refactor: extract room creation logic into a dedicated service (#150)

[cannonerd007]

Hi @M4dhav! I saw the proposal for refactoring the room creation logic and decided to tackle it since the issue had been open for a few days.

In this PR, I've decoupled the business logic from the create-room controller in functions/create-room/src/main.js. Following the suggested service/use-case pattern, I extracted the core responsibilities—like generating room metadata, handling LiveKit integration, and persisting data in Appwrite—into a standalone service layer. This makes the main entry point much cleaner by focusing it strictly on request and response handling.

I've ensured this is a non-breaking change and kept the existing input/output signatures intact. This should provide a much better foundation for testing and scaling the room management logic moving forward.

Summary by CodeRabbit

• New Features

  • OTP requests now enforce 60-second rate limiting and send secure 6‑digit OTPs via SMTP.

• Improvements

  • Room creation flow refactored for more reliable and consistent room provisioning.

• Chores

  • Updated package dependencies and streamlined backend configuration, reducing unused services and simplifying manifests.

• Documentation

  • OTP function README updated with feature-focused usage and simplified configuration.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The manifest was reduced from many resources to a minimal single-function project (projectId updated). A RoomCreationService was added and create-room refactored to use it. A new send-otp function was introduced with OTP generation, 60s rate limiting, SMTP delivery, and Appwrite user timestamp management.

Changes

Cohort / File(s)	Summary
Configuration & Manifest appwrite.json	Replaced large multi-resource manifest with a minimal manifest containing only the send-otp function; updated projectId to 6968ad380036f9106f75.
Room Creation Refactor functions/create-room/src/main.js, functions/create-room/src/room-creation-service.js	Added RoomCreationService; main.js delegates room creation to the service, centralizes validation, and returns the service result (livekitRoom, socketUrl, accessToken, appwriteRoomId).
Send-OTP: repo & style functions/send-otp/.gitignore, functions/send-otp/.prettierrc.json, functions/send-otp/README.md	Added standard .gitignore, Prettier config, and updated README describing OTP features, env vars, and runtime/entrypoint simplification.
Send-OTP: deps & package functions/send-otp/package.json	Replaced package.json content (project name changed to starter-template); bumped node-appwrite to ^20.3.0, nodemailer to ^7.0.12; removed start script, kept format script.
Send-OTP: Appwrite integration functions/send-otp/src/appwrite.js	Added Query import; added getUserByEmail(email) and updateUserLastOtpSent(userId,timestamp); createOtpDocument now includes recipient email.
Send-OTP: function logic functions/send-otp/src/main.js	Added 60s rate-limiting check using getUserByEmail; generates 6-digit OTP, sends via SMTP, creates OTP document with email and date, updates last_otp_sent, and returns 429 when rate limited; expanded env var validation and error handling.

Sequence Diagrams

sequenceDiagram
    participant Client
    participant CreateRoom as create-room<br/>Function
    participant RoomService as RoomCreationService
    participant AppwriteService
    participant LiveKitService

    Client->>CreateRoom: POST /create-room with details
    CreateRoom->>CreateRoom: Parse & validate request
    CreateRoom->>RoomService: createRoom(details)
    RoomService->>AppwriteService: create room document (metadata)
    AppwriteService-->>RoomService: appwriteRoomId
    RoomService->>LiveKitService: create LiveKit room (name=appwriteRoomId, emptyTimeout=300)
    LiveKitService-->>RoomService: livekitRoom
    RoomService->>LiveKitService: generate access token (admin)
    LiveKitService-->>RoomService: accessToken
    RoomService-->>CreateRoom: { livekitRoom, livekitSocketUrl, accessToken, appwriteRoomId }
    CreateRoom-->>Client: 200 + room details

Loading

sequenceDiagram
    participant Client
    participant SendOTP as send-otp<br/>Function
    participant AppwriteService
    participant SMTP as EmailService

    Client->>SendOTP: POST /send-otp { email }
    SendOTP->>AppwriteService: getUserByEmail(email)
    AppwriteService-->>SendOTP: user doc or null
    SendOTP->>SendOTP: check last_otp_sent (rate limiter)
    alt last_otp_sent within 60s
        SendOTP-->>Client: 429 + wait message
    else allowed
        SendOTP->>SendOTP: generate 6-digit OTP
        SendOTP->>SMTP: send email with OTP
        SMTP-->>SendOTP: success/failure
        SendOTP->>AppwriteService: createOtpDocument(otpId, otp, recipientEmail, date)
        AppwriteService-->>SendOTP: created otp doc
        SendOTP->>AppwriteService: updateUserLastOtpSent(userId, timestamp)
        AppwriteService-->>SendOTP: update result
        SendOTP-->>Client: 200 + success
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Add Config and Functions related to Chat Functionality Integration #90 — Modifies the same Appwrite manifest and send-otp function files; likely overlaps with manifest and function definition changes.

