From 6ebeca5d7f84a7b694183b05c6eb166f7b4fdb04 Mon Sep 17 00:00:00 2001
From: rohitcpp
Date: Sun, 15 Mar 2026 21:57:57 +0530
Subject: [PATCH] fix: all fix; final code
---
 src/app.js | 2 +-
 src/controllers/aptcontrol.js | 2 +-
 src/controllers/authcontroller.js | 1 +
 src/middleware/authmiddleware.js | 5 +++--
 src/routes/appointment.js | 8 ++++----
 src/routes/patient.js | 8 ++++----
 6 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/app.js b/src/app.js
index 597e95c..e36bd9f 100644
--- a/src/app.js
+++ b/src/app.js
@@ -87,7 +87,7 @@ app.get('/', (_req, res) => {
 });
 });
-app.use(globalLimiter);
+//app.use(globalLimiter);
 app.use('/api/auth', authRoutes);
 app.use('/api/payment', paymentRoutes);
diff --git a/src/controllers/aptcontrol.js b/src/controllers/aptcontrol.js
index a18e2eb..109c59d 100644
--- a/src/controllers/aptcontrol.js
+++ b/src/controllers/aptcontrol.js
@@ -85,7 +85,7 @@ const updateAppointment = async (req, res, next) => {
 if (
 req.user.role === "doctor" &&
- appointment.doctor.toString() !== req.user.id
+ appointment.doctor.toString() !== req.user.id.toString()
 ) {
 return res.status(403).json({
 success: false,
diff --git a/src/controllers/authcontroller.js b/src/controllers/authcontroller.js
index 4e700da..d19435d 100644
--- a/src/controllers/authcontroller.js
+++ b/src/controllers/authcontroller.js
@@ -47,6 +47,7 @@ export const login = async (req, res) => {
 role: user.role,
 token,
 user: {
+ id: user._id,
 email: user.email,
 role: user.role,
 status: user.status,
diff --git a/src/middleware/authmiddleware.js b/src/middleware/authmiddleware.js
index 4cbf3e7..cf9b5ce 100644
--- a/src/middleware/authmiddleware.js
+++ b/src/middleware/authmiddleware.js
@@ -31,7 +31,7 @@ export const protect = async (req, res, next) => {
 req.user = {
 id: user._id,
- role: user.role.toLowerCase(),
+ role: String(user.role || '').trim().toLowerCase(),
 email: user.email,
 };
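Review bot: Commenting out `app.use(globalLimiter);` removes rate limiting from every route, including `/api/auth`, which is where login brute-force and credential-stuffing traffic arrives, and a commit described as "final code" should not ship with the limiter disabled. If the limiter was interfering with something, narrow its scope or tune its options rather than removing it, e.g. keep `app.use('/api/auth', globalLimiter, authRoutes);` so authentication stays throttled even if the rest of the API is exempt. Either delete the commented-out line as dead code or leave a comment saying why it is off and what tracks re-enabling it. The definition and import of `globalLimiter` are outside the hunk, so I cannot tell whether it is still referenced elsewhere.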
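Review bot: `appointment.doctor.toString()` on the changed line still throws a TypeError when `appointment.doctor` is null or unset, so the authorization check becomes a 500 instead of a denial; `String(appointment.doctor) !== String(req.user.id)` keeps the ObjectId-versus-string fix and fails closed, since a `"null"` or `"undefined"` string never matches a user id. The condition only restricts the `doctor` role, so every other role admitted by `authorize` on the route (now including `billing`, per the routes hunk) can update any appointment; if that is intended, a one-line comment above the `if` saying so would save the next reader a search. If `appointment.doctor` can be a populated document rather than an ObjectId, `toString()` would compare the wrong value — confirm against the query that loads it. The `updateAppointment` body starts and ends outside the hunk.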
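Review bot: The login response returns raw `role: user.role` (twice, top-level and inside `user`) while `protect` in the authmiddleware.js hunk trims and lowercases the role before any server-side check, so a client that gates its UI on the returned role may see `"Doctor"` while the API treats the user as `doctor`. Returning the same normalized value in both places, e.g. `role: String(user.role || '').trim().toLowerCase(),`, keeps client and server in agreement. A short comment on the `user` object stating that it is the non-secret subset of the account returned to clients would also help reviewers of future additions like the new `id: user._id`. The `login` function starts outside the hunk.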
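Review bot: The normalization `String(user.role || '').trim().toLowerCase()` is now written three times (here and twice in the `authorize` hunk); a single module-level helper such as `const normalizeRole = (role) => String(role || '').trim().toLowerCase();` keeps the rules identical in every place and makes a later change a one-line edit. Note that the `|| ''` fallback turns a user record with no `role` into `req.user.role === ''`, which any route using `protect` without `authorize` (if there are any) will accept as an authenticated user, whereas the removed `user.role.toLowerCase()` would have thrown. If the schema does not guarantee a role, consider rejecting explicitly before building `req.user`: `if (!user.role) return res.status(403).json({ success: false, message: 'Access denied' });`. The `protect` function starts and ends outside the hunk.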
@@ -57,8 +57,9 @@ export const protect = async (req, res, next) => {
 export const authorize = (...roles) => {
 return (req, res, next) => {
 const allowedRoles = Array.isArray(roles[0]) ? roles[0] : roles;
+ const normalizedAllowed = allowedRoles.map((r) => String(r || '').trim().toLowerCase());
- if (!req.user || !allowedRoles.includes(req.user.role)) {
+ if (!req.user || !normalizedAllowed.includes(String(req.user.role || '').trim().toLowerCase())) {
 return res.status(403).json({
 success: false,
 message: "Access denied",
diff --git a/src/routes/appointment.js b/src/routes/appointment.js
index 48e6d9b..52f7d6a 100644
--- a/src/routes/appointment.js
+++ b/src/routes/appointment.js
@@ -7,28 +7,28 @@ const router = express.Router();
 router.post(
 '/',
 protect,
- authorize('admin', 'doctor', 'receptionist'),
+ authorize('admin', 'doctor', 'receptionist','billing'),
 appointmentController.createAppointment
 );
 router.get(
 '/',
 protect,
- authorize('admin', 'doctor', 'receptionist', 'patient'),
+ authorize('admin', 'doctor', 'receptionist', 'patient', 'billing'),
 appointmentController.getAppointments
 );
 router.get(
 '/:id',
 protect,
- authorize('admin', 'doctor', 'receptionist', 'patient'),
+ authorize('admin', 'doctor', 'receptionist', 'patient', 'billing'),
 appointmentController.getAppointmentById
 );
 router.put(
 '/:id',
 protect,
- authorize('admin', 'doctor', 'receptionist'),
+ authorize('admin', 'doctor', 'receptionist','billing'),
 appointmentController.updateAppointment
 );
diff --git a/src/routes/patient.js b/src/routes/patient.js
index 546e8d6..665f2e2 100644
--- a/src/routes/patient.js
+++ b/src/routes/patient.js
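Review bot: `normalizedAllowed` is rebuilt on every request inside the returned middleware even though `roles` is fixed when `authorize(...)` is called; moving the normalization out of the closure, and into a `Set`, does that work once per route registration and reduces the per-request check to a single `has`. Re-normalizing `req.user.role` at check time is reasonable as defence in depth since `protect` already lowercases it, but both sides should go through the same helper so the two rules cannot drift apart. The `if` body and the rest of the closure continue past the hunk.
```javascript
const normalizeRole = (role) => String(role || '').trim().toLowerCase();

export const authorize = (...roles) => {
  const allowedRoles = Array.isArray(roles[0]) ? roles[0] : roles;
  // Normalized once when the route is registered, not on every request.
  const normalizedAllowed = new Set(allowedRoles.map(normalizeRole));
  return (req, res, next) => {
    if (!req.user || !normalizedAllowed.has(normalizeRole(req.user.role))) {
      // … unchanged: 403 "Access denied" response …
```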
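Review bot: Adding `'billing'` to `router.post` and `router.put` grants that role create and update rights on appointments, not just the read access the two `router.get` changes grant, and `updateAppointment` (aptcontrol.js hunk) only applies an ownership check to `doctor`, so billing users can modify any appointment; confirm that write access is the intended privilege level rather than a read-only need, and record the decision on the route, e.g. `// TODO(owner): confirm billing needs create/update here, not just read`. The same write grants appear in the patient.js hunk. Stylistically, the new literals are spelled `'receptionist','billing'` while the rest of the file separates arguments with `', '`, so the lines should read `authorize('admin', 'doctor', 'receptionist', 'billing'),`.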
@@ -5,13 +5,13 @@ import * as patientController from '../controllers/patient.js';
 const router = express.Router();
-router.get('/', protect, authorize('admin', 'doctor', 'receptionist'), patientController.getPatients);
+router.get('/', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.getPatients);
-router.get('/:id', protect, authorize('admin', 'doctor', 'receptionist'), patientController.getPatientById);
+router.get('/:id', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.getPatientById);
-router.post('/', protect, authorize('admin', 'doctor', 'receptionist'), patientController.createPatient);
+router.post('/', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.createPatient);
-router.put('/:id', protect, authorize('admin', 'doctor', 'receptionist'), patientController.updatePatient);
+router.put('/:id', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.updatePatient);
 router.delete('/:id', protect, authorize('admin'), patientController.deletePatient);
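Review bot: The same four-role tuple is now repeated on four routes here and four more in appointment.js, so a future role change has to be edited in eight places and a typo in one of them silently turns into a denial for that route; since `authorize` accepts an array as its first argument (`Array.isArray(roles[0])` in the middleware hunk), define the set once, e.g. `const STAFF_ROLES = ['admin', 'doctor', 'receptionist', 'billing'];`, and pass `authorize(STAFF_ROLES)`. Keeping `router.delete` on `authorize('admin')` alone looks deliberate and deserves a one-line comment so the asymmetry with `put` is not "fixed" later.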