thalesvvikas · thechitransh · Nov 10, 2025
diff --git a/.env.example b/.env.example
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -13,8 +13,10 @@
   },
   "dependencies": {
     "bcrypt": "^5.1.1",
+    "cors": "^2.8.5",
     "dotenv": "^16.4.5",
     "express": "^4.21.1",
+    "express-rate-limit": "^8.2.1",
     "express-validator": "^7.2.1",
     "jsonwebtoken": "^9.0.2",
     "pg": "^8.13.1",
@@ -29,4 +31,4 @@
     "prettier": "^3.3.3",
     "supertest": "^7.1.1"
   }
-}
+}
diff --git a/src/app.js b/src/app.js
@@ -3,10 +3,12 @@ const app = express();
 const authRoutes = require('./routes/authRoutes');
 const taskRoutes = require('./routes/taskRoutes');
 const errorHandler = require('./middleware/errorHandler');
+const cors = require('cors');
 
 app.use(express.json());
+app.use(cors());
 app.use('/api/auth', authRoutes);
 app.use('/api/tasks', taskRoutes);
 app.use(errorHandler);
 
-module.exports = app;
+module.exports = app;
diff --git a/src/controllers/authController.js b/src/controllers/authController.js
@@ -4,17 +4,22 @@ const authService = require('../services/authService');
 exports.register = async (req, res, next) => {
   try {
     const errors = validationResult(req);
-    if (!errors.isEmpty()) return res.status(400).json({ errors: errors.array() });
-    const { username, password } = req.body;
-    const user = await authService.register(username, password);
+    if (!errors.isEmpty())
+      return res.status(400).json({ errors: errors.array() });
+    const { username, password, role } = req.body;
+    const user = await authService.register(username, password, role);
     res.status(201).json({ message: 'User created', user });
-  } catch (err) { next(err); }
+  } catch (err) {
+    next(err);
+  }
 };
 
 exports.login = async (req, res, next) => {
   try {
     const { username, password } = req.body;
     const token = await authService.login(username, password);
     res.json({ token });
-  } catch (err) { next(err); }
-};
+  } catch (err) {
+    next(err);
+  }
+};
diff --git a/src/controllers/taskController.js b/src/controllers/taskController.js
@@ -3,37 +3,103 @@ const { Task } = require('../models');
 
 exports.getTasks = async (req, res, next) => {
   try {
-    const tasks = await Task.findAll({ where: { userId: req.user.id } });
-    res.json(tasks);
-  } catch (err) { next(err); }
+    let { page = 1, limit = 10, status = 'pending', userId } = req.query;
+
+    page = parseInt(page);
+    limit = parseInt(limit);
+    const offset = (page - 1) * limit;
+
+    const where = {};
+
+    if (req.user.role === 'admin') {
+      if (userId) where.userId = userId;
+    } else {
+      where.userId = req.user.id;
+    }
+
+    if (status) where.status = status;
+
+    const [tasks, total] = await Promise.all([
+      Task.findAll({
+        where,
+        limit,
+        offset,
+        order: [['createdAt', 'DESC']],
+        attributes: [
+          'id',
+          'title',
+          'description',
+          'status',
+          'userId',
+          'createdAt',
+        ],
+      }),
+      Task.count({ where }),
+    ]);
+
+    res.status(200).json({
+      page,
+      limit,
+      totalPages: Math.ceil(total / limit),
+      totalTasks: total,
+      tasks,
+    });
+  } catch (err) {
+    next(err);
+  }
 };
 
 exports.createTask = async (req, res, next) => {
   try {
     const errors = validationResult(req);
-    if (!errors.isEmpty()) return res.status(400).json({ errors: errors.array() });
+    if (!errors.isEmpty())
+      return res.status(400).json({ errors: errors.array() });
     const { title, description } = req.body;
     const task = await Task.create({ title, description, userId: req.user.id });
     res.status(201).json(task);
-  } catch (err) { next(err); }
+  } catch (err) {
+    next(err);
+  }
 };
 
 exports.updateTask = async (req, res, next) => {
   try {
     const task = await Task.findByPk(req.params.id);
     if (!task) return res.status(404).json({ message: 'Task not found' });
-    if (task.userId !== req.user.id) return res.status(403).json({ message: 'Forbidden' });
+    if (task.userId !== req.user.id)
+      return res.status(403).json({ message: 'Forbidden' });
     await task.update(req.body);
     res.json(task);
-  } catch (err) { next(err); }
+  } catch (err) {
+    next(err);
+  }
 };
 
