-
Notifications
You must be signed in to change notification settings - Fork 24
Expand file tree
/
Copy pathroute.ts
More file actions
111 lines (96 loc) · 3.45 KB
/
route.ts
File metadata and controls
111 lines (96 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
import { auth } from '@clerk/nextjs/server'
import { NextRequest, NextResponse } from 'next/server'
import { connectDB } from '@/lib/mongodb'
import { Student } from '@/models/Student'
import { z } from 'zod'
const StudentSchema = z.object({
name: z.string().min(1),
rollNo: z.string().min(1),
class: z.string().min(1),
email: z.string().email().optional().or(z.literal('')),
phone: z.string().optional(),
address: z.string().optional(),
parentName: z.string().optional(),
parentPhone: z.string().optional(),
})
function escapeRegex(str: string): string {
return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
}
export async function GET(req: NextRequest) {
const { userId } = await auth()
if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
try {
await connectDB();
const { searchParams } = new URL(req.url);
const search = (searchParams.get("search") ?? "").replace(/\s+/g, ' ');
const classFilter = searchParams.get("class") ?? "";
// Parse and validate pagination
const pageStr = searchParams.get("page") ?? "1";
const limitStr = searchParams.get("limit") ?? "20";
let page = parseInt(pageStr, 10);
let limit = parseInt(limitStr, 10);
if (Number.isNaN(page) || page < 1) page = 1;
if (Number.isNaN(limit) || limit < 1) limit = 20;
limit = Math.min(limit, 100); // Cap at 100
const query: Record<string, unknown> = { teacherId: userId };
if (search) {
// Escape regex special characters to prevent ReDoS
const escapedSearch = escapeRegex(search);
query.$or = [
{ name: { $regex: escapedSearch, $options: "i" } },
{ rollNo: { $regex: escapedSearch, $options: "i" } },
{ class: { $regex: escapedSearch, $options: "i" } },
];
}
// Add class filter if provided and not 'all'
if (classFilter && classFilter !== "all") {
query.class = classFilter;
}
const [students, total] = await Promise.all([
Student.find(query)
.sort({ createdAt: -1 })
.skip((page - 1) * limit)
.limit(limit)
.lean(),
Student.countDocuments(query),
]);
return NextResponse.json({
students,
total,
page,
pages: Math.ceil(total / limit),
});
} catch (error) {
if (error instanceof Error) {
console.error('GET /api/students error:', error.message)
}
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
export async function POST(req: NextRequest) {
const { userId } = await auth()
if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
try {
await connectDB()
let body
try {
body = await req.json()
} catch {
return NextResponse.json({ error: 'Malformed JSON' }, { status: 400 })
}
const parsed = StudentSchema.safeParse(body)
if (!parsed.success) {
return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 })
}
const student = await Student.create({ ...parsed.data, teacherId: userId })
return NextResponse.json(student, { status: 201 })
} catch (error) {
if (error instanceof Error) {
console.error('POST /api/students error:', error.message)
}
if ((error as { code?: number }).code === 11000) {
return NextResponse.json({ error: 'A student with this roll number already exists' }, { status: 409 })
}
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}