DineFlow — Server

🍽️ Restaurant Management REST API

A robust, scalable Node.js + Express backend powering the DineFlow restaurant management platform — featuring JWT authentication, role-based access control, and a comprehensive REST API.

API Base URL · Report Bug · Request Feature

---

📑 Table of Contents

• About The Project
• Key Features
• Tech Stack
• Getting Started
• Environment Variables
• Project Structure
• API Reference
• Database Models
• Authentication Flow
• Error Handling
• Related Repository
• Contributing
• License

---

📖 About The Project

DineFlow Server is the backend API for the DineFlow restaurant management platform. Built with Node.js and Express 5, it provides a comprehensive RESTful API that handles everything from user authentication to inventory management.

The server supports two user roles — Customer and Admin — with fine-grained, middleware-based access control. It integrates with Firebase for authentication, MongoDB for data persistence, Cloudinary for image management, and uses JWT tokens for secure API communication.

---

✨ Key Features

🔐 Security & Auth JWT-based authentication with Bearer tokens Firebase token verification (Email + Google OAuth) Role-based access control (Customer / Admin) Password hashing with bcrypt CORS configuration with credentials	🏗️ Architecture RESTful API design with consistent response format MVC architecture (Models, Controllers, Routes) Centralized error handling middleware ES Modules throughout Environment-based configuration
📦 Data Management 10 Mongoose models with validations Soft-delete pattern for data integrity Price snapshot in orders for historical accuracy Inventory audit trail with log entries Query param filtering, sorting, and pagination	🔌 Integrations MongoDB Atlas (cloud database) Cloudinary (image storage & transformation) Firebase Admin (token verification) Nodemon (development hot-reload)

---

🛠️ Tech Stack

Category	Technology	Version
Runtime	Node.js	18+
Framework	Express.js	5.x
Database	MongoDB (Mongoose ODM)	9.x
Authentication	JSON Web Tokens (JWT)	9.x
Password Hashing	bcryptjs	3.x
Image Upload	Cloudinary SDK	2.x
File Upload	Multer	2.x
Environment Config	dotenv	17.x
CORS	cors	2.x
Dev Server	Nodemon	3.x

---

🚀 Getting Started

Prerequisites

• Node.js ≥ 18.x
• npm ≥ 9.x (or yarn / pnpm)
• MongoDB instance (local or MongoDB Atlas)
• Cloudinary account (Sign up free)
• Firebase project with Authentication enabled

Installation

1. Clone the repository

   git clone https://github.com/M-R-Saad/DineFlow-server.git
   cd DineFlow-server

2. Install dependencies

   npm install

3. Set up environment variables

   Create a .env file in the root directory (see Environment Variables below).

4. Start the development server

   npm run dev

   The server will be running at http://localhost:5000.

5. Verify the server is running

   curl http://localhost:5000
   # Response: { "message": "DineFlow API is running" }

Production

npm start

---

🔐 Environment Variables

Create a .env file in the project root with the following variables:

# Server
PORT=5000

# MongoDB
MONGO_URI=mongodb+srv://username:password@cluster.mongodb.net/dineflow?retryWrites=true&w=majority

# JWT
JWT_SECRET=your_super_secret_jwt_key_here

# Client URL (for CORS)
CLIENT_URL=http://localhost:5173

# Cloudinary
CLOUDINARY_CLOUD_NAME=your_cloud_name
CLOUDINARY_API_KEY=your_api_key
CLOUDINARY_API_SECRET=your_api_secret

⚠️ Important: Never commit your .env file to version control. It is already included in .gitignore.