Suggested labels

enhancement

Poem

🐰 Hopped through code with nimble feet,
I stitched a service, tidy and neat.
OTPs sent, rate limits guard the way,
Rooms stand up when users play,
A carrot-cheer for cleaner day! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main objective: extracting room creation logic into a dedicated service, which aligns with the primary changes in the create-room function.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@appwrite.json`:
- Around line 2-27: The appwrite.json manifest only lists the "send-otp"
function but must include every function you intend to deploy (e.g.,
create-room, delete-room, join-room, livekit-webhook, match-maker, verify-otp,
verify-email, etc.) or explicitly omit them; update the "functions" array in
appwrite.json to restore entries for each function directory documented in the
README (matching their $id, name, runtime, entrypoint, path, scopes, timeout,
enabled, and other metadata) or remove unused function dirs and update README to
match—ensure the function names in the manifest exactly match the filesystem
directories and README to keep appwrite push functions in sync.

In `@functions/send-otp/src/appwrite.js`:
- Around line 27-40: The createOtpDocument currently only saves otp and date
while getUserByEmail queries for email, so update the createOtpDocument function
signature to accept an email parameter and include an email field in the
document payload when calling this.databases.createDocument (refer to
createOtpDocument), then update the caller in main.js that invokes
createOtpDocument (around the OTP creation call) to pass the user's email so
getUserByEmail and rate-limiting work correctly.

In `@functions/send-otp/src/main.js`:
- Around line 22-39: The rate-limit check in send-otp's main function
incorrectly skips when appwrite.getUserByEmail returns null; update the logic to
ensure rate limiting for all emails by attempting to read-or-create/upsert a
per-email rate record (use the same identifier used in getUserByEmail) before
checking last_otp_sent, i.e., call appwrite.getUserByEmail(email) and if null
create or upsert a minimal record with last_otp_sent = 0 (or set a last_otp_sent
field) then perform the existing timestamp comparison against that record's
last_otp_sent and persist the updated last_otp_sent after sending the OTP;
reference appwrite.getUserByEmail and the last_otp_sent field so the rate-limit
applies even for new users.

🧹 Nitpick comments (5)

functions/send-otp/src/appwrite.js (1)

42-56: Silent failure may hide persistent rate-limiting failures.

The updateUserLastOtpSent method logs errors but silently continues. While the comment says this is "non-critical," if updates consistently fail (e.g., due to schema mismatch or permissions), the rate-limiting feature will never work and you won't get alerted beyond console logs.

Consider tracking or alerting on repeated failures to detect misconfiguration early.

functions/send-otp/src/main.js (2)

51-59: Redundant try-catch block.

updateUserLastOtpSent already contains its own try-catch that logs errors and doesn't rethrow. This outer try-catch will never catch anything from that method call, making it unnecessary.

♻️ Suggested simplification

         // Update last_otp_sent timestamp in user document
         if (userDoc) {
-            try {
-                await appwrite.updateUserLastOtpSent(userDoc.$id, new Date().toISOString());
-            } catch (updateError) {
-                // Log error but don't fail the request if timestamp update fails
-                log(`Warning: Failed to update last_otp_sent timestamp: ${updateError}`);
-            }
+            await appwrite.updateUserLastOtpSent(userDoc.$id, new Date().toISOString());
         }

---

41-41: Consider using cryptographically secure random number generation.

Math.random() is not cryptographically secure. While it's often acceptable for 6-digit OTPs, using crypto.randomInt provides better security guarantees.

♻️ Suggested improvement

+import { randomInt } from 'crypto';
+
-        const otp = String(Math.floor(100000 + Math.random() * 900000));
+        const otp = String(randomInt(100000, 1000000));

functions/send-otp/package.json (2)

2-4: Package name and description should be updated.

The package name "starter-template" doesn't reflect the actual function. Consider updating to "send-otp" or a similar descriptive name, and adding a meaningful description.

