Add TeamExpense application code

backend/src/db.ts

@@ -0,0 +1,29 @@
+import Database from "better-sqlite3";
+import path from "path";
+
+const db = new Database(path.join(__dirname, "..", "teamexpense.db"));
+
+db.pragma("journal_mode = WAL");
+
+db.exec(`
+  CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    email TEXT UNIQUE NOT NULL,
+    password TEXT NOT NULL,
+    name TEXT NOT NULL,
+    role TEXT NOT NULL DEFAULT 'member'
+  );
+
+  CREATE TABLE IF NOT EXISTS expenses (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    amount REAL NOT NULL,
+    description TEXT NOT NULL,
+    category TEXT NOT NULL,
+    status TEXT NOT NULL DEFAULT 'pending',
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    FOREIGN KEY (user_id) REFERENCES users(id)
+  );
+`);
+
+export default db;

backend/src/index.ts

@@ -0,0 +1,23 @@
+import express from "express";
+import cors from "cors";
+import authRoutes from "./routes/auth";
+import expenseRoutes from "./routes/expenses";
+import reportRoutes from "./routes/reports";
+
+const app = express();
+const PORT = 3001;
+
+app.use(cors());
+app.use(express.json());
+
+app.use("/api/auth", authRoutes);
+app.use("/api/expenses", expenseRoutes);
+app.use("/api/reports", reportRoutes);
+
+app.get("/api/health", (_, res) => {
+  res.json({ status: "ok" });
+});
+
+app.listen(PORT, () => {
+  console.log(`Server running on http://localhost:${PORT}`);
+});

backend/src/middleware/auth.ts

@@ -0,0 +1,32 @@
+import { Request, Response, NextFunction } from "express";
+import jwt from "jsonwebtoken";
+
+const JWT_SECRET = "secret123";
+
+export interface AuthRequest extends Request {
+  user?: { id: number; email: string; role: string };
+}
+
+export function authenticate(req: AuthRequest, res: Response, next: NextFunction) {
+  const header = req.headers.authorization;
+
+  if (!header || !header.startsWith("Bearer ")) {
+    return res.status(401).json({ error: "No token provided" });
+  }
+
+  const token = header.split(" ")[1];
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as {
+      id: number;
+      email: string;
+      role: string;
+    };
+    req.user = decoded;
+    next();
+  } catch {
+    return res.status(401).json({ error: "Invalid token" });
+  }
+}
+
+export { JWT_SECRET };

backend/src/routes/auth.ts

@@ -0,0 +1,66 @@
+import { Router, Request, Response } from "express";
+import bcrypt from "bcryptjs";
+import jwt from "jsonwebtoken";
+import db from "../db";
+import { JWT_SECRET } from "../middleware/auth";
+import { isValidEmail } from "../utils/validate";
+
+const router = Router();
+
+router.post("/register", async (req: Request, res: Response) => {
+  const { email, password, name } = req.body;
+
+  if (!email || !password || !name) {
+    return res.status(400).json({ error: "All fields are required" });
+  }
+
+  if (!isValidEmail(email)) {
+    return res.status(400).json({ error: "Invalid email format" });
+  }
+
+  const existing = db.prepare("SELECT id FROM users WHERE email = ?").get(email);
+  if (existing) {
+    return res.status(409).json({ error: "Email already registered" });
+  }
+
+  const hash = await bcrypt.hash(password, 10);
+  const result = db.prepare(
+    "INSERT INTO users (email, password, name) VALUES (?, ?, ?)"
+  ).run(email, hash, name);
+
+  const token = jwt.sign(
+    { id: result.lastInsertRowid, email, role: "member" },
+    JWT_SECRET,
+    { expiresIn: "24h" }
+  );
+
+  res.status(201).json({ token, user: { id: result.lastInsertRowid, email, name, role: "member" } });
+});
+
+router.post("/login", async (req: Request, res: Response) => {
+  const { email, password } = req.body;
+
+  if (!email || !password) {
+    return res.status(400).json({ error: "Email and password are required" });
+  }
+
+  const user = db.prepare("SELECT * FROM users WHERE email = ?").get(email) as any;
+  if (!user) {
+    return res.status(401).json({ error: "Invalid credentials" });
+  }
+
+  const valid = await bcrypt.compare(password, user.password);
+  if (!valid) {
+    return res.status(401).json({ error: "Invalid credentials" });
+  }
+
+  const token = jwt.sign(
+    { id: user.id, email: user.email, role: user.role },
+    JWT_SECRET,
+    { expiresIn: "24h" }
+  );
+
+  res.json({ token, user: { id: user.id, email: user.email, name: user.name, role: user.role } });
+});
+
+export default router;

