create-ishvexa-app 1.0.0

package/templates/lms-app/backend-mysql/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "lms-backend-mysql",
+  "version": "1.0.0",
+  "description": "Library Management System API — Express + MySQL",
+  "main": "src/server.js",
+  "scripts": {
+    "dev": "nodemon src/server.js",
+    "start": "node src/server.js",
+    "db:init": "bash -c 'set -a && source .env && set +a && if [ -n \"$DB_PASSWORD\" ]; then mysql -h \"$DB_HOST\" -P \"$DB_PORT\" -u \"$DB_USER\" -p\"$DB_PASSWORD\" < database/schema.sql; else mysql -h \"$DB_HOST\" -P \"$DB_PORT\" -u \"$DB_USER\" < database/schema.sql; fi'"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "bcryptjs": "^3.0.3",
+    "cors": "^2.8.6",
+    "dotenv": "^17.4.2",
+    "express": "^5.2.1",
+    "express-session": "^1.19.0",
+    "mysql2": "^3.14.1"
+  },
+  "devDependencies": {
+    "nodemon": "^3.1.14"
+  }
+}

package/templates/lms-app/backend-mysql/src/config/db.js

@@ -0,0 +1,33 @@
+const mysql = require("mysql2/promise");
+const dotenv = require("dotenv");
+
+dotenv.config();
+
+const pool = mysql.createPool({
+  host: process.env.DB_HOST || "localhost",
+  user: process.env.DB_USER || "student",
+  password: process.env.DB_PASSWORD || "",
+  database: process.env.DB_NAME || "LMS",
+  port: Number(process.env.DB_PORT || 3306),
+  waitForConnections: true,
+  connectionLimit: 10,
+});
+
+const query = async (sql, params = []) => {
+  const [rows] = await pool.execute(sql, params);
+  return rows;
+};
+
+async function connectDatabase() {
+  try {
+    await query("SELECT 1");
+    console.log("Database Connected Successfully");
+    return true;
+  } catch (error) {
+    console.log("Database Connection Failed");
+    console.error(error.message);
+    return false;
+  }
+}
+
+module.exports = { query, connectDatabase, pool };

package/templates/lms-app/backend-mysql/src/config/env.js

@@ -0,0 +1,21 @@
+function parsePort(raw, fallback) {
+  const n = Number(String(raw || "").trim());
+  return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+
+function getEnv() {
+  return {
+    port: parsePort(process.env.PORT || process.env.LMS_BACKEND_PORT, 5827),
+    sessionSecret:
+      process.env.SESSION_SECRET?.trim() ||
+      process.env.LMS_SESSION_SECRET?.trim() ||
+      "lms-dev-session-secret-change-in-production",
+    frontendUrl:
+      process.env.FRONTEND_URL?.trim() ||
+      process.env.LMS_FRONTEND_URL?.trim() ||
+      "http://localhost:5828",
+    nodeEnv: process.env.NODE_ENV || "development",
+  };
+}
+
+module.exports = { getEnv };

