fotospiel-app/routes/api.php

<?php

use App\Http\Controllers\Api\EventPublicController;
use App\Http\Controllers\Api\Tenant\EventController;
use App\Http\Controllers\Api\Tenant\SettingsController;
use App\Http\Controllers\Api\Tenant\TaskController;
use App\Http\Controllers\Api\Tenant\PhotoController;
use App\Http\Controllers\OAuthController;
use App\Http\Controllers\RevenueCatWebhookController;
use App\Http\Controllers\Api\PackageController;
use App\Http\Controllers\Api\TenantPackageController;
use Illuminate\Support\Facades\Route;

Route::prefix('v1')->name('api.v1.')->group(function () {
    Route::post('/webhooks/revenuecat', [RevenueCatWebhookController::class, 'handle'])
        ->middleware('throttle:60,1')
        ->name('webhooks.revenuecat');

    Route::middleware('throttle:oauth')->group(function () {
        Route::get('/oauth/authorize', [OAuthController::class, 'authorize'])->name('oauth.authorize');
        Route::post('/oauth/token', [OAuthController::class, 'token'])->name('oauth.token');
    });

    Route::middleware('throttle:100,1')->group(function () {
        Route::get('/events/{slug}', [EventPublicController::class, 'event'])->name('events.show');
        Route::get('/events/{slug}/stats', [EventPublicController::class, 'stats'])->name('events.stats');
        Route::get('/events/{slug}/achievements', [EventPublicController::class, 'achievements'])->name('events.achievements');
        Route::get('/events/{slug}/emotions', [EventPublicController::class, 'emotions'])->name('events.emotions');
        Route::get('/events/{slug}/tasks', [EventPublicController::class, 'tasks'])->name('events.tasks');
        Route::get('/events/{slug}/photos', [EventPublicController::class, 'photos'])->name('events.photos');
        Route::get('/photos/{id}', [EventPublicController::class, 'photo'])->name('photos.show');
        Route::post('/photos/{id}/like', [EventPublicController::class, 'like'])->name('photos.like');
        Route::post('/events/{slug}/upload', [EventPublicController::class, 'upload'])->name('events.upload');
    });

    Route::middleware(['tenant.token', 'tenant.isolation', 'throttle:tenant-api'])->prefix('tenant')->group(function () {
        Route::get('me', [OAuthController::class, 'me'])->name('tenant.me');

        Route::apiResource('events', EventController::class)
            ->only(['index', 'show', 'destroy'])
            ->parameters(['events' => 'event:slug']);

        Route::middleware('credit.check')->group(function () {
            Route::post('events', [EventController::class, 'store'])->name('tenant.events.store');
            Route::match(['put', 'patch'], 'events/{event:slug}', [EventController::class, 'update'])->name('tenant.events.update');
        });

        Route::prefix('events/{event:slug}')->group(function () {
            Route::get('stats', [EventController::class, 'stats'])->name('tenant.events.stats');
            Route::post('toggle', [EventController::class, 'toggle'])->name('tenant.events.toggle');
            Route::post('invites', [EventController::class, 'createInvite'])->name('tenant.events.invites');

            Route::get('photos', [PhotoController::class, 'index'])->name('tenant.events.photos.index');
            Route::post('photos', [PhotoController::class, 'store'])->name('tenant.events.photos.store');
            Route::get('photos/{photo}', [PhotoController::class, 'show'])->name('tenant.events.photos.show');
            Route::patch('photos/{photo}', [PhotoController::class, 'update'])->name('tenant.events.photos.update');
            Route::delete('photos/{photo}', [PhotoController::class, 'destroy'])->name('tenant.events.photos.destroy');
            Route::post('photos/{photo}/feature', [PhotoController::class, 'feature'])->name('tenant.events.photos.feature');
            Route::post('photos/{photo}/unfeature', [PhotoController::class, 'unfeature'])->name('tenant.events.photos.unfeature');
            Route::post('photos/bulk-approve', [PhotoController::class, 'bulkApprove'])->name('tenant.events.photos.bulk-approve');
            Route::post('photos/bulk-reject', [PhotoController::class, 'bulkReject'])->name('tenant.events.photos.bulk-reject');
            Route::get('photos/moderation', [PhotoController::class, 'forModeration'])->name('tenant.events.photos.for-moderation');
            Route::get('photos/stats', [PhotoController::class, 'stats'])->name('tenant.events.photos.stats');
        });

        Route::post('events/bulk-status', [EventController::class, 'bulkUpdateStatus'])->name('tenant.events.bulk-status');
        Route::get('events/search', [EventController::class, 'search'])->name('tenant.events.search');

        Route::apiResource('tasks', TaskController::class);
        Route::post('tasks/{task}/assign-event/{event}', [TaskController::class, 'assignToEvent'])
            ->name('tenant.tasks.assign-to-event');
        Route::post('tasks/bulk-assign-event/{event}', [TaskController::class, 'bulkAssignToEvent'])
            ->name('tenant.tasks.bulk-assign-to-event');
        Route::get('tasks/event/{event}', [TaskController::class, 'forEvent'])
            ->name('tenant.tasks.for-event');
        Route::get('tasks/collection/{collection}', [TaskController::class, 'fromCollection'])
            ->name('tenant.tasks.from-collection');

        Route::prefix('settings')->group(function () {
            Route::get('/', [SettingsController::class, 'index'])
                ->name('tenant.settings.index');
            Route::post('/', [SettingsController::class, 'update'])
                ->name('tenant.settings.update');
            Route::post('/reset', [SettingsController::class, 'reset'])
                ->name('tenant.settings.reset');
            Route::post('/validate-domain', [SettingsController::class, 'validateDomain'])
                ->name('tenant.settings.validate-domain');
        });

        Route::prefix('packages')->group(function () {
            Route::get('/', [PackageController::class, 'index'])->name('packages.index');
            Route::post('/purchase', [PackageController::class, 'purchase'])->name('packages.purchase');
        });

        Route::prefix('stripe')->group(function () {
            Route::post('/payment-intent', [StripeController::class, 'createPaymentIntent'])->name('stripe.payment-intent');
            Route::post('/subscription', [StripeController::class, 'createSubscription'])->name('stripe.subscription');
        });

        Route::prefix('tenant/packages')->group(function () {
            Route::get('/', [TenantPackageController::class, 'index'])->name('tenant.packages.index');
        });
    });

    // Stripe Webhook (no auth)
    Route::post('/stripe/webhook', [StripeWebhookController::class, 'handleWebhook'])
        ->name('stripe.webhook');
});