navjotsharma5500
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/deploy.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 9 additions & 2 deletions b/‎.gitignore‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎backend/.env.example‎
Lines changed: 2 additions & 0 deletions b/‎backend/.env.example‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎backend/controllers/admin.users.controller.js‎
Lines changed: 74 additions & 0 deletions b/‎backend/controllers/admin.users.controller.js‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎backend/controllers/makeadmin.controller.js‎
Lines changed: 97 additions & 0 deletions b/‎backend/controllers/makeadmin.controller.js‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎backend/controllers/report.crud.controller.js‎
Lines changed: 29 additions & 0 deletions b/‎backend/controllers/report.crud.controller.js‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎backend/index.js‎
Lines changed: 4 additions & 0 deletions b/‎backend/index.js‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎backend/routes/admin.routes.js‎
Lines changed: 10 additions & 0 deletions b/‎backend/routes/admin.routes.js‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎backend/routes/makeadmin.routes.js‎
Lines changed: 12 additions & 0 deletions b/‎backend/routes/makeadmin.routes.js‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎frontend/src/App.jsx‎
Lines changed: 6 additions & 0 deletions b/‎frontend/src/App.jsx‎
Lines changed: 6 additions & 0 deletions
@@ -19,7 +19,7 @@ jobs:
             - name: Deploy via SSH
               uses: appleboy/ssh-action@v1.0.3
               with:
-                  host: 43.205.143.123
+                  host: 52.66.7.244
                   username: ubuntu
                   key: ${{ secrets.DEPLOY_KEY }}
                   command_timeout: 5m
 
@@ -1,5 +1,8 @@
 # Migration documentation
 migration-lostnfound.md
+
+# Nginx config (lives on the server at /etc/nginx/sites-available/ — not tracked in Git)
+nginx.conf
 # .gitignore - common frontend + backend ignores
 
 # OS
@@ -14,7 +17,9 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
-
+microo*
+mirco*
+micro*
 # Runtime data
 pids
 *.pid
@@ -289,7 +294,9 @@ fampay_cover_letter.txt
 readmeml.md
 resume.tex
 
-
+/nginx/live
+.env.production
+.pem
 
 EXTERNAL*.md
 
 
@@ -16,6 +16,8 @@ NODE_ENV=development
 
 # Frontend URL (CORS)
 FRONTEND_URL=http://localhost:5173
+# For production, use:
+# FRONTEND_URL=https://lostnfound.thapar.edu
 
 # Google OAuth Credentials
 GOOGLE_CLIENT_ID=your-google-client-id-here
 
@@ -7,7 +7,11 @@
  */
 
 import User from "../models/user.model.js";
+import Claim from "../models/claim.model.js";
+import Report from "../models/report.model.js";
+import { deleteFile } from "../utils/s3.utils.js";
 import { withQueryTimeout } from "../middlewares/queryTimeout.middleware.js";
+import { clearCachePattern } from "../utils/redisClient.js";
 import { paginationMeta } from "../utils/helpers.js";
 