 exports.deleteTask = async (req, res, next) => {
   try {
     const task = await Task.findByPk(req.params.id);
     if (!task) return res.status(404).json({ message: 'Task not found' });
-    if (task.userId !== req.user.id) return res.status(403).json({ message: 'Forbidden' });
+    if (task.userId !== req.user.id)
+      return res.status(403).json({ message: 'Forbidden' });
     await task.destroy();
     res.json({ message: 'Task deleted' });
-  } catch (err) { next(err); }
-};
+  } catch (err) {
+    next(err);
+  }
+};
+
+exports.SoftDelete = async (req, res) => {
+  const task = await Task.findOne({
+    where: { id: req.params.id, userId: req.user.id },
+  });
+
+  if (!task) {
+    return res.status(404).json({ error: 'Task not found' });
+  }
+
+  task.status = 'deleted';
+  task.deletedAt = new Date();
+  await task.save();
+
+  res.json({ message: 'Task Deleted', task });
+};
diff --git a/src/middleware/rateLimit.js b/src/middleware/rateLimit.js
@@ -0,0 +1,11 @@
+const rateLimit = require('express-rate-limit');
+
+exports.loginLimiter = rateLimit({
+  windowMs: 10 * 60 * 1000,
+  max: 5,
+  message: {
+    error: 'Too many login attempts. Please try again in 10 minutes.',
+  },
+  standardHeaders: true,
+  legacyHeaders: false,
+});
diff --git a/src/models/task.js b/src/models/task.js
@@ -6,12 +6,16 @@ const Task = sequelize.define('Task', {
   title: { type: DataTypes.STRING, allowNull: false },
   description: { type: DataTypes.TEXT },
   status: {
-    type: DataTypes.ENUM('pending', 'in-progress', 'done'),
+    type: DataTypes.ENUM('pending', 'in-progress', 'done', 'deleted'),
     defaultValue: 'pending',
   },
+  deletedAt: {
+    type: DataTypes.DATE,
+    allowNull: true,
+  },
 });
 
 Task.belongsTo(User, { foreignKey: 'userId', onDelete: 'CASCADE' });
 User.hasMany(Task, { foreignKey: 'userId' });
 
-module.exports = Task;
+module.exports = Task;
diff --git a/src/models/user.js b/src/models/user.js
@@ -5,10 +5,15 @@ const bcrypt = require('bcrypt');
 const User = sequelize.define('User', {
   username: { type: DataTypes.STRING, allowNull: false, unique: true },
   password: { type: DataTypes.STRING, allowNull: false },
+  role: {
+    type: DataTypes.ENUM('user', 'admin'),
+    allowNull: false,
+    defaultValue: 'user',
+  },
 });
 
 User.beforeCreate(async (user) => {
   user.password = await bcrypt.hash(user.password, 10);
 });
 
-module.exports = User;
+module.exports = User;
diff --git a/src/routes/authRoutes.js b/src/routes/authRoutes.js
@@ -2,7 +2,12 @@ const express = require('express');
 const { body } = require('express-validator');
 const router = express.Router();
 const authController = require('../controllers/authController');
+const { loginLimiter } = require('../middleware/rateLimit');
 
-router.post('/register', [body('username').notEmpty(), body('password').isLength({ min: 5 })], authController.register);
-router.post('/login', authController.login);
-module.exports = router;
+router.post(
+  '/register',
+  [body('username').notEmpty(), body('password').isLength({ min: 5 })],
+  authController.register
+);
+router.post('/login', loginLimiter, authController.login);
+module.exports = router;
diff --git a/src/routes/taskRoutes.js b/src/routes/taskRoutes.js
@@ -9,4 +9,5 @@ router.get('/', taskController.getTasks);
 router.post('/', [body('title').notEmpty()], taskController.createTask);
 router.put('/:id', taskController.updateTask);
 router.delete('/:id', taskController.deleteTask);
-module.exports = router;
+router.delete('/softdelete/:id', taskController.SoftDelete);
+module.exports = router;
diff --git a/src/services/authService.js b/src/services/authService.js
@@ -2,21 +2,26 @@ const jwt = require('jsonwebtoken');
 const bcrypt = require('bcrypt');
 const { User } = require('../models');
 
-exports.register = async (username, password) => {
+exports.register = async (username, password, role = 'user') => {
   const existing = await User.findOne({ where: { username } });
   if (existing) throw new Error('Username already exists');
-  return await User.create({ username, password });
+  const newUser = await User.create({ username, password, role });
+  const { password: _, ...safeUser } = newUser.toJSON();
+  return safeUser;
 };
 
 exports.login = async (username, password) => {
   const user = await User.findOne({ where: { username } });
   if (!user) throw new Error('User not found');
+
   const valid = await bcrypt.compare(password, user.password);
   if (!valid) throw new Error('Invalid credentials');
+
   const token = jwt.sign(
-    { id: user.id, username: user.username },
+    { id: user.id, username: user.username, role: user.role },
     process.env.JWT_SECRET,
     { expiresIn: '1h' }
   );
-  return token;
-};
+
+  return { token, role: user.role };
+};