♻️ Suggested fix

 {
-  "name": "starter-template",
+  "name": "send-otp",
   "version": "1.0.0",
-  "description": "",
+  "description": "Appwrite function for sending OTP via email with rate limiting",

---

10-13: Consider upgrading node-appwrite to the latest version.

nodemailer@^7.0.12 is current and has no known security issues. However, node-appwrite@^20.3.0 is outdated; the latest available version is 21.1.0. Both versions are currently not deprecated and show no security advisories. If upgrading node-appwrite to 21.1.0, verify compatibility with your code since it's a major version bump.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "appwrite.json" -type f

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 86

---

🏁 Script executed:

# Check if appwrite.json exists and read its full content
if [ -f "appwrite.json" ]; then
  echo "=== Full appwrite.json ===" 
  cat -n appwrite.json
else
  echo "appwrite.json not found"
fi

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 1077

---

🏁 Script executed:

# Check for git history of appwrite.json to see if functions were removed
git log --oneline appwrite.json 2>/dev/null | head -20

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 142

---

🏁 Script executed:

# Search for any function definitions or references to create-room or other functions
rg "create-room|function" --type json --type js --type yaml -i 2>/dev/null | head -30

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 2989

---

🏁 Script executed:

# Get git diff for appwrite.json to see what changed
git show HEAD:appwrite.json 2>/dev/null || echo "Failed to get HEAD version"

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 847

---

🏁 Script executed:

# Check git diff for appwrite.json to see recent changes
git diff HEAD~1 appwrite.json 2>/dev/null | head -100

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 53

---

🏁 Script executed:

# List all function directories that exist in the project
ls -la functions/ | grep "^d"

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 1267

---

🏁 Script executed:

# Check if there's a create-room directory
find ./functions -maxdepth 1 -name "*create-room*" -o -name "*room*" 2>/dev/null

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 140

---

🏁 Script executed:

# Check README and any documentation about appwrite.json
find . -maxdepth 2 -type f \( -name "README*" -o -name "*.md" \) | head -5

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 82

---

🏁 Script executed:

# Check if there's recent history changes to appwrite.json
git log --oneline appwrite.json 2>/dev/null | head -10

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 142

---

🏁 Script executed:

# Look for deployment or setup scripts that reference appwrite.json
rg "appwrite.json" --type sh --type js --type md -l 2>/dev/null

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 78

---

🏁 Script executed:

# Check git history of appwrite.json - show more context
git log -p appwrite.json 2>/dev/null | head -200

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 53

---

🏁 Script executed:

# Read README to understand appwrite.json usage
cat README.md | head -100

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 2475

---

🏁 Script executed:

# Check init.sh to see how appwrite.json is used in deployment
cat init.sh

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 8401

---

🏁 Script executed:

# Check if there's any indication of what appwrite.json is used for
rg "deploy|appwrite" README.md

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 291

---

🏁 Script executed:

# Search for documentation or comments about how appwrite.json and functions are deployed
rg "appwrite.*push.*functions|push.*functions" --type sh --type md -B 2 -A 2

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 462

---

🏁 Script executed:

# Check if there's any .appwriterc or similar config file
find . -maxdepth 2 -type f -name ".appwrite*" -o -name "appwrite*" | grep -v node_modules | grep -v ".git"

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 86

---

🌐 Web query:

Appwrite CLI push functions behavior appwrite.json source of truth

💡 Result:

appwrite push functions treats your local CLI config file as the deployment “source of truth”—it reads function metadata (like path, entrypoint, commands, etc.) from the config file in your repo and deploys what’s on disk. Appwrite’s current docs consistently refer to this file as appwrite.config.json and instruct you to edit it to change deployment settings (project/endpoint, function path/entrypoint, etc.). [1][2]

Key behaviors:

• Push is one-way (local → server): you change code/config locally, then run appwrite push functions to deploy those changes. [2][1]
• Pull is the opposite (server → local): appwrite pull functions pulls existing function definitions into your local appwrite.config.json. If you want the server state to become your local baseline, you pull first, then commit the resulting config. [2]
• If you’re thinking “appwrite.json”: that’s legacy. Older/archived CLI materials and the old CLI repo describe an appwrite.json manifest created by init and used for deployments. Newer CLI documentation has moved to appwrite.config.json. [3][2]
• No VCS commits happen: push deploys to Appwrite; it doesn’t create Git commits or push anything to GitHub for you. [4]

So, for today’s CLI, treat appwrite.config.json as the authoritative local manifest for what gets deployed, and use pull when you want to update that manifest from what currently exists on the Appwrite server. [2][1]

Sources:
[1] Appwrite Docs – Deploy manually (Functions + CLI config via appwrite.config.json)
[2] Appwrite Docs – CLI Functions (pull/push expects appwrite.config.json)
[3] Appwrite GitHub – sdk-for-cli README (legacy appwrite.json)
[4] Appwrite Threads – “appwrite push functions doesn’t commit?”

