add student portal with role-based auth

Adds a student-facing portal behind DISCORD_ALLOWED_STUDENT_IDS allowlist.
Students see their own EOD messages, daily stats (attendance/PRs/EOD), and
simulations. Instructors see the existing admin dashboard unchanged. All
admin routes are now gated by requireInstructor middleware.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dsshimel

attendabot/.env.example

@@ -13,8 +13,10 @@ DISCORD_CLIENT_ID=your-discord-oauth-client-id
 DISCORD_CLIENT_SECRET=your-discord-oauth-client-secret
 BETTER_AUTH_SECRET=your-32-char-secret-here
 BETTER_AUTH_URL=http://localhost:3001
-# Comma-separated Discord user IDs allowed to log in (empty = allow all)
+# Comma-separated Discord user IDs allowed to log in as instructors (empty = allow all)
 DISCORD_ALLOWED_USER_IDS=123456789,987654321
+# Comma-separated Discord user IDs allowed to log in as students
+DISCORD_ALLOWED_STUDENT_IDS=111111111,222222222
 
 GEMINI_API_KEY=
 

attendabot/backend/src/api/index.ts

@@ -9,6 +9,8 @@ import path from "path";
 import http from "http";
 import { toNodeHandler } from "better-auth/node";
 import { auth } from "../auth";
+import { authenticateToken } from "./middleware/auth";
+import { requireInstructor } from "./middleware/requireInstructor";
 import { statusRouter } from "./routes/status";
 import { messagesRouter } from "./routes/messages";
 import { channelsRouter } from "./routes/channels";
@@ -20,6 +22,8 @@ import { featureRequestsRouter } from "./routes/featureRequests";
 import { featureFlagsRouter } from "./routes/featureFlags";
 import { observersRouter } from "./routes/observers";
 import { databaseRouter } from "./routes/database";
+import { meRouter } from "./routes/me";
+import { studentPortalRouter } from "./routes/studentPortal";
 import { initializeWebSocket } from "./websocket";
 
 /** Express application instance. */
@@ -39,19 +43,27 @@ app.all("/api/auth/better/*", toNodeHandler(auth));
 
 app.use(express.json({ limit: "10mb" }));
 
-// API routes
-app.use("/api/status", statusRouter);
-app.use("/api/messages", messagesRouter);
-app.use("/api/channels", channelsRouter);
-app.use("/api/users", usersRouter);
-app.use("/api/students", studentsRouter);
-app.use("/api/cohorts", cohortsRouter);
-app.use("/api/testing", testingRouter);
-app.use("/api/llm", llmRouter);
-app.use("/api/feature-requests", featureRequestsRouter);
-app.use("/api/feature-flags", featureFlagsRouter);
-app.use("/api/observers", observersRouter);
-app.use("/api/database", databaseRouter);
+// Routes accessible by both roles (auth handled inside router)
+app.use("/api/auth/me", meRouter);
+
+// Student-only routes (auth + role check handled inside router)
+app.use("/api/student-portal", studentPortalRouter);
+
+// Admin/instructor-only routes
+// authenticateToken sets req.user (with role), then requireInstructor checks it.
+// Each router also calls authenticateToken internally, but it short-circuits if already set.
+app.use("/api/status", authenticateToken, requireInstructor, statusRouter);
+app.use("/api/messages", authenticateToken, requireInstructor, messagesRouter);
+app.use("/api/channels", authenticateToken, requireInstructor, channelsRouter);
+app.use("/api/users", authenticateToken, requireInstructor, usersRouter);
+app.use("/api/students", authenticateToken, requireInstructor, studentsRouter);
+app.use("/api/cohorts", authenticateToken, requireInstructor, cohortsRouter);
+app.use("/api/testing", authenticateToken, requireInstructor, testingRouter);
+app.use("/api/llm", authenticateToken, requireInstructor, llmRouter);
+app.use("/api/feature-requests", authenticateToken, requireInstructor, featureRequestsRouter);
+app.use("/api/feature-flags", authenticateToken, requireInstructor, featureFlagsRouter);
+app.use("/api/observers", authenticateToken, requireInstructor, observersRouter);
+app.use("/api/database", authenticateToken, requireInstructor, databaseRouter);
 
 // Serve static frontend files in production only
 if (process.env.NODE_ENV === "production") {
@@ -63,8 +75,10 @@ if (process.env.NODE_ENV === "production") {
   // Fallback: serve the correct index.html based on path
   app.get("*", (req, res) => {
     if (req.path.startsWith("/api")) return;
-    if (req.path.startsWith("/simulations")) {
-      res.sendFile(path.join(frontendPath, "simulations/index.html"));
+    if (req.path.startsWith("/simulations/auth")) {
+      res.sendFile(path.join(frontendPath, "simulations/auth/index.html"));
+    } else if (req.path.startsWith("/simulations")) {
+      res.sendFile(path.join(frontendPath, "simulations/auth/index.html"));
     } else {
       res.sendFile(path.join(frontendPath, "index.html"));
     }

attendabot/backend/src/api/middleware/auth.ts

@@ -7,12 +7,17 @@
 
 import { Request, Response, NextFunction } from "express";
 import { fromNodeHeaders } from "better-auth/node";
-import { auth } from "../../auth";
+import { auth, getUserRole, getAuthDatabase } from "../../auth";
 import { validateApiKey } from "../../services/apiKeys";
 
