fix: update lock file, routes, controllers and add public assets

Author: frckbrice

README.md

@@ -11,6 +11,10 @@
   <img src="https://img.shields.io/badge/WebSocket-ws-010101?style=flat-square&logo=socket.io&logoColor=white" alt="WebSocket" />
 </p>
 
+<p align="center">
+  <img src="public/assets/images/museum%20management%20api.png" alt="Museum Management API" width="100%" />
+</p>
+
 Production-ready REST API for a digital museum platform: content, auth, bookings, forum, and real-time features. Built with a **modular, microservice-friendly** design and standard Web API practices.
 
 ## Key features

public/assets/images/museum management api.png

@@ -139,6 +139,7 @@
       background: var(--accent-soft);
       transform: translateY(-1px);
       box-shadow: 0 8px 24px rgba(184, 134, 11, 0.35);
+      color: #fff;
     }
 
     .btn--outline {

public/index.html

@@ -4,35 +4,38 @@ import { postLikeService } from "../services";
 export class PostLikesController {
   async likePost(req: Request, res: Response) {
     try {
-      const data = req.body;
+      // Use authenticated user (required by route); ignore body userId for security
+      const userId = req.user?.id ?? req.body.userId;
+      const postId = req.body.postId;
 
-      if (!data.userId || !data.postId)
-        return res.status(400).send({
+      if (!userId || !postId)
+        return res.status(400).json({
           error: true,
-          message: "Missing required fields post id and author id",
+          message: "Missing required fields: postId (and authentication for userId)",
         });
 
-      const content = await postLikeService.postLike(data);
+      const content = await postLikeService.postLike({ userId, postId });
       res.json(content);
     } catch (error) {
-      res.status(500).json({ error: "Failed like a post with id: " + req.body.postId });
+      res.status(500).json({ error: "Failed to like post with id: " + req.body?.postId });
     }
   }
 
   async unlikePost(req: Request, res: Response) {
-    const data = req.body;
+    try {
+      const userId = req.user?.id ?? req.body.userId;
+      const postId = req.body.postId;
 
-    if (!data.userId || !data.postId)
-      return res.status(400).send({
-        error: true,
-        message: "Missing required fields post id and author id",
-      });
+      if (!userId || !postId)
+        return res.status(400).json({
+          error: true,
+          message: "Missing required fields: postId (and authentication for userId)",
+        });
 
-    try {
-      const content = await postLikeService.unlikePost(data);
+      const content = await postLikeService.unlikePost({ userId, postId });
       res.json(content);
     } catch (error) {
-      res.status(500).json({ error: "Failed to unlike a post with id: " + req.body.postId });
+      res.status(500).json({ error: "Failed to unlike post with id: " + req.body?.postId });
     }
   }
 }

server/controllers/post_like.controller.ts

@@ -86,7 +86,7 @@ export class UserController {
     try {
       const { email } = req.params;
       await userService.deleteUserByEmail(email);
-      res.sendStatus(204).send({ message: "User deleted successfully" });
+      res.sendStatus(204);
     } catch (error) {
       res.status(500).json({ error: "Failed to delete user" });
     }
@@ -97,9 +97,9 @@ export class UserController {
     try {
       const { id } = req.params;
       await userService.deleteUserById(id);
-      res.sendStatus(204).send({ message: "User deleted successfully" });
+      res.sendStatus(204);
     } catch (error) {
-      console.error("\n\n 💥💥💥💥💥💥💥💥💥 rror deleting user:", error);
+      console.error("Error deleting user:", error);
       res.status(500).json({ error: "Failed to delete user" });
     }
   }

server/controllers/user.controller.ts

@@ -4,7 +4,8 @@ import { requireAdmin } from "../../config/auth/auth-config";
 
 const router = Router();
 
-// router.use(requireAdmin);
+// All admin routes require admin role
+router.use(requireAdmin);
 
 // Get all contact messages (admin only)
 router.get("/admin/contact-messages", adminController.getAllContactMessages);

server/routes/admin-route.ts

@@ -1,7 +1,7 @@
 import { Router } from "express";
 import passport from "passport";
 import { userService } from "../services";
-import { hashPassword } from "../../config/auth/auth-config";
+import { hashPassword, requireAuth } from "../../config/auth/auth-config";
 
 const authRoute = Router();
 
@@ -57,8 +57,8 @@ authRoute.post("/login", (req, res, next) => {
   )(req, res, next);
 });
 
