@ratim818/allyve-wellness-backend 1.0.0

package/src/routes/appointments.ts

@@ -0,0 +1,293 @@
+import { Router, Request, Response } from "express";
+import { v4 as uuidv4 } from "uuid";
+import { z } from "zod";
+import { db } from "../config/database.js";
+import { encrypt, decrypt } from "../services/encryption.js";
+import { writeAuditLog } from "../services/audit.js";
+import { authenticate, validateSession } from "../middleware/auth.js";
+
+export const appointmentRouter = Router();
+appointmentRouter.use(authenticate, validateSession);
+
+const appointmentSchema = z.object({
+  title: z.string().min(1).max(200),
+  providerName: z.string().min(1).max(100),
+  providerType: z.enum(["OBGYN", "Cardiologist", "Doula", "Lactation Specialist", "Pharmacist", "Therapist", "Dietician", "Other"]),
+  date: z.string().datetime(),
+  location: z.string().max(500).optional(),
+  notes: z.string().max(2000).optional(),
+  confirmed: z.boolean().optional(),
+  isTelehealth: z.boolean().optional(),
+});
+
+// GET /appointments
+appointmentRouter.get("/", async (req: Request, res: Response) => {
+  try {
+    const appointments = await db("appointments")
+      .where("user_id", req.user!.userId)
+      .where("is_deleted", false)
+      .orderBy("appointment_date", "asc");
+
+    const decrypted = appointments.map((a: any) => ({
+      id: a.id,
+      title: a.title,
+      providerName: a.provider_name,
+      providerType: a.provider_type,
+      date: a.appointment_date,
+      location: a.location_encrypted ? decrypt(a.location_encrypted) : null,
+      notes: a.notes_encrypted ? decrypt(a.notes_encrypted) : null,
+      confirmed: a.confirmed,
+      isTelehealth: a.is_telehealth,
+    }));
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "appointment",
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ data: decrypted });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch appointments" });
+  }
+});
+
+// POST /appointments
+appointmentRouter.post("/", async (req: Request, res: Response) => {
+  try {
+    const data = appointmentSchema.parse(req.body);
+    const id = uuidv4();
+
+    await db("appointments").insert({
+      id,
+      user_id: req.user!.userId,
+      title: data.title,
+      provider_name: data.providerName,
+      provider_type: data.providerType,
+      appointment_date: new Date(data.date),
+      location_encrypted: data.location ? encrypt(data.location) : null,
+      notes_encrypted: data.notes ? encrypt(data.notes) : null,
+      confirmed: data.confirmed ?? false,
+      is_telehealth: data.isTelehealth ?? false,
+    });
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "CREATE",
+      resource_type: "appointment",
+      resource_id: id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.status(201).json({ id, message: "Appointment created" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to create appointment" });
+  }
+});
+
+// PUT /appointments/:id
+appointmentRouter.put("/:id", async (req: Request, res: Response) => {
+  try {
+    const data = appointmentSchema.partial().parse(req.body);
+
+    const existing = await db("appointments")
+      .where("id", req.params.id)
+      .where("user_id", req.user!.userId)
+      .where("is_deleted", false)
+      .first();
+
+    if (!existing) {
+      res.status(404).json({ error: "Appointment not found" });
+      return;
+    }
+
+    const updates: Record<string, unknown> = { updated_at: new Date() };
+    if (data.title) updates.title = data.title;
+    if (data.providerName) updates.provider_name = data.providerName;
+    if (data.providerType) updates.provider_type = data.providerType;
+    if (data.date) updates.appointment_date = new Date(data.date);
+    if (data.location !== undefined) updates.location_encrypted = data.location ? encrypt(data.location) : null;
+    if (data.notes !== undefined) updates.notes_encrypted = data.notes ? encrypt(data.notes) : null;
+    if (data.confirmed !== undefined) updates.confirmed = data.confirmed;
+    if (data.isTelehealth !== undefined) updates.is_telehealth = data.isTelehealth;
+
+    await db("appointments").where("id", req.params.id).update(updates);
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "UPDATE",
+      resource_type: "appointment",
+      resource_id: req.params.id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ message: "Appointment updated" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to update appointment" });