package/templates/lms-app/backend-mysql/src/controllers/authController.js

@@ -0,0 +1,87 @@
+const bcrypt = require("bcryptjs");
+const { query } = require("../config/db");
+
+const normalize = (value) => String(value || "").trim().toLowerCase();
+const normalizeEmail = (email) => String(email || "").trim().toLowerCase();
+
+const login = async (req, res) => {
+  try {
+    const username = normalize(req.body.username);
+    const password = String(req.body.password || "");
+    if (!username || !password) {
+      return res.status(400).json({ message: "Username and password are required" });
+    }
+
+    const rows = await query("SELECT * FROM users WHERE username = ?", [username]);
+    const user = rows[0];
+    if (!user) {
+      return res.status(401).json({ message: "Invalid credentials" });
+    }
+
+    const ok = await bcrypt.compare(password, user.password_hash);
+    if (!ok) {
+      return res.status(401).json({ message: "Invalid credentials" });
+    }
+
+    req.session.userId = String(user.id);
+    req.session.username = user.username;
+    req.session.role = user.role;
+    return res.json({
+      message: "Login successful",
+      username: user.username,
+      role: user.role,
+    });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const forgotPassword = async (req, res) => {
+  try {
+    const { email, newPassword, confirmPassword } = req.body;
+    if (!email) {
+      return res.status(400).json({ success: false, message: "Email is required." });
+    }
+    if (!newPassword) {
+      return res.status(400).json({ success: false, message: "New password is required." });
+    }
+    if (!confirmPassword) {
+      return res.status(400).json({ success: false, message: "Confirm password is required." });
+    }
+    if (newPassword !== confirmPassword) {
+      return res.status(400).json({
+        success: false,
+        message: "New password and confirm password must match.",
+      });
+    }
+    const emailNorm = normalizeEmail(email);
+    const rows = await query("SELECT id FROM users WHERE email = ?", [emailNorm]);
+    if (!rows.length) {
+      return res.status(404).json({ success: false, message: "User not found" });
+    }
+    const hash = await bcrypt.hash(newPassword, 10);
+    await query("UPDATE users SET password_hash = ? WHERE email = ?", [hash, emailNorm]);
+    return res.json({ success: true, message: "Password reset successfully" });
+  } catch (error) {
+    return res.status(500).json({ success: false, message: error.message });
+  }
+};
+
+const me = (req, res) => {
+  if (!req.session.userId) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+  return res.json({
+    username: req.session.username,
+    role: req.session.role,
+  });
+};
+
+const logout = (req, res) => {
+  req.session.destroy(() => {
+    res.clearCookie("connect.sid");
+    res.json({ message: "Logged out" });
+  });
+};
+
+module.exports = { login, forgotPassword, me, logout };

package/templates/lms-app/backend-mysql/src/controllers/bookController.js

@@ -0,0 +1,106 @@
+const { query } = require("../config/db");
+const { mapBook } = require("../utils/mappers");
+
+const listBooks = async (req, res) => {
+  try {
+    const q = String(req.query.title || "").trim();
+    const rows = q
+      ? await query("SELECT * FROM books WHERE title LIKE ? ORDER BY title", [`%${q}%`])
+      : await query("SELECT * FROM books ORDER BY title");
+    return res.json(rows.map(mapBook));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const getBook = async (req, res) => {
+  try {
+    const rows = await query("SELECT * FROM books WHERE id = ?", [req.params.id]);
+    if (!rows.length) return res.status(404).json({ message: "Book not found" });
+    return res.json(mapBook(rows[0]));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const createBook = async (req, res) => {
+  try {
+    const { title, author, category, quantity, publishedYear } = req.body;
+    if (!title || !author || !category || quantity === undefined || !publishedYear) {
+      return res.status(400).json({ message: "All fields are required" });
+    }
+    const qty = Number(quantity);
+    if (!Number.isFinite(qty) || qty < 0) {
+      return res.status(400).json({ message: "Quantity must be a non-negative number" });
+    }
+    const year = Number(publishedYear);
+    if (!Number.isFinite(year) || year < 1000 || year > 9999) {
+      return res.status(400).json({ message: "Invalid published year" });
+    }
+    const result = await query(
+      "INSERT INTO books (title, author, category, quantity, published_year) VALUES (?, ?, ?, ?, ?)",
+      [String(title).trim(), String(author).trim(), String(category).trim(), qty, year]
+    );
+    const rows = await query("SELECT * FROM books WHERE id = ?", [result.insertId]);
+    return res.status(201).json(mapBook(rows[0]));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const updateBook = async (req, res) => {
+  try {
+    const rows = await query("SELECT * FROM books WHERE id = ?", [req.params.id]);
+    if (!rows.length) return res.status(404).json({ message: "Book not found" });
+
+    const { title, author, category, quantity, publishedYear } = req.body;
+    const current = rows[0];
+    let qty = current.quantity;
+    let year = current.published_year;
+
+    if (quantity !== undefined) {
+      qty = Number(quantity);
+      if (!Number.isFinite(qty) || qty < 0) {
+        return res.status(400).json({ message: "Invalid quantity" });
+      }
+    }
+    if (publishedYear !== undefined) {
+      year = Number(publishedYear);
+      if (!Number.isFinite(year) || year < 1000 || year > 9999) {
+        return res.status(400).json({ message: "Invalid published year" });
+      }
+    }
+
+    await query(
+      "UPDATE books SET title = ?, author = ?, category = ?, quantity = ?, published_year = ? WHERE id = ?",
+      [
+        title !== undefined ? String(title).trim() : current.title,
+        author !== undefined ? String(author).trim() : current.author,
+        category !== undefined ? String(category).trim() : current.category,
+        qty,
+        year,
+        req.params.id,
+      ]
+    );
+    const updated = await query("SELECT * FROM books WHERE id = ?", [req.params.id]);
+    return res.json(mapBook(updated[0]));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const deleteBook = async (req, res) => {
+  try {
+    const active = await query("SELECT id FROM borrows WHERE book_id = ? AND returned_at IS NULL LIMIT 1", [req.params.id]);
+    if (active.length) {
+      return res.status(409).json({ message: "Book has active borrows" });
+    }
+    const result = await query("DELETE FROM books WHERE id = ?", [req.params.id]);
+    if (!result.affectedRows) return res.status(404).json({ message: "Book not found" });
+    return res.json({ message: "Deleted" });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+module.exports = { listBooks, getBook, createBook, updateBook, deleteBook };