-// Logout endpoint
-authRoute.post("/logout", (req, res, next) => {
+// Logout endpoint (authenticated only per API spec)
+authRoute.post("/logout", requireAuth, (req, res, next) => {
   req.logout((err) => {
     if (err) {
       console.log("\n\n Logging out user:", err);

server/routes/auth-routes.ts

@@ -2,32 +2,29 @@ import { Router } from "express";
 import { WebSocketServer } from "ws";
 
 import { bookingController } from "../controllers";
+import { requireAuth, requireAttendant } from "../../config/auth/auth-config";
 
 export default function bookingRoutes(wss: WebSocketServer) {
   const router = Router();
 
-  // Create a booking
+  // Create a booking (optional auth: session sets userId if present)
   router.post("/bookings", async (req, res) =>
     (await bookingController.createBooking(req, res))(wss)
   );
 
-  // Get bookings (user-specific or all based on user type)
-  router.get("/bookings", bookingController.getAllBookings);
+  // Get bookings (authenticated; visitors see own, attendants/admins see all)
+  router.get("/bookings", requireAuth, bookingController.getAllBookings);
 
-  // Get booking by ID
-  router.get("/bookings/:id", bookingController.getBookingById);
-
-  // Update booking status (attendant-specific)
-  router.patch("/bookings/attendant/:id/status", bookingController.updateBookingStatus);
-
-  // get specific booking for a user by id
-  router.get("/bookings/users/:userId", bookingController.getBookingsByUserId);
-
-  // get booking by id
-  router.get("/bookings/:id", bookingController.getBookingById);
+  // More specific paths before /bookings/:id (RESTful route order)
+  router.get("/bookings/users/:userId", requireAuth, bookingController.getBookingsByUserId);
+  router.patch(
+    "/bookings/attendant/:id/status",
+    requireAttendant,
+    bookingController.updateBookingStatus
+  );
 
-  // delete booking
-  // router.delete("/bookings/:id", bookingController.deleteBooking);
+  // Get booking by ID (authenticated)
+  router.get("/bookings/:id", requireAuth, bookingController.getBookingById);
 
   return router;
 }

server/routes/bookings-route.ts

@@ -1,24 +1,23 @@
 import { Router } from "express";
-import { contactService } from "../services";
-import {
-  ContactMessage,
-  insertContactMessageSchema,
-} from "../../config/database/schema/schema-types";
-import { z } from "zod";
 import { contactController } from "../controllers";
+import { requireAuth } from "../../config/auth/auth-config";
 
 const router = Router();
 
-// Submit contact form
+// Submit contact form (public per API spec)
 router.post("/contact_messages", contactController.createContactMessage);
 
-// Get all contact messages
-router.get("/contact_messages", contactController.getAllContactMessages);
-
-// Mark a contact message as read
-router.patch("/contact_messages/:id/read", contactController.markContactMessageAsRead);
-
-// Get unread contact messages count
-router.get("/contact_messages/unread_count", contactController.getUnreadContactMessagesCount);
+// Authenticated contact message operations (list, unread count, mark read)
+router.get("/contact_messages", requireAuth, contactController.getAllContactMessages);
+router.get(
+  "/contact_messages/unread_count",
+  requireAuth,
+  contactController.getUnreadContactMessagesCount
+);
+router.patch(
+  "/contact_messages/:id/read",
+  requireAuth,
+  contactController.markContactMessageAsRead
+);
 
 export default router;

server/routes/contact-route.ts

@@ -2,25 +2,32 @@ import { Router } from "express";
 import { WebSocketServer } from "ws";
 
 import { forumController } from "../controllers";
+import { requireAuth } from "../../config/auth/auth-config";
 
 export default function forumRoutes(wss: WebSocketServer) {
   const router = Router();
 
-  // Get all posts
+  // Get all posts (public; attendantOnly filter requires auth in controller)
   router.get("/posts", forumController.getAllPosts);
 
-  // Get post by ID
+  // Get post by ID (public; attendant-only access enforced in controller)
   router.get("/posts/:id", forumController.getPostById);
 
-  // Create a new post
-  router.post("/posts", async (req, res) => (await forumController.createPost(req, res))(wss));
+  // Create a new post (authenticated per API spec)
+  router.post(
+    "/posts",
+    requireAuth,
+    async (req, res) => (await forumController.createPost(req, res))(wss)
+  );
 
-  // Add comment to a post
-  router.post("/posts/:id/comments", async (req, res) =>
-    (await forumController.createComment(req, res))(wss)
+  // Add comment to a post (authenticated per API spec)
+  router.post(
+    "/posts/:id/comments",
+    requireAuth,
+    async (req, res) => (await forumController.createComment(req, res))(wss)
   );
 
-  // get comment by id
+  // Get comments by post ID
   router.get("/posts/:id/comments", forumController.getCommentsByPostId);
 
   return router;