OPCODE-Open-Spring-Fest · Somilg11 · Oct 24, 2025 · Oct 16, 2025 · Oct 24, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -23,6 +23,7 @@
     "cors": "^2.8.5",
     "dotenv": "^17.2.3",
     "express": "^5.1.0",
+    "joi": "^18.0.1",
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^8.19.1",
     "nodemon": "^3.1.10",

diff --git a/src/middlewares/validate.middleware.js b/src/middlewares/validate.middleware.js
@@ -0,0 +1,11 @@
+export const validateMiddleware = (schema, property = 'body') => {
+  return (req, res, next) => {
+    const { error } = schema.validate(req[property]);
+    if (error) {
+      return res.status(400).json({
+        error: error.details[0].message,
+      });
+    }
+    next();
+  };
+};
diff --git a/src/routes/authRoutes.js b/src/routes/authRoutes.js
@@ -1,11 +1,13 @@
 import express from 'express';
-import { registerUser,loginUser, forgotPassword, resetPassword } from '../controllers/authController.js';
-import { authMiddleware } from '../middlewares/auth.middleware.js';
+import { registerUser,loginUser } from '../controllers/authController.js';
+import { registerSchema, loginSchema } from '../validations/authValidation.js';
+import {validateMiddleware} from '../middlewares/validate.middleware.js';
+
 
 const router = express.Router();
 
-router.post('/register', registerUser);
-router.post('/login', loginUser);
+router.post('/register', validateMiddleware(registerSchema), registerUser);
+router.post('/login', validateMiddleware(loginSchema), loginUser);
 router.post('/forgotPassword',forgotPassword);
 router.post('/resetPassword/:token',resetPassword);
 

diff --git a/src/routes/rbacRoutes.js b/src/routes/rbacRoutes.js
@@ -1,16 +1,18 @@
 import express from 'express';
 import { authMiddleware } from '../middlewares/auth.middleware.js';
 import { checkRole } from '../middlewares/rbac.middleware.js';
+import { adminAccessSchema, userAccessSchema } from '../validations/rbacValidation.js';
+import {validateMiddleware} from '../middlewares/validate.middleware.js';
 
 const router = express.Router();
 
 
-router.get('/admin-only', authMiddleware, checkRole(['Admin']), (req, res) => {
+router.get('/admin-only', validateMiddleware(adminAccessSchema, 'headers'), authMiddleware, checkRole(['Admin']), (req, res) => {
 	return res.status(200).json({ message: 'Welcome, Admin' });
 });
 
- 
-router.get('/user-only', authMiddleware, checkRole(['User']), (req, res) => {
+
+router.get('/user-only', validateMiddleware(userAccessSchema, 'headers'), authMiddleware, checkRole(['User']), (req, res) => {
 	return res.status(200).json({ message: 'Welcome, User' });
 });
 

diff --git a/src/validations/authValidation.js b/src/validations/authValidation.js
@@ -0,0 +1,35 @@
+import Joi from 'joi';
+
+const registerSchema = Joi.object({
+  username: Joi.string().min(3).max(30).required().messages({
+    'string.empty': 'Username is required',
+    'string.min': 'Username must be at least 3 characters',
+    'string.max': 'Username must be at most 30 characters',
+  }),
+  fullname: Joi.string().min(3).max(50).required().messages({
+    'string.empty': 'Full name is required',
+    'string.min': 'Full name must be at least 3 characters',
+    'string.max': 'Full name must be at most 50 characters',
+  }),
+  email: Joi.string().email().required().messages({
+    'string.empty': 'Email is required',
+    'string.email': 'Email must be a valid email address',
+  }),
+  password: Joi.string().min(6).required().messages({
+    'string.empty': 'Password is required',
+    'string.min': 'Password must be at least 6 characters',
+  }),
+});
+
+const loginSchema = Joi.object({
+  email: Joi.string().email().required().messages({
+    'string.empty': 'Email is required',
+    'string.email': 'Email must be a valid email address',
+  }),
+  password: Joi.string().min(6).required().messages({
+    'string.empty': 'Password is required',
+    'string.min': 'Password must be at least 6 characters',
+  }),
+});
+
+export { registerSchema, loginSchema };
diff --git a/src/validations/rbacValidation.js b/src/validations/rbacValidation.js
@@ -0,0 +1,24 @@
+// src/validations/rbacValidation.js
+import Joi from "joi";
+
+const adminAccessSchema = Joi.object({
+  authorization: Joi.string()
+    .pattern(/^Bearer\s.+$/)
+    .required()
+    .messages({
+      "string.pattern.base": "Authorization header must be in Bearer token format",
+      "string.empty": "Authorization token is required",
+    }),
+}).unknown(true); // allows other headers
+
+const userAccessSchema = Joi.object({
+  authorization: Joi.string()
+    .pattern(/^Bearer\s.+$/)
+    .required()
+    .messages({
+      "string.pattern.base": "Authorization header must be in Bearer token format",
+      "string.empty": "Authorization token is required",
+    }),
+}).unknown(true);
+
+export { adminAccessSchema, userAccessSchema };