package/templates/lms-app/backend-mysql/src/controllers/borrowController.js

@@ -0,0 +1,113 @@
+const { query, pool } = require("../config/db");
+const { mapBorrowRow, borrowSelect } = require("../utils/mappers");
+
+const startOfDay = (d) => {
+  const x = new Date(d);
+  x.setHours(0, 0, 0, 0);
+  return x;
+};
+
+const listBorrows = async (req, res) => {
+  try {
+    const status = String(req.query.status || "all").toLowerCase();
+    const dateFrom = req.query.dateFrom ? startOfDay(req.query.dateFrom) : null;
+    const dateTo = req.query.dateTo ? startOfDay(req.query.dateTo) : null;
+    if (dateTo) dateTo.setHours(23, 59, 59, 999);
+
+    const clauses = [];
+    const params = [];
+    if (status === "active") clauses.push("b.returned_at IS NULL");
+    else if (status === "returned") clauses.push("b.returned_at IS NOT NULL");
+    if (dateFrom) {
+      clauses.push("b.borrow_date >= ?");
+      params.push(dateFrom);
+    }
+    if (dateTo) {
+      clauses.push("b.borrow_date <= ?");
+      params.push(dateTo);
+    }
+    const where = clauses.length ? `WHERE ${clauses.join(" AND ")}` : "";
+    const rows = await query(`${borrowSelect} ${where} ORDER BY b.borrow_date DESC`, params);
+    return res.json(rows.map(mapBorrowRow));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const createBorrow = async (req, res) => {
+  const conn = await pool.getConnection();
+  try {
+    const { studentId, bookId, borrowDate, returnDueDate } = req.body;
+    if (!studentId || !bookId || !borrowDate || !returnDueDate) {
+      return res.status(400).json({ message: "Student, book, borrow date and return date are required" });
+    }
+    const bd = new Date(borrowDate);
+    const rd = new Date(returnDueDate);
+    if (Number.isNaN(bd.getTime()) || Number.isNaN(rd.getTime())) {
+      return res.status(400).json({ message: "Invalid dates" });
+    }
+    if (rd < bd) {
+      return res.status(400).json({ message: "Return date must be on or after borrow date" });
+    }
+
+    const students = await query("SELECT id FROM students WHERE id = ?", [studentId]);
+    if (!students.length) return res.status(404).json({ message: "Student not found" });
+
+    await conn.beginTransaction();
+    const [books] = await conn.execute("SELECT id, quantity FROM books WHERE id = ? FOR UPDATE", [bookId]);
+    if (!books.length) {
+      await conn.rollback();
+      return res.status(404).json({ message: "Book not found" });
+    }
+    if (books[0].quantity < 1) {
+      await conn.rollback();
+      return res.status(409).json({ message: "No copies available to borrow" });
+    }
+
+    await conn.execute("UPDATE books SET quantity = quantity - 1 WHERE id = ?", [bookId]);
+    const [insert] = await conn.execute(
+      "INSERT INTO borrows (student_id, book_id, borrow_date, return_due_date, returned_at) VALUES (?, ?, ?, ?, NULL)",
+      [studentId, bookId, bd, rd]
+    );
+    await conn.commit();
+
+    const rows = await query(`${borrowSelect} WHERE b.id = ?`, [insert.insertId]);
+    return res.status(201).json(mapBorrowRow(rows[0]));
+  } catch (error) {
+    await conn.rollback();
+    return res.status(500).json({ message: error.message });
+  } finally {
+    conn.release();
+  }
+};
+
+const returnBorrow = async (req, res) => {
+  const conn = await pool.getConnection();
+  try {
+    await conn.beginTransaction();
+    const [borrows] = await conn.execute("SELECT * FROM borrows WHERE id = ? FOR UPDATE", [req.params.id]);
+    const borrow = borrows[0];
+    if (!borrow) {
+      await conn.rollback();
+      return res.status(404).json({ message: "Borrow record not found" });
+    }
+    if (borrow.returned_at) {
+      await conn.rollback();
+      return res.status(409).json({ message: "Already returned" });
+    }
+
+    await conn.execute("UPDATE borrows SET returned_at = NOW() WHERE id = ?", [req.params.id]);
+    await conn.execute("UPDATE books SET quantity = quantity + 1 WHERE id = ?", [borrow.book_id]);
+    await conn.commit();
+
+    const rows = await query(`${borrowSelect} WHERE b.id = ?`, [req.params.id]);
+    return res.json(mapBorrowRow(rows[0]));
+  } catch (error) {
+    await conn.rollback();
+    return res.status(500).json({ message: error.message });
+  } finally {
+    conn.release();
+  }
+};
+
+module.exports = { listBorrows, createBorrow, returnBorrow };

