Merge pull request #29 from fuzziecoder/codex/fix-issue-#26-by-migrating-to-db-osa172

 [issue]order creation previously trusted client-provided pricing/details

Author: fuzziecoder

backend/README.md

@@ -12,9 +12,12 @@ Server starts at `http://localhost:4000` by default.
 
 ## Database
 
+### Issue #26: Move from in-memory store to persistent DB
+
 - Uses `node:sqlite` with a local database file at `backend/data/brocode.sqlite`.
 - You can override the location with `BROCODE_DB_PATH=/custom/path.sqlite npm run backend`.
 - On first start, seed data is inserted for users, spots, catalog items, and a sample order.
+- New orders are validated against DB data (known `spotId`, `userId`, `productId`) and item pricing is always derived from catalog prices in the database.
 
 ## Available endpoints
 

backend/db.js

@@ -128,6 +128,13 @@ const fetchOrderItemsByOrderIds = (orderIds) => {
   return itemsByOrderId;
 };
 
+const getCatalogItemByIdStatement = db.prepare(
+  'SELECT id, category, name, price FROM catalog_items WHERE id = ?'
+);
+
+const userExistsStatement = db.prepare('SELECT 1 AS found FROM users WHERE id = ? LIMIT 1');
+const spotExistsStatement = db.prepare('SELECT 1 AS found FROM spots WHERE id = ? LIMIT 1');
+
 export const database = {
   getUserByCredentials(username, password) {
     const user = db
@@ -162,6 +169,14 @@ export const database = {
     return rows;
   },
 
+  userExists(userId) {
+    return Boolean(userExistsStatement.get(userId));
+  },
+
+  spotExists(spotId) {
+    return Boolean(spotExistsStatement.get(spotId));
+  },
+
   getSpots() {
     return db
       .prepare('SELECT id, location, date, host_user_id AS hostUserId FROM spots ORDER BY date DESC')
@@ -200,14 +215,21 @@ export const database = {
   createOrder({ spotId, userId, items }) {
     const parsedItems = items.map((item) => {
       const quantity = Number(item.quantity || 0);
-      const unitPrice = Number(item.unitPrice || 0);
+      if (!item.productId || !Number.isInteger(quantity) || quantity <= 0) {
+        throw new Error('Each order item must include productId and a positive integer quantity');
+      }
+
+      const catalogItem = getCatalogItemByIdStatement.get(item.productId);
+      if (!catalogItem) {
+        throw new Error(`Unknown productId: ${item.productId}`);
+      }
 
       return {
-        productId: item.productId,
-        name: item.name,
+        productId: catalogItem.id,
+        name: catalogItem.name,
         quantity,
-        unitPrice,
-        total: quantity * unitPrice,
+        unitPrice: catalogItem.price,
+        total: quantity * catalogItem.price,
       };
     });
 

backend/server.js

@@ -119,11 +119,25 @@ const server = createServer(async (req, res) => {
         return;
       }
 
+      if (!database.userExists(userId)) {
+        sendJson(res, 404, { error: `Unknown userId: ${userId}` });
+        return;
+      }
+
+      if (!database.spotExists(spotId)) {
+        sendJson(res, 404, { error: `Unknown spotId: ${spotId}` });
+        return;
+      }
+
       const newOrder = database.createOrder({ spotId, userId, items });
       sendJson(res, 201, newOrder);
       return;
     } catch (error) {
-      sendJson(res, 400, { error: error.message });
+      const isValidationError =
+        error.message.includes('Unknown productId') ||
+        error.message.includes('Each order item must include productId');
+
+      sendJson(res, isValidationError ? 400 : 500, { error: error.message });
       return;
     }
   }