l_konstantin/TestingWebApp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat(card1): версии тестов API, черновик, HR-login, import, UI

Browse Source 
- V.1–V.3: saveTestDraft, fork при попытках; миграция 003 staff_id
- V.4–V.6: REST /api/tests, activate, PATCH, start attempt
- A: HR_DATABASE_URL + Werkzeug/bcrypt, JWT staffId, HR_AUTH
- D.1: multipart /api/tests/import/document
- Frontend: login, список тестов, экран версий/черновика/попытки
- ТЗ: V.10 назначения vs активная версия; журнал приёма

Made-with: Cursor
This commit is contained in:
Константин Лебединский
2026-04-24 20:30:09 +05:00
parent 7fa6f98ee1
commit 5631d85238
37 changed files with 9687 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/.env.example
+6
View File
@@ -20,3 +20,9 @@
# DB_PASSWORD=dev_password
DATABASE_URL=postgresql://hr_bot_user:hrbot123@localhost:5432/clinic_tests
JWT_SECRET=change_me_in_production
# A.1: HR login (Werkzeug password, staff by web_login)
# HR_AUTH=1
# HR_DATABASE_URL=postgresql://hr_bot_user:hrbot123@localhost:5432/hr_bot_test
backend/.eslintrc.json
+15
View File
@@ -0,0 +1,15 @@
{
"env": {
"es2022": true,
"node": true
},
"parserOptions": {
"ecmaVersion": "latest",
"sourceType": "module"
},
"extends": ["eslint:recommended"],
"rules": {
"no-unused-vars": ["error", { "argsIgnorePattern": "^_" }],
"no-console": "warn"
}
}
backend/.prettierrc
+7
View File
@@ -0,0 +1,7 @@
{
"semi": true,
"singleQuote": true,
"tabWidth": 2,
"trailingComma": "es5",
"printWidth": 100
}
backend/package-lock.json
Generated
+2978
View File
File diff suppressed because it is too large Load Diff
backend/package.json
+5 -4
View File
@@ -2,12 +2,12 @@
"name": "clinic-tests-backend",
"version": "1.0.0",
"description": "Backend for Clinic Tests application",
"main": "src/index.js",
"main": "src/server.js",
"type": "module",
"scripts": {
"start": "node src/index.js",
"dev": "node --watch src/index.js",
"test": "node --test src/services/testChainService.test.js",
"start": "node src/server.js",
"dev": "node --watch src/server.js",
"test": "node --test 'src/**/*.test.js'",
"migrate": "node src/db/migrate.js",
"lint": "eslint src/",
"lint:fix": "eslint src/ --fix",
@@ -23,6 +23,7 @@
"dotenv": "^16.4.5",
"express": "^4.21.0",
"jsonwebtoken": "^9.0.2",
"multer": "^1.4.5-lts.1",
"pg": "^8.12.0"
},
"devDependencies": {
backend/src/app.js
+45
View File
@@ -0,0 +1,45 @@
import express from 'express';
import cors from 'cors';
import cookieParser from 'cookie-parser';
import dotenv from 'dotenv';
import authRoutes from './routes/auth.js';
import testsRoutes from './routes/tests.js';
dotenv.config();
export function createApp() {
const app = express();
const corsOrigins =
process.env.NODE_ENV === 'production'
? process.env.FRONTEND_URL
? [process.env.FRONTEND_URL]
: []
: ['http://localhost:5173', 'http://localhost:3000'];
app.use(
cors({
origin: corsOrigins.length ? corsOrigins : true,
credentials: true,
})
);
app.use(express.json());
app.use(cookieParser());
app.use('/api/auth', authRoutes);
app.use('/api/tests', testsRoutes);
app.get('/api/health', (req, res) => {
res.json({
status: 'ok',
timestamp: new Date().toISOString(),
message: 'Server is running',
});
});
app.use((err, req, res, _next) => {
console.error('Error:', err);
res.status(err.status || 500).json({
error: err.message || 'Internal Server Error',
});
});
app.use((req, res) => {
res.status(404).json({ error: 'Not found' });
});
return app;
}
backend/src/config/authConstants.js
+7
View File
@@ -0,0 +1,7 @@
/** Пароль-заглушка: вход только через HR, локальный compare не пройдёт. */
export const HR_MANAGED_PASSWORD_PLACEHOLDER = '$HR$MANAGED$NO_LOCAL$';
/** HR login enabled (1 = Werkzeug + upsert user по staff_id) */
export function isHrAuthEnabled() {
return process.env.HR_AUTH === '1' || process.env.HR_AUTH === 'true';
}
backend/src/db/hrPool.js
+27
View File
@@ -0,0 +1,27 @@
/**
* Read-only (по соглашению) пул к hr_bot_test для логина и справки по сотруднику.
