16 changes: 7 additions & 9 deletions backend/src/routes/HousingRoutes.ts
Expand Up @@ -8,9 +8,7 @@ import {
import { housingReviewPictures } from '../server';
import { ObjectId } from 'mongodb';
import {
isAdmin,
isAuthenticated,
isCourseReviewOwner,
isHousingReviewOwner,
} from '../middleware/authMiddleware';

Expand All @@ -22,7 +20,7 @@ const upload = multer({ storage: storage });
/**
* @route GET /api/campus/housing
* @desc Get all housing buildings
* @access Public
* @access isAuthenticated
*/
router.get('/', isAuthenticated, async (req: Request, res: Response) => {
try {
Expand All @@ -36,7 +34,7 @@ router.get('/', isAuthenticated, async (req: Request, res: Response) => {
/**
* @route GET /api/campus/housing/:building
* @desc Get housing building by id
* @access Public
* @access isAuthenticated
*/
router.get(
'/:building',
Expand Down Expand Up @@ -72,7 +70,7 @@ router.get(
/**
* @route GET /campus/housing/:building/rooms
* @desc Get all roms in a building (by building id)
* @access Public
* @access isAuthenticated
*/
router.get(
'/:building/rooms',
Expand Down Expand Up @@ -108,7 +106,7 @@ router.get(
/**
* @route GET /api/campus/:room/reviews
* @desc Get housing reviews for a room
* @access Public
* @access isAuthenticated
*/
router.get(
'/:room/reviews',
Expand Down Expand Up @@ -195,7 +193,7 @@ router.get(
/**
* @route GET /api/campus/housing/:buildingId/:roomNumber/reviews
* @desc Get reviews for a room by building id and room number
* @access Public
* @access isAuthenticated
*/
router.get(
'/:buildingId/:roomNumber/reviews',
Expand Down Expand Up @@ -285,7 +283,7 @@ router.get(
/**
* @route POST /api/campus/housing/:buildingId/:roomNumber/reviews
* @desc Add new housing room review
* @access Public
* @access isAuthenticated
*/
router.post(
'/:buildingId/:roomNumber/reviews',
Expand Down Expand Up @@ -509,7 +507,7 @@ router.delete(
/**
* @route GET /api/campus/housing/review_pictures/:id
* @desc Get review picture by id
* @access Public
* @access isAuthenticated
*/
router.get(
'/review_pictures/:id',
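Review bot: The new `@access isAuthenticated` tags on the six routes after `/` cannot be confirmed from this section, because only `router.get('/', isAuthenticated, ...` shows its middleware and the other handlers' argument lists sit in the collapsed parts. Each of those routes, the POST and `/review_pictures/:id` in particular, should be checked to actually pass `isAuthenticated`; otherwise the comment documents a guard that is not there. While these doc blocks are being edited, two `@route` lines drop part of the `/api/campus/housing` prefix the other blocks use: they should read `* @route GET /api/campus/housing/:building/rooms` and `* @route GET /api/campus/housing/:room/reviews`. The description `Get all roms in a building` should be `* @desc Get all rooms in a building (by building id)`.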
278 changes: 145 additions & 133 deletions backend/src/routes/ReviewsRoutes.ts
@@ -1,167 +1,179 @@
import express, { Request, Response, Router } from 'express';
import { CourseReviews } from '../models/Courses';
import {
isAuthenticated,
isCourseReviewOwner,
} from '../middleware/authMiddleware';

const router: Router = express.Router();

/**
* @route GET /api/reviews/:id
* @desc Get review by ID
* @access Public
* @access isAuthenticated
*/
router.get('/reviews/:id', async (req: Request, res: Response) => {
try {
const reviewId = parseInt(req.params.id);

// Check if conversion is valid
if (isNaN(reviewId)) {
res.status(400).json({ message: 'Invalid review ID format' });
return;
router.get(
'/reviews/:id',
isAuthenticated,
async (req: Request, res: Response) => {
try {
const reviewId = parseInt(req.params.id);

// Check if conversion is valid
if (isNaN(reviewId)) {
res.status(400).json({ message: 'Invalid review ID format' });
return;
}

const review = await CourseReviews.findOne({
id: reviewId,
});

if (!review) {
res.status(404).json({ message: 'Review not found' });
return;
}

res.json(review);
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}

const review = await CourseReviews.findOne({
id: reviewId,
});

if (!review) {
res.status(404).json({ message: 'Review not found' });
return;
}

res.json(review);
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}
});
);

/**
* @route POST /api/reviews
* @desc Create new review
* @access Private
* @access isAuthenticated
*/
router.post('/reviews', async (req: Request, res: Response) => {
try {
const {
id,
overall_rating,
challenge_rating,
inclusivity_rating,
work_per_week,
total_cost,
comments,
course_id,
instructor_id,
user_id,
} = req.body;

// Check if review already exists
const reviewExists = await CourseReviews.findOne({
id,
});
if (reviewExists) {
res.status(400).json({ message: 'Review already exists' });
return;
router.post(
'/reviews',
isAuthenticated,
async (req: Request, res: Response) => {
try {
const {
id,
overall_rating,
challenge_rating,
inclusivity_rating,
work_per_week,
total_cost,
comments,
course_id,
instructor_id,
user_id,
} = req.body;

// Check if review already exists
const reviewExists = await CourseReviews.findOne({
id,
});
if (reviewExists) {
res.status(400).json({ message: 'Review already exists' });
return;
}

// Create new review
const newReview = new CourseReviews({
id,
overall_rating,
challenge_rating,
inclusivity_rating,
work_per_week,
total_cost,
comments,
course_id,
instructor_id,
user_id,
});

const savedReview = await newReview.save();
res.status(201).json(savedReview);
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}

// Create new review
const newReview = new CourseReviews({
id,
overall_rating,
challenge_rating,
inclusivity_rating,
work_per_week,
total_cost,
comments,
course_id,
instructor_id,
user_id,
});

const savedReview = await newReview.save();
res.status(201).json(savedReview);
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}
});
);

/**
* @route PUT /api/reviews/:id
* @desc Update review
* @access Private
* @access isCourseReviewOwner
*/
router.put('/reviews/:id', async (req: Request, res: Response) => {
try {
const reviewId = parseInt(req.params.id);

// Check if conversion is valid
if (isNaN(reviewId)) {
res.status(400).json({ message: 'Invalid review ID format' });
return;
}

// Check if review exists
const review = await CourseReviews.findOne({
id: reviewId,
});

if (!review) {
res.status(404).json({ message: 'Review not found' });
return;
router.put(
'/reviews/:id',
isCourseReviewOwner,
async (req: Request, res: Response) => {
try {
const reviewId = parseInt(req.params.id);

// Check if conversion is valid
if (isNaN(reviewId)) {
res.status(400).json({ message: 'Invalid review ID format' });
return;
}

// Check if review exists
const review = await CourseReviews.findOne({
id: reviewId,
});

if (!review) {
res.status(404).json({ message: 'Review not found' });
return;
}

const updatedReview = await CourseReviews.findOneAndUpdate(
{ id: reviewId },
{ $set: req.body },
{ new: true }
);

res.json(updatedReview);
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}

// TODO: Check if user is authorized to update this review
// For example, checking if req.user.id === review.user_id
// This can also be done somewhere else

const updatedReview = await CourseReviews.findOneAndUpdate(
{ id: reviewId },
{ $set: req.body },
{ new: true }
);

res.json(updatedReview);
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}
});
);

/**
* @route DELETE /api/reviews/:id
* @desc Delete review
* @access Private
* @access isCourseReviewOwner
*/
router.delete('/reviews/:id', async (req: Request, res: Response) => {
try {
const reviewId: number = parseInt(req.params.id);

// Check if conversion is valid
if (isNaN(reviewId)) {
res.status(400).json({ message: 'Invalid review ID format' });
return;
}

// Check if review exists
const review = await CourseReviews.findOne({
id: reviewId,
});

if (!review) {
res.status(404).json({ message: 'Review not found' });
return;
router.delete(
'/reviews/:id',
isCourseReviewOwner,
async (req: Request, res: Response) => {
try {
const reviewId: number = parseInt(req.params.id);

// Check if conversion is valid
if (isNaN(reviewId)) {
res.status(400).json({ message: 'Invalid review ID format' });
return;
}

// Check if review exists
const review = await CourseReviews.findOne({
id: reviewId,
});

if (!review) {
res.status(404).json({ message: 'Review not found' });
return;
}

await CourseReviews.findOneAndDelete({ id: reviewId });
res.json({ message: 'Review removed' });
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}

// TODO: Check if user is authorized to delete this review
// For example, checking if req.user.id === review.user_id or if user is admin
// This can also be done somewhere else

await CourseReviews.findOneAndDelete({ id: reviewId });
res.json({ message: 'Review removed' });
} catch (err) {
console.error(err);
res.status(500).json({ message: 'Server error' });
}
});
);

export default router;
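Review bot: The PUT handler still writes `{ $set: req.body }`, so once `isCourseReviewOwner` lets the owner through, the request body can overwrite any field of the document, including `id` and `user_id`, which takes the review out from under the ownership check; the update should copy only the rating and comment fields, as in the block below (the field list is inferred from the POST handler and needs confirming against the schema). The POST handler has the same trust problem: `user_id` is destructured from `req.body`, so an authenticated caller can file a review under another user's id, and it should instead come from the identity that `isAuthenticated` establishes (how that identity is exposed on the request is not visible here). PUT and DELETE are guarded by `isCourseReviewOwner` alone, so confirm that this middleware rejects unauthenticated requests itself, or put `isAuthenticated` in front of it.

```typescript
// … unchanged: reviewId parsing and the 404 check …

// Only these fields may be edited; id, user_id, course_id and instructor_id stay fixed.
const editableFields = [
  'overall_rating',
  'challenge_rating',
  'inclusivity_rating',
  'work_per_week',
  'total_cost',
  'comments',
] as const;

const changes: Record<string, unknown> = {};
for (const field of editableFields) {
  if (req.body[field] !== undefined) {
    changes[field] = req.body[field];
  }
}

const updatedReview = await CourseReviews.findOneAndUpdate(
  { id: reviewId },
  { $set: changes },
  { new: true }
);
// … unchanged: res.json(updatedReview) and the catch block …
```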