
Add/Update Categories and Role Middleware #1767

Merged
s223973381 merged 2 commits into Chameleon-company:backend_work from Binara93Lokuliyanage:backend_work
Apr 13, 2026

Conversation

@Binara93Lokuliyanage

Summary

This PR introduces full category management functionality along with role-based authentication and authorization using JWT middleware.


Features Implemented

1. Create Category (Admin Only)

  • Added POST /api/categories endpoint
  • Validates and sanitizes input data
  • Stores created_by using authenticated user ID
  • Prevents duplicate category creation (case-insensitive)
  • Returns enriched response with creator details

2. Update Category (Admin Only)

  • Added PUT /api/categories/[id] endpoint
  • Validates and sanitizes update input
  • Ensures category exists before updating
  • Implements duplicate name check (case-insensitive)
  • Excludes current category during duplicate validation
  • Returns updated category with creator details

3. Role-Based Middleware (JWT Authentication)

  • Implemented middleware to verify JWT tokens
  • Decodes and injects user details into request headers:
    • x-user-id
    • x-user-role
    • x-user-role-id
  • Protects API routes:
    • /api/categories
    • /api/profile
  • Restricts category creation and updates to admin users only


4. Reusable Authentication Utility

  • Added getAuthUser() helper function
  • Simplifies access to user ID and role in API routes
  • Centralizes authentication logic

5. Data Integrity & Validation

  • Added input validation for category creation and updates
  • Implemented duplicate prevention using:
    • API-level checks (ilike)
    • Database-level safeguards (recommended UNIQUE constraint)
  • Ensures consistent and clean data storage


Security Improvements

  • Enforces authentication for protected routes
  • Restricts sensitive operations to admin users
  • Prevents unauthorized access and data modification

Testing

  • Tested via Postman:

    • Admin can successfully create and update categories
    • Non-admin users receive 403 Forbidden
    • Unauthenticated users receive 401 Unauthorized
    • Duplicate category names are rejected
    • Middleware correctly injects user headers

Notes

  • Follows Next.js App Router best practices (route.ts + dynamic [id] routes)
  • Designed for scalability and reuse across other modules
  • Clean separation of concerns (middleware, helpers, validation)

Outcome

  • Fully functional category CRUD (Create + Update)
  • Secure, role-based API access
  • Improved data consistency and maintainability

@s223973381 s223973381 merged commit 24221a5 into Chameleon-company:backend_work Apr 13, 2026