feat(pharmacy): add pharmacist API (prescriptions, EMR, inventory, audit) + tests

kpcode11 · kpcode11 · commit 522a0e05fb97 · 2026-01-23T17:04:59.000+05:30
- implements pharmacist routes and RBAC checks
- adds comprehensive unit tests for happy/error flows
- non-destructive; no schema migrations
diff --git a/src/app/api/pharmacist/audit-logs/route.ts b/src/app/api/pharmacist/audit-logs/route.ts
@@ -0,0 +1,33 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+
+// GET /api/pharmacist/audit-logs?take=50&skip=0
+export async function GET(req: Request) {
+  try {
+    await requirePermission(req, 'audit.read');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const url = new URL(req.url);
+  const take = Math.min(Number(url.searchParams.get('take') ?? 100), 500);
+  const skip = Number(url.searchParams.get('skip') ?? 0);
+
+  // limit to pharmacy-related audit entries for safety
+  const where = {
+    OR: [
+      { action: { contains: 'prescription.' } },
+      { action: { contains: 'inventory.' } },
+      { resource: 'Prescription' },
+      { resource: 'Inventory' },
+    ],
+  } as any;
+
+  const [rows, count] = await Promise.all([
+    prisma.auditLog.findMany({ where, orderBy: { createdAt: 'desc' }, take, skip }),
+    prisma.auditLog.count({ where }),
+  ]);
+
+  return NextResponse.json({ rows, count });
+}
diff --git a/src/app/api/pharmacist/inventory/[id]/deduct/route.ts b/src/app/api/pharmacist/inventory/[id]/deduct/route.ts
@@ -0,0 +1,31 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+import { createAudit } from '@/services/audit.service';
+
+// PATCH /api/pharmacist/inventory/:id/deduct
+export async function PATCH(req: Request, { params }: { params: { id: string } }) {
+  try {
+    const res = await requirePermission(req, 'inventory.update');
+    const actorId = res.session?.user?.id ?? null;
+    const id = params.id;
+    const body = await req.json();
+    const qty = Number(body.quantity ?? 0);
+    if (!qty || qty <= 0) return NextResponse.json({ error: 'quantity must be > 0' }, { status: 400 });
+
+    const existing = await prisma.inventory.findUnique({ where: { id } });
+    if (!existing) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+    if ((existing.quantity ?? 0) < qty) return NextResponse.json({ error: 'insufficient stock' }, { status: 400 });
+
+    const updated = await prisma.$transaction(async (tx) => {
+      const before = existing;
+      const u = await tx.inventory.update({ where: { id }, data: { quantity: { decrement: qty } as any } });
+      await createAudit({ actorId, action: 'inventory.deduct', resource: 'Inventory', resourceId: id, before, after: u, meta: { deducted: qty } });
+      return u;
+    });
+
+    return NextResponse.json(updated);
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+}
diff --git a/src/app/api/pharmacist/inventory/[id]/route.ts b/src/app/api/pharmacist/inventory/[id]/route.ts
@@ -0,0 +1,32 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+import { createAudit } from '@/services/audit.service';
+
+// PATCH /api/pharmacist/inventory/:id
+export async function PATCH(req: Request, { params }: { params: { id: string } }) {
+  try {
+    const res = await requirePermission(req, 'inventory.update');
+    const actorId = res.session?.user?.id ?? null;
+    const id = params.id;
+    const body = await req.json();
+
+    const existing = await prisma.inventory.findUnique({ where: { id } });
+    if (!existing) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+
+    const data: any = {};
+    if (body.itemName !== undefined) data.itemName = body.itemName;
+    if (body.category !== undefined) data.category = body.category;
+    if (body.quantity !== undefined) data.quantity = Number(body.quantity);
+    if (body.minStock !== undefined) data.minStock = Number(body.minStock);
+    if (body.unit !== undefined) data.unit = body.unit;
+    if (body.batchNumber !== undefined) data.batchNumber = body.batchNumber;
+    if (body.expiryDate !== undefined) data.expiryDate = body.expiryDate;
+
+    const updated = await prisma.inventory.update({ where: { id }, data });
+    await createAudit({ actorId, action: 'inventory.update', resource: 'Inventory', resourceId: id, before: existing, after: updated });
+    return NextResponse.json(updated);
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+}
diff --git a/src/app/api/pharmacist/inventory/low-stock/route.ts b/src/app/api/pharmacist/inventory/low-stock/route.ts
@@ -0,0 +1,20 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+
+// GET /api/pharmacist/inventory/low-stock
+export async function GET(req: Request) {
+  try {
