Improve admin UI and scanner flow

Author: macayu17

backend/src/middleware/auth.middleware.js

@@ -26,6 +26,26 @@ export const authenticate = async (req, res, next) => {
   }
 };
 
+export const authenticateToken = (req, res, next) => {
+  try {
+    const token = req.headers.authorization?.split(' ')[1];
+
+    if (!token) {
+      return res.status(401).json({ error: 'No token provided' });
+    }
+
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    req.user = {
+      id: decoded.userId,
+      email: decoded.email,
+      role: decoded.role
+    };
+    next();
+  } catch {
+    res.status(401).json({ error: 'Invalid or expired token' });
+  }
+};
+
 export const requireAdmin = (req, res, next) => {
   if (req.user.role !== 'ADMIN') {
     return res.status(403).json({ error: 'Admin access required' });

backend/src/routes/ticket.routes.js

@@ -5,13 +5,95 @@ import path from 'path';
 import { fileURLToPath } from 'url';
 import prisma from '../config/db.js';
 import { verifyQRSignature } from '../utils/qr.util.js';
-import { authenticate, checkEventAccess } from '../middleware/auth.middleware.js';
+import { authenticateToken } from '../middleware/auth.middleware.js';
 import { getR2ObjectBuffer, isR2TemplateRef } from '../utils/r2.util.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
 const router = express.Router();
+const debugTicketVerify = (...args) => {
+  if (process.env.DEBUG_TICKET_VERIFY === 'true') {
+    console.log(...args);
+  }
+};
+
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+const TICKET_PREFIX_PATTERN = /^[0-9a-f]{6,12}$/i;
+
+const ticketLookupSelect = `
+  SELECT
+    t.id,
+    t.order_id AS "orderId",
+    t.qr_payload AS "qrPayload",
+    t.issued_at AS "issuedAt",
+    t.revoked,
+    t.valid_until AS "validUntil",
+    t.scanned_at AS "scannedAt",
+    t.checked_in_at AS "checkedInAt",
+    r.form_response AS "formResponse",
+    e.id AS "eventId",
+    e.title AS "eventTitle",
+    e.location AS "eventLocation",
+    e.start_time AS "eventStartTime",
+    e.organizer_id AS "organizerId"
+  FROM tickets t
+  INNER JOIN orders o ON o.id = t.order_id
+  INNER JOIN registrations r ON r.id = o.registration_id
+  INNER JOIN events e ON e.id = r.event_id
+`;
+
+function mapTicketRow(row) {
+  if (!row) return null;
+
+  return {
+    id: row.id,
+    orderId: row.orderId,
+    qrPayload: row.qrPayload,
+    issuedAt: row.issuedAt,
+    revoked: row.revoked,
+    validUntil: row.validUntil,
+    scannedAt: row.scannedAt,
+    checkedInAt: row.checkedInAt,
+    order: {
+      registration: {
+        formResponse: row.formResponse,
+        event: {
+          id: row.eventId,
+          title: row.eventTitle,
+          location: row.eventLocation,
+          startTime: row.eventStartTime,
+          organizerId: row.organizerId
+        }
+      }
+    }
+  };
+}
+
+async function canScanTicket(user, event) {
+  if (user.role === 'ADMIN') {
+    return { hasAccess: true };
+  }
+
+  if (event.organizerId === user.id) {
+    return { hasAccess: true };
+  }
+
+  const teamMember = await prisma.teamMember.findUnique({
+    where: { eventId_email: { eventId: event.id, email: user.email } },
+    select: { role: true }
+  });
+
+  if (!teamMember) {
+    return { hasAccess: false, error: 'Not authorized' };
+  }
+
+  if (!['SUPER_MANAGER', 'MANAGER', 'SCANNER'].includes(teamMember.role)) {
+    return { hasAccess: false, error: 'Insufficient permissions' };
+  }
+
+  return { hasAccess: true };
+}
 
 const toNormalizedPayload = (input) => {
   if (!input) return null;
@@ -94,65 +176,69 @@ const toNormalizedPayload = (input) => {
 async function findTicketByIdOrPrefix(ticketId) {
   if (!ticketId) return null;
   const cleaned = ticketId.trim().toLowerCase();
+  const isFullId = UUID_PATTERN.test(cleaned);
+  const isPrefix = TICKET_PREFIX_PATTERN.test(cleaned);
+
+  if (!isFullId && !isPrefix) {
+    return null;
+  }
 
   // Try exact match first
-  let ticket = await prisma.ticket.findUnique({
-    where: { id: cleaned },
-    include: { order: { include: { registration: { include: { event: true } } } } }
-  });
-  if (ticket) return ticket;
+  if (isFullId) {
+    const rows = await prisma.$queryRawUnsafe(`${ticketLookupSelect} WHERE t.id = $1 LIMIT 1`, cleaned);
+    const ticket = mapTicketRow(rows[0]);
+    if (ticket) return ticket;
+  }
 
