fix: resolve API mismatches, security issues, and implement Firebase topic subscription

API Fixes:
- Add blog stats endpoint (GET /blog/admin/stats)
- Fix content upsert path alignment (/content/${key}/upsert)
- Fix menus reorder method (PUT→POST) and payload format
- Fix contact filters field name (isStarred→starred)

Security Fixes:
- Add escapeRegex() for email search in careers controller
- Add field whitelist in contact updateMessage to prevent mass assignment

Firebase Implementation:
- Implement FCM topic subscribe/unsubscribe in notification service
- Connect notification controller to actual Firebase Admin SDK

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Bagour Delivery

backend/src/controllers/blog.controller.ts

@@ -1246,6 +1246,41 @@ async function invalidateCategoryCache() {
   }
 }
 
+/**
+ * Get blog statistics (Admin)
+ * جلب إحصائيات المدونة (للمسؤول)
+ */
+export const getStats = asyncHandler(async (_req: Request, res: Response) => {
+  const [
+    total,
+    published,
+    draft,
+    scheduled,
+    archived,
+    totalViewsResult,
+  ] = await Promise.all([
+    BlogPost.countDocuments(),
+    BlogPost.countDocuments({ status: 'published' }),
+    BlogPost.countDocuments({ status: 'draft' }),
+    BlogPost.countDocuments({ status: 'scheduled' }),
+    BlogPost.countDocuments({ status: 'archived' }),
+    BlogPost.aggregate([
+      { $group: { _id: null, totalViews: { $sum: '$views' } } },
+    ]),
+  ]);
+
+  const totalViews = totalViewsResult[0]?.totalViews || 0;
+
+  return successResponse(res, {
+    total,
+    published,
+    draft,
+    scheduled,
+    archived,
+    totalViews,
+  });
+});
+
 export const blogController = {
   // Categories
   getCategories,
@@ -1266,6 +1301,8 @@ export const blogController = {
   updatePost,
   deletePost,
   bulkUpdateStatus,
+  // Stats
+  getStats,
   // Saved Posts
   savePost,
   unsavePost,

backend/src/controllers/careers.controller.ts

@@ -516,7 +516,7 @@ export const getAllApplications = asyncHandler(async (req: Request, res: Respons
   }
 
   if (email) {
-    filter.email = { $regex: email, $options: 'i' };
+    filter.email = { $regex: escapeRegex(email as string), $options: 'i' };
   }
 
   const total = await JobApplication.countDocuments(filter);

backend/src/controllers/contact.controller.ts

@@ -201,7 +201,15 @@ export const getMessageById = asyncHandler(async (req: Request, res: Response) =
  */
 export const updateMessage = asyncHandler(async (req: Request, res: Response) => {
   const { id } = req.params;
-  const updateData = req.body;
+
+  // Whitelist allowed fields for update to prevent mass assignment
+  const allowedFields = ['status', 'priority', 'notes', 'isStarred', 'labels', 'assignedTo'];
+  const updateData: Record<string, unknown> = {};
+  for (const field of allowedFields) {
+    if (req.body[field] !== undefined) {
+      updateData[field] = req.body[field];
+    }
+  }
 
   const message = await Contact.findByIdAndUpdate(id, updateData, { new: true });
 

backend/src/controllers/notification.controller.ts

@@ -183,8 +183,16 @@ export const subscribeToTopic = asyncHandler(async (req: Request, res: Response)
   const { topic } = req.params;
   const { token } = req.body;
 
-  // This would use Firebase Admin SDK to subscribe to topic
-  // For now, just acknowledge the request
+  if (!token) {
+    throw new ApiError(400, 'TOKEN_REQUIRED', 'Device token is required');
+  }
+
+  const result = await notificationService.subscribeToTopic(token, topic);
+
+  if (!result.success) {
+    throw new ApiError(500, 'SUBSCRIPTION_FAILED', result.error || 'Failed to subscribe to topic');
+  }
+
   sendSuccess(res, { message: `Subscribed to topic: ${topic}`, topic, token });
 });
 
@@ -197,7 +205,16 @@ export const unsubscribeFromTopic = asyncHandler(async (req: Request, res: Respo
   const { topic } = req.params;
   const { token } = req.body;
 
-  // This would use Firebase Admin SDK to unsubscribe from topic
+  if (!token) {
+    throw new ApiError(400, 'TOKEN_REQUIRED', 'Device token is required');
+  }
+
+  const result = await notificationService.unsubscribeFromTopic(token, topic);
+
+  if (!result.success) {
+    throw new ApiError(500, 'UNSUBSCRIPTION_FAILED', result.error || 'Failed to unsubscribe from topic');
+  }
+
   sendSuccess(res, { message: `Unsubscribed from topic: ${topic}`, topic, token });
 });
 

backend/src/routes/blog.routes.ts

@@ -838,6 +838,42 @@ router.delete(
  *       403:
  *         description: Forbidden - Insufficient permissions
  */
+/**
+ * @swagger
+ * /blog/admin/stats:
+ *   get:
+ *     summary: Get blog statistics
+ *     description: Retrieves blog statistics including post counts by status and total views (Admin only)
+ *     tags: [Blog Admin]
+ *     security:
+ *       - bearerAuth: []
+ *     responses:
+ *       200:
+ *         description: Blog statistics
+ *         content:
+ *           application/json:
+ *             schema:
+ *               type: object
+ *               properties:
+ *                 total:
+ *                   type: number
+ *                 published:
+ *                   type: number
+ *                 draft:
+ *                   type: number
+ *                 scheduled:
+ *                   type: number
+ *                 archived:
+ *                   type: number
+ *                 totalViews:
+ *                   type: number
+ *       401:
+ *         description: Unauthorized
+ *       403:
+ *         description: Forbidden - Insufficient permissions
+ */
+router.get('/admin/stats', authenticate, authorize('blog:read'), blogController.getStats);
+
 router.get('/admin/posts', authenticate, authorize('blog:read'), blogController.getAllPosts);
 