+    await requirePermission(req, 'inventory.read');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const rows = await prisma.inventory.findMany({ where: { quantity: { lte: prisma.raw('"minStock"') } }, orderBy: { itemName: 'asc' }, take: 200 });
+  // Fallback - if the DB/Prisma version doesn't allow raw in where, do client-side filter
+  if (!rows.length) {
+    const all = await prisma.inventory.findMany({ take: 200, orderBy: { itemName: 'asc' } });
+    return NextResponse.json(all.filter((r) => r.quantity <= (r.minStock ?? 0)));
+  }
+  return NextResponse.json(rows);
+}
diff --git a/src/app/api/pharmacist/inventory/route.ts b/src/app/api/pharmacist/inventory/route.ts
@@ -0,0 +1,32 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+import { createAudit } from '@/services/audit.service';
+
+// GET /api/pharmacist/inventory
+export async function GET(req: Request) {
+  try {
+    await requirePermission(req, 'inventory.read');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const rows = await prisma.inventory.findMany({ take: 500, orderBy: { itemName: 'asc' } });
+  return NextResponse.json(rows);
+}
+
+// POST /api/pharmacist/inventory
+export async function POST(req: Request) {
+  try {
+    const res = await requirePermission(req, 'inventory.update');
+    const actorId = res.session?.user?.id ?? null;
+    const body = await req.json();
+    if (!body?.itemName) return NextResponse.json({ error: 'itemName is required' }, { status: 400 });
+
+    const rec = await prisma.inventory.create({ data: { itemName: body.itemName, category: body.category ?? 'general', quantity: Number(body.quantity ?? 0), minStock: Number(body.minStock ?? 0), unit: body.unit ?? 'ea', batchNumber: body.batchNumber ?? null, expiryDate: body.expiryDate ?? null } });
+    await createAudit({ actorId, action: 'inventory.create', resource: 'Inventory', resourceId: rec.id, after: rec });
+    return NextResponse.json(rec);
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+}
diff --git a/src/app/api/pharmacist/patients/[patientId]/emr/route.ts b/src/app/api/pharmacist/patients/[patientId]/emr/route.ts
@@ -0,0 +1,23 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+
+// GET /api/pharmacist/patients/:patientId/emr
+export async function GET(req: Request, { params }: { params: { patientId: string } }) {
+  try {
+    await requirePermission(req, 'emr.read');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const patientId = params.patientId;
+  const records = await prisma.eMR.findMany({
+    where: { patientId },
+    select: { id: true, diagnosis: true, symptoms: true, vitals: true, notes: true, createdAt: true },
+    orderBy: { createdAt: 'desc' },
+    take: 50,
+  });
+
+  if (!records || records.length === 0) return NextResponse.json({ error: 'No EMR found' }, { status: 404 });
+  return NextResponse.json(records);
+}
diff --git a/src/app/api/pharmacist/prescriptions/[id]/dispense/route.ts b/src/app/api/pharmacist/prescriptions/[id]/dispense/route.ts
@@ -0,0 +1,31 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+import { createAudit } from '@/services/audit.service';
+
+// PATCH /api/pharmacist/prescriptions/:id/dispense
+export async function PATCH(req: Request, { params }: { params: { id: string } }) {
+  const id = params.id;
+  let sessionRes;
+  try {
+    sessionRes = await requirePermission(req, 'pharmacy.dispense');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const actorId = sessionRes.session?.user?.id ?? null;
+
+  const existing = await prisma.prescription.findUnique({ where: { id } });
+  if (!existing) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+  if (existing.dispensed) return NextResponse.json({ error: 'Already dispensed' }, { status: 400 });
+
+  // perform dispense in a transaction (mark prescription, optionally deduct inventory handled separately)
+  const now = new Date();
+  const updated = await prisma.$transaction(async (tx) => {
+    const p = await tx.prescription.update({ where: { id }, data: { dispensed: true, dispensedAt: now, pharmacistId: actorId } });
+    await createAudit({ actorId, action: 'prescription.dispense', resource: 'Prescription', resourceId: id, before: existing, after: p });
+    return p;
+  });
+
+  return NextResponse.json(updated);
+}
diff --git a/src/app/api/pharmacist/prescriptions/[id]/note/route.ts b/src/app/api/pharmacist/prescriptions/[id]/note/route.ts
@@ -0,0 +1,27 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+import { createAudit } from '@/services/audit.service';
+
+// PATCH /api/pharmacist/prescriptions/:id/note
+export async function PATCH(req: Request, { params }: { params: { id: string } }) {
+  try {
+    const res = await requirePermission(req, 'pharmacy.read');