 /** Express Request extended with authenticated user data. */
 export interface AuthRequest extends Request {
-  user?: { authenticated: boolean; username: string };
+  user?: {
+    authenticated: boolean;
+    username: string;
+    role: "instructor" | "student";
+    discordAccountId?: string;
+  };
 }
 
 /**
@@ -24,11 +29,16 @@ export function authenticateToken(
   res: Response,
   next: NextFunction,
 ): void {
+  // Skip if already authenticated (e.g., by mount-level middleware)
+  if (req.user?.authenticated) {
+    return next();
+  }
+
   // Check for API key first
   const apiKey = req.headers["x-api-key"];
   if (typeof apiKey === "string" && apiKey.length > 0) {
     if (validateApiKey(apiKey)) {
-      req.user = { authenticated: true, username: "api-key" };
+      req.user = { authenticated: true, username: "api-key", role: "instructor" };
       return next();
     }
     res.status(401).json({ error: "Invalid API key" });
@@ -40,9 +50,24 @@ export function authenticateToken(
     headers: fromNodeHeaders(req.headers),
   }).then((session) => {
     if (session?.user) {
+      const username = session.user.name || session.user.email || "Discord User";
+
+      // Look up Discord account to determine role
+      const authDb = getAuthDatabase();
+      const account = authDb
+        .prepare(
+          `SELECT "accountId" FROM "account" WHERE "userId" = ? AND "providerId" = 'discord'`,
+        )
+        .get(session.user.id) as { accountId: string } | undefined;
+
+      const discordAccountId = account?.accountId;
+      const role = discordAccountId ? (getUserRole(discordAccountId) ?? "instructor") : "instructor";
+
       req.user = {
         authenticated: true,
-        username: session.user.name || session.user.email || "Discord User",
+        username,
+        role,
+        discordAccountId,
       };
       next();
     } else {

attendabot/backend/src/api/middleware/requireInstructor.ts

@@ -0,0 +1,19 @@
+/**
+ * @fileoverview Middleware that restricts access to instructor-role users only.
+ */
+
+import { Response, NextFunction } from "express";
+import { AuthRequest } from "./auth";
+
+/** Middleware that checks if the authenticated user has the "instructor" role. Returns 403 if not. */
+export function requireInstructor(
+  req: AuthRequest,
+  res: Response,
+  next: NextFunction,
+): void {
+  if (req.user?.role !== "instructor") {
+    res.status(403).json({ error: "Instructor access required" });
+    return;
+  }
+  next();
+}

attendabot/backend/src/api/routes/me.ts

@@ -0,0 +1,39 @@
+/**
+ * @fileoverview Route for fetching the current user's identity and role.
+ */
+
+import { Router, Response } from "express";
+import { authenticateToken, AuthRequest } from "../middleware/auth";
+import { getDatabase } from "../../services/db";
+
+export const meRouter = Router();
+
+/** GET /api/auth/me — Returns the current user's role, name, and identity info. */
+meRouter.get("/", authenticateToken, (req: AuthRequest, res: Response) => {
+  const user = req.user!;
+  const result: {
+    role: string;
+    name: string;
+    discordAccountId?: string;
+    studentId?: number;
+    studentName?: string;
+  } = {
+    role: user.role,
+    name: user.username,
+    discordAccountId: user.discordAccountId,
+  };
+
+  // If student, look up student record by discord_user_id
+  if (user.role === "student" && user.discordAccountId) {
+    const db = getDatabase();
+    const student = db
+      .prepare(`SELECT id, name FROM students WHERE discord_user_id = ?`)
+      .get(user.discordAccountId) as { id: number; name: string } | undefined;
+    if (student) {
+      result.studentId = student.id;
+      result.studentName = student.name;
+    }
+  }
+
+  res.json(result);
+});

