Merge branch 'main' into codex/fix-user-deletion-handling-in-backend

Author: fuzziecoder

.gitignore

@@ -27,3 +27,6 @@ dist-ssr
 *.njsproj
 *.sln
 *.sw?
+
+# Local backend datastore
+backend/data/

backend/README.md

@@ -24,6 +24,16 @@ Server starts at `http://localhost:4000` by default.
 - Passwords are stored as salted `scrypt` hashes (not plaintext).
 - Legacy plaintext user passwords are auto-migrated to hashed values on successful login.
 
+### Issue #29: Protect login endpoint from brute-force attempts
+
+- Login is now rate-limited per `IP + username` key.
+- Defaults: 5 failed attempts within 15 minutes triggers a 15 minute temporary block (`429`).
+- Configure via env vars:
+  - `LOGIN_RATE_LIMIT_MAX_ATTEMPTS`
+  - `LOGIN_RATE_LIMIT_WINDOW_MS`
+  - `LOGIN_RATE_LIMIT_BLOCK_MS`
+
+
 ## Available endpoints
 
 - `GET /api/health`

backend/db.js

@@ -1,7 +1,6 @@
-import { existsSync, mkdirSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { dirname, resolve } from 'node:path';
 import { randomBytes, randomUUID, scryptSync, timingSafeEqual } from 'node:crypto';
-import { DatabaseSync } from 'node:sqlite';
 
 const defaultDbPath = resolve(process.cwd(), 'backend', 'data', 'brocode.sqlite');
 const dbPath = process.env.BROCODE_DB_PATH ? resolve(process.env.BROCODE_DB_PATH) : defaultDbPath;
@@ -11,10 +10,6 @@ if (!existsSync(dbDirectory)) {
   mkdirSync(dbDirectory, { recursive: true });
 }
 
-const db = new DatabaseSync(dbPath);
-db.exec('PRAGMA journal_mode = WAL;');
-db.exec('PRAGMA foreign_keys = ON;');
-
 const HASH_PREFIX = 'scrypt$';
 const SCRYPT_KEY_LENGTH = 64;
 
@@ -112,6 +107,79 @@ if (!hasUsers) {
      VALUES (?, ?, ?, ?, ?, ?)`
   ).run('ord-1', 'd-1', 'Brocode Beer', 2, 180, 360);
 }
+const seedData = () => ({
+  users: [
+    { id: 'u-1', username: 'brocode', password: hashPassword('changeme'), name: 'Ram', role: 'admin' },
+    { id: 'u-2', username: 'dhanush', password: hashPassword('changeme'), name: 'Dhanush', role: 'user' },
+  ],
+  spots: [
+    {
+      id: 'spot-2025-07-26',
+      location: 'Attibele Toll Plaza',
+      date: '2025-07-26T10:00:00.000Z',
+      host_user_id: 'u-1',
+    },
+  ],
+  catalog_items: [
+    { id: 'd-1', category: 'drinks', name: 'Brocode Beer', price: 180 },
+    { id: 'd-2', category: 'drinks', name: 'Kingfisher Beer', price: 170 },
+    { id: 'f-1', category: 'food', name: 'Beef Biriyani', price: 220 },
+    { id: 'f-2', category: 'food', name: 'Parotta', price: 30 },
+    { id: 'c-1', category: 'cigarettes', name: 'Marlboro', price: 25 },
+    { id: 'c-2', category: 'cigarettes', name: 'Classic', price: 20 },
+  ],
+  orders: [
+    {
+      id: 'ord-1',
+      spot_id: 'spot-2025-07-26',
+      user_id: 'u-2',
+      total_amount: 360,
+      created_at: '2025-07-26T10:30:00.000Z',
+    },
+  ],
+  order_items: [
+    {
+      id: 1,
+      order_id: 'ord-1',
+      product_id: 'd-1',
+      name: 'Brocode Beer',
+      quantity: 2,
+      unit_price: 180,
+      total: 360,
+    },
+  ],
+  next_order_item_id: 2,
+});
+
+const loadData = () => {
+  if (!existsSync(dbPath)) {
+    const initial = seedData();
+    writeFileSync(dbPath, JSON.stringify(initial, null, 2));
+    return initial;
+  }
+
+  try {
+    const parsed = JSON.parse(readFileSync(dbPath, 'utf-8'));
+    return {
+      users: parsed.users || [],
+      spots: parsed.spots || [],
+      catalog_items: parsed.catalog_items || [],
+      orders: parsed.orders || [],
+      order_items: parsed.order_items || [],
+      next_order_item_id: parsed.next_order_item_id || 1,
+    };
+  } catch {
+    const initial = seedData();
+    writeFileSync(dbPath, JSON.stringify(initial, null, 2));
+    return initial;
+  }
+};
+
+const state = loadData();
+
+const persist = () => {
+  writeFileSync(dbPath, JSON.stringify(state, null, 2));
+};
 
 const mapOrder = (order, items) => ({
   id: order.id,
@@ -166,14 +234,15 @@ const deleteSpotsByHostUserIdStatement = db.prepare('DELETE FROM spots WHERE hos
 
 export const database = {
   getUserByCredentials(username, password) {
-    const user = getUserByUsernameStatement.get(username);
+    const user = state.users.find((entry) => entry.username === username);
 
     if (!user || !verifyPassword(password, user.password)) {
       return null;
     }
 
     if (!user.password.startsWith(HASH_PREFIX)) {
-      updateUserPasswordStatement.run(hashPassword(password), user.id);
+      user.password = hashPassword(password);
+      persist();
     }
 
     return {
@@ -185,8 +254,7 @@ export const database = {
   },
 
   getCatalog() {
-    const rows = db.prepare('SELECT id, category, name, price FROM catalog_items ORDER BY category, id').all();
-    return rows.reduce(
+    return state.catalog_items.reduce(
       (acc, row) => {
         if (!acc[row.category]) {
           acc[row.category] = [];
@@ -204,52 +272,35 @@ export const database = {
     );
   },
 