*/
import pg from 'pg';
import { getHrPoolConfig } from './poolConfig.js';
const { Pool } = pg;
const cfg = getHrPoolConfig();
const pool = cfg ? new Pool(cfg) : null;
export function getHrPool() {
return pool;
}
/**
* @param {string} text
* @param {unknown[]} [params]
*/
export async function queryHr(text, params) {
if (!pool) {
throw new Error('HR database not configured (set HR_DATABASE_URL)');
}
return pool.query(text, params);
}
export default { getHrPool, queryHr };
backend/src/db/migrations/001_initial.sql
+130
View File
@@ -0,0 +1,130 @@
-- Initial database schema for clinic tests application
-- Version: 1.0
-- Enable UUID extension
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-- Departments table
CREATE TABLE IF NOT EXISTS departments (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
name VARCHAR(255) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- User roles enum
CREATE TYPE user_role AS ENUM ('hr', 'manager', 'employee');
-- Users table
CREATE TABLE IF NOT EXISTS users (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
login VARCHAR(100) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
full_name VARCHAR(255) NOT NULL,
role user_role NOT NULL DEFAULT 'employee',
department_id UUID REFERENCES departments(id),
is_active BOOLEAN DEFAULT true,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Create index for login lookup
CREATE INDEX IF NOT EXISTS idx_users_login ON users(login);
CREATE INDEX IF NOT EXISTS idx_users_department ON users(department_id);
-- Tests table
CREATE TABLE IF NOT EXISTS tests (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
title VARCHAR(255) NOT NULL,
description TEXT,
passing_threshold INTEGER DEFAULT 70,
time_limit INTEGER,
allow_back BOOLEAN DEFAULT true,
is_active BOOLEAN DEFAULT true,
is_versioned BOOLEAN DEFAULT false,
created_by UUID REFERENCES users(id),
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Test versions table
CREATE TABLE IF NOT EXISTS test_versions (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
test_id UUID REFERENCES tests(id) ON DELETE CASCADE,
version INTEGER NOT NULL DEFAULT 1,
is_active BOOLEAN DEFAULT false,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(test_id, version)
);
-- Questions table
CREATE TABLE IF NOT EXISTS questions (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
test_version_id UUID REFERENCES test_versions(id) ON DELETE CASCADE,
text TEXT NOT NULL,
question_order INTEGER NOT NULL,
has_multiple_answers BOOLEAN DEFAULT false
);
-- Answer options table
CREATE TABLE IF NOT EXISTS answer_options (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
question_id UUID REFERENCES questions(id) ON DELETE CASCADE,
text TEXT NOT NULL,
is_correct BOOLEAN DEFAULT false,
option_order INTEGER NOT NULL
);
-- Test assignments table
CREATE TABLE IF NOT EXISTS test_assignments (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
test_version_id UUID REFERENCES test_versions(id) ON DELETE CASCADE,
assigned_by UUID REFERENCES users(id),
deadline DATE,
max_attempts INTEGER DEFAULT 1,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Assignment targets table
CREATE TYPE target_type AS ENUM ('department', 'user');
CREATE TABLE IF NOT EXISTS test_assignment_targets (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
assignment_id UUID REFERENCES test_assignments(id) ON DELETE CASCADE,
target_type target_type NOT NULL,
target_id UUID NOT NULL
);
-- Test attempts table
CREATE TYPE attempt_status AS ENUM ('in_progress', 'completed', 'expired');
CREATE TABLE IF NOT EXISTS test_attempts (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
test_version_id UUID REFERENCES test_versions(id) ON DELETE CASCADE,
user_id UUID REFERENCES users(id),
attempt_number INTEGER NOT NULL DEFAULT 1,
status attempt_status DEFAULT 'in_progress',
started_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
completed_at TIMESTAMP,
correct_count INTEGER DEFAULT 0,
total_questions INTEGER DEFAULT 0,
passed BOOLEAN DEFAULT false,
UNIQUE(test_version_id, user_id, attempt_number)
);
-- User answers table
CREATE TABLE IF NOT EXISTS user_answers (
id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
attempt_id UUID REFERENCES test_attempts(id) ON DELETE CASCADE,
question_id UUID REFERENCES questions(id) ON DELETE CASCADE,
selected_options UUID[] DEFAULT '{}'
);
-- Settings table
CREATE TABLE IF NOT EXISTS settings (
key VARCHAR(100) PRIMARY KEY,
value TEXT
);
-- Insert default admin user (password: admin123)
-- This will be done via application code to properly hash the password
backend/src/db/migrations/003_users_staff_id_hr_link.sql
+7
View File
@@ -0,0 +1,7 @@
-- Связь пользователя клиник-теста с сотрудником HR (staff_members.id) — card1 A.x
ALTER TABLE users
ADD COLUMN IF NOT EXISTS staff_id INTEGER UNIQUE;
COMMENT ON COLUMN users.staff_id IS 'id из hr_bot_test.staff_members; без дублирования кадров в clinic_tests';
CREATE INDEX IF NOT EXISTS idx_users_staff_id ON users(staff_id) WHERE staff_id IS NOT NULL;
backend/src/db/poolConfig.js
+23
View File
@@ -40,3 +40,26 @@ export function getPoolConfig(overrides = {}) {
...overrides,
};
}
/**
* Пул к БД `hr_bot_test` (сотрудники, users, RBAC) — отдельно от `clinic_tests`.