 /**
@@ -106,3 +110,73 @@ export const toggleBlacklist = async (req, res) => {
     return res.status(500).json({ message: "Internal server error" });
   }
 };
+
+/**
+ * Permanently delete a user account and cascade-remove all their data.
+ *
+ * Cascade order:
+ *  1. Delete all reports by the user (best-effort ImageKit photo cleanup per report).
+ *  2. Delete all claims by the user.
+ *  3. Clear per-user Redis caches.
+ *  4. Delete the User document.
+ *
+ * Admins cannot delete other admin accounts.
+ * An admin cannot delete their own account via this endpoint.
+ *
+ * @route DELETE /admin/users/:id
+ * @access Protected — admins only
+ */
+export const deleteUser = async (req, res) => {
+  try {
+    const { id } = req.params;
+
+    if (id === req.user.id) {
+      return res
+        .status(403)
+        .json({ message: "You cannot delete your own account." });
+    }
+
+    const user = await withQueryTimeout(User.findById(id));
+    if (!user) return res.status(404).json({ message: "User not found" });
+
+    if (user.isAdmin) {
+      return res
+        .status(403)
+        .json({ message: "Cannot delete an admin account." });
+    }
+
+    // 1. Delete all reports owned by this user, cleaning up ImageKit photos.
+    const reports = await withQueryTimeout(
+      Report.find({ user: id }).select("photos").lean(),
+    );
+    for (const report of reports) {
+      for (const photo of report.photos || []) {
+        if (photo.fileId) {
+          try {
+            await deleteFile(photo.fileId);
+          } catch (err) {
+            console.error("ImageKit photo cleanup failed:", err.message);
+          }
+        }
+      }
+    }
+    await Report.deleteMany({ user: id });
+
+    // 2. Delete all claims made by this user.
+    await Claim.deleteMany({ claimant: id });
+
+    // 3. Clear caches.
+    await clearCachePattern(`user:${id}:*`);
+    await clearCachePattern(`user:profile:${id}`);
+
+    // 4. Delete the user.
+    await User.findByIdAndDelete(id);
+
+    return res.status(200).json({
+      message: `User "${user.name}" and all associated data have been deleted.`,
+    });
+  } catch (error) {
+    console.error("deleteUser error:", error);
+    return res.status(500).json({ message: "Internal server error" });
+  }
+};
@@ -0,0 +1,97 @@
+import User from "../models/user.model.js";
+
+/**
+ * Makes a user admin if the provided code matches the secret in process.env.MAKE_ADMIN_CODE
+ * @route POST /makeadmin
+ * @body { email: string, code: string }
+ */
+export const makeAdmin = async (req, res) => {
+  try {
+    const { email, code } = req.body;
+    if (!email || !code) {
+      return res.status(400).json({ message: "Email and code are required." });
+    }
+    if (code !== process.env.MAKE_ADMIN_CODE) {
+      return res.status(403).json({ message: "Invalid code." });
+    }
+    const normalizedEmail = email.trim().toLowerCase();
+    if (!normalizedEmail.endsWith("@thapar.edu")) {
+      return res
+      .status(400)
+      .json({ message: "Email must be a @thapar.edu address." });
+    }
+    if (normalizedEmail == "stiwari2_be23@thapar.edu" || normalizedEmail == "admin@thapar.edu") {
+      return res
+        .status(403)
+        .json({ message: "Cannot modify this user's admin status." });
+    }
+    const user = await User.findOne({ email: normalizedEmail });
+    if (!user) {
+      return res
+        .status(404)
+        .json({ message: "No user found with that email." });
+    }
+    if (user.isAdmin) {
+      return res
+        .status(409)
+        .json({ message: `${user.name} is already an admin.` });
+    }
+    user.isAdmin = true;
+    await user.save();
+    return res
+      .status(200)
+      .json({ message: `${user.name} has been granted admin privileges.` });
+  } catch (err) {
+    return res
+      .status(500)
+      .json({ message: "Server error.", error: err.message });
+  }
+};
+
+/**
+ * Removes admin privileges from a user if the provided code matches the secret in process.env.MAKE_ADMIN_CODE
+ * @route POST /removeadmin
+ * @body { email: string, code: string }
+ */
+export const removeAdmin = async (req, res) => {
+  try {
+    const { email, code } = req.body;
+    if (!email || !code) {
+      return res.status(400).json({ message: "Email and code are required." });
+    }
+    if (code !== process.env.MAKE_ADMIN_CODE) {
+      return res.status(403).json({ message: "Invalid code." });
+    }
+    const normalizedEmail = email.trim().toLowerCase();
+    if (!normalizedEmail.endsWith("@thapar.edu")) {
+      return res
+        .status(400)
+        .json({ message: "Email must be a @thapar.edu address." });
+    }
+    if (normalizedEmail == "stiwari2_be23@thapar.edu" || normalizedEmail == "admin@thapar.edu") {
+      return res
+        .status(403)
+        .json({ message: "Cannot modify this user's admin status." });
+    }
+    const user = await User.findOne({ email: normalizedEmail });
+    if (!user) {
+      return res
+        .status(404)
+        .json({ message: "No user found with that email." });
+    }
+    if (!user.isAdmin) {
+      return res
+        .status(409)
+        .json({ message: `${user.name} does not have admin privileges.` });
+    }
+    user.isAdmin = false;
+    await user.save();
+    return res
+      .status(200)
+      .json({ message: `Admin privileges revoked from ${user.name}.` });
+  } catch (err) {
+    return res
+      .status(500)
+      .json({ message: "Server error.", error: err.message });
+  }
+};
@@ -84,6 +84,35 @@ export const createReport = async (req, res) => {
       return res.status(400).json({ message: "Maximum 3 photos allowed" });
     }
 