-  getCatalogCategory(category) {
-    const rows = db.prepare('SELECT id, name, price FROM catalog_items WHERE category = ? ORDER BY id').all(category);
-    return rows;
-  },
-
   userExists(userId) {
-    return Boolean(userExistsStatement.get(userId));
+    return state.users.some((user) => user.id === userId);
   },
 
   spotExists(spotId) {
-    return Boolean(spotExistsStatement.get(spotId));
+    return state.spots.some((spot) => spot.id === spotId);
   },
 
   getSpots() {
-    return db
-      .prepare('SELECT id, location, date, host_user_id AS hostUserId FROM spots ORDER BY date DESC')
-      .all();
+    return state.spots
+      .map((spot) => ({
+        id: spot.id,
+        location: spot.location,
+        date: spot.date,
+        hostUserId: spot.host_user_id,
+      }))
+      .sort((a, b) => b.date.localeCompare(a.date));
   },
 
   getOrders({ spotId, userId }) {
-    const conditions = [];
-    const values = [];
-
-    if (spotId) {
-      conditions.push('spot_id = ?');
-      values.push(spotId);
-    }
-
-    if (userId) {
-      conditions.push('user_id = ?');
-      values.push(userId);
-    }
-
-    const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
-    const orders = db
-      .prepare(
-        `SELECT id, spot_id, user_id, total_amount, created_at
-         FROM orders
-         ${whereClause}
-         ORDER BY created_at DESC`
-      )
-      .all(...values);
-
-    const itemsByOrderId = fetchOrderItemsByOrderIds(orders.map((order) => order.id));
-
-    return orders.map((order) => mapOrder(order, itemsByOrderId.get(order.id) || []));
+    const orders = state.orders
+      .filter((order) => !spotId || order.spot_id === spotId)
+      .filter((order) => !userId || order.user_id === userId)
+      .sort((a, b) => b.created_at.localeCompare(a.created_at));
+
+    return orders.map((order) => {
+      const orderItems = state.order_items.filter((item) => item.order_id === order.id);
+      return mapOrder(order, orderItems);
+    });
   },
 
   createOrder({ spotId, userId, items }) {
@@ -259,7 +310,7 @@ export const database = {
         throw new Error('Each order item must include productId and a positive integer quantity');
       }
 
-      const catalogItem = getCatalogItemByIdStatement.get(item.productId);
+      const catalogItem = state.catalog_items.find((entry) => entry.id === item.productId);
       if (!catalogItem) {
         throw new Error(`Unknown productId: ${item.productId}`);
       }
@@ -277,24 +328,27 @@ export const database = {
     const orderId = randomUUID();
     const createdAt = new Date().toISOString();
 
-    const insertOrder = db.prepare(
-      'INSERT INTO orders (id, spot_id, user_id, total_amount, created_at) VALUES (?, ?, ?, ?, ?)'
-    );
-    const insertOrderItem = db.prepare(
-      'INSERT INTO order_items (order_id, product_id, name, quantity, unit_price, total) VALUES (?, ?, ?, ?, ?, ?)'
-    );
+    state.orders.push({
+      id: orderId,
+      spot_id: spotId,
+      user_id: userId,
+      total_amount: totalAmount,
+      created_at: createdAt,
+    });
 
-    db.exec('BEGIN');
-    try {
-      insertOrder.run(orderId, spotId, userId, totalAmount, createdAt);
-      parsedItems.forEach((item) => {
-        insertOrderItem.run(orderId, item.productId, item.name, item.quantity, item.unitPrice, item.total);
+    parsedItems.forEach((item) => {
+      state.order_items.push({
+        id: state.next_order_item_id++,
+        order_id: orderId,
+        product_id: item.productId,
+        name: item.name,
+        quantity: item.quantity,
+        unit_price: item.unitPrice,
+        total: item.total,
       });
-      db.exec('COMMIT');
-    } catch (error) {
-      db.exec('ROLLBACK');
-      throw error;
-    }
+    });
+
+    persist();
 
     return {
       id: orderId,
@@ -322,28 +376,19 @@ export const database = {
   },
 
   getBillBySpotId(spotId) {
-    const summaryRows = db
-      .prepare(
-        `SELECT user_id, SUM(total_amount) AS total
-         FROM orders
-         WHERE spot_id = ?
-         GROUP BY user_id`
-      )
-      .all(spotId);
-
-    const total = summaryRows.reduce((sum, row) => sum + row.total, 0);
+    const summaryRows = state.orders.filter((order) => order.spot_id === spotId);
+
+    const total = summaryRows.reduce((sum, row) => sum + row.total_amount, 0);
     const userTotals = summaryRows.reduce((acc, row) => {
-      acc[row.user_id] = row.total;
+      acc[row.user_id] = (acc[row.user_id] || 0) + row.total_amount;
       return acc;
     }, {});
 
-    const orderCount = db.prepare('SELECT COUNT(*) AS count FROM orders WHERE spot_id = ?').get(spotId).count;
-
     return {
       spotId,
       total,
       userTotals,
-      orderCount,
+      orderCount: summaryRows.length,
     };
   },
 };