From 319b8a30e668cfd3496f1d469875e087821954a7 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Tue, 2 Jun 2026 22:17:03 +0530
Subject: [PATCH] fix(routes): require authentication on GET /tasks and GET /messages, remove duplicate registrations [NSoC'26]

GET /tasks and GET /messages were registered without any authentication middleware, exposing all project tasks and chat history to unauthenticated callers. Added authenticateUser to both GET endpoints.

Also removed duplicate route registrations in both route files. POST /tasks, PATCH /:id, PATCH /:id/edit, and DELETE /:id were registered twice with conflicting middleware stacks. Express uses the first matched handler, making the second registrations dead code. The second DELETE /:id had no auth at all, which would allow unauthenticated deletion if the registration order was ever changed.

Each route now has exactly one registration with the correct middleware chain: authenticateUser, then the relevant validation middleware, then the handler.

Closes #158
Closes #159
---
 backend/routes/chat.routes.js | 6 ++----
 backend/routes/tasks.routes.js | 17 +++++------------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/backend/routes/chat.routes.js b/backend/routes/chat.routes.js
index 5f3dd79..6e9b54a 100644
--- a/backend/routes/chat.routes.js
+++ b/backend/routes/chat.routes.js
@@ -6,9 +6,7 @@ import { validateMessage } from "../middleware/validation.middleware.js";
 const router = express.Router();
-router.get("/", getMessages);
-
-router.post("/", authenticateUser, sendMessage);
-router.post("/", validateMessage, sendMessage);
+router.get("/", authenticateUser, getMessages);
+router.post("/", authenticateUser, validateMessage, sendMessage);
 export default router;
\ No newline at end of file
diff --git a/backend/routes/tasks.routes.js b/backend/routes/tasks.routes.js
index 5e0c542..e600259 100644
--- a/backend/routes/tasks.routes.js
+++ b/backend/routes/tasks.routes.js
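Review bot: Listing authenticateUser on each `router.get`/`router.post` call individually leaves this router fail-open: any route registered later without the middleware is reachable unauthenticated, which is how the old `router.get("/", getMessages)` ended up exposed in the first place. A single `router.use(authenticateUser);` placed before the first route registration would keep every current and future handler behind authentication by default, with validateMessage still listed per route; the same applies to the tasks.routes.js hunk, which removes exactly such a router-level guard. Separately, authenticateUser presumably only establishes the caller's identity; whether getMessages then limits results to chats the caller is a member of is decided in the controller outside this hunk and is worth confirming, since the route previously served history with no caller context at all.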
@@ -12,17 +12,10 @@ import { validateTask } from "../middleware/validation.middleware.js";
 const router = express.Router();
-router.get("/", getTasks);
-
-// Centralized protection for all task mutation routes
-router.use(authenticateUser);
-
-router.post("/", createTask);
-
-router.patch("/:id", updateTaskStatus);
-
-router.patch("/:id/edit", updateTask);
-
-router.delete("/:id", deleteTask);
+router.get("/", authenticateUser, getTasks);
+router.post("/", authenticateUser, validateTask, createTask);
+router.patch("/:id", authenticateUser, validateTask, updateTaskStatus);
+router.patch("/:id/edit", authenticateUser, validateTask, updateTask);
+router.delete("/:id", authenticateUser, deleteTask);
 export default router;
\ No newline at end of file
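Review bot: `router.patch("/:id", authenticateUser, validateTask, updateTaskStatus)` now runs validateTask in front of a handler that, judging by its name, changes only the status field, and the old registration had no validator on this route; if validateTask enforces the full task schema, status-only PATCH bodies will be rejected after this change, which the description does not mention. Either confirm validateTask accepts partial bodies or give this route a narrower validator following the project's validation-middleware naming (placeholder: `validateTaskStatus`). The old side of this hunk also shows one registration per route, so the description's statement that DELETE /:id was registered twice without auth is not reflected in these lines and may describe a state elsewhere.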