@ratim818/allyve-wellness-backend 1.0.0

package/src/routes/health.ts

@@ -0,0 +1,387 @@
+import { Router, Request, Response } from "express";
+import { v4 as uuidv4 } from "uuid";
+import { z } from "zod";
+import { db } from "../config/database.js";
+import { encrypt, decrypt, encryptJSON, decryptJSON } from "../services/encryption.js";
+import { writeAuditLog } from "../services/audit.js";
+import { authenticate, validateSession } from "../middleware/auth.js";
+
+export const healthRouter = Router();
+
+// All routes require authentication + valid session
+healthRouter.use(authenticate, validateSession);
+
+// ── Validation Schemas ──────────────────────────────────
+const healthMetricSchema = z.object({
+  metricName: z.string().min(1).max(50),
+  value: z.union([z.number(), z.string()]),
+  unit: z.string().max(20),
+  status: z.enum(["normal", "warning", "critical", "unknown"]),
+  trend: z.enum(["rising", "falling", "stable", "fluctuating", "unknown"]).optional(),
+  minThreshold: z.number().optional(),
+  maxThreshold: z.number().optional(),
+  deviceId: z.string().uuid().optional(),
+  recordedAt: z.string().datetime().optional(),
+});
+
+const symptomSchema = z.object({
+  name: z.string().min(1).max(100),
+  severity: z.number().int().min(1).max(10),
+  notes: z.string().max(2000).optional(),
+  isCardiovascularRelated: z.boolean(),
+  recordedAt: z.string().datetime().optional(),
+});
+
+const moodSchema = z.object({
+  mood: z.enum(["verySad", "sad", "neutral", "happy", "veryHappy", "angry"]),
+  notes: z.string().max(2000).optional(),
+  anxietyLevel: z.number().int().min(1).max(10).optional(),
+  recordedAt: z.string().datetime().optional(),
+});
+
+const journalSchema = z.object({
+  content: z.string().min(1).max(10000),
+  tags: z.array(z.string().max(50)).max(20).optional(),
+  painScore: z.number().int().min(1).max(10).optional(),
+  anxietyLevel: z.number().int().min(1).max(10).optional(),
+  recordedAt: z.string().datetime().optional(),
+});
+
+// ════════════════════════════════════════════════════════════
+// HEALTH METRICS
+// ════════════════════════════════════════════════════════════
+
+// GET /health/metrics — list user's health metrics
+healthRouter.get("/metrics", async (req: Request, res: Response) => {
+  try {
+    const userId = req.user!.userId;
+    const { limit = 50, offset = 0, metric, since } = req.query;
+
+    let query = db("health_metrics")
+      .where("user_id", userId)
+      .where("is_deleted", false)
+      .orderBy("recorded_at", "desc")
+      .limit(Number(limit))
+      .offset(Number(offset));
+
+    if (metric) query = query.where("metric_name", metric as string);
+    if (since) query = query.where("recorded_at", ">=", new Date(since as string));
+
+    const metrics = await query;
+
+    // Decrypt values before sending
+    const decrypted = metrics.map((m: any) => ({
+      id: m.id,
+      metricName: m.metric_name,
+      value: decrypt(m.value_encrypted),
+      unit: m.unit,
+      status: m.status,
+      trend: m.trend,
+      minThreshold: m.min_threshold,
+      maxThreshold: m.max_threshold,
+      deviceId: m.device_id,
+      recordedAt: m.recorded_at,
+    }));
+
+    await writeAuditLog({
+      user_id: userId,
+      action: "VIEW",
+      resource_type: "health_metric",
+      details: { count: decrypted.length },
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ data: decrypted, total: decrypted.length });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch health metrics" });
+  }
+});
+
+// POST /health/metrics — record a new health metric
+healthRouter.post("/metrics", async (req: Request, res: Response) => {
+  try {
+    const data = healthMetricSchema.parse(req.body);
+    const id = uuidv4();
+
+    await db("health_metrics").insert({
+      id,
+      user_id: req.user!.userId,
+      metric_name: data.metricName,
+      value_encrypted: encrypt(String(data.value)),
+      unit: data.unit,
+      status: data.status,
+      trend: data.trend || "unknown",
+      min_threshold: data.minThreshold,
+      max_threshold: data.maxThreshold,
+      device_id: data.deviceId,
+      recorded_at: data.recordedAt ? new Date(data.recordedAt) : new Date(),
+    });
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "CREATE",
+      resource_type: "health_metric",
+      resource_id: id,
+      details: { metricName: data.metricName, status: data.status },
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.status(201).json({ id, message: "Health metric recorded" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to record health metric" });
+  }
+});
+
+// ════════════════════════════════════════════════════════════
+// SYMPTOMS
+// ════════════════════════════════════════════════════════════
+
+healthRouter.get("/symptoms", async (req: Request, res: Response) => {
+  try {
+    const symptoms = await db("symptoms")
+      .where("user_id", req.user!.userId)
+      .where("is_deleted", false)
+      .orderBy("recorded_at", "desc")
+      .limit(Number(req.query.limit || 50));
+
+    const decrypted = symptoms.map((s: any) => ({
+      id: s.id,
+      name: s.name,
+      severity: s.severity,
+      notes: s.notes_encrypted ? decrypt(s.notes_encrypted) : null,
+      isCardiovascularRelated: s.is_cardiovascular_related,
+      recordedAt: s.recorded_at,