* Только `HR_DATABASE_URL` (без каскадного fallback на `DATABASE_URL` — путаница опасна).
* @param {import('pg').PoolConfig} [overrides]
* @returns {import('pg').PoolConfig | null}
*/
export function getHrPoolConfig(overrides = {}) {
const url = process.env.HR_DATABASE_URL?.trim();
if (!url) {
return null;
}
return {
connectionString: url,
max: parseInt(process.env.HR_DB_POOL_MAX || '5', 10),
idleTimeoutMillis: parseInt(process.env.DB_IDLE_TIMEOUT || '30000', 10),
connectionTimeoutMillis: parseInt(
process.env.DB_CONNECTION_TIMEOUT || '2000',
10
),
...overrides,
};
}
backend/src/index.js
-52
View File
@@ -1,52 +0,0 @@
import express from 'express';
import cors from 'cors';
import cookieParser from 'cookie-parser';
import dotenv from 'dotenv';
import authRoutes from './routes/auth.js';
dotenv.config();
const app = express();
const PORT = process.env.PORT || 3001;
// Middleware
app.use(cors({
origin: process.env.NODE_ENV === 'production'
? process.env.FRONTEND_URL
: ['http://localhost:5173', 'http://localhost:3000'],
credentials: true,
}));
app.use(express.json());
app.use(cookieParser());
// Mount auth routes
app.use('/api/auth', authRoutes);
// Health check route
app.get('/api/health', (req, res) => {
res.json({
status: 'ok',
timestamp: new Date().toISOString(),
message: 'Server is running',
});
});
// Error handling middleware
app.use((err, req, res, _next) => {
console.error('Error:', err);
res.status(err.status || 500).json({
error: err.message || 'Internal Server Error',
});
});
// 404 handler
app.use((req, res) => {
res.status(404).json({ error: 'Not found' });
});
// Start server
app.listen(PORT, () => {
console.log(`Server is running on port ${PORT}`);
console.log(`Environment: ${process.env.NODE_ENV || 'development'}`);
});
backend/src/middleware/auth.js
+170
View File
@@ -0,0 +1,170 @@
/**
* Authorization Middleware
* JWT authentication and role-based access control
*/
import { verifyToken } from '../utils/auth.js';
import { query } from '../db/db.js';
/**
* Extract token from cookie
* @param {Object} req - Express request object
* @returns {string|null} Token from cookie
*/
function getTokenFromCookie(req) {
return req.cookies?.token || null;
}
/**
* Middleware to authenticate JWT token
* Adds user data to req.user
*/
export async function authenticate(req, res, next) {
try {
const token = getTokenFromCookie(req);
if (!token) {
return res.status(401).json({ error: 'Authentication required' });
}
const decoded = verifyToken(token);
if (!decoded) {
return res.status(401).json({ error: 'Invalid or expired token' });
}
const result = await query(
'SELECT id, login, full_name, role, department_id, staff_id FROM users WHERE id = $1',
[decoded.userId]
);
if (result.rows.length === 0) {
return res.status(401).json({ error: 'User not found' });
}
const user = result.rows[0];
const staffId = user.staff_id ?? decoded.staffId;
req.user = {
id: user.id,
login: user.login,
fullName: user.full_name,
role: user.role,
departmentId: user.department_id,
};
if (staffId != null) {
req.user.staffId = staffId;
}
next();
} catch (error) {
console.error('Auth middleware error:', error);
return res.status(500).json({ error: 'Authentication error' });
}
}
/**
* Middleware factory to require specific roles
* @param {string|string[]} roles - Required role(s)
* @returns {Function} Express middleware
*/
export function requireRole(roles) {
const allowedRoles = Array.isArray(roles) ? roles : [roles];
return (req, res, next) => {
if (!req.user) {
return res.status(401).json({ error: 'Authentication required' });
}
if (!allowedRoles.includes(req.user.role)) {
return res.status(403).json({ error: 'Insufficient permissions' });
}
next();
};
}
/**
* Middleware to require specific department access
* For managers to access their department's data
* @param {number} departmentId - Required department ID
* @returns {Function} Express middleware
*/
export function requireDepartment(departmentId) {
return (req, res, next) => {
if (!req.user) {
return res.status(401).json({ error: 'Authentication required' });