package/templates/lms-app/backend-mysql/src/controllers/dashboardController.js

@@ -0,0 +1,33 @@
+const { query } = require("../config/db");
+
+const stats = async (_req, res) => {
+  try {
+    const [{ totalBooks }] = await query("SELECT COUNT(*) AS totalBooks FROM books");
+    const [{ totalStudents }] = await query("SELECT COUNT(*) AS totalStudents FROM students");
+    const copies = await query("SELECT COALESCE(SUM(quantity), 0) AS sum FROM books");
+    const copiesInLibrary = copies[0]?.sum ?? 0;
+
+    const [{ borrowedActive }] = await query("SELECT COUNT(*) AS borrowedActive FROM borrows WHERE returned_at IS NULL");
+    const [{ returnedCount }] = await query("SELECT COUNT(*) AS returnedCount FROM borrows WHERE returned_at IS NOT NULL");
+    const [{ lateReturned }] = await query(
+      "SELECT COUNT(*) AS lateReturned FROM borrows WHERE returned_at IS NOT NULL AND returned_at > return_due_date"
+    );
+    const [{ overdueActive }] = await query(
+      "SELECT COUNT(*) AS overdueActive FROM borrows WHERE returned_at IS NULL AND return_due_date < NOW()"
+    );
+
+    return res.json({
+      totalBookTitles: totalBooks,
+      totalCopiesInLibrary: copiesInLibrary,
+      totalStudents,
+      borrowedActive,
+      returnedCount,
+      lateReturned,
+      overdueActive,
+    });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+module.exports = { stats };

package/templates/lms-app/backend-mysql/src/controllers/reportController.js

@@ -0,0 +1,40 @@
+const { query } = require("../config/db");
+const { mapStudent, mapBook, mapBorrowRow, borrowSelect } = require("../utils/mappers");
+
+const allStudents = async (_req, res) => {
+  try {
+    const rows = await query("SELECT * FROM students ORDER BY full_name");
+    return res.json({ generatedAt: new Date().toISOString(), rows: rows.map(mapStudent) });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const allBooks = async (_req, res) => {
+  try {
+    const rows = await query("SELECT * FROM books ORDER BY title");
+    return res.json({ generatedAt: new Date().toISOString(), rows: rows.map(mapBook) });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const borrowedReport = async (_req, res) => {
+  try {
+    const rows = await query(`${borrowSelect} WHERE b.returned_at IS NULL ORDER BY b.borrow_date DESC`);
+    return res.json({ generatedAt: new Date().toISOString(), rows: rows.map(mapBorrowRow) });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const returnedReport = async (_req, res) => {
+  try {
+    const rows = await query(`${borrowSelect} WHERE b.returned_at IS NOT NULL ORDER BY b.returned_at DESC`);
+    return res.json({ generatedAt: new Date().toISOString(), rows: rows.map(mapBorrowRow) });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+module.exports = { allStudents, allBooks, borrowedReport, returnedReport };

