feat: implement doctor working hours system with RBAC and secure middleware

rohitbytecode · rohitbytecode · commit a02d428cad32 · 2026-02-20T20:09:26.000+05:30
diff --git a/src/controllers/admincontroller.js b/src/controllers/admincontroller.js
@@ -39,4 +39,23 @@ export const login = async (req, res) => {
       error: error.message,
     });
   }
+};
+
+export const updateDoctorWorkingHours = async (req, res) => {
+    try {
+
+        if (req.user.role !== 'admin') {
+            return res.status(403).json({ message: "Access denied" });
+        }
+
+        const result = await doctorService.updateWorkingHours(
+            req.params.id,
+            req.body.workingHours
+        );
+
+        res.status(200).json(result);
+
+    } catch (error) {
+        res.status(400).json({ message: error.message });
+    }
 };
diff --git a/src/controllers/doctor.controller.js b/src/controllers/doctor.controller.js
@@ -50,11 +50,31 @@ const deleteDoctor = async (req, res) => {
     res.status(500).json({ message: err.message });
   }
 };
+
+const updateMyWorkingHours = async (req, res) => {
+    try {
+
+        if (req.user.role !== 'doctor') {
+            return res.status(403).json({ message: "Access denied" });
+        }
+
+        const result = await doctorService.updateWorkingHours(
+            req.user.id,
+            req.body.workingHours
+        );
+
+        res.status(200).json(result);
+
+    } catch (error) {
+        res.status(400).json({ message: error.message });
+    }
+}
   
 export {
   createDoctor,
   changePassword,
   getDoctors,
   updateDoctor,
-  deleteDoctor
+  deleteDoctor,
+  updateMyWorkingHours
 };
diff --git a/src/middleware/authmiddleware.js b/src/middleware/authmiddleware.js
@@ -1,6 +1,7 @@
 import jwt from 'jsonwebtoken';
+import User from '../models/User.js';
 
-export const protect = (req, res, next) => {
+export const protect = async (req, res, next) => {
   let token;
 
   if (
@@ -12,13 +13,30 @@ export const protect = (req, res, next) => {
 
       const decoded = jwt.verify(token, process.env.JWT_SECRET);
 
+      const user = await User.findById(decoded.id).select('-password');
+
+      if (!user) {
+        return res.status(401).json({
+          success: false,
+          message: "User no longer exists",
+        });
+      }
+
+      if (user.status === 'Inactive') {
+        return res.status(401).json({
+          success: false,
+          message: "User account is inactive",
+        });
+      }
+
       req.user = {
-        id: decoded.id,
-        role: decoded.role.toLowerCase(),
-        email: decoded.email,
+        id: user._id,
+        role: user.role.toLowerCase(),
+        email: user.email,
       };
 
       return next();
+
     } catch (error) {
       return res.status(401).json({
         success: false,
diff --git a/src/models/User.js b/src/models/User.js
@@ -1,39 +1,143 @@
 import mongoose from 'mongoose';
 
+const timeRegex = /^([01]\d|2[0-3]):([0-5]\d)$/;
+
+const slotSchema = new mongoose.Schema({
+  startTime: { 
+    type: String,
+    required: true,
+    match: timeRegex
+  },
+  endTime: { 
+    type: String,
+    required: true,
+    match: timeRegex
+  }
+}, { _id: false });
+
+const workingDaySchema = new mongoose.Schema({
+  day: {
+    type: String,
+    required: true,
+    enum: ["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"]
+  },
+  isAvailable: {
+    type: Boolean,
+    default: true
+  },
+  slots: {
+    type: [slotSchema],
+    default: []
+  }
+}, { _id: false });
+
+workingDaySchema.pre('validate', function(next) {
+
+  if (!this.isAvailable && this.slots.length > 0) {
+    return next(new Error("Slots cannot exist when doctor is unavailable"));
+  }
+
+  const sorted = [...this.slots].sort((a, b) =>
+    a.startTime.localeCompare(b.startTime)
+  );
+
+  for (let i = 0; i < sorted.length; i++) {
+
+    if (sorted[i].startTime >= sorted[i].endTime) {
+      return next(new Error("Start time must be before end time"));
+    }
+
+    if (i > 0 && sorted[i - 1].endTime > sorted[i].startTime) {
+      return next(new Error("Overlapping time slots detected"));
+    }
+  }
+
+  next();
+});
+
+const DEFAULT_WORKING_HOURS = [
+  { day: "Monday", isAvailable: true, slots: [{ startTime: "09:00", endTime: "17:00" }] },
+  { day: "Tuesday", isAvailable: true, slots: [{ startTime: "09:00", endTime: "17:00" }] },
+  { day: "Wednesday", isAvailable: true, slots: [{ startTime: "09:00", endTime: "17:00" }] },
+  { day: "Thursday", isAvailable: true, slots: [{ startTime: "09:00", endTime: "17:00" }] },
+  { day: "Friday", isAvailable: true, slots: [{ startTime: "09:00", endTime: "17:00" }] },
+  { day: "Saturday", isAvailable: false, slots: [] },
+  { day: "Sunday", isAvailable: false, slots: [] },
+];
+
 const userSchema = new mongoose.Schema({
+
   email: {
     type: String,
     required: true,
     unique: true,
-    match: /.+\@.+\..+/  
+    match: /.+\@.+\..+/
+  },
+
+  password: { 
+    type: String, 
+    required: true 
   },
-  password: { type: String, required: true },
 
   role: { 
     type: String, 
     required: true, 
     enum: ['admin', 'doctor','receptionist','billing'] 
   },
 