 /**

backend/src/services/notification.service.ts

@@ -5,7 +5,7 @@
 
 import * as admin from 'firebase-admin';
 import { getMessaging } from '../config/firebase';
-import { logger, emitToUser, emitToAdmins } from '../config';
+import { logger, emitToUser } from '../config';
 import { Notification, INotification } from '../models/Notification';
 import { User } from '../models';
 import { DeviceToken } from '../models/DeviceToken';
@@ -411,6 +411,72 @@ export async function deleteOldNotifications(daysOld: number = 30): Promise<numb
   return result.deletedCount;
 }
 
+/**
+ * Subscribe a device token to an FCM topic
+ * اشتراك جهاز في موضوع FCM
+ */
+export async function subscribeToTopic(
+  token: string,
+  topic: string
+): Promise<{ success: boolean; error?: string }> {
+  const messaging = getMessaging();
+
+  if (!messaging) {
+    logger.warn('FCM not initialized - cannot subscribe to topic');
+    return { success: false, error: 'FCM not initialized' };
+  }
+
+  try {
+    const response = await messaging.subscribeToTopic([token], topic);
+
+    if (response.failureCount > 0) {
+      const errorMsg = response.errors?.[0]?.error?.message || 'Unknown error';
+      logger.warn(`Failed to subscribe token to topic ${topic}: ${errorMsg}`);
+      return { success: false, error: errorMsg };
+    }
+
+    logger.info(`Token subscribed to topic: ${topic}`);
+    return { success: true };
+  } catch (error) {
+    const errorMsg = (error as Error).message;
+    logger.error(`Error subscribing to topic ${topic}:`, error);
+    return { success: false, error: errorMsg };
+  }
+}
+
+/**
+ * Unsubscribe a device token from an FCM topic
+ * إلغاء اشتراك جهاز من موضوع FCM
+ */
+export async function unsubscribeFromTopic(
+  token: string,
+  topic: string
+): Promise<{ success: boolean; error?: string }> {
+  const messaging = getMessaging();
+
+  if (!messaging) {
+    logger.warn('FCM not initialized - cannot unsubscribe from topic');
+    return { success: false, error: 'FCM not initialized' };
+  }
+
+  try {
+    const response = await messaging.unsubscribeFromTopic([token], topic);
+
+    if (response.failureCount > 0) {
+      const errorMsg = response.errors?.[0]?.error?.message || 'Unknown error';
+      logger.warn(`Failed to unsubscribe token from topic ${topic}: ${errorMsg}`);
+      return { success: false, error: errorMsg };
+    }
+
+    logger.info(`Token unsubscribed from topic: ${topic}`);
+    return { success: true };
+  } catch (error) {
+    const errorMsg = (error as Error).message;
+    logger.error(`Error unsubscribing from topic ${topic}:`, error);
+    return { success: false, error: errorMsg };
+  }
+}
+
 export default {
   sendPushNotification,
   sendNotification,
@@ -423,4 +489,6 @@ export default {
   markAllAsRead,
   getUnreadCount,
   deleteOldNotifications,
+  subscribeToTopic,
+  unsubscribeFromTopic,
 };

frontend/src/services/admin/contact.service.ts

@@ -54,7 +54,7 @@ export interface ContactFilters {
   limit?: number;
   status?: ContactStatus;
   priority?: ContactPriority;
-  isStarred?: boolean;
+  starred?: boolean; // Backend expects 'starred', not 'isStarred'
   search?: string;
   sort?: string;
   startDate?: string;

frontend/src/services/admin/content.service.ts

@@ -134,7 +134,7 @@ export async function updateContent(key: string, data: UpdateContentData): Promi
  */
 export async function upsertContent(key: string, data: CreateContentData): Promise<ContentItem> {
   const response = await apiClient.put<{ content: ContentItem }>(
-    `${CONTENT_ENDPOINT}/upsert/${key}`,
+    `${CONTENT_ENDPOINT}/${key}/upsert`,
     data
   );
   return response.data?.content as ContentItem;

frontend/src/services/admin/menus.service.ts

@@ -182,8 +182,10 @@ export async function removeMenuItem(menuId: string, itemId: string): Promise<Me
  * Reorder menu items
  */
 export async function reorderMenuItems(menuId: string, itemIds: string[]): Promise<Menu> {
-  const response = await apiClient.put<{ menu: Menu }>(`${MENUS_ENDPOINT}/${menuId}/reorder`, {
-    itemIds,
+  // Transform itemIds array to items array with { id, order } format expected by backend
+  const items = itemIds.map((id, index) => ({ id, order: index }));
+  const response = await apiClient.post<{ menu: Menu }>(`${MENUS_ENDPOINT}/${menuId}/reorder`, {
+    items,
   });
   return response.data?.menu as Menu;
 }