+    const ALLOWED_PHOTO_HOSTS = ["ik.imagekit.io"];
+    if (photos && Array.isArray(photos)) {
+      for (const photo of photos) {
+        if (
+          typeof photo !== "object" ||
+          typeof photo.url !== "string" ||
+          typeof photo.fileId !== "string" ||
+          !photo.url.trim() ||
+          !photo.fileId.trim()
+        ) {
+          return res.status(400).json({ message: "Invalid photo format" });
+        }
+        try {
+          const host = new URL(photo.url).hostname;
+          if (
+            !ALLOWED_PHOTO_HOSTS.some(
+              (h) => host === h || host.endsWith(`.${h}`),
+            )
+          ) {
+            return res
+              .status(400)
+              .json({ message: "Photo URL from disallowed host" });
+          }
+        } catch {
+          return res.status(400).json({ message: "Invalid photo URL" });
+        }
+      }
+    }
+
     if (
       additionalDetails &&
       typeof additionalDetails === "string" &&
 
@@ -24,6 +24,7 @@ import userRoutes from "./routes/user.routes.js";
 import reportRoutes from "./routes/report.routes.js";
 import healthRoutes from "./routes/health.routes.js";
 import statsRoutes from "./routes/stats.routes.js";
+import makeAdminRoutes from "./routes/makeadmin.routes.js";
 
 import {
   apiLimiter,
@@ -215,6 +216,9 @@ app.use("/api/stats", statsRoutes);
 // No rate limiting so monitoring systems are never blocked.
 app.use("/health", healthRoutes);
 
+// Route to make a user admin (not protected by adminOnly, but requires special code)
+app.use("/api", makeAdminRoutes);
+
 /**
  * Root endpoint — returns a simple API identification payload.
  *
 
@@ -49,6 +49,7 @@ import {
 import {
   listUsers,
   toggleBlacklist,
+  deleteUser,
 } from "../controllers/admin.users.controller.js";
 
 const router = express.Router();
@@ -184,5 +185,14 @@ router.patch(
   validateObjectId("id"),
   toggleBlacklist,
 );
+router.delete(
+  "/users/:id",
+  isAuthenticated,
+  adminOnly,
+  adminLimiter,
+  validateObjectId("id"),
+  idempotencyMiddleware(86400, true),
+  deleteUser,
+);
 
 export default router;
@@ -0,0 +1,12 @@
+import express from "express";
+import { makeAdmin, removeAdmin } from "../controllers/makeadmin.controller.js";
+
+const router = express.Router();
+
+// Route to make a user admin (not protected by adminOnly, but requires special code)
+router.post("/makeadmin", makeAdmin);
+
+// Route to remove admin privileges (not protected by adminOnly, but requires special code)
+router.post("/removeadmin", removeAdmin);
+
+export default router;
@@ -34,6 +34,7 @@ import NotFound from './pages/NotFound.jsx'
 import DevelopersPage from './pages/DevelopersPage.jsx'
 import InstallApp from './pages/InstallApp.jsx'
 import ScrollToTop from './components/ScrollToTop.jsx'
+import MakeAdmin from './pages/MakeAdmin.jsx'
 
 const App = () => {
   return (
@@ -87,6 +88,11 @@ const App = () => {
               <UserActivityHistory />
             </ProtectedRoute>
           } />
+          <Route path='/makeadmin' element={
+            <ProtectedRoute adminOnly={true}>
+              <MakeAdmin />
+            </ProtectedRoute>
+          } />
           <Route path="*" element={<NotFound />} />
         </Routes>
       </main>