+    const actorId = res.session?.user?.id ?? null;
+    const id = params.id;
+    const body = await req.json();
+    const note = typeof body.note === 'string' ? body.note.trim() : '';
+    if (!note) return NextResponse.json({ error: 'note is required' }, { status: 400 });
+
+    const existing = await prisma.prescription.findUnique({ where: { id } });
+    if (!existing) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+
+    // persist to prescription.pharmacistNotes (non-destructive) and create an audit trail
+    const updated = await prisma.prescription.update({ where: { id }, data: { pharmacistNotes: note } });
+    await createAudit({ actorId, action: 'prescription.note', resource: 'Prescription', resourceId: id, before: { pharmacistNotes: existing.pharmacistNotes ?? null }, after: { pharmacistNotes: note }, meta: { note } });
+
+    return NextResponse.json(updated);
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+}
diff --git a/src/app/api/pharmacist/prescriptions/[id]/route.ts b/src/app/api/pharmacist/prescriptions/[id]/route.ts
@@ -0,0 +1,34 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+
+// GET /api/pharmacist/prescriptions/:id
+export async function GET(req: Request, { params }: { params: { id: string } }) {
+  try {
+    await requirePermission(req, 'pharmacy.read');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const id = params.id;
+  const rec = await prisma.prescription.findUnique({
+    where: { id },
+    include: {
+      doctor: { select: { id: true, user: { select: { id: true, name: true, email: true } }, specialization: true } },
+      patient: { select: { id: true, firstName: true, lastName: true, phone: true, email: true, dateOfBirth: true } },
+    },
+  });
+
+  if (!rec) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+
+  // return medications JSON as-is so pharmacist can review legacy -> new formats
+  return NextResponse.json({
+    id: rec.id,
+    patient: rec.patient,
+    doctor: rec.doctor,
+    medications: rec.medications,
+    instructions: rec.instructions,
+    dispensed: rec.dispensed,
+    dispensedAt: rec.dispensedAt,
+  });
+}
diff --git a/src/app/api/pharmacist/prescriptions/[id]/undo-dispense/route.ts b/src/app/api/pharmacist/prescriptions/[id]/undo-dispense/route.ts
@@ -0,0 +1,29 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+import { createAudit } from '@/services/audit.service';
+
+// PATCH /api/pharmacist/prescriptions/:id/undo-dispense
+export async function PATCH(req: Request, { params }: { params: { id: string } }) {
+  try {
+    await requirePermission(req, 'pharmacy.dispense');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const id = params.id;
+  const existing = await prisma.prescription.findUnique({ where: { id } });
+  if (!existing) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+  if (!existing.dispensed) return NextResponse.json({ error: 'Not dispensed' }, { status: 400 });
+
+  const actorId = (await requirePermission(req, 'pharmacy.dispense')).session?.user?.id ?? null;
+
+  const updated = await prisma.$transaction(async (tx) => {
+    const before = existing;
+    const p = await tx.prescription.update({ where: { id }, data: { dispensed: false, dispensedAt: null, pharmacistId: null } });
+    await createAudit({ actorId, action: 'prescription.undo-dispense', resource: 'Prescription', resourceId: id, before, after: p });
+    return p;
+  });
+
+  return NextResponse.json(updated);
+}
diff --git a/src/app/api/pharmacist/prescriptions/route.ts b/src/app/api/pharmacist/prescriptions/route.ts
@@ -0,0 +1,36 @@
+import { NextResponse } from 'next/server';
+import { requirePermission } from '@/lib/authorization';
+import { prisma } from '@/lib/prisma';
+
+// GET /api/pharmacist/prescriptions?dispensed=false
+export async function GET(req: Request) {
+  try {
+    await requirePermission(req, 'pharmacy.read');
+  } catch (err) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
+  const url = new URL(req.url);
+  const dispensedQ = url.searchParams.get('dispensed');
+  const where: any = {};
+  if (dispensedQ === 'false') where.dispensed = false;
+  if (dispensedQ === 'true') where.dispensed = true;
+
+  const list = await prisma.prescription.findMany({
+    where,
+    take: 200,
+    orderBy: { createdAt: 'desc' },
+    select: {
+      id: true,
+      patientId: true,
+      doctorId: true,
+      pharmacistId: true,
+      dispensed: true,
+      dispensedAt: true,
+      createdAt: true,
+      updatedAt: true,
+    },
+  });
+
+  return NextResponse.json(list);
+}
diff --git a/tests/pharmacist.routes.test.ts b/tests/pharmacist.routes.test.ts
