Merge branch 'refactor/routes' into main

Author: aamoghS

package.json

@@ -2,7 +2,7 @@
   "name": "query",
   "private": true,
   "version": "1.0.0",
-  "packageManager": "pnpm@10.25.0",
+  "packageManager": "pnpm@10.26.1",
   "engines": {
     "node": ">=20.16.0",
     "pnpm": ">=9"

packages/api/package.json

@@ -2,25 +2,33 @@
   "name": "@query/api",
   "version": "0.0.0",
   "private": true,
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
+  "type": "module",
   "exports": {
-    ".": "./src/index.ts"
+    ".": "./src/index.ts",
+    "./client": "./src/client.ts",
+    "./trpc-server": "./src/trpc-server.ts",
+    "./server": "./src/index.ts",
+    "./context": "./src/context.ts",
+    "./middleware": "./src/middleware.ts",
+    "./trpc": "./src/trpc.ts"
   },
   "scripts": {
     "lint": "eslint .",
-    "type-check": "tsc --noEmit"
+    "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@trpc/server": "^11.8.0",
-    "@query/db": "workspace:*",
     "@query/auth": "workspace:*",
-    "superjson": "^2.2.1",
-    "zod": "^3.22.4"
+    "@query/db": "workspace:*",
+    "@trpc/server": "^11.7.2",
+    "@trpc/client": "^11.7.2",
+    "@trpc/react-query": "^11.7.2",
+    "@trpc/next": "^11.7.2",
+    "@tanstack/react-query": "^5.90.12",
+    "zod": "^3.23.8",
+    "superjson": "^2.2.6"
   },
   "devDependencies": {
     "@query/tsconfig": "workspace:*",
-    "@types/node": "^20",
-    "typescript": "^5"
+    "typescript": "^5.6.3"
   }
-}
+}

packages/api/src/middleware/security.ts

@@ -0,0 +1,102 @@
+import { TRPCError } from "@trpc/server";
+
+const rateLimitStore = new Map<string, { count: number; resetAt: number }>();
+
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, value] of rateLimitStore.entries()) {
+    if (now > value.resetAt) {
+      rateLimitStore.delete(key);
+    }
+  }
+}, 5 * 60 * 1000);
+
+export function rateLimit(identifier: string, maxRequests: number, windowMs: number): boolean {
+  const now = Date.now();
+  const record = rateLimitStore.get(identifier);
+
+  if (!record || now > record.resetAt) {
+    rateLimitStore.set(identifier, {
+      count: 1,
+      resetAt: now + windowMs,
+    });
+    return true;
+  }
+
+  if (record.count >= maxRequests) {
+    return false;
+  }
+
+  record.count++;
+  return true;
+}
+
+export function sanitizeInput(input: any): any {
+  if (input === null || input === undefined) {
+    return input;
+  }
+
+  if (typeof input === 'string') {
+    return input
+      .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '')
+      .replace(/javascript:/gi, '')
+      .replace(/on\w+\s*=/gi, '')
+      .replace(/data:text\/html/gi, '')
+      .replace(/<iframe/gi, '')
+      .replace(/<embed/gi, '')
+      .replace(/<object/gi, '')
+      .trim()
+      .slice(0, 10000);
+  }
+
+  if (Array.isArray(input)) {
+    if (input.length > 1000) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: "Array too large",
+      });
+    }
+    return input.map(sanitizeInput);
+  }
+
+  if (typeof input === 'object') {
+    const keys = Object.keys(input);
+    if (keys.length > 100) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: "Object too complex",
+      });
+    }
+
+    const sanitized: any = {};
+    for (const [key, value] of Object.entries(input)) {
+      // Sanitize keys too
+      const cleanKey = key.replace(/[^\w\-]/g, '').slice(0, 100);
+      if (cleanKey) {
+        sanitized[cleanKey] = sanitizeInput(value);
+      }
+    }
+    return sanitized;
+  }
+
+  return input;
+}
+
+export function validateEmail(email: string): boolean {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email) && email.length <= 254;
+}
+
+export function validateUrl(url: string): boolean {
+  try {
+    const parsed = new URL(url);
+    return ['http:', 'https:'].includes(parsed.protocol);
+  } catch {
+    return false;
+  }
+}
+
+export function validateUUID(uuid: string): boolean {
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+  return uuidRegex.test(uuid);
+}

packages/api/src/root.ts

@@ -1,10 +1,16 @@
 import { createTRPCRouter } from "./trpc";
 import { helloRouter } from "./routers/hello";
 import { userRouter } from "./routers/user";
+import { adminRouter } from "./routers/admin";
+import { memberRouter } from "./routers/member";
+import { hackathonRouter } from "./routers/hackathon";
 
 export const appRouter = createTRPCRouter({
   hello: helloRouter,
   user: userRouter,
+  admin: adminRouter,
+  member: memberRouter,
+  hackathon: hackathonRouter,
 });
 
 export type AppRouter = typeof appRouter;