package/templates/lms-app/backend-mysql/src/controllers/studentController.js

@@ -0,0 +1,95 @@
+const { query } = require("../config/db");
+const { mapStudent } = require("../utils/mappers");
+
+const listStudents = async (req, res) => {
+  try {
+    const q = String(req.query.name || "").trim();
+    const rows = q
+      ? await query("SELECT * FROM students WHERE full_name LIKE ? ORDER BY full_name", [`%${q}%`])
+      : await query("SELECT * FROM students ORDER BY full_name");
+    return res.json(rows.map(mapStudent));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const getStudent = async (req, res) => {
+  try {
+    const rows = await query("SELECT * FROM students WHERE id = ?", [req.params.id]);
+    if (!rows.length) return res.status(404).json({ message: "Student not found" });
+    return res.json(mapStudent(rows[0]));
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const createStudent = async (req, res) => {
+  try {
+    const { fullName, gender, className, phone, email } = req.body;
+    if (!fullName || !gender || !className || !phone || !email) {
+      return res.status(400).json({ message: "All fields are required" });
+    }
+    if (!["Male", "Female", "Other"].includes(gender)) {
+      return res.status(400).json({ message: "Invalid gender" });
+    }
+    const result = await query(
+      "INSERT INTO students (full_name, gender, class_name, phone, email) VALUES (?, ?, ?, ?, ?)",
+      [String(fullName).trim(), gender, String(className).trim(), String(phone).trim(), String(email).trim().toLowerCase()]
+    );
+    const rows = await query("SELECT * FROM students WHERE id = ?", [result.insertId]);
+    return res.status(201).json(mapStudent(rows[0]));
+  } catch (error) {
+    if (error.code === "ER_DUP_ENTRY") {
+      return res.status(409).json({ message: "Duplicate email" });
+    }
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const updateStudent = async (req, res) => {
+  try {
+    const rows = await query("SELECT * FROM students WHERE id = ?", [req.params.id]);
+    if (!rows.length) return res.status(404).json({ message: "Student not found" });
+
+    const { fullName, gender, className, phone, email } = req.body;
+    const current = rows[0];
+    if (gender !== undefined && !["Male", "Female", "Other"].includes(gender)) {
+      return res.status(400).json({ message: "Invalid gender" });
+    }
+
+    await query(
+      "UPDATE students SET full_name = ?, gender = ?, class_name = ?, phone = ?, email = ? WHERE id = ?",
+      [
+        fullName !== undefined ? String(fullName).trim() : current.full_name,
+        gender !== undefined ? gender : current.gender,
+        className !== undefined ? String(className).trim() : current.class_name,
+        phone !== undefined ? String(phone).trim() : current.phone,
+        email !== undefined ? String(email).trim().toLowerCase() : current.email,
+        req.params.id,
+      ]
+    );
+    const updated = await query("SELECT * FROM students WHERE id = ?", [req.params.id]);
+    return res.json(mapStudent(updated[0]));
+  } catch (error) {
+    if (error.code === "ER_DUP_ENTRY") {
+      return res.status(409).json({ message: "Duplicate email" });
+    }
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+const deleteStudent = async (req, res) => {
+  try {
+    const active = await query("SELECT id FROM borrows WHERE student_id = ? AND returned_at IS NULL LIMIT 1", [req.params.id]);
+    if (active.length) {
+      return res.status(409).json({ message: "Student has active borrows; return books first" });
+    }
+    const result = await query("DELETE FROM students WHERE id = ?", [req.params.id]);
+    if (!result.affectedRows) return res.status(404).json({ message: "Student not found" });
+    return res.json({ message: "Deleted" });
+  } catch (error) {
+    return res.status(500).json({ message: error.message });
+  }
+};
+
+module.exports = { listStudents, getStudent, createStudent, updateStudent, deleteStudent };