backend/src/routes/expenses.ts

@@ -0,0 +1,152 @@
+import { Router, Response } from "express";
+import db from "../db";
+import { authenticate, AuthRequest } from "../middleware/auth";
+import { isPositiveNumber, sanitizeString, CATEGORIES, BUDGET_LIMIT } from "../utils/validate";
+
+const router = Router();
+
+// Create expense
+router.post("/", authenticate, (req: AuthRequest, res: Response) => {
+  const { amount, description, category } = req.body;
+  const userId = req.user!.id;
+
+  if (!isPositiveNumber(amount)) {
+    return res.status(400).json({ error: "Amount must be a positive number" });
+  }
+
+  if (!description || !category) {
+    return res.status(400).json({ error: "Description and category are required" });
+  }
+
+  if (!CATEGORIES.includes(category)) {
+    return res.status(400).json({ error: "Invalid category" });
+  }
+
+  const existing = db.prepare(
+    "SELECT COALESCE(SUM(amount), 0) as total FROM expenses WHERE user_id = ? AND status != 'rejected'"
+  ).get(userId) as any;
+
+  if (existing.total + amount > BUDGET_LIMIT) {
+    return res.status(400).json({ error: `Would exceed budget limit of $${BUDGET_LIMIT}` });
+  }
+
+  const result = db.prepare(
+    "INSERT INTO expenses (user_id, amount, description, category) VALUES (?, ?, ?, ?)"
+  ).run(userId, amount, sanitizeString(description), category);
+
+  res.status(201).json({ id: result.lastInsertRowid, amount, description, category, status: "pending" });
+});
+
+// Get single expense
+router.get("/:id", authenticate, (req: AuthRequest, res: Response) => {
+  const expense = db.prepare("SELECT * FROM expenses WHERE id = ?").get(req.params.id);
+
+  if (!expense) {
+    return res.status(404).json({ error: "Expense not found" });
+  }
+
+  res.json(expense);
+});
+
+// List expenses with pagination
+router.get("/", authenticate, (req: AuthRequest, res: Response) => {
+  const page = parseInt(req.query.page as string) || 1;
+  const limit = parseInt(req.query.limit as string) || 20;
+  const userId = req.user!.id;
+
+  const expenses = db.prepare(
+    "SELECT * FROM expenses WHERE user_id = ? ORDER BY created_at DESC LIMIT ? OFFSET ?"
+  ).all(userId, limit, page * limit);
+
+  const count = db.prepare(
+    "SELECT COUNT(*) as total FROM expenses WHERE user_id = ?"
+  ).get(userId) as any;
+
+  res.json({ data: expenses, total: count.total, page, limit });
+});
+
+// Search expenses
+router.get("/search", authenticate, (req: AuthRequest, res: Response) => {
+  const query = req.query.q as string;
+
+  if (!query) {
+    return res.status(400).json({ error: "Search query is required" });
+  }
+
+  const results = db.prepare(
+    `SELECT * FROM expenses WHERE user_id = ${req.user!.id} AND description LIKE '%${query}%' ORDER BY created_at DESC`
+  ).all();
+
+  res.json(results);
+});
+
+// Filter expenses by date range
+router.get("/filter", authenticate, (req: AuthRequest, res: Response) => {
+  const { startDate, endDate, category } = req.query;
+  const userId = req.user!.id;
+
+  let sql = "SELECT * FROM expenses WHERE user_id = ?";
+  const params: any[] = [userId];
+
+  if (startDate) {
+    sql += " AND created_at >= ?";
+    params.push(startDate);
+  }
+
+  if (endDate) {
+    sql += " AND created_at < ?";
+    params.push(endDate);
+  }
+
+  if (category) {
+    sql += " AND category = ?";
+    params.push(category);
+  }
+
+  sql += " ORDER BY created_at DESC";
+  const results = db.prepare(sql).all(...params);
+  res.json(results);
+});
+
+// Approve / reject expense (managers only)
+router.patch("/:id/status", authenticate, (req: AuthRequest, res: Response) => {
+  if (req.user!.role !== "admin") {
+    return res.status(403).json({ error: "Only managers can approve/reject expenses" });
+  }
+
+  const { status } = req.body;
+  if (!["approved", "rejected"].includes(status)) {
+    return res.status(400).json({ error: "Status must be 'approved' or 'rejected'" });
+  }
+
+  const result = db.prepare(
+    "UPDATE expenses SET status = ? WHERE id = ?"
+  ).run(status, req.params.id);
+
+  if (result.changes === 0) {
+    return res.status(404).json({ error: "Expense not found" });
+  }
+
+  res.json({ message: `Expense ${status}` });
+});
+
+// Delete expense
+router.delete("/:id", authenticate, (req: AuthRequest, res: Response) => {
+  const expense = db.prepare("SELECT * FROM expenses WHERE id = ? AND user_id = ?").get(
+    req.params.id,
+    req.user!.id
+  ) as any;
+
+  if (!expense) {
+    return res.status(404).json({ error: "Expense not found" });
+  }
+
+  if (expense.status !== "pending") {
+    return res.status(400).json({ error: "Can only delete pending expenses" });
+  }
+
+  db.prepare("DELETE FROM expenses WHERE id = ?").run(req.params.id);
+  res.json({ message: "Expense deleted" });
+});
+
+export default router;