}
// Admins can access all departments
if (req.user.role === 'admin') {
return next();
}
// Managers can only access their department
if (req.user.role === 'manager' && req.user.departmentId !== departmentId) {
return res.status(403).json({ error: 'Access denied to this department' });
}
next();
};
}
/**
* Optional authentication middleware
* Attaches user to request if token is valid, but doesn't require it
*/
export async function optionalAuth(req, res, next) {
try {
const token = getTokenFromCookie(req);
if (!token) {
req.user = null;
return next();
}
const decoded = verifyToken(token);
if (!decoded) {
req.user = null;
return next();
}
const result = await query(
'SELECT id, login, full_name, role, department_id, staff_id FROM users WHERE id = $1',
[decoded.userId]
);
if (result.rows.length === 0) {
req.user = null;
return next();
}
const user = result.rows[0];
const staffId = user.staff_id ?? decoded.staffId;
req.user = {
id: user.id,
login: user.login,
fullName: user.full_name,
role: user.role,
departmentId: user.department_id,
};
if (staffId != null) {
req.user.staffId = staffId;
}
next();
} catch (error) {
// Don't block request on auth errors
req.user = null;
next();
}
}
export default {
authenticate,
requireRole,
requireDepartment,
optionalAuth,
};
backend/src/routes/auth.js
+155
View File
@@ -0,0 +1,155 @@
/**
* A.1A.4: локальный bcrypt (dev) и HR (HR_AUTH=1 + Werkzeug + staff_id)
*/
import express from 'express';
import { query } from '../db/db.js';
import { comparePassword, generateToken } from '../utils/auth.js';
import { authenticate } from '../middleware/auth.js';
import { queryHr, getHrPool } from '../db/hrPool.js';
import { mapHrRoleToApp } from '../utils/hrRoleMap.js';
import {
isHrAuthEnabled,
HR_MANAGED_PASSWORD_PLACEHOLDER,
} from '../config/authConstants.js';
const router = express.Router();
router.post('/login', async (req, res) => {
try {
const { login, password } = req.body;
if (!login || !password) {
return res.status(400).json({ error: 'Login and password are required' });
}
if (isHrAuthEnabled()) {
if (!getHrPool()) {
return res.status(500).json({ error: 'HR_DATABASE_URL is not set' });
}
const u = await queryHr(
`SELECT id, username, password_hash, role
FROM users
WHERE LOWER(TRIM(username)) = LOWER(TRIM($1))`,
[login]
);
if (u.rows.length === 0 || !u.rows[0].password_hash) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const row = u.rows[0];
const ok = await comparePassword(password, row.password_hash);
if (!ok) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const s = await queryHr(
`SELECT id, fio FROM staff_members
WHERE LOWER(TRIM(COALESCE(web_login, ''))) = LOWER(TRIM($1))`,
[login]
);
if (s.rows.length === 0) {
return res
.status(403)
.json({ error: 'No staff link for this login (web_login)' });
}
const staffId = s.rows[0].id;
const fio = s.rows[0].fio || login;
const appRole = mapHrRoleToApp(row.role);
const up = await query(
`INSERT INTO users (login, password_hash, full_name, role, department_id, is_active, staff_id)
VALUES ($1, $2, $3, $4, null, true, $5)
ON CONFLICT (staff_id) DO UPDATE SET
login = EXCLUDED.login,
full_name = EXCLUDED.full_name,
role = EXCLUDED.role,
password_hash = EXCLUDED.password_hash
RETURNING id, login, full_name, role, department_id, staff_id`,
[login, HR_MANAGED_PASSWORD_PLACEHOLDER, fio, appRole, staffId]
);
const uu = up.rows[0];
const token = generateToken(
uu.id,
uu.role,
uu.department_id,
{ staffId: uu.staff_id }
);
res.cookie('token', token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 7 * 24 * 60 * 60 * 1000,
});
return res.json({
user: {
id: uu.id,
login: uu.login,
fullName: uu.full_name,
role: uu.role,
departmentId: uu.department_id,
staffId: uu.staff_id,
},
});
}
const result = await query(
'SELECT id, login, password_hash, full_name, role, department_id FROM users WHERE login = $1 AND is_active = true',
[login]
);
if (result.rows.length === 0) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const user = result.rows[0];
if (user.password_hash === HR_MANAGED_PASSWORD_PLACEHOLDER) {
