project-startup 1.1.1 → 1.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "project-startup",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "Minimal session-based auth starter using Express, MySQL, React, Vite, and React Router.",
   "main": "index.js",
   "bin": {

package/template/Logics/rbac/controllers/authController.js

@@ -0,0 +1,52 @@
+const bcrypt = require("bcrypt");
+const db     = require("../db");
+
+exports.login = async (req, res) => {
+    const { email, password } = req.body;
+
+    if (!email || !password) {
+        return res.status(400).json({ error: "Email and password are required." });
+    }
+
+    const [rows] = await db.query(
+        "SELECT * FROM users WHERE email = ?", [email]
+    );
+
+    if (rows.length === 0) {
+        return res.status(401).json({ error: "Invalid email or password." });
+    }
+
+    const user  = rows[0];
+    const match = await bcrypt.compare(password, user.password);
+
+    if (!match) {
+        return res.status(401).json({ error: "Invalid email or password." });
+    }
+
+    // Store only the safe user fields in the session — never the password hash
+    req.session.user = {
+        id:    user.id,
+        name:  user.name,
+        email: user.email,
+        role:  user.role,
+    };
+
+    // express-session saves the session and sends the Set-Cookie header
+    // automatically — we just respond with the user object for the frontend
+    res.json({ user: req.session.user });
+};
+
+exports.logout = (req, res) => {
+    // Destroys the session row in MySQL and clears the cookie
+    req.session.destroy(err => {
+        if (err) {
+            return res.status(500).json({ error: "Could not log out." });
+        }
+        res.clearCookie("connect.sid");
+        res.json({ message: "Logged out." });
+    });
+};
+
+exports.me = (req, res) => {
+    res.json(req.user);
+};

package/template/Logics/rbac/controllers/demoController.js

@@ -0,0 +1,38 @@
+// These are demo endpoints that exist purely to show RBAC in action.
+// In a real app you'd replace these with your actual business routes.
+
+// GET /api/demo/customer — any logged-in user
+exports.customerArea = (req, res) => {
+    res.json({
+        message: `Hello ${req.user.name}! You reached the customer area.`,
+        access:  "all authenticated users",
+        you:     req.user,
+    });
+};
+
+// GET /api/demo/manager — manager or admin only
+exports.managerArea = (req, res) => {
+    res.json({
+        message: `Hello ${req.user.name}! You reached the manager area.`,
+        access:  "manager + admin",
+        you:     req.user,
+    });
+};
+
+// GET /api/demo/admin — admin only
+exports.adminArea = (req, res) => {
+    res.json({
+        message: `Hello ${req.user.name}! You reached the admin area.`,
+        access:  "admin only",
+        you:     req.user,
+    });
+};
+
+// GET /api/demo/users — admin only: list all users
+exports.listUsers = async (req, res) => {
+    const db    = require("../db");
+    const [rows] = await db.query(
+        "SELECT id, name, email, role, created_at FROM users ORDER BY id"
+    );
+    res.json(rows);
+};

package/template/Logics/rbac/db.js

@@ -0,0 +1,12 @@
+const mysql = require("mysql2/promise");
+
+const pool = mysql.createPool({
+    host:             process.env.DB_HOST     || "localhost",
+    user:             process.env.DB_USER     || "root",
+    password:         process.env.DB_PASSWORD || "root",
+    database:         process.env.DB_NAME     || "rbac_db",
+    waitForConnections: true,
+    connectionLimit:  10,
+});
+
+module.exports = pool;

package/template/Logics/rbac/middleware/authMiddleware.js

@@ -0,0 +1,28 @@
+// With express-session there is no token to look up.
+// The session middleware already parsed the cookie and populated req.session
+// before this function runs — we just check what's in it.
+
+function requireAuth(req, res, next) {
+    if (!req.session.user) {
+        return res.status(401).json({ error: "Not authenticated. Please log in." });
+    }
+    // Attach user to req so controllers can use req.user (same API as before)
+    req.user = req.session.user;
+    next();
+}
+
+// Role guard — unchanged, still works exactly the same way
+function requireRole(...roles) {
+    return (req, res, next) => {
+        if (!roles.includes(req.user.role)) {
+            return res.status(403).json({
+                error:    "Access denied.",
+                yourRole: req.user.role,
+                required: roles,
+            });
+        }
+        next();
+    };
+}
+
+module.exports = { requireAuth, requireRole };

package/template/Logics/rbac/routes/authRoutes.js

@@ -0,0 +1,10 @@
+const express        = require("express");
+const router         = express.Router();
+const authController = require("../controllers/authController");
+const { requireAuth } = require("../middleware/authMiddleware");
+
+router.post("/login",  authController.login);
+router.post("/logout", requireAuth, authController.logout);
+router.get("/me",      requireAuth, authController.me);
+
+module.exports = router;

package/template/Logics/rbac/routes/demoRoutes.js

@@ -0,0 +1,37 @@
+const express          = require("express");
+const router           = express.Router();
+const demoController   = require("../controllers/demoController");
+const { requireAuth, requireRole } = require("../middleware/authMiddleware");
+
+// Any logged-in user
+router.get(
+    "/customer",
+    requireAuth,
+    demoController.customerArea
+);
+
+// Manager or Admin
+router.get(
+    "/manager",
+    requireAuth,
+    requireRole("manager", "admin"),
+    demoController.managerArea
+);
+
+// Admin only
+router.get(
+    "/admin",
+    requireAuth,
+    requireRole("admin"),
+    demoController.adminArea
+);
+
+// Admin only — lists all users
+router.get(
+    "/users",
+    requireAuth,
+    requireRole("admin"),
+    demoController.listUsers
+);
+
+module.exports = router;