packages/api/src/routers/admin.ts

@@ -0,0 +1,197 @@
+import { z } from "zod";
+import { TRPCError } from "@trpc/server";
+import { createTRPCRouter, protectedProcedure } from "../trpc";
+import { admins, users } from "@query/db";
+import { eq, and } from "drizzle-orm";
+
+const isAdmin = protectedProcedure.use(async ({ ctx, next }) => {
+  const admin = await ctx.db.query.admins.findFirst({
+    where: and(
+      eq(admins.userId, ctx.userId!),
+      eq(admins.isActive, true)
+    ),
+  });
+
+  if (!admin) {
+    throw new TRPCError({
+      code: "FORBIDDEN",
+      message: "Admin access required",
+    });
+  }
+
+  return next({ ctx: { ...ctx, admin } });
+});
+
+const isSuperAdmin = isAdmin.use(async ({ ctx, next }) => {
+  if (ctx.admin.role !== "super_admin") {
+    throw new TRPCError({
+      code: "FORBIDDEN",
+      message: "Super admin access required",
+    });
+  }
+  return next({ ctx });
+});
+
+export const adminRouter = createTRPCRouter({
+  isAdmin: protectedProcedure.query(async ({ ctx }) => {
+    const admin = await ctx.db.query.admins.findFirst({
+      where: and(
+        eq(admins.userId, ctx.userId!),
+        eq(admins.isActive, true)
+      ),
+    });
+
+    return {
+      isAdmin: !!admin,
+      role: admin?.role || null,
+      permissions: admin?.permissions || [],
+    };
+  }),
+
+  list: isAdmin.query(async ({ ctx }) => {
+    const allAdmins = await ctx.db.query.admins.findMany({
+      with: {
+        user: {
+          columns: {
+            id: true,
+            name: true,
+            email: true,
+            image: true,
+          },
+        },
+      },
+      orderBy: (admins, { desc }) => [desc(admins.createdAt)],
+      limit: 100,
+    });
+
+    return allAdmins;
+  }),
+
+  create: isSuperAdmin
+    .input(
+      z.object({
+        userId: z.string().min(1).max(255),
+        role: z.enum(["super_admin", "admin", "moderator"]),
+        permissions: z.array(z.string().max(100)).max(50).optional(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const user = await ctx.db.query.users.findFirst({
+        where: eq(users.id, input.userId),
+      });
+
+      if (!user) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "User not found",
+        });
+      }
+
+      const existingAdmin = await ctx.db.query.admins.findFirst({
+        where: eq(admins.userId, input.userId),
+      });
+
+      if (existingAdmin) {
+        throw new TRPCError({
+          code: "BAD_REQUEST",
+          message: "User is already an admin",
+        });
+      }
+
+      const result = await ctx.db
+        .insert(admins)
+        .values({
+          userId: input.userId,
+          role: input.role,
+          permissions: input.permissions || [],
+        })
+        .returning();
+
+      const newAdmin = result[0];
+
+      if (!newAdmin) {
+        throw new TRPCError({
+          code: "INTERNAL_SERVER_ERROR",
+          message: "cannot create",
+        });
+      }
+
+      return newAdmin;
+    }),
+
+  update: isSuperAdmin
+    .input(
+      z.object({
+        adminId: z.string().uuid(),
+        role: z.enum(["super_admin", "admin", "moderator"]).optional(),
+        permissions: z.array(z.string().max(100)).max(50).optional(),
+        isActive: z.boolean().optional(),
+      })
+    )
+    .mutation(async ({ ctx, input }) => {
+      const targetAdmin = await ctx.db.query.admins.findFirst({
+        where: eq(admins.id, input.adminId),
+      });
+
+      if (!targetAdmin) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "Admin not found",
+        });
+      }
+      if (targetAdmin.userId === ctx.userId && input.isActive === false) {
+        throw new TRPCError({
+          code: "BAD_REQUEST",
+          message: "why?",
+        });
+      }
+
+      const result = await ctx.db
+        .update(admins)
+        .set({
+          role: input.role,
+          permissions: input.permissions,
+          isActive: input.isActive,
+          updatedAt: new Date(),
+        })
+        .where(eq(admins.id, input.adminId))
+        .returning();
+
+      const updatedAdmin = result[0];
+
+      if (!updatedAdmin) {
+        throw new TRPCError({
+          code: "INTERNAL_SERVER_ERROR",
+          message: "couldnt update",
+        });
+      }
+
+      return updatedAdmin;
+    }),
+
+  remove: isSuperAdmin
+    .input(z.object({ adminId: z.string().uuid() }))
+    .mutation(async ({ ctx, input }) => {
+      const targetAdmin = await ctx.db.query.admins.findFirst({
+        where: eq(admins.id, input.adminId),
+      });
+
+      if (!targetAdmin) {
+        throw new TRPCError({
+          code: "NOT_FOUND",
+          message: "not located",
+        });
+      }
+
+      if (targetAdmin.userId === ctx.userId) {
+        throw new TRPCError({
+          code: "BAD_REQUEST",
+          message: "why are you trying to do this",
+        });
+      }
+
+      await ctx.db.delete(admins).where(eq(admins.id, input.adminId));
+
+      return { success: true };
+    }),
+});