+  }
+});
+
+// DELETE /appointments/:id (soft delete)
+appointmentRouter.delete("/:id", async (req: Request, res: Response) => {
+  try {
+    const result = await db("appointments")
+      .where("id", req.params.id)
+      .where("user_id", req.user!.userId)
+      .update({ is_deleted: true, updated_at: new Date() });
+
+    if (!result) {
+      res.status(404).json({ error: "Appointment not found" });
+      return;
+    }
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "DELETE",
+      resource_type: "appointment",
+      resource_id: req.params.id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ message: "Appointment deleted" });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to delete appointment" });
+  }
+});
+
+// ════════════════════════════════════════════════════════════
+// DATA SHARING (HIPAA-compliant with consent tracking)
+// ════════════════════════════════════════════════════════════
+
+export const shareRouter = Router();
+shareRouter.use(authenticate, validateSession);
+
+const shareSchema = z.object({
+  recipientName: z.string().min(1).max(100),
+  recipientType: z.enum(["provider", "family", "other"]),
+  recipientEmail: z.string().email().optional(),
+  dataTypes: z.array(z.enum(["health_metrics", "symptoms", "mood", "journal", "appointments"])).min(1),
+  expiresInDays: z.number().int().min(1).max(365).optional(),
+});
+
+shareRouter.get("/", async (req: Request, res: Response) => {
+  try {
+    const shares = await db("shared_data")
+      .where("user_id", req.user!.userId)
+      .orderBy("shared_at", "desc");
+
+    const decrypted = shares.map((s: any) => ({
+      id: s.id,
+      recipientName: decrypt(s.recipient_name_encrypted),
+      recipientType: s.recipient_type,
+      recipientEmail: s.recipient_email_encrypted ? decrypt(s.recipient_email_encrypted) : null,
+      dataTypes: s.data_types,
+      status: s.status,
+      sharedAt: s.shared_at,
+      expiresAt: s.expires_at,
+    }));
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "shared_data",
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ data: decrypted });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch shared data" });
+  }
+});
+
+shareRouter.post("/", async (req: Request, res: Response) => {
+  try {
+    const data = shareSchema.parse(req.body);
+    const id = uuidv4();
+
+    await db("shared_data").insert({
+      id,
+      user_id: req.user!.userId,
+      recipient_name_encrypted: encrypt(data.recipientName),
+      recipient_type: data.recipientType,
+      recipient_email_encrypted: data.recipientEmail ? encrypt(data.recipientEmail) : null,
+      data_types: data.dataTypes,
+      status: "active",
+      shared_at: new Date(),
+      expires_at: data.expiresInDays
+        ? new Date(Date.now() + data.expiresInDays * 24 * 60 * 60 * 1000)
+        : null,
+    });
+
+    // Record consent
+    await db("consent_records").insert({
+      id: uuidv4(),
+      user_id: req.user!.userId,
+      consent_type: "data_sharing",
+      granted: true,
+      details: JSON.stringify({ shareId: id, dataTypes: data.dataTypes, recipient: data.recipientName }),
+      ip_address: req.ip,
+      granted_at: new Date(),
+    });
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "SHARE",
+      resource_type: "shared_data",
+      resource_id: id,
+      details: { dataTypes: data.dataTypes, recipientType: data.recipientType },
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.status(201).json({ id, message: "Data shared successfully" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to share data" });
+  }
+});
+
+// POST /share/:id/revoke — revoke a data share
+shareRouter.post("/:id/revoke", async (req: Request, res: Response) => {
+  try {
+    const result = await db("shared_data")
+      .where("id", req.params.id)
+      .where("user_id", req.user!.userId)
+      .where("status", "active")
+      .update({ status: "revoked", revoked_at: new Date() });
+
+    if (!result) {
+      res.status(404).json({ error: "Active share not found" });
+      return;
+    }
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "REVOKE_SHARE",
+      resource_type: "shared_data",
+      resource_id: req.params.id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ message: "Data sharing revoked" });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to revoke share" });
+  }
+});

