Bug: POST /tasks and POST /messages are registered twice with conflicting middleware — duplicate route registration

[anshul23102]

Description

In both backend/routes/tasks.routes.js and backend/routes/chat.routes.js, mutation routes are registered twice - first with authenticateUser and again with only the validate* middleware. Express uses the first registered handler, making the second registration silently dead code. More critically, DELETE /tasks/:id is registered twice — once WITH authenticateUser and once WITHOUT:

// tasks.routes.js
router.post("/", authenticateUser, createTask);    // first registration (used)
router.delete("/:id", authenticateUser, deleteTask); // first registration (used)
// ...
router.post("/", validateTask, createTask);          // dead code
router.delete("/:id", deleteTask);                   // dead code (no auth!)

If the route registration order is ever changed by a future contributor, the DELETE /:id without authentication could become the active handler, allowing unauthenticated users to delete any task by ID.

To Reproduce

1. Inspect the route file and verify the duplicate registrations.
2. Swap the order of the two router.delete lines.
3. Send DELETE /api/tasks/:id with no auth token.
4. The task is deleted without authentication.

Expected Behavior

Each route should have exactly one registration that applies both middleware in the correct order:

router.get("/", authenticateUser, getTasks);
router.post("/", authenticateUser, validateTask, createTask);
router.patch("/:id", authenticateUser, validateTask, updateTaskStatus);
router.patch("/:id/edit", authenticateUser, validateTask, updateTask);
router.delete("/:id", authenticateUser, deleteTask);

Apply the same consolidation to chat.routes.js.

Actual Behavior

Duplicate route registrations exist. The second DELETE /:id registration has no authentication middleware and is one registration-order change away from being exploited.

Desktop

• Backend: Node.js / Express
• Files: backend/routes/tasks.routes.js, backend/routes/chat.routes.js

Additional context

Expected NSOC points: level2 (security - latent auth bypass risk from duplicate route registration)

Labels: bug, NSoC'26, level2

Checklist:

• Searched existing issues - not a duplicate (issue Bug: GET /tasks and GET /messages require no authentication, exposing all project data publicly #158 covers GET endpoints; this covers duplicate POST/DELETE registrations)
• Read CONTRIBUTING.md and NSoC rules
• No AI/Claude mentions
• No em dashes or double hyphens
• Repository verified as NSOC

[github-actions]

👋 Hey @anshul23102!

Thanks for opening this issue! 🚀

📌 NSoC'26 Contribution Guidelines

⚠️ Please follow these rules carefully:

• Do NOT create a PR until this issue is assigned to you
• Include NSoC'26 tag
• Include screenshots if it's UI-related
• Follow all contribution guidelines properly

🧑‍💻 A mentor will review and assign this issue soon.

---

🙏 Thank you for raising this issue!
We’ll review it as soon as possible. We truly appreciate your contribution ✨

📖 Meanwhile, please make sure you have checked:

• README.md
• CONTRIBUTING.md
• CODE_OF_CONDUCT.md

🚫 Reminder: Do NOT create a PR until this issue has been assigned.

Happy coding! 💻🔥

[anshul23102]

@Shriii19 Could you please /assign this issue to me? I'd like to work on it under NSOC '26.

[Shriii19]

@anshul23102 you can start you work

[anshul23102]

Fixed in PR #163 together with #158 since both involve duplicate route registrations in the same files. Each route now has exactly one registration with the correct middleware chain.