refactor: enforce domain validation and VO construction at system boundaries

Author: raphico

internal/db/device_repository.go

@@ -98,5 +98,15 @@ func (r *DeviceRepository) FindById(ctx context.Context, id device.DeviceID, use
 		return nil, fmt.Errorf("find device by id failed: %w", err)
 	}
 
-	return device.RehydrateDevice(deviceID, userID, name, deviceType, status, metadata, createdAt, updatedAt)
+	return device.RehydrateDevice(
+		device.DeviceID(deviceID),
+		user.UserID(userID),
+		name,
+		deviceType,
+		status,
+		metadata,
+		createdAt,
+		updatedAt,
+	)
+
 }

internal/db/token_repository.go

@@ -97,7 +97,7 @@ func (r *TokenRepository) FindValidTokenByHash(ctx context.Context, hash []byte,
 		return nil, fmt.Errorf("failed to find token: %w", err)
 	}
 
-	return token.RehydrateToken(id, dbHash, userID, dbScope, revoked, expiresAt, lastUsedAt, createdAt), nil
+	return token.RehydrateToken(token.TokenID(id), dbHash, userID, dbScope, revoked, expiresAt, lastUsedAt, createdAt), nil
 }
 
 func (r *TokenRepository) Revoke(ctx context.Context, scope string, hash []byte) error {

internal/db/user_repository.go

@@ -55,7 +55,7 @@ func (r *UserRepository) Create(ctx context.Context, u *user.User) error {
 	return nil
 }
 
-func (r *UserRepository) FindByEmail(ctx context.Context, email string) (*user.User, error) {
+func (r *UserRepository) FindByEmail(ctx context.Context, email user.Email) (*user.User, error) {
 	var (
 		id                   uuid.UUID
 		emailStr             string
@@ -70,7 +70,7 @@ func (r *UserRepository) FindByEmail(ctx context.Context, email string) (*user.U
 		WHERE users.email = $1
 	`
 
-	err := r.db.QueryRow(ctx, query, email).Scan(
+	err := r.db.QueryRow(ctx, query, email.String()).Scan(
 		&id,
 		&emailStr,
 		&usernameStr,
@@ -87,5 +87,5 @@ func (r *UserRepository) FindByEmail(ctx context.Context, email string) (*user.U
 		return nil, fmt.Errorf("failed to find user: %w", err)
 	}
 
-	return user.RehydrateUser(id, emailStr, usernameStr, passwordHash, createdAt, updatedAt)
+	return user.RehydrateUser(user.UserID(id), emailStr, usernameStr, passwordHash, createdAt, updatedAt)
 }

internal/domain/auth/service.go

@@ -19,12 +19,17 @@ func NewService(userService *user.Service, tokenService *token.Service) *Service
 	}
 }
 
-func (s *Service) Register(ctx context.Context, username, email, password string) (*user.User, error) {
+func (s *Service) Register(
+	ctx context.Context,
+	username user.Username,
+	email user.Email,
+	password user.Password,
+) (*user.User, error) {
 	return s.user.RegisterUser(ctx, username, email, password)
 }
 
-func (s *Service) Login(ctx context.Context, email, password string) (string, *token.Token, error) {
-	u, err := s.user.AuthenticateUser(ctx, email, password)
+func (s *Service) Login(ctx context.Context, email user.Email, rawPassword string) (string, *token.Token, error) {
+	u, err := s.user.AuthenticateUser(ctx, email, rawPassword)
 	if err != nil {
 		return "", nil, err
 	}

internal/domain/device/device.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/google/uuid"
 	"github.com/raphico/go-device-telemetry-api/internal/domain/user"
 )
 
@@ -20,38 +19,29 @@ type Device struct {
 	UpdatedAt  time.Time
 }
 
-func NewDevice(userId user.UserID, name, status, deviceType string, metadata map[string]any) (*Device, error) {
-	n, err := NewName(name)
-	if err != nil {
-		return nil, err
-	}
-
-	s, err := NewStatus(status)
-	if err != nil {
-		return nil, err
-	}
-
-	dt, err := NewDeviceType(deviceType)
-	if err != nil {
-		return nil, err
-	}
-
+func NewDevice(
+	userId user.UserID,
+	name Name,
+	status Status,
+	deviceType DeviceType,
+	metadata map[string]any,
+) *Device {
 	if metadata == nil {
 		metadata = make(map[string]any)
 	}
 
 	return &Device{
 		UserID:     userId,
-		Name:       n,
-		Status:     s,
-		DeviceType: dt,
+		Name:       name,
+		Status:     status,
+		DeviceType: deviceType,
 		Metadata:   metadata,
-	}, nil
+	}
 }
 