attendabot/backend/src/api/routes/studentPortal.ts

@@ -0,0 +1,144 @@
+/**
+ * @fileoverview Student portal API routes. Provides students with read-only
+ * access to their own EOD messages and daily stats.
+ */
+
+import { Router, Response } from "express";
+import { authenticateToken, AuthRequest } from "../middleware/auth";
+import { getMessagesByUser, getMessagesByChannelAndDateRange } from "../../services/db";
+import { EOD_CHANNEL_ID, ATTENDANCE_CHANNEL_ID } from "../../bot/constants";
+import { countPrsInMessage, isValidEodMessage } from "../../bot/index";
+
+export const studentPortalRouter = Router();
+
+/** Middleware that ensures the user is a student. */
+function requireStudent(req: AuthRequest, res: Response, next: () => void): void {
+  if (req.user?.role !== "student") {
+    res.status(403).json({ error: "Student access required" });
+    return;
+  }
+  if (!req.user.discordAccountId) {
+    res.status(403).json({ error: "No Discord account linked" });
+    return;
+  }
+  next();
+}
+
+/**
+ * GET /api/student-portal/eods?limit=100
+ * Returns the student's own EOD messages sorted by date DESC.
+ */
+studentPortalRouter.get(
+  "/eods",
+  authenticateToken,
+  requireStudent,
+  (req: AuthRequest, res: Response) => {
+    const limit = Math.min(parseInt(req.query.limit as string) || 100, 500);
+    const discordId = req.user!.discordAccountId!;
+
+    const messages = getMessagesByUser(discordId, EOD_CHANNEL_ID, limit);
+    res.json({
+      messages: messages.map((m) => ({
+        id: m.discord_message_id,
+        content: m.content,
+        createdAt: m.created_at,
+        channelName: m.channel_name,
+      })),
+    });
+  },
+);
+
+/** Daily stats for the student portal. */
+interface DailyStats {
+  date: string;
+  attendancePosted: boolean;
+  attendanceOnTime: boolean;
+  middayPrPosted: boolean;
+  middayPrCount: number;
+  eodPosted: boolean;
+  totalPrCount: number;
+}
+
+/**
+ * GET /api/student-portal/stats?startDate=YYYY-MM-DD&endDate=YYYY-MM-DD
+ * Computes daily stats for the authenticated student over the given date range.
+ */
+studentPortalRouter.get(
+  "/stats",
+  authenticateToken,
+  requireStudent,
+  (req: AuthRequest, res: Response) => {
+    const discordId = req.user!.discordAccountId!;
+
+    // Default: last 30 days
+    const endDate = (req.query.endDate as string) || new Date().toISOString().split("T")[0];
+    const startDefault = new Date();
+    startDefault.setDate(startDefault.getDate() - 30);
+    const startDate = (req.query.startDate as string) || startDefault.toISOString().split("T")[0];
+
+    const days: DailyStats[] = [];
+    const current = new Date(startDate);
+    const end = new Date(endDate);
+
+    while (current <= end) {
+      const dateStr = current.toISOString().split("T")[0];
+      // Create date boundaries in ET (UTC-5)
+      const dayStart = new Date(`${dateStr}T00:00:00-05:00`).toISOString();
+      const dayEnd = new Date(`${dateStr}T23:59:59-05:00`).toISOString();
+      const tenAm = new Date(`${dateStr}T10:00:00-05:00`).toISOString();
+      const twoPm = new Date(`${dateStr}T14:00:00-05:00`).toISOString();
+
+      // Get messages for this day
+      const attendanceMessages = getMessagesByChannelAndDateRange("attendance", dayStart, dayEnd);
+      const eodMessages = getMessagesByChannelAndDateRange("eod", dayStart, dayEnd);
+
+      // Filter to this student's messages
+      const myAttendance = attendanceMessages.filter((m) => m.author_id === discordId);
+      const myEod = eodMessages.filter((m) => m.author_id === discordId);
+
+      // Attendance
+      const attendancePosted = myAttendance.length > 0;
+      const attendanceOnTime = attendancePosted && myAttendance[0].created_at < tenAm;
+
+      // Midday PR (PR links before 2 PM)
+      const prBeforeTwoPm = myEod.filter(
+        (m) => m.created_at < twoPm && countPrsInMessage(m.content ?? "") > 0,
+      );
+      const middayPrPosted = prBeforeTwoPm.length > 0;
+      const middayPrCount = prBeforeTwoPm.reduce(
+        (sum, m) => sum + countPrsInMessage(m.content ?? ""),
+        0,
+      );
+
+      // EOD
+      const eodPosted = myEod.some((m) => isValidEodMessage(m.content ?? ""));
+
+      // Total unique PR count
+      const prUrlRe = /https:\/\/github\.com\/[\w.-]+\/[\w.-]+\/pull\/\d+/g;
+      const allPrUrls = new Set<string>();
+      for (const m of myEod) {
+        const urls = (m.content ?? "").match(prUrlRe) ?? [];
+        for (const url of urls) {
+          allPrUrls.add(url);
+        }
+      }
+
+      days.push({
+        date: dateStr,
+        attendancePosted,
+        attendanceOnTime,
+        middayPrPosted,
+        middayPrCount,
+        eodPosted,
+        totalPrCount: allPrUrls.size,
+      });
+
+      current.setDate(current.getDate() + 1);
+    }
+
+    // Sort by date DESC
+    days.sort((a, b) => b.date.localeCompare(a.date));
+
+    res.json({ days });
+  },
+);