
Feature/auth security route protection refactor#384

Open
saidai-bhuvanesh wants to merge 2 commits into
anubhavxdev:mainfrom
saidai-bhuvanesh:feature/auth-security-route-protection-refactor

Conversation


@saidai-bhuvanesh saidai-bhuvanesh commented Jun 3, 2026

closes 383

## 📝 Description

This PR delivers high-impact full-stack improvements across two primary areas (feat: improve authentication security and route protection workflows):

1. **Real-time Event Management & Dashboard Optimizations**: Introduces real-time attendee synchronization (using Socket.IO), waitlist promotion fixes, and performance refactoring to eliminate keystroke rendering lag.
2. **Authentication Security & Route Protection Refactor**: Hardens route validation boundaries (database-level checks for blocked users), normalizes express-validator payloads, centralizes error handling, and resolves frontend session persistence bugs.

## 🔗 Related Issue

Closes #383

---

## 🛠️ Key Changes

### 1. Realtime & Performance Optimizations (Phase 1)
* **Socket.IO Integration**: Wired Socket.IO into `server.js` and fixed the nesting syntax bug in `socket.js`.
* **Keystroke Lag Fix**: Extracted and memoized the manual check-in search inputs and attendee tables in `OrganizerDashboard.jsx` to prevent full-page re-renders during text input.
* **Atomic Waitlist Handling**: Refactored `cancelRegistration` inside `registrationController.js` to automatically and atomically promote waitlisted users and update counts on Socket.IO when a booking is cancelled.
* **Flexible Check-in Queries**: Allowed check-in via registration ID OR combination of event and user IDs, with security restricted to organizers, co-organizers, and admins.

### 2. Authentication & Route Security Refactor (Phase 2)
* **Database-Backed Token Check**: Enhanced the `authenticate` middleware in `auth.js` to query the database and verify user active status (`isBlocked`). If a user is blocked, they are immediately cut off from API access.
* **Input Validation Layer**: Added validations for events (`eventValidation`), reviews (`reviewValidation`), and co-organizers (`coOrganizerValidation`) in `validationMiddleware.js`. Normalized validation failures to output `{ success: false, message: 'Validation failed', errors: [...] }`.
* **Standardized Error Handling**: Created a custom `AppError` wrapper in `errors.js` and updated the global error handler in `app.js` to return unified JSON error bodies.
* **Frontend Session Resilience**: Refactored `fetchUser` in `AuthContext.jsx` to retain active user credentials on general network/fetch failures, clearing sessions only on explicit `401`/`403` responses.
* **Login Redirect Back**: Configured frontend routes in `App.jsx` to capture pre-redirect locations, and updated `SignIn.jsx` to return users to their original target pathname upon successful login.

---

## 🧪 How to Test

### Backend Testing (Jest Suites)
Run the automated test suites in the backend directory:
```bash
npm run test
```


vercel Bot commented Jun 3, 2026

Someone is attempting to deploy a commit to the anubhav12302387's projects Team on Vercel.

A member of the Team first needs to authorize it.


github-actions Bot commented Jun 3, 2026

❌ PR Format Check — Failed — Please Fix Below

Hi @saidai-bhuvanesh! Please fix the issues below before your PR can proceed to mentor review.

❌ Must Fix Before Proceeding

Title format invalid — Use Conventional Commits format

Examples: feat: add login page, fix: button alignment, docs: update readme

Issue #383 is not assigned to you (@saidai-bhuvanesh) — You must be assigned to the issue before submitting a PR.

Comment /assign on Issue #383 or ask a maintainer to assign it to you.


📋 EventOne PR Guidelines

Title format — Conventional Commits:
feat: · fix: · docs: · style: · refactor: · test: · chore: · perf:

Always link an issue: Closes #number

Use a feature branch — never PR directly from main

Write your own description — AI-generated content = gssoc:ai-slop label

EventOne × GSSoC Pipeline — Stage 1 Automated Check


github-actions Bot commented Jun 3, 2026

👋 Thanks for opening a PR, @saidai-bhuvanesh!

Your PR has entered the 🎯 EventOne GSSoC PR Review Pipeline.

🟢 GSSoC PR detected — your PR will be routed to an approved GSSoC mentor for Stage 2 review.

What happens next

| Stage | Reviewer | Checks |
|---|---|---|
| Stage 1 — Automated Validation | 🤖 Bot | Title format · Issue link · AI Slop · Branch check |
| Stage 2 — Mentor Review | 🧑‍🏫 GSSoC Mentor | Code + Quality Review |
| Stage 3 — Admin Final Gate | 🔑 @anubhavxdev | Label check + Final Merge Decision |

A pipeline status comment will appear below and update automatically as your PR progresses.


While you wait

  • Sign all commits using git commit -s
  • Link your issue with Closes #123
  • Use a feature branch — not main
  • Avoid unrelated changes in the same PR
  • Write your own description — no AI-generated content

This comment is posted only once.

EventOne × GSSoC Automated Pipeline


Development

Successfully merging this pull request may close these issues.

Improve realtime dashboard synchronization and organizer performance