package/templates/lms-app/backend-mysql/src/ensureSeedData.js

@@ -0,0 +1,54 @@
+const bcrypt = require("bcryptjs");
+const { query } = require("./config/db");
+
+async function ensureSeedData() {
+  const log = [];
+
+  const userPairs = [
+    { username: "admin", email: "admin@exam.local", password: "admin123", role: "admin" },
+    { username: "librarian", email: "librarian@exam.local", password: "librarian123", role: "librarian" },
+  ];
+  let usersCreated = 0;
+  for (const { username, email, password, role } of userPairs) {
+    const exists = await query("SELECT id FROM users WHERE username = ?", [username]);
+    if (exists.length) continue;
+    await query("INSERT INTO users (username, email, password_hash, role) VALUES (?, ?, ?, ?)", [
+      username,
+      email,
+      await bcrypt.hash(password, 10),
+      role,
+    ]);
+    usersCreated += 1;
+  }
+  if (usersCreated) log.push(`${usersCreated} user(s)`);
+
+  const studentCount = await query("SELECT COUNT(*) AS c FROM students");
+  if (studentCount[0].c === 0) {
+    await query(
+      "INSERT INTO students (full_name, gender, class_name, phone, email) VALUES (?, ?, ?, ?, ?), (?, ?, ?, ?, ?)",
+      [
+        "Marie Uwase", "Female", "Senior 3", "+250788100001", "marie.demo@school.test",
+        "David Nkurunziza", "Male", "Senior 2", "+250788100002", "david.demo@school.test",
+      ]
+    );
+    log.push("2 students");
+  }
+
+  const bookCount = await query("SELECT COUNT(*) AS c FROM books");
+  if (bookCount[0].c === 0) {
+    await query(
+      "INSERT INTO books (title, author, category, quantity, published_year) VALUES (?, ?, ?, ?, ?), (?, ?, ?, ?, ?)",
+      [
+        "Computer Science Basics", "Teaching Team", "Textbook", 5, 2021,
+        "Stories for Young Readers", "A. Mukamana", "Literature", 8, 2019,
+      ]
+    );
+    log.push("2 books");
+  }
+
+  if (log.length) {
+    console.log(`LMS seed: created ${log.join(", ")}.`);
+  }
+}
+
+module.exports = ensureSeedData;

package/templates/lms-app/backend-mysql/src/middleware/auth.js

@@ -0,0 +1,28 @@
+const requireAuth = (req, res, next) => {
+  if (!req.session.userId) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+  return next();
+};
+
+const requireAdmin = (req, res, next) => {
+  if (!req.session.userId) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+  if (req.session.role !== "admin") {
+    return res.status(403).json({ message: "Admin only" });
+  }
+  return next();
+};
+
+const requireLibrarian = (req, res, next) => {
+  if (!req.session.userId) {
+    return res.status(401).json({ message: "Unauthorized" });
+  }
+  if (req.session.role !== "librarian" && req.session.role !== "admin") {
+    return res.status(403).json({ message: "Librarian or admin required" });
+  }
+  return next();
+};
+
+module.exports = { requireAuth, requireAdmin, requireLibrarian };

package/templates/lms-app/backend-mysql/src/routes/authRoutes.js

@@ -0,0 +1,12 @@
+const express = require("express");
+const authController = require("../controllers/authController");
+const { requireAuth } = require("../middleware/auth");
+
+const router = express.Router();
+
+router.post("/login", authController.login);
+router.post("/forgot-password", authController.forgotPassword);
+router.get("/me", requireAuth, authController.me);
+router.post("/logout", requireAuth, authController.logout);
+
+module.exports = router;

package/templates/lms-app/backend-mysql/src/routes/bookRoutes.js

@@ -0,0 +1,13 @@
+const express = require("express");
+const { requireAuth, requireAdmin } = require("../middleware/auth");
+const bookController = require("../controllers/bookController");
+
+const router = express.Router();
+
+router.get("/", requireAuth, bookController.listBooks);
+router.get("/:id", requireAuth, bookController.getBook);
+router.post("/", requireAuth, requireAdmin, bookController.createBook);
+router.put("/:id", requireAuth, requireAdmin, bookController.updateBook);
+router.delete("/:id", requireAuth, requireAdmin, bookController.deleteBook);
+
+module.exports = router;

package/templates/lms-app/backend-mysql/src/routes/borrowRoutes.js

@@ -0,0 +1,11 @@
+const express = require("express");
+const { requireAuth, requireLibrarian } = require("../middleware/auth");
+const borrowController = require("../controllers/borrowController");
+
+const router = express.Router();
+
+router.get("/", requireAuth, requireLibrarian, borrowController.listBorrows);
+router.post("/", requireAuth, requireLibrarian, borrowController.createBorrow);
+router.patch("/:id/return", requireAuth, requireLibrarian, borrowController.returnBorrow);
+
+module.exports = router;