+    }));
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "symptom",
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ data: decrypted });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch symptoms" });
+  }
+});
+
+healthRouter.post("/symptoms", async (req: Request, res: Response) => {
+  try {
+    const data = symptomSchema.parse(req.body);
+    const id = uuidv4();
+
+    await db("symptoms").insert({
+      id,
+      user_id: req.user!.userId,
+      name: data.name,
+      severity: data.severity,
+      notes_encrypted: data.notes ? encrypt(data.notes) : null,
+      is_cardiovascular_related: data.isCardiovascularRelated,
+      recorded_at: data.recordedAt ? new Date(data.recordedAt) : new Date(),
+    });
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "CREATE",
+      resource_type: "symptom",
+      resource_id: id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.status(201).json({ id, message: "Symptom recorded" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to record symptom" });
+  }
+});
+
+// ════════════════════════════════════════════════════════════
+// MOOD ENTRIES
+// ════════════════════════════════════════════════════════════
+
+healthRouter.get("/mood", async (req: Request, res: Response) => {
+  try {
+    const entries = await db("mood_entries")
+      .where("user_id", req.user!.userId)
+      .where("is_deleted", false)
+      .orderBy("recorded_at", "desc")
+      .limit(Number(req.query.limit || 50));
+
+    const decrypted = entries.map((e: any) => ({
+      id: e.id,
+      mood: e.mood,
+      notes: e.notes_encrypted ? decrypt(e.notes_encrypted) : null,
+      anxietyLevel: e.anxiety_level,
+      recordedAt: e.recorded_at,
+    }));
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "mood_entry",
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ data: decrypted });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch mood entries" });
+  }
+});
+
+healthRouter.post("/mood", async (req: Request, res: Response) => {
+  try {
+    const data = moodSchema.parse(req.body);
+    const id = uuidv4();
+
+    await db("mood_entries").insert({
+      id,
+      user_id: req.user!.userId,
+      mood: data.mood,
+      notes_encrypted: data.notes ? encrypt(data.notes) : null,
+      anxiety_level: data.anxietyLevel,
+      recorded_at: data.recordedAt ? new Date(data.recordedAt) : new Date(),
+    });
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "CREATE",
+      resource_type: "mood_entry",
+      resource_id: id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.status(201).json({ id, message: "Mood entry recorded" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to record mood" });
+  }
+});
+
+// ════════════════════════════════════════════════════════════
+// JOURNAL ENTRIES
+// ════════════════════════════════════════════════════════════
+
+healthRouter.get("/journal", async (req: Request, res: Response) => {
+  try {
+    const entries = await db("journal_entries")
+      .where("user_id", req.user!.userId)
+      .where("is_deleted", false)
+      .orderBy("recorded_at", "desc")
+      .limit(Number(req.query.limit || 50));
+
+    const decrypted = entries.map((e: any) => ({
+      id: e.id,
+      content: decrypt(e.content_encrypted),
+      tags: e.tags,
+      painScore: e.pain_score,
+      anxietyLevel: e.anxiety_level,
+      recordedAt: e.recorded_at,
+    }));
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "journal_entry",
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({ data: decrypted });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch journal entries" });
+  }
+});
+
+healthRouter.post("/journal", async (req: Request, res: Response) => {
+  try {
+    const data = journalSchema.parse(req.body);
+    const id = uuidv4();
+
+    await db("journal_entries").insert({
+      id,
+      user_id: req.user!.userId,
+      content_encrypted: encrypt(data.content),
+      tags: data.tags || [],
+      pain_score: data.painScore,
+      anxiety_level: data.anxietyLevel,
+      recorded_at: data.recordedAt ? new Date(data.recordedAt) : new Date(),
+    });
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "CREATE",
+      resource_type: "journal_entry",
+      resource_id: id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.status(201).json({ id, message: "Journal entry recorded" });
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      res.status(400).json({ error: "Validation failed", details: err.errors });
+      return;
+    }
+    res.status(500).json({ error: "Failed to record journal entry" });
+  }
+});
+
+// ════════════════════════════════════════════════════════════
+// CARDIOVASCULAR RISK
+// ════════════════════════════════════════════════════════════
+
+healthRouter.get("/cardiovascular-risk", async (req: Request, res: Response) => {
+  try {
+    const latest = await db("cardiovascular_risks")
+      .where("user_id", req.user!.userId)
+      .where("is_deleted", false)
+      .orderBy("assessed_at", "desc")
+      .first();
+
+    if (!latest) {
+      res.json({ data: null });
+      return;
+    }
+
+    await writeAuditLog({
+      user_id: req.user!.userId,
+      action: "VIEW",
+      resource_type: "cardiovascular_risk",
+      resource_id: latest.id,
+      ip_address: req.ip,
