feat: teacher invitation middelware + extra error catchings

backend/src/controllers/teacher-invitations.ts

@@ -2,6 +2,7 @@ import { Request, Response } from 'express';
 import { requireFields } from './error-helper';
 import { createInvitation, deleteInvitation, getAllInvitations, getInvitation, updateInvitation } from '../services/teacher-invitations';
 import { TeacherInvitationData } from '@dwengo-1/common/interfaces/teacher-invitation';
+import {ConflictException} from "../exceptions/conflict-exception";
 
 export async function getAllInvitationsHandler(req: Request, res: Response): Promise<void> {
     const username = req.params.username;
@@ -30,6 +31,10 @@ export async function createInvitationHandler(req: Request, res: Response): Prom
     const classId = req.body.class;
     requireFields({ sender, receiver, classId });
 
+    if (sender === receiver){
+        throw new ConflictException("Cannot send an invitation to yourself");
+    }
+
     const data = req.body as TeacherInvitationData;
     const invitation = await createInvitation(data);
 

backend/src/middleware/auth/checks/teacher-invitation-checks.ts

@@ -0,0 +1,23 @@
+import {authorize} from "./auth-checks";
+import {AuthenticationInfo} from "../authentication-info";
+import {AuthenticatedRequest} from "../authenticated-request";
+
+export const onlyAllowSenderOrReceiver = authorize(
+    (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+        req.params.sender === auth.username || req.params.receiver === auth.username
+);
+
+export const onlyAllowSender = authorize(
+    (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+        req.params.sender === auth.username
+);
+
+export const onlyAllowSenderBody = authorize(
+    (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+        req.body.sender === auth.username
+);
+
+export const onlyAllowReceiverBody = authorize(
+    (auth: AuthenticationInfo, req: AuthenticatedRequest) =>
+        req.body.receiver === auth.username
+);

backend/src/routes/teacher-invitations.ts

@@ -6,17 +6,23 @@ import {
     getInvitationHandler,
     updateInvitationHandler,
 } from '../controllers/teacher-invitations';
+import {onlyAllowUserHimself} from "../middleware/auth/checks/user-auth-checks";
+import {
+    onlyAllowReceiverBody, onlyAllowSender,
+    onlyAllowSenderBody,
+    onlyAllowSenderOrReceiver
+} from "../middleware/auth/checks/teacher-invitation-checks";
 
 const router = express.Router({ mergeParams: true });
 
-router.get('/:username', getAllInvitationsHandler);
+router.get('/:username', onlyAllowUserHimself, getAllInvitationsHandler);
 
-router.get('/:sender/:receiver/:classId', getInvitationHandler);
+router.get('/:sender/:receiver/:classId', onlyAllowSenderOrReceiver ,getInvitationHandler);
 
-router.post('/', createInvitationHandler);
+router.post('/', onlyAllowSenderBody, createInvitationHandler);
 
-router.put('/', updateInvitationHandler);
+router.put('/', onlyAllowReceiverBody, updateInvitationHandler);
 
-router.delete('/:sender/:receiver/:classId', deleteInvitationHandler);
+router.delete('/:sender/:receiver/:classId', onlyAllowSender, deleteInvitationHandler);
 
 export default router;

backend/src/services/teacher-invitations.ts

@@ -32,6 +32,10 @@ export async function createInvitation(data: TeacherInvitationData): Promise<Tea
         throw new ConflictException('The teacher sending the invite is not part of the class');
     }
 
+    if (cls.teachers.contains(receiver)){
+        throw new ConflictException('The teacher receiving the invite is already part of the class');
+    }
+
     const newInvitation = mapToInvitation(sender, receiver, cls);
     await teacherInvitationRepository.save(newInvitation, { preventOverwrite: true });