   // Try prefix match (short IDs like "2FBF033A" → first 8 chars of UUID)
-  if (cleaned.length >= 6 && cleaned.length <= 12 && !cleaned.includes('-')) {
-    ticket = await prisma.ticket.findFirst({
-      where: { id: { startsWith: cleaned } },
-      include: { order: { include: { registration: { include: { event: true } } } } }
-    });
+  if (isPrefix) {
+    const rows = await prisma.$queryRawUnsafe(`${ticketLookupSelect} WHERE t.id LIKE $1 LIMIT 1`, `${cleaned}%`);
+    const ticket = mapTicketRow(rows[0]);
     if (ticket) return ticket;
   }
 
   return null;
 }
 
-// Verify ticket (for scanning at venue) - requires authentication
-router.post('/verify', authenticate, async (req, res) => {
+// Verify ticket (for scanning at venue) - uses JWT-only auth for fast gate checks.
+router.post('/verify', authenticateToken, async (req, res) => {
   try {
     const { qrPayload } = req.body;
 
     if (!qrPayload) {
       return res.status(400).json({ error: 'QR payload required' });
     }
 
-    console.log('[verify] Raw qrPayload type:', typeof qrPayload, 'length:', String(qrPayload).length);
+    debugTicketVerify('[verify] Raw qrPayload type:', typeof qrPayload, 'length:', String(qrPayload).length);
 
     // Parse QR payload (supports JSON, URL-encoded JSON, base64 JSON, URL query payloads)
     const payload = toNormalizedPayload(qrPayload);
 
     let ticket = null;
 
     if (payload && payload.ticketId) {
-      console.log('[verify] Parsed ticketId:', payload.ticketId);
+      debugTicketVerify('[verify] Parsed ticketId:', payload.ticketId);
       ticket = await findTicketByIdOrPrefix(payload.ticketId);
     }
 
     // Fallback: treat raw qrPayload as a plain ticket ID string
     if (!ticket && typeof qrPayload === 'string') {
       const rawId = qrPayload.trim().replace(/^\uFEFF/, '').replace(/[^a-fA-F0-9-]/g, '');
       if (rawId.length >= 6) {
-        console.log('[verify] Trying raw string as ticketId:', rawId);
+        debugTicketVerify('[verify] Trying raw string as ticketId:', rawId);
         ticket = await findTicketByIdOrPrefix(rawId);
       }
     }
 
     if (!ticket) {
-      console.log('[verify] Ticket not found for payload:', JSON.stringify(payload));
+      debugTicketVerify('[verify] Ticket not found for payload:', JSON.stringify(payload));
       return res.status(404).json({
         valid: false,
         error: 'Ticket not found'
       });
     }
 
-    console.log('[verify] Found ticket:', ticket.id);
+    debugTicketVerify('[verify] Found ticket:', ticket.id);
 
     // Signature verification — multiple fallback strategies
     let storedPayload = null;
@@ -178,7 +264,7 @@ router.post('/verify', authenticate, async (req, res) => {
     // In dev mode ALWAYS valid; in production accept any valid fallback
     const isValid = isDev ? true : (hasValidHmac || matchesStoredPayload || matchesTicketIdentity);
 
-    console.log('[verify] Sig check:', { isDev, hasValidHmac, matchesStoredPayload, matchesTicketIdentity, isValid });
+    debugTicketVerify('[verify] Sig check:', { isDev, hasValidHmac, matchesStoredPayload, matchesTicketIdentity, isValid });
 
     if (!isValid) {
       return res.status(400).json({
@@ -188,8 +274,8 @@ router.post('/verify', authenticate, async (req, res) => {
     }
 
     // Check if user has access to scan this event's tickets
-    const eventId = ticket.order.registration.event.id;
-    const accessCheck = await checkEventAccess(req.user, eventId, ['SUPER_MANAGER', 'MANAGER', 'SCANNER']);
+    const event = ticket.order.registration.event;
+    const accessCheck = await canScanTicket(req.user, event);
 
     if (!accessCheck.hasAccess) {
       return res.status(403).json({
@@ -230,14 +316,34 @@ router.post('/verify', authenticate, async (req, res) => {
 
     // Mark ticket as scanned (set both fields for compatibility)
     const now = new Date();
-    await prisma.ticket.update({
-      where: { id: ticket.id },
-      data: { 
+    const updateResult = await prisma.ticket.updateMany({
+      where: {
+        id: ticket.id,
+        scannedAt: null,
+        checkedInAt: null
+      },
+      data: {
         scannedAt: now,
-        checkedInAt: now 
+        checkedInAt: now,
+        checkedInBy: req.user.id
       }
     });
 
+    if (updateResult.count === 0) {
+      const currentTicket = await prisma.ticket.findUnique({
+        where: { id: ticket.id },
+        select: { scannedAt: true, checkedInAt: true }
+      });
+
+      return res.status(400).json({
+        valid: false,
+        alreadyScanned: true,
+        error: 'Ticket already used',
+        scannedAt: currentTicket?.scannedAt || currentTicket?.checkedInAt || now,
+        attendee: ticket.order.registration.formResponse
+      });
+    }
+
     res.json({
       valid: true,
       ticket: {

backend/src/server.js

@@ -1,7 +1,7 @@
+import 'dotenv/config';
 import express from 'express';
 import cors from 'cors';
 import helmet from 'helmet';
-import dotenv from 'dotenv';
 import rateLimit from 'express-rate-limit';
 
 // Import routes
@@ -21,8 +21,6 @@ import teamRoutes from './routes/team.routes.js';
 import featureRoutes from './routes/feature.routes.js';
 import walletRoutes from './routes/wallet.routes.js';
 
-dotenv.config();
-
 const app = express();
 const PORT = process.env.PORT || 5000;