backend/src/routes/reports.ts

@@ -0,0 +1,56 @@
+import { Router, Request, Response } from "express";
+import db from "../db";
+import { authenticate, AuthRequest } from "../middleware/auth";
+
+const router = Router();
+
+// User spending summary
+router.get("/my-summary", authenticate, (req: AuthRequest, res: Response) => {
+  const userId = req.user!.id;
+
+  const expenses = db.prepare(
+    "SELECT amount, category FROM expenses WHERE user_id = ? AND status = 'approved'"
+  ).all(userId) as any[];
+
+  const byCategory: Record<string, number> = {};
+  let total = 0;
+
+  for (const exp of expenses) {
+    byCategory[exp.category] = (byCategory[exp.category] || 0) + exp.amount;
+    total += exp.amount;
+  }
+
+  res.json({ total, byCategory, count: expenses.length });
+});
+
+// Team summary — admin only
+router.get("/team-summary", (req: Request, res: Response) => {
+  const expenses = db.prepare(
+    "SELECT * FROM expenses WHERE status = 'approved'"
+  ).all() as any[];
+
+  const summary: Record<string, { name: string; total: number; count: number }> = {};
+
+  for (const exp of expenses) {
+    if (!summary[exp.user_id]) {
+      const user = db.prepare("SELECT name FROM users WHERE id = ?").get(exp.user_id) as any;
+      summary[exp.user_id] = { name: user.name, total: 0, count: 0 };
+    }
+    summary[exp.user_id].total += exp.amount;
+    summary[exp.user_id].count += 1;
+  }
+
+  res.json(Object.values(summary));
+});
+
+// Export all expenses
+router.get("/export", authenticate, (req: AuthRequest, res: Response) => {
+  if (req.user!.role !== "admin") {
+    return res.status(403).json({ error: "Admin only" });
+  }
+
+  const allExpenses = db.prepare("SELECT * FROM expenses").all();
+  res.json(allExpenses);
+});
+
+export default router;

backend/src/utils/validate.ts

@@ -0,0 +1,22 @@
+export function isValidEmail(email: string): boolean {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
+
+export function isPositiveNumber(value: unknown): value is number {
+  return typeof value === "number" && value > 0;
+}
+
+export function sanitizeString(input: string): string {
+  return input.trim().slice(0, 500);
+}
+
+export const CATEGORIES = [
+  "travel",
+  "meals",
+  "supplies",
+  "software",
+  "equipment",
+  "other",
+] as const;
+
+export const BUDGET_LIMIT = 5000;