+      outcome: "success",
+    });
+
+    res.json({
+      data: {
+        id: latest.id,
+        overallScore: latest.overall_score,
+        factors: decryptJSON(latest.factors_encrypted),
+        trend: latest.trend,
+        recommendations: latest.recommendations_encrypted
+          ? decryptJSON(latest.recommendations_encrypted)
+          : [],
+        assessedAt: latest.assessed_at,
+      },
+    });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to fetch cardiovascular risk" });
+  }
+});

package/src/server.ts

@@ -0,0 +1,124 @@
+import express from "express";
+import { config } from "./config/index.js";
+import { testConnection, closeConnection } from "./config/database.js";
+import { applySecurityMiddleware } from "./middleware/security.js";
+import { authRouter } from "./routes/auth.js";
+import { healthRouter } from "./routes/health.js";
+import { appointmentRouter, shareRouter } from "./routes/appointments.js";
+import { auditRouter } from "./routes/audit.js";
+import { logger } from "./utils/logger.js";
+
+const app = express();
+const API = `/api/${config.apiVersion}`;
+
+// ── Security Middleware ──────────────────────────────────
+applySecurityMiddleware(app);
+
+// ── Health Check (no auth required) ──────────────────────
+app.get("/health", (_req, res) => {
+  res.json({ status: "ok", timestamp: new Date().toISOString() });
+});
+
+// ── API Routes ───────────────────────────────────────────
+app.use(`${API}/auth`, authRouter);
+app.use(`${API}/health`, healthRouter);
+app.use(`${API}/appointments`, appointmentRouter);
+app.use(`${API}/share`, shareRouter);
+app.use(`${API}/audit`, auditRouter);
+
+// ── API Documentation endpoint ───────────────────────────
+app.get(`${API}`, (_req, res) => {
+  res.json({
+    name: "Allyve Wellness AI API",
+    version: config.apiVersion,
+    hipaaCompliant: true,
+    endpoints: {
+      auth: {
+        "POST /auth/register": "Create new account",
+        "POST /auth/login": "Login and get tokens",
+        "POST /auth/refresh": "Refresh access token",
+        "POST /auth/logout": "Logout and revoke session",
+        "GET  /auth/me": "Get current user profile",
+      },
+      health: {
+        "GET  /health/metrics": "List health metrics",
+        "POST /health/metrics": "Record health metric",
+        "GET  /health/symptoms": "List symptoms",
+        "POST /health/symptoms": "Record symptom",
+        "GET  /health/mood": "List mood entries",
+        "POST /health/mood": "Record mood",
+        "GET  /health/journal": "List journal entries",
+        "POST /health/journal": "Record journal entry",
+        "GET  /health/cardiovascular-risk": "Get latest CV risk",
+      },
+      appointments: {
+        "GET    /appointments": "List appointments",
+        "POST   /appointments": "Create appointment",
+        "PUT    /appointments/:id": "Update appointment",
+        "DELETE /appointments/:id": "Soft-delete appointment",
+      },
+      sharing: {
+        "GET  /share": "List shared data records",
+        "POST /share": "Share data with provider/family",
+        "POST /share/:id/revoke": "Revoke data sharing",
+      },
+      audit: {
+        "GET /audit/logs": "Query audit trail (admin only)",
+      },
+    },
+  });
+});
+
+// ── 404 Handler ──────────────────────────────────────────
+app.use((_req, res) => {
+  res.status(404).json({ error: "Endpoint not found" });
+});
+
+// ── Global Error Handler ─────────────────────────────────
+app.use((err: Error, _req: express.Request, res: express.Response, _next: express.NextFunction) => {
+  logger.error("Unhandled error:", err);
+  // Never leak internal errors to client (HIPAA: minimum necessary)
+  res.status(500).json({ error: "Internal server error" });
+});
+
+// ── Start Server ─────────────────────────────────────────
+async function start() {
+  try {
+    await testConnection();
+    logger.info("Database connected");
+
+    app.listen(config.port, () => {
+      logger.info(`
+┌─────────────────────────────────────────────┐
+│  🩺 Allyve Wellness AI — Backend Server     │
+│                                             │
+│  Environment : ${config.env.padEnd(28)}│
+│  Port        : ${String(config.port).padEnd(28)}│
+│  API Base    : ${API.padEnd(28)}│
+│  HIPAA Mode  : ENABLED                      │
+│  Encryption  : AES-256-GCM                  │
+│  Auth        : JWT + bcrypt (12 rounds)     │
+│  Audit Trail : PostgreSQL (immutable)       │
+└─────────────────────────────────────────────┘
+      `);
+    });
+  } catch (err) {
+    logger.error("Failed to start server:", err);
+    process.exit(1);
+  }
+}
+
+// Graceful shutdown
+process.on("SIGTERM", async () => {
+  logger.info("SIGTERM received. Shutting down...");
+  await closeConnection();
+  process.exit(0);
+});
+
+process.on("SIGINT", async () => {
+  logger.info("SIGINT received. Shutting down...");
+  await closeConnection();
+  process.exit(0);
+});
+
+start();

package/src/services/audit.ts

@@ -0,0 +1,117 @@
+import { db } from "../config/database.js";
+import { logger } from "../utils/logger.js";
+
+// ─── HIPAA AUDIT TRAIL ──────────────────────────────────────
+// HIPAA §164.312(b) — Audit controls
+// HIPAA §164.530(j) — 6-year retention requirement
+//
+// Records WHO accessed WHAT, WHEN, from WHERE, and the OUTCOME.
