A minimal Node.js backend for BroCode Spot backed by a persistent JSON file database.

Start it with `npm run backend`. The server listens at http://localhost:4000 by default.
- Uses a local JSON database file at `backend/data/brocode.json`.
- You can override the location with `BROCODE_DB_PATH=/custom/path.json npm run backend`.
- On first start, seed data is inserted for users, spots, catalog items, and a sample order.
- New orders are validated against DB data (known `spotId`, `userId`, `productId`), and item pricing is always derived from catalog prices in the database.
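The validation and pricing rule above, as an added example that is not the project's own code: the incoming order is checked against the spots, users and catalog in the database, and each line's unit price is read from the catalog so that a client-supplied `price` field has no effect on the total. The in-memory `SAMPLE_DB` and the field names (`spots`, `users`, `catalog`, `price`, `quantity`) are constructed for illustration and are assumptions about the real JSON file layout.

```javascript
// Constructed sample database; the real server loads backend/data/brocode.json.
// Field names are an assumption for this example.
const SAMPLE_DB = {
  users: [{ id: 'u1', username: 'brocode', role: 'user' }],
  spots: [{ id: 's1', name: 'Main Spot' }],
  catalog: [
    { id: 'p1', category: 'drinks', name: 'Cola', price: 2.5 },
    { id: 'p2', category: 'food', name: 'Burger', price: 8 },
  ],
};

// Validate a POST /api/orders body against DB data and price it from the catalog.
// Returns { ok: true, order } or { ok: false, errors }.
function validateOrder(db, input) {
  const errors = [];
  if (!db.spots.some((s) => s.id === input.spotId)) errors.push('unknown spotId');
  if (!db.users.some((u) => u.id === input.userId)) errors.push('unknown userId');
  if (!Array.isArray(input.items) || input.items.length === 0) {
    errors.push('items must be a non-empty array');
  }

  const items = [];
  for (const raw of Array.isArray(input.items) ? input.items : []) {
    const product = db.catalog.find((p) => p.id === raw.productId);
    if (!product) {
      errors.push(`unknown productId: ${raw.productId}`);
      continue;
    }
    if (!Number.isInteger(raw.quantity) || raw.quantity <= 0) {
      errors.push(`invalid quantity for ${raw.productId}`);
      continue;
    }
    // Unit price comes from the catalog only; any client-supplied "price" is ignored.
    items.push({
      productId: product.id,
      quantity: raw.quantity,
      unitPrice: product.price,
      lineTotal: product.price * raw.quantity,
    });
  }

  if (errors.length > 0) return { ok: false, errors };
  const total = items.reduce((sum, item) => sum + item.lineTotal, 0);
  return { ok: true, order: { spotId: input.spotId, userId: input.userId, items, total } };
}
```

The function never reads `raw.price`; the test below sends a bogus `price: 0.01` and checks that the catalog price wins.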
- Passwords are stored as salted `scrypt` hashes (not plaintext).
- Legacy plaintext user passwords are auto-migrated to hashed values on successful login.
- Login is now rate-limited per `IP + username` key.
- Defaults: 5 failed attempts within 15 minutes triggers a 15 minute temporary block (HTTP `429`).
- Configure via env vars: `LOGIN_RATE_LIMIT_MAX_ATTEMPTS`, `LOGIN_RATE_LIMIT_WINDOW_MS`, `LOGIN_RATE_LIMIT_BLOCK_MS`.
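An in-memory limiter with the semantics listed above (per `IP + username` key, a sliding failure window, a temporary block, defaults of 5 attempts, 15 minutes and 15 minutes, overridable through the three env vars), as an added example that is not the project's own code. The `LoginRateLimiter` class, its method names and the timestamp parameters used for deterministic testing are assumptions; the env var names are the ones the README lists.

```javascript
// Defaults match the README: 5 attempts, 15-minute window, 15-minute block.
// Env vars named in the README override them when set to a number.
const RATE_LIMIT_DEFAULTS = {
  maxAttempts: Number(process.env.LOGIN_RATE_LIMIT_MAX_ATTEMPTS) || 5,
  windowMs: Number(process.env.LOGIN_RATE_LIMIT_WINDOW_MS) || 15 * 60 * 1000,
  blockMs: Number(process.env.LOGIN_RATE_LIMIT_BLOCK_MS) || 15 * 60 * 1000,
};

// Assumed helper class: tracks failures per IP+username and blocks after too many.
class LoginRateLimiter {
  constructor(opts = {}) {
    this.opts = { ...RATE_LIMIT_DEFAULTS, ...opts };
    this.state = new Map(); // key -> { failures: [timestampMs], blockedUntil: ms }
  }

  key(ip, username) {
    return `${ip}|${String(username).toLowerCase()}`;
  }

  // Call before checking credentials; a blocked key should get HTTP 429 with Retry-After.
  check(ip, username, now = Date.now()) {
    const entry = this.state.get(this.key(ip, username));
    if (entry && entry.blockedUntil > now) {
      return { allowed: false, retryAfterMs: entry.blockedUntil - now };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record a failed login. Returns true when this failure triggered a block.
  recordFailure(ip, username, now = Date.now()) {
    const k = this.key(ip, username);
    const entry = this.state.get(k) || { failures: [], blockedUntil: 0 };
    // Sliding window: drop failures older than windowMs before counting.
    entry.failures = entry.failures.filter((t) => now - t < this.opts.windowMs);
    entry.failures.push(now);
    if (entry.failures.length >= this.opts.maxAttempts) {
      entry.blockedUntil = now + this.opts.blockMs;
      entry.failures = [];
    }
    this.state.set(k, entry);
    return entry.blockedUntil > now;
  }

  // A successful login clears the key so earlier failures no longer count.
  recordSuccess(ip, username) {
    this.state.delete(this.key(ip, username));
  }
}
```

Keying on IP and username together means one client hammering one account is blocked without locking that account for everyone else, and a different source address starts with a clean counter.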
- Login now returns an HMAC-signed bearer token (replacing predictable demo tokens).
- Tokens include user id, role, and expiry, and are validated with constant-time signature checks.
- Data endpoints now require `Authorization: Bearer <token>` and enforce role access:
  - `GET /api/orders`: users can only read their own orders; admins can read all.
  - `POST /api/orders`: users can create only for themselves; admins can create for any user.
  - `GET /api/orders/:id`: users can read only their own order; admins can read any order.
  - `GET /api/bills/:spotId` and `DELETE /api/users/:userId`: admin only.
- Configure via env vars: `AUTH_TOKEN_SECRET`, `AUTH_TOKEN_TTL_SECONDS`, `CORS_ALLOW_ORIGIN`.
- `GET /api/health`
- `POST /api/auth/login`
- `GET /api/catalog`
- `GET /api/catalog/:category` (`drinks`, `food`, `cigarettes`)
- `GET /api/spots`
- `GET /api/orders?spotId=...&userId=...` (auth required)
- `GET /api/orders/:id` (auth required)
- `POST /api/orders` (auth required)
- `GET /api/bills/:spotId` (admin only)
- `DELETE /api/users/:userId` (admin only; removes the user and all related records)
```json
{
  "username": "brocode",
  "password": "changeme"
}
```