---

Manifest is incomplete and out of sync with documented functions.

The appwrite.json file currently declares only send-otp, but the README documents at least 10 functions (create-room, delete-room, join-room, livekit-webhook, match-maker, send-otp, verify-otp, verify-email, and others), and the filesystem contains 16+ function directories. Since appwrite push functions uses this manifest as the deployment source of truth, functions not listed will not be deployed. Either restore the missing function entries or confirm these functions are intentionally not part of this deployment configuration.

🤖 Prompt for AI Agents

In `@appwrite.json` around lines 2 - 27, The appwrite.json manifest only lists the
"send-otp" function but must include every function you intend to deploy (e.g.,
create-room, delete-room, join-room, livekit-webhook, match-maker, verify-otp,
verify-email, etc.) or explicitly omit them; update the "functions" array in
appwrite.json to restore entries for each function directory documented in the
README (matching their $id, name, runtime, entrypoint, path, scopes, timeout,
enabled, and other metadata) or remove unused function dirs and update README to
match—ensure the function names in the manifest exactly match the filesystem
directories and README to keep appwrite push functions in sync.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

rg -n "createOtpDocument|OTP_COLLECTION_ID|email.*otp|last_otp_sent" --type js

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 1709

---

🏁 Script executed:

cat -n functions/send-otp/src/appwrite.js | sed -n '15,60p'

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 1781

---

🏁 Script executed:

cat -n functions/send-otp/src/main.js | sed -n '20,60p'

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 2053

---

🏁 Script executed:

cat -n functions/verify-otp/src/appwrite.js | head -40

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 139

---

🏁 Script executed:

ls -la functions/verify-otp/src/ && echo "---" && grep -rn "email" functions/send-otp/src/appwrite.js

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 467

---

🏁 Script executed:

# Check if there are any other OTP document creation patterns or if email should be added to createOtpDocument
rg -B3 -A3 "createOtpDocument" --type js

Repository: AOSSIE-Org/Resonate-Backend

Length of output: 1027

---

Email field missing from OTP documents breaks rate-limiting functionality.

The createOtpDocument method (lines 15-25) only stores otp and date fields, but getUserByEmail (line 32) queries for an email field that is never created. This causes getUserByEmail to always return null, making the rate-limiting check in main.js ineffective.

To fix this, add the email parameter to createOtpDocument and store it in the document:

async createOtpDocument(otpId, otp, email, date) {
    await this.databases.createDocument(
        process.env.VERIFICATION_DATABASE_ID,
        process.env.OTP_COLLECTION_ID,
        otpId,
        {
            email,      // Add this
            otp,
            date
        }
    );
}

Then update the call in main.js (line 49) to pass the email parameter.

🤖 Prompt for AI Agents

In `@functions/send-otp/src/appwrite.js` around lines 27 - 40, The
createOtpDocument currently only saves otp and date while getUserByEmail queries
for email, so update the createOtpDocument function signature to accept an email
parameter and include an email field in the document payload when calling
this.databases.createDocument (refer to createOtpDocument), then update the
caller in main.js that invokes createOtpDocument (around the OTP creation call)
to pass the user's email so getUserByEmail and rate-limiting work correctly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Rate limiting bypassed when user document doesn't exist.

If getUserByEmail returns null (user not found or error), the rate-limiting check is completely bypassed. Combined with the schema concern in appwrite.js, this could mean rate limiting never applies.

Additionally, new users without an existing document can request unlimited OTPs until their first document is created. Consider creating/upserting a rate-limit record for all email addresses, not just existing ones.