---

📁 Project Structure

DineFlow-server/
├── config/
│   └── db.js                    # MongoDB connection via Mongoose
├── controllers/                 # Route handler logic (business layer)
│   ├── authController.js        #   Register, login, Firebase auth
│   ├── userController.js        #   Profile & user management
│   ├── menuController.js        #   Menu item CRUD
│   ├── categoryController.js    #   Category CRUD
│   ├── bookingController.js     #   Table booking operations
│   ├── orderController.js       #   Order placement & management
│   ├── reviewController.js      #   Dish review operations
│   ├── inventoryController.js   #   Inventory & stock management
│   ├── tableController.js       #   Table management
│   └── testimonialController.js #   Testimonial operations
├── middleware/
│   ├── verifyToken.js           # JWT verification middleware
│   ├── verifyAdmin.js           # Admin role-check middleware
│   └── errorHandler.js          # Global error handling middleware
├── models/                      # Mongoose schema definitions
│   ├── User.js                  #   User accounts & roles
│   ├── Category.js              #   Menu categories
│   ├── MenuItem.js              #   Menu items (dishes)
│   ├── Table.js                 #   Restaurant tables
│   ├── Booking.js               #   Table reservations
│   ├── Order.js                 #   Customer orders
│   ├── Review.js                #   Dish reviews & ratings
│   ├── Inventory.js             #   Inventory items & stock levels
│   ├── InventoryLog.js          #   Stock change audit trail
│   └── Testimonial.js           #   Customer testimonials
├── routes/                      # Express route definitions
│   ├── authRoutes.js
│   ├── userRoutes.js
│   ├── menuRoutes.js
│   ├── categoryRoutes.js
│   ├── bookingRoutes.js
│   ├── orderRoutes.js
│   ├── reviewRoutes.js
│   ├── inventoryRoutes.js
│   ├── tableRoutes.js
│   └── testimonialRoutes.js
├── utils/
│   └── generateOrderNumber.js   # Unique order number generator
├── .env                         # Environment variables (not committed)
├── .gitignore
├── index.js                     # App entry point
└── package.json

---

📡 API Reference

Base URL: http://localhost:5000/api

Access Levels: 🌐 Public · 🔒 Customer · 🛡️ Admin

---

🔑 Auth — /api/auth

Method	Endpoint	Access	Description
POST	/register	🌐 Public	Register a new user account
POST	/login	🌐 Public	Login with email & password
POST	/firebase	🌐 Public	Login / register via Firebase token

---

👤 Users — /api/users

Method	Endpoint	Access	Description
GET	/me	🔒 Customer	Get own profile
PATCH	/me	🔒 Customer	Update own profile
GET	/	🛡️ Admin	Get all users
PATCH	/:id/role	🛡️ Admin	Change a user's role
PATCH	/:id/status	🛡️ Admin	Activate / deactivate user

---

📂 Categories — /api/categories

Method	Endpoint	Access	Description
GET	/	🌐 Public	Get all active categories
POST	/	🛡️ Admin	Create new category
PATCH	/:id	🛡️ Admin	Update category
DELETE	/:id	🛡️ Admin	Soft delete category

---

🍔 Menu Items — /api/menu

Method	Endpoint	Access	Description
GET	/	🌐 Public	Get all items (?category, ?search, ?sort)
GET	/featured	🌐 Public	Get featured items for homepage
GET	/:id	🌐 Public	Get single item detail
POST	/	🛡️ Admin	Add new menu item
PATCH	/:id	🛡️ Admin	Update menu item
DELETE	/:id	🛡️ Admin	Soft delete (set isAvailable: false)

---

📅 Bookings — /api/bookings

Method	Endpoint	Access	Description
GET	/available-slots	🌐 Public	Get available time slots for a date
POST	/	🔒 Customer	Create a booking
GET	/my	🔒 Customer	Get own bookings
PATCH	/my/:id/cancel	🔒 Customer	Cancel own booking
GET	/	🛡️ Admin	Get all bookings (?date, ?status)
PATCH	/:id/status	🛡️ Admin	Confirm or cancel a booking

---

📦 Orders — /api/orders

Method	Endpoint	Access	Description
POST	/	🔒 Customer	Place a new order
GET	/my	🔒 Customer	Get own order history
GET	/my/:id	🔒 Customer	Get single order detail
GET	/	🛡️ Admin	Get all orders (?status)
PATCH	/:id/status	🛡️ Admin	Update order status
GET	/stats	🛡️ Admin	Revenue & order stats for dashboard

---

⭐ Reviews — /api/reviews

Method	Endpoint	Access	Description
GET	/menu/:menuItemId	🌐 Public	Get all reviews for a menu item
POST	/	🔒 Customer	Submit a review for a menu item
DELETE	/:id	🛡️ Admin	Remove an inappropriate review

