UPDATE: Change auth logic

internal/services/authService.go

@@ -38,7 +38,7 @@ type AuthService interface {
 	VerifyToken(ctx context.Context, dto *request.VerifyTokenDto) (*response.VerifyTokenResponse, error)
 	CreateToken(ctx context.Context, dto *request.CreateTokenDto) error
 	SigninWithGoogle(ctx context.Context, dto *request.SigninWithGoogleDto) (*response.AuthResponse, error)
-	RefreshToken(ctx context.Context, id string) (*response.AuthResponse, error)
+	RefreshToken(ctx context.Context, id string, refreshToken string) (*response.AuthResponse, error)
 }
 
 type authService struct {
@@ -203,7 +203,7 @@ func (a *authService) Logout(ctx context.Context, userId string) error {
 	return nil
 }
 
-func (a *authService) RefreshToken(ctx context.Context, id string) (*response.AuthResponse, error) {
+func (a *authService) RefreshToken(ctx context.Context, id string, refreshToken string) (*response.AuthResponse, error) {
 	var pgID pgtype.UUID
 	err := pgID.Scan(id)
 	if err != nil {
@@ -213,6 +213,11 @@ func (a *authService) RefreshToken(ctx context.Context, id string) (*response.Au
 	if err != nil {
 		return nil, fiber.NewError(fiber.StatusInternalServerError, "Invalid user data")
 	}
+
+	if user.RefreshToken != refreshToken {
+		return nil, fiber.NewError(fiber.StatusUnauthorized, "Invalid refresh token")
+	}
+
 	roles := models.RolesEntityToRoleConstant(user.Roles)
 
 	if slices.Contains(roles, constants.BANNED) {

internal/services/mediaService.go

@@ -32,6 +32,7 @@ type MediaService interface {
 	GetMediaByUserID(ctx context.Context, userId string) ([]*response.MediaResponse, error)
 	SearchMedia(ctx context.Context, dto *request.SearchMediaDto) (*response.PaginatedResponse, error)
 	DeleteMedia(ctx context.Context, claims *response.JWTClaims, mediaId string) error
+	BulkDeleteMedia(ctx context.Context, claims *response.JWTClaims, dto *request.MediaBulkDeleteDto) error
 	UploadServerSide(ctx context.Context, userId string, fileHeader *multipart.FileHeader) (*response.MediaResponse, error)
 	GeneratePresignedURL(ctx context.Context, userId string, dto *request.PreSignedDto) (*response.PreSignedResponse, error)
 	PreSignedCompleted(ctx context.Context, userId string, dto *request.PreSignedCompleteDto) (*response.MediaResponse, error)
@@ -88,6 +89,39 @@ func (m *mediaService) DeleteMedia(ctx context.Context, claims *response.JWTClai
 	return nil
 }
 
+func (m *mediaService) BulkDeleteMedia(ctx context.Context, claims *response.JWTClaims, dto *request.MediaBulkDeleteDto) error {
+	listMedia, err := m.mediaRepo.GetByIDs(ctx, dto.MediaIDs)
+	if err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+	shoudDelete := false
+	if slices.Contains(claims.Roles, constants.ADMIN) || slices.Contains(claims.Roles, constants.MOD) {
+		shoudDelete = true
+	}
+	listMediaIds := make([]pgtype.UUID, len(listMedia))
+	listMediaStorageEntities := make([]*models.MediaStorageEntity, len(listMedia))
+	for _, media := range listMedia {
+		if media.UserID != claims.UId && !shoudDelete {
+			return fiber.NewError(fiber.StatusForbidden, "You don't have permission to delete this media")
+		}
+		id, err := convert.StringToUUID(media.ID)
+		if err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		}
+		listMediaIds = append(listMediaIds, id)
+		listMediaStorageEntities = append(listMediaStorageEntities, media.ToStorageEntity())
+	}
+
+	err = m.mediaRepo.BulkDelete(ctx, listMediaIds)
+	if err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	m.c.PublishTask(ctx, constants.StreamStorageName, constants.TaskTypeBulkDeleteMedia, listMediaStorageEntities)
+
+	return nil
+}
+
 func (m *mediaService) GetMediaByID(ctx context.Context, id string) (*response.MediaResponse, error) {
 	mediaId, err := convert.StringToUUID(id)
 	if err != nil {