 func RehydrateDevice(
-	id uuid.UUID,
-	userID uuid.UUID,
+	id DeviceID,
+	userID user.UserID,
 	name string,
 	deviceType string,
 	status string,
@@ -85,8 +75,8 @@ func RehydrateDevice(
 	}
 
 	return &Device{
-		ID:         DeviceID(id),
-		UserID:     user.UserID(userID),
+		ID:         id,
+		UserID:     userID,
 		Name:       n,
 		Status:     s,
 		DeviceType: dt,

internal/domain/device/service.go

@@ -19,21 +19,18 @@ func NewService(repo Repository) *Service {
 func (s *Service) CreateDevice(
 	ctx context.Context,
 	userId user.UserID,
-	name,
-	status,
-	deviceType string,
+	name Name,
+	status Status,
+	deviceType DeviceType,
 	metadata map[string]any,
 ) (*Device, error) {
-	device, err := NewDevice(userId, name, status, deviceType, metadata)
-	if err != nil {
-		return nil, err
-	}
+	dev := NewDevice(userId, name, status, deviceType, metadata)
 
-	if err = s.repo.Create(ctx, device); err != nil {
+	if err := s.repo.Create(ctx, dev); err != nil {
 		return nil, err
 	}
 
-	return device, nil
+	return dev, nil
 }
 
 func (s *Service) GetDevice(ctx context.Context, id DeviceID, userId user.UserID) (*Device, error) {

internal/domain/token/token.go

@@ -50,7 +50,7 @@ func HashPlaintext(plaintext string) []byte {
 }
 
 func RehydrateToken(
-	id uuid.UUID,
+	id TokenID,
 	hash []byte,
 	userID user.UserID,
 	scope string,
@@ -60,7 +60,7 @@ func RehydrateToken(
 	createdAt time.Time,
 ) *Token {
 	return &Token{
-		ID:         TokenID(id),
+		ID:         id,
 		Hash:       hash,
 		UserID:     userID,
 		Scope:      scope,

internal/domain/user/password.go

@@ -31,18 +31,15 @@ func validatePassword(pw string) error {
 
 	var (
 		hasMinLen  = len(pw) >= 8
-		hasUpper   bool
-		hasLower   bool
+		hasLetter  bool
 		hasDigit   bool
 		hasSpecial bool
 	)
 
 	for _, c := range pw {
 		switch {
-		case unicode.IsUpper(c):
-			hasUpper = true
-		case unicode.IsLower(c):
-			hasLower = true
+		case unicode.IsLetter(c):
+			hasLetter = true
 		case unicode.IsDigit(c):
 			hasDigit = true
 		case unicode.IsSymbol(c) || unicode.IsPunct(c):
@@ -53,7 +50,7 @@ func validatePassword(pw string) error {
 	if !hasMinLen {
 		return ErrPasswordTooShort
 	}
-	if !hasUpper || !hasLower || !hasDigit || !hasSpecial {
+	if !hasLetter || !hasDigit || !hasSpecial {
 		return ErrPasswordTooWeak
 	}
 

internal/domain/user/repository.go

@@ -4,5 +4,5 @@ import "context"
 
 type Repository interface {
 	Create(ctx context.Context, u *User) error
-	FindByEmail(ctx context.Context, email string) (*User, error)
+	FindByEmail(ctx context.Context, email Email) (*User, error)
 }

internal/domain/user/service.go

@@ -14,11 +14,13 @@ func NewService(repo Repository) *Service {
 	}
 }
 
-func (s *Service) RegisterUser(ctx context.Context, username, email, password string) (*User, error) {
-	user, err := NewUser(email, username, password)
-	if err != nil {
-		return nil, err
-	}
+func (s *Service) RegisterUser(
+	ctx context.Context,
+	username Username,
+	email Email,
+	password Password,
+) (*User, error) {
+	user := NewUser(email, username, password)
 
 	if err := s.repo.Create(ctx, user); err != nil {
 		return nil, err
@@ -27,13 +29,13 @@ func (s *Service) RegisterUser(ctx context.Context, username, email, password st
 	return user, nil
 }
 
-func (s *Service) AuthenticateUser(ctx context.Context, email, password string) (*User, error) {
+func (s *Service) AuthenticateUser(ctx context.Context, email Email, rawPassword string) (*User, error) {
 	user, err := s.repo.FindByEmail(ctx, email)
 	if err != nil {
 		return nil, ErrInvalidCredentials
 	}
 
-	if matches := user.Password.Matches(password); !matches {
+	if matches := user.Password.Matches(rawPassword); !matches {
 		return nil, ErrInvalidCredentials
 	}