helper_id
+     FROM deals d
+     JOIN help_requests hr ON hr.id = d.request_id
+     JOIN offers o ON o.id = d.offer_id
+     WHERE d.id = ? LIMIT 1`,
+    [dealId]
+  );
+
+  return rows[0] || null;
+};
+
+router.post('/request', requireAuth, async (req, res) => {
+  const parsed = z.object({ dealId: z.number().int().positive(), targetUserId: z.number().int().positive() }).safeParse(req.body);
+  if (!parsed.success) return res.status(400).json({ error: parsed.error.flatten() });
+
+  const { dealId, targetUserId } = parsed.data;
+  const deal = await getDealParticipants(dealId);
+  if (!deal) return res.status(404).json({ error: 'Deal not found' });
+
+  const participants = [deal.requester_id, deal.helper_id];
+  if (!participants.includes(req.user.userId) || !participants.includes(targetUserId) || req.user.userId === targetUserId) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+
+  const [existing] = await pool.query(
+    `SELECT id FROM contact_exchange_requests
+     WHERE deal_id = ? AND requester_id = ? AND target_id = ? LIMIT 1`,
+    [dealId, req.user.userId, targetUserId]
+  );
+  if (existing.length) return res.status(409).json({ error: 'Request already exists' });
+
+  const [result] = await pool.query(
+    `INSERT INTO contact_exchange_requests (deal_id, requester_id, target_id, accepted)
+     VALUES (?, ?, ?, FALSE)`,
+    [dealId, req.user.userId, targetUserId]
+  );
+
+  res.status(201).json({ id: result.insertId });
+});
+
+router.post('/respond', requireAuth, async (req, res) => {
+  const parsed = z.object({ requestId: z.number().int().positive(), accept: z.boolean() }).safeParse(req.body);
+  if (!parsed.success) return res.status(400).json({ error: parsed.error.flatten() });
+
+  const { requestId, accept } = parsed.data;
+  const [rows] = await pool.query(
+    `SELECT id, target_id FROM contact_exchange_requests WHERE id = ? LIMIT 1`,
+    [requestId]
+  );
+
+  const row = rows[0];
+  if (!row) return res.status(404).json({ error: 'Request not found' });
+  if (row.target_id !== req.user.userId) return res.status(403).json({ error: 'Forbidden' });
+
+  if (accept) {
+    await pool.query('UPDATE contact_exchange_requests SET accepted = TRUE WHERE id = ?', [requestId]);
+    return res.json({ status: 'accepted' });
+  }
+
+  await pool.query('DELETE FROM contact_exchange_requests WHERE id = ?', [requestId]);
+  res.json({ status: 'rejected' });
+});
+
+router.get('/deal/:dealId', requireAuth, async (req, res) => {
+  const dealId = Number(req.params.dealId);
+  if (Number.isNaN(dealId)) return res.status(400).json({ error: 'Invalid dealId' });
+
+  const deal = await getDealParticipants(dealId);
+  if (!deal) return res.status(404).json({ error: 'Deal not found' });
+
+  const participants = [deal.requester_id, deal.helper_id];
+  if (!participants.includes(req.user.userId)) return res.status(403).json({ error: 'Forbidden' });
+
+  const [rows] = await pool.query(
+    `SELECT cer.id, cer.requester_id, cer.target_id, cer.accepted,
+            ru.phone_encrypted AS requester_phone_encrypted,
+            tu.phone_encrypted AS target_phone_encrypted
+     FROM contact_exchange_requests cer
+     JOIN users ru ON ru.id = cer.requester_id
+     JOIN users tu ON tu.id = cer.target_id
+     WHERE cer.deal_id = ? AND cer.accepted = TRUE`,
+    [dealId]
+  );
+
+  res.json(rows);
+});
+
+export default router;
diff --git a/backend/src/server.js b/backend/src/server.js
index 76e6e41..4667534 100644
--- a/backend/src/server.js
+++ b/backend/src/server.js
@@ -5,6 +5,7 @@ import helpRequestRoutes from './routes/helpRequests.js';
 import offerRoutes from './routes/offers.js';
 import reviewRoutes from './routes/reviews.js';
 import addressRoutes from './routes/addresses.js';
+import contactRoutes from './routes/contacts.js';
 
 dotenv.config();
 
@@ -18,6 +19,7 @@ app.use('/requests', helpRequestRoutes);
 app.use('/offers', offerRoutes);
 app.use('/reviews', reviewRoutes);
 app.use('/addresses', addressRoutes);
+app.use('/contacts', contactRoutes);
 
 const port = Number(process.env.PORT || 3000);
 app.listen(port, () => {