---

📦 Inventory — /api/inventory

Method	Endpoint	Access	Description
GET	/	🛡️ Admin	Get all inventory items
GET	/low-stock	🛡️ Admin	Get items below minimum stock level
POST	/	🛡️ Admin	Add new inventory item
PATCH	/:id	🛡️ Admin	Update item details
POST	/:id/restock	🛡️ Admin	Add stock + create audit log entry
GET	/:id/logs	🛡️ Admin	Get stock change history

---

💬 Testimonials — /api/testimonials

Method	Endpoint	Access	Description
GET	/	🌐 Public	Get all approved testimonials
POST	/	🔒 Customer	Submit a testimonial
GET	/all	🛡️ Admin	Get all (approved + pending)
PATCH	/:id/approve	🛡️ Admin	Approve a testimonial
DELETE	/:id	🛡️ Admin	Delete a testimonial

---

🪑 Tables — /api/tables

Method	Endpoint	Access	Description
GET	/	🛡️ Admin	Get all tables
POST	/	🛡️ Admin	Add a new table
PATCH	/:id	🛡️ Admin	Update table details
DELETE	/:id	🛡️ Admin	Remove a table

---

🗄️ Database Models

The application uses 10 Mongoose models reflecting a normalized MongoDB schema:

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│    User      │────▶│   Booking    │     │   Category   │
│              │────▶│   Order      │     │              │
│              │────▶│   Review     │     └──────┬───────┘
│              │────▶│  Testimonial │            │
└──────────────┘     └──────────────┘     ┌──────▼───────┐
                                          │  MenuItem    │
┌──────────────┐     ┌──────────────┐     │              │
│   Table      │────▶│   Booking    │     └──────┬───────┘
└──────────────┘     └──────────────┘            │
                                          ┌──────▼───────┐
┌──────────────┐     ┌──────────────┐     │   Review     │
│  Inventory   │────▶│ InventoryLog │     └──────────────┘
└──────────────┘     └──────────────┘

Model	Description
User	User accounts with roles (customer, admin), soft-delete support
Category	Menu categories with soft-delete
MenuItem	Dishes with pricing, images, availability, featured flag
Table	Restaurant tables with capacity and status
Booking	Table reservations with date, time slot, guests, status
Order	Customer orders with price snapshots and status pipeline
Review	Dish reviews with ratings (1–5)
Inventory	Stock items with minimum level tracking
InventoryLog	Audit trail for all stock changes
Testimonial	Customer testimonials with approval workflow

---

🔐 Authentication Flow

┌─────────┐     ┌──────────┐     ┌───────────┐     ┌──────────┐
│  Client  │────▶│ Firebase │────▶│  Backend  │────▶│ MongoDB  │
│          │     │   Auth   │     │  /auth/*  │     │          │
│          │◀────│          │◀────│  JWT Gen  │     │          │
│          │     └──────────┘     └───────────┘     └──────────┘
│          │                                               │
│          │─── Bearer Token ──▶ verifyToken ──▶ verifyAdmin ──▶ Controller
└─────────┘

1. User authenticates via Firebase (Email/Password or Google OAuth)
2. Firebase token is sent to /api/auth/firebase
3. Server verifies the token, creates/finds user in MongoDB
4. Server issues a JWT and returns it to the client
5. Client stores JWT and attaches it to every secure request via Axios interceptor
6. verifyToken middleware validates the JWT on protected routes
7. verifyAdmin middleware checks user role for admin-only routes

---

⚠️ Error Handling

All API responses follow a consistent format:

Success Response:

{
  "success": true,
  "data": { ... }
}

Error Response:

{
  "success": false,
  "message": "Descriptive error message"
}

The global errorHandler middleware catches unhandled errors and returns appropriate HTTP status codes.

---

🔗 Related Repository

Repository	Description
DineFlow Client	React 19 + Vite frontend application

---

🤝 Contributing

Contributions are welcome! Here's how you can help:

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

Please make sure to follow the existing code style and test your changes thoroughly.

---

📄 License

Distributed under the MIT License. See LICENSE for more information.

---

Built with ❤️ using Node.js, Express, and MongoDB

⬆️ Back to Top