-
   name: { type: String },
+
   phno: { 
     type: String,
     match: /^[0-9]{10}$/  
   },
+
   spec: { type: String },
+
   dept: { 
     type: mongoose.Schema.Types.ObjectId, 
     ref: 'Department' 
   },
+
   exp: { type: String },
   qual: { type: String },
+
   status: { 
     type: String, 
     enum: ['Active', 'Inactive'], 
     default: 'Active' 
+  },
+
+  workingHours: {
+    type: [workingDaySchema]
   }
+
 }, { timestamps: true });
 
+
+userSchema.pre('validate', function(next) {
+
+  if (this.role === 'doctor' && this.workingHours) {
+    const days = this.workingHours.map(d => d.day);
+    const uniqueDays = new Set(days);
+
+    if (days.length !== uniqueDays.size) {
+      return next(new Error("Duplicate days are not allowed"));
+    }
+  }
+
+  next();
+});
+
+userSchema.pre('save', function(next) {
+
+  if (this.role === 'doctor' && (!this.workingHours || this.workingHours.length === 0)) {
+    this.workingHours = DEFAULT_WORKING_HOURS;
+  }
+
+  next();
+});
+
+
 const User = mongoose.models.User || mongoose.model('User', userSchema);
 export default User;
diff --git a/src/routes/adminroutes.js b/src/routes/adminroutes.js
@@ -1,8 +1,15 @@
 import express from 'express';
 import * as adminController from '../controllers/admincontroller.js';
-
+import { protect, authorize } from '../middleware/authmiddleware.js';
 const router = express.Router();
 
 router.post('/login', adminController.login);
 
-export default router;
+router.put(
+    '/doctors/:id/working-hours',
+    protect,
+    authorize(['admin']),
+    adminController.updateDoctorWorkingHours
+);
+
+export default router;
diff --git a/src/routes/doctor.routes.js b/src/routes/doctor.routes.js
@@ -12,6 +12,12 @@ router.put('/change-password', protect, authorize('doctor'), doctorController.ch
 
 router.put('/:id', protect, authorize('admin'), doctorController.updateDoctor);
 
+router.put('/me/working-hours',
+    protect,
+    authorize('doctor'),
+    doctorController.updateMyWorkingHours
+);
+
 router.delete('/:id', protect, authorize('admin'), doctorController.deleteDoctor);
 
-export default router;
+export default router;
diff --git a/src/services/billing.service.js b/src/services/billing.service.js
@@ -46,7 +46,7 @@ const updateBillingStaff = async (id, data) => {
     const billing = await User.findOneAndUpdate(
         { _id: id, role: 'billing' },
         data,
-        { new: true, runvalidators: true }
+        { new: true, runValidators: true }
     );
 
     if(!billing) throw new Error('Billing staff not found');
diff --git a/src/services/doctor.service.js b/src/services/doctor.service.js
@@ -38,14 +38,18 @@ const getDoctors = async () => {
 };
 
 const updateDoctor = async (id, data) => {
+
+    if(data.workingHours){
+        throw new Error('User dedicated endpoint to update working hours');
+    }
     if(data.password) {
         data.password = await bcrypt.hash(data.password, 10);
     }
 
     const doctor = await User.findOneAndUpdate(
         { _id: id, role: 'doctor' },
         data,
-        { new: true, runvalidators: true }
+        { new: true, runValidators: true }
     );
 
     if(!doctor) throw new Error('Doctor not found');
@@ -60,10 +64,29 @@ const deleteDoctor = async (id) => {
     return { message: 'Doctor deleted successfully' };
 };
 
+const updateWorkingHours = async (doctorId, workingHours) => {
+
+    const doctor = await User.findOne({
+        _id: doctorId,
+        role: 'doctor'
+    });
+
+    if (!doctor) throw new Error("Doctor not found");
+
+    doctor.workingHours = workingHours;
+
+    await doctor.save();
+
+    return {
+        message: "Working hours updated successfully"
+    };
+};
+
 export default{
   createDoctor,
   changePassword,
   getDoctors,
   updateDoctor,
-  deleteDoctor
+  deleteDoctor,
+  updateWorkingHours
 };