package/src/routes/audit.ts

@@ -0,0 +1,29 @@
+import { Router, Request, Response } from "express";
+import { authenticate, validateSession, requireRole } from "../middleware/auth.js";
+import { queryAuditLogs } from "../services/audit.js";
+
+export const auditRouter = Router();
+
+// Only admin/compliance roles can view audit logs
+auditRouter.use(authenticate, validateSession, requireRole("admin"));
+
+// GET /audit/logs — query audit trail
+auditRouter.get("/logs", async (req: Request, res: Response) => {
+  try {
+    const { userId, action, resourceType, startDate, endDate, limit, offset } = req.query;
+
+    const logs = await queryAuditLogs({
+      userId: userId as string,
+      action: action as any,
+      resourceType: resourceType as any,
+      startDate: startDate ? new Date(startDate as string) : undefined,
+      endDate: endDate ? new Date(endDate as string) : undefined,
+      limit: limit ? Number(limit) : 100,
+      offset: offset ? Number(offset) : 0,
+    });
+
+    res.json({ data: logs, total: logs.length });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to query audit logs" });
+  }
+});

package/src/routes/auth.ts

@@ -0,0 +1,141 @@
+import { Router, Request, Response } from "express";
+import { z } from "zod";
+import { registerUser, loginUser, refreshAccessToken, logoutUser } from "../services/auth.js";
+import { authenticate, validateSession } from "../middleware/auth.js";
+import { writeAuditLog } from "../services/audit.js";
+
+export const authRouter = Router();
+
+// ── Validation Schemas ──────────────────────────────────
+const registerSchema = z.object({
+  email: z.string().email("Invalid email"),
+  password: z
+    .string()
+    .min(12, "Password must be at least 12 characters")
+    .regex(/[A-Z]/, "Must include an uppercase letter")
+    .regex(/[a-z]/, "Must include a lowercase letter")
+    .regex(/[0-9]/, "Must include a number")
+    .regex(/[^A-Za-z0-9]/, "Must include a special character"),
+  fullName: z.string().min(2).max(100),
+  dateOfBirth: z.string().regex(/^\d{4}-\d{2}-\d{2}$/, "Use YYYY-MM-DD format"),
+  phone: z.string().optional(),
+});
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(1),
+});
+
+// ── POST /auth/register ─────────────────────────────────
+authRouter.post("/register", async (req: Request, res: Response) => {
+  try {
+    const data = registerSchema.parse(req.body);
+    const result = await registerUser(data);
+    res.status(201).json({ message: "Account created", userId: result.userId });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    const message = (err as Error).message;
+    const status = message.includes("already exists") ? 409 : 500;
+    res.status(status).json({ error: message });
+  }
+});
+
+// ── POST /auth/login ────────────────────────────────────
+authRouter.post("/login", async (req: Request, res: Response) => {
+  try {
+    const data = loginSchema.parse(req.body);
+    const tokens = await loginUser(data.email, data.password, req.ip, req.get("user-agent"));
+
+    // Set refresh token as httpOnly cookie (more secure than localStorage)
+    res.cookie("refreshToken", tokens.refreshToken, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict",
+      maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
+      path: "/api/v1/auth/refresh",
+    });
+
+    res.json({
+      accessToken: tokens.accessToken,
+      expiresIn: tokens.expiresIn,
+    });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    const message = (err as Error).message;
+    const status = message.includes("locked") ? 423 : 401;
+    res.status(status).json({ error: message });
+  }
+});
+
+// ── POST /auth/refresh ──────────────────────────────────
+authRouter.post("/refresh", async (req: Request, res: Response) => {
+  try {
+    const refreshToken = req.cookies?.refreshToken || req.body.refreshToken;
+    if (!refreshToken) {
+      res.status(401).json({ error: "Refresh token required" });
+      return;
+    }
+
+    const tokens = await refreshAccessToken(refreshToken);
+    res.json({
+      accessToken: tokens.accessToken,
+      expiresIn: tokens.expiresIn,
+    });
+  } catch (err) {
+    res.status(401).json({ error: (err as Error).message });
+  }
+});
+
+// ── POST /auth/logout ───────────────────────────────────
+authRouter.post("/logout", authenticate, async (req: Request, res: Response) => {
+  try {
+    await logoutUser(req.user!.userId, req.user!.sessionId, req.ip);
+
+    res.clearCookie("refreshToken", { path: "/api/v1/auth/refresh" });
+    res.json({ message: "Logged out successfully" });
+  } catch (err) {
+    res.status(500).json({ error: "Logout failed" });
+  }
+});
+
+// ── GET /auth/me — current user profile ─────────────────
+authRouter.get("/me", authenticate, validateSession, async (req: Request, res: Response) => {
+  try {
+    const { db } = await import("../config/database.js");
+    const { decrypt } = await import("../services/encryption.js");
+
+    const user = await db("users").where("id", req.user!.userId).first();
+    if (!user) {
+      res.status(404).json({ error: "User not found" });
+      return;
+    }
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "user",
+      resource_id: req.user!.userId,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({
+      id: user.id,
+      email: decrypt(user.email_encrypted),
+      fullName: decrypt(user.full_name_encrypted),
+      dateOfBirth: decrypt(user.date_of_birth_encrypted),
+      phone: user.phone_encrypted ? decrypt(user.phone_encrypted) : null,
+      pregnancyWeek: user.pregnancy_week,
+      role: user.role,
+      createdAt: user.created_at,
+    });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch profile" });
+  }
+});