+// Stored in an append-only table. No UPDATE/DELETE allowed.
+// ─────────────────────────────────────────────────────────────
+
+export type AuditAction =
+  | "LOGIN"
+  | "LOGOUT"
+  | "LOGIN_FAILED"
+  | "SESSION_TIMEOUT"
+  | "VIEW"
+  | "CREATE"
+  | "UPDATE"
+  | "DELETE"
+  | "EXPORT"
+  | "SHARE"
+  | "REVOKE_SHARE"
+  | "DOWNLOAD"
+  | "PRINT"
+  | "CONSENT_GIVEN"
+  | "CONSENT_REVOKED"
+  | "PASSWORD_CHANGE"
+  | "PASSWORD_RESET"
+  | "ROLE_CHANGE"
+  | "EMERGENCY_ACCESS";
+
+export type AuditResource =
+  | "user"
+  | "session"
+  | "health_metric"
+  | "ecg_data"
+  | "symptom"
+  | "mood_entry"
+  | "journal_entry"
+  | "appointment"
+  | "provider_contact"
+  | "shared_data"
+  | "health_report"
+  | "cardiovascular_risk"
+  | "wearable_device";
+
+export interface AuditEntry {
+  user_id: string | null;
+  action: AuditAction;
+  resource_type: AuditResource;
+  resource_id?: string;
+  details?: Record<string, unknown>;
+  ip_address?: string;
+  user_agent?: string;
+  outcome: "success" | "failure" | "denied";
+}
+
+/**
+ * Write an immutable audit log entry.
+ * This function never throws — audit failures are logged but don't break the app.
+ */
+export async function writeAuditLog(entry: AuditEntry): Promise<void> {
+  try {
+    await db("audit_logs").insert({
+      user_id: entry.user_id,
+      action: entry.action,
+      resource_type: entry.resource_type,
+      resource_id: entry.resource_id || null,
+      details: entry.details ? JSON.stringify(entry.details) : null,
+      ip_address: entry.ip_address || null,
+      user_agent: entry.user_agent || null,
+      outcome: entry.outcome,
+      created_at: new Date(),
+    });
+
+    // Also write to file-based audit log for redundancy
+    logger.info("AUDIT", {
+      userId: entry.user_id,
+      action: entry.action,
+      resource: entry.resource_type,
+      resourceId: entry.resource_id,
+      outcome: entry.outcome,
+    });
+  } catch (err) {
+    // Audit failures must never silently pass — log to stderr as critical
+    logger.error("CRITICAL: Failed to write audit log", {
+      error: (err as Error).message,
+      entry: { ...entry, details: undefined }, // Don't log details on error
+    });
+  }
+}
+
+/**
+ * Query audit logs with filters. Only accessible to admin/compliance roles.
+ */
+export async function queryAuditLogs(filters: {
+  userId?: string;
+  action?: AuditAction;
+  resourceType?: AuditResource;
+  startDate?: Date;
+  endDate?: Date;
+  limit?: number;
+  offset?: number;
+}) {
+  let query = db("audit_logs").orderBy("created_at", "desc");
+
+  if (filters.userId) query = query.where("user_id", filters.userId);
+  if (filters.action) query = query.where("action", filters.action);
+  if (filters.resourceType) query = query.where("resource_type", filters.resourceType);
+  if (filters.startDate) query = query.where("created_at", ">=", filters.startDate);
+  if (filters.endDate) query = query.where("created_at", "<=", filters.endDate);
+
+  query = query.limit(filters.limit || 100).offset(filters.offset || 0);
+
+  return query;
+}