🤖 Prompt for AI Agents

In `@functions/send-otp/src/main.js` around lines 22 - 39, The rate-limit check in
send-otp's main function incorrectly skips when appwrite.getUserByEmail returns
null; update the logic to ensure rate limiting for all emails by attempting to
read-or-create/upsert a per-email rate record (use the same identifier used in
getUserByEmail) before checking last_otp_sent, i.e., call
appwrite.getUserByEmail(email) and if null create or upsert a minimal record
with last_otp_sent = 0 (or set a last_otp_sent field) then perform the existing
timestamp comparison against that record's last_otp_sent and persist the updated
last_otp_sent after sending the OTP; reference appwrite.getUserByEmail and the
last_otp_sent field so the rate-limit applies even for new users.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

functions/send-otp/src/appwrite.js (1)

15-26: Critical: email parameter missing from function signature causes ReferenceError.

The function signature on line 15 is createOtpDocument(otpId, otp, date) but line 21 references an email variable that is not defined. This will throw a ReferenceError at runtime.

Additionally, main.js line 49 calls this function with 4 arguments: createOtpDocument(otpID, otp, recipientEmail, currentDate), but the signature only accepts 3 parameters.

🐛 Proposed fix

-    async createOtpDocument(otpId, otp, date) {
+    async createOtpDocument(otpId, otp, email, date) {
         await this.databases.createDocument(
             process.env.VERIFICATION_DATABASE_ID,
             process.env.OTP_COLLECTION_ID,
             otpId,
             {
                 email,
                 otp,
                 date
             }
         );
     }

♻️ Duplicate comments (1)

functions/send-otp/src/main.js (1)

22-39: Rate limiting bypassed for new email addresses.

When getUserByEmail returns null (first OTP request for an email), rate limiting is skipped entirely. Additionally, updateUserLastOtpSent on line 54 is only called when userDoc exists, so new emails never get a timestamp recorded. This allows unlimited OTP requests for any email until a document with that email already exists from a previous request.

Since createOtpDocument now stores the email (once the signature is fixed), subsequent requests should find it via getUserByEmail. However, a race condition exists where rapid requests before the first document is created can bypass rate limiting.

🔧 Suggested approach

Consider creating the OTP document first (with a placeholder or initial timestamp), then checking rate limits based on that document's existence and timestamp. Alternatively, use an atomic "create-if-not-exists" pattern or leverage Appwrite's document ID based on email hash for idempotent creation.

+        // For new users, the rate limit will apply on subsequent requests
+        // since createOtpDocument now stores the email
+        // Consider: update last_otp_sent on the newly created document as well
         await appwrite.createOtpDocument(otpID, otp, recipientEmail, currentDate);
 
         // Update last_otp_sent timestamp in user document
-        if (userDoc) {
-            try {
-                await appwrite.updateUserLastOtpSent(userDoc.$id, new Date().toISOString());
-            } catch (updateError) {
-                // Log error but don't fail the request if timestamp update fails
-                log(`Warning: Failed to update last_otp_sent timestamp: ${updateError}`);
-            }
-        }
+        // Update the document we just created/found with the timestamp
+        const docId = userDoc ? userDoc.$id : otpID;
+        await appwrite.updateUserLastOtpSent(docId, new Date().toISOString());

Also applies to: 51-59

🧹 Nitpick comments (3)

functions/send-otp/src/main.js (3)

41-41: Consider using cryptographically secure random for OTP generation.

Math.random() is not cryptographically secure. While acceptable for short-lived 6-digit OTPs, Node.js's crypto.randomInt() provides better randomness.

♻️ Optional improvement

+import { randomInt } from 'crypto';
+
-        const otp = String(Math.floor(100000 + Math.random() * 900000));
+        const otp = String(randomInt(100000, 1000000));

---

53-58: Redundant try-catch block.

updateUserLastOtpSent in appwrite.js already catches errors internally and logs them without throwing. This nested try-catch is unnecessary.

♻️ Simplify

         if (userDoc) {
-            try {
-                await appwrite.updateUserLastOtpSent(userDoc.$id, new Date().toISOString());
-            } catch (updateError) {
-                // Log error but don't fail the request if timestamp update fails
-                log(`Warning: Failed to update last_otp_sent timestamp: ${updateError}`);
-            }
+            await appwrite.updateUserLastOtpSent(userDoc.$id, new Date().toISOString());
         }

---

61-64: Avoid exposing internal error details to clients.

Returning String(e) in the response may leak implementation details (stack traces, internal paths, database errors) to clients.

♻️ Proposed fix

     } catch (e) {
         error(String(e));
-        return res.json({ message: String(e) },500);
+        return res.json({ message: "An error occurred while processing your request" }, 500);
     }