return res.status(401).json({ error: 'Use HR login' });
}
const isValidPassword = await comparePassword(password, user.password_hash);
if (!isValidPassword) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const token = generateToken(user.id, user.role, user.department_id);
res.cookie('token', token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 7 * 24 * 60 * 60 * 1000,
});
return res.json({
user: {
id: user.id,
login: user.login,
fullName: user.full_name,
role: user.role,
departmentId: user.department_id,
staffId: null,
},
});
} catch (error) {
if (error.message?.includes('HR database not configured')) {
return res.status(500).json({ error: 'HR database not configured' });
}
console.error('Login error:', error);
return res.status(500).json({ error: 'Login failed' });
}
});
router.post('/logout', (req, res) => {
try {
res.clearCookie('token', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
});
res.json({ message: 'Logged out successfully' });
} catch (error) {
console.error('Logout error:', error);
res.status(500).json({ error: 'Logout failed' });
}
});
router.get('/me', authenticate, async (req, res) => {
try {
res.json({ user: req.user });
} catch (error) {
console.error('Get current user error:', error);
res.status(500).json({ error: 'Failed to get user data' });
}
});
export default router;
backend/src/routes/tests.js
+243
View File
@@ -0,0 +1,243 @@
/**
* V.4V.6, D.1 API тестов, версий, импорт файла
*/
import express from 'express';
import fs from 'fs/promises';
import os from 'os';
import multer from 'multer';
import pool, { query } from '../db/db.js';
import { authenticate } from '../middleware/auth.js';
import { hasAnyAttemptForTest } from '../services/testChainService.js';
import { saveTestDraft, createTestWithVersion } from '../services/testDraftService.js';
const router = express.Router();
const upload = multer({
dest: os.tmpdir(),
limits: { fileSize: 10 * 1024 * 1024 },
});
function asyncHandler(fn) {
return (req, res, next) => {
Promise.resolve(fn(req, res, next)).catch((err) => {
if (err.status) {
res.status(err.status).json({ error: err.message });
} else {
next(err);
}
});
};
}
/** D.1 — раньше /:id, иначе id = "import" */
router.post(
'/import/document',
authenticate,
upload.single('file'),
asyncHandler(async (req, res) => {
if (!req.file) {
return res.status(400).json({ error: 'file field required' });
}
const p = req.file.path;
let size = 0;
try {
const st = await fs.stat(p);
size = st.size;
await fs.unlink(p);
} catch {
try {
await fs.unlink(p);
} catch {
// ignore
}
return res.status(500).json({ error: 'upload failed' });
}
res.json({
received: true,
originalName: req.file.originalname,
size,
message:
'Файл принят; извлечение текста и генерация (D.2–D.3) — в следующем шаге',
});
})
);
router.get(
'/',
authenticate,
asyncHandler(async (req, res) => {
const { rows } = await query(
`SELECT t.id, t.title, t.description, t.is_active AS chain_active,
t.created_at, t.updated_at, tv.id AS active_version_id, tv.version
FROM tests t
INNER JOIN test_versions tv ON tv.test_id = t.id AND tv.is_active = true
WHERE t.is_active = true
ORDER BY t.updated_at DESC NULLS LAST, t.created_at DESC`
);
res.json({ tests: rows });
})
);
router.post(
'/',
authenticate,
asyncHandler(async (req, res) => {
const { title, description } = req.body;
if (!title || typeof title !== 'string') {
return res.status(400).json({ error: 'title required' });
}
const out = await createTestWithVersion(pool, req.user.id, {
title,
description,
});
res.status(201).json(out);
})
);
router.get(
'/:id/versions',
authenticate,
asyncHandler(async (req, res) => {
const testId = req.params.id;
const { rows: t } = await query(`SELECT id, created_by FROM tests WHERE id = $1`, [
testId,
]);
if (!t.length) {
return res.status(404).json({ error: 'Test not found' });
}
if (t[0].created_by !== req.user.id) {
return res.status(403).json({ error: 'Forbidden' });
}
const { rows } = await query(
`SELECT id, version, is_active, parent_id, created_at
FROM test_versions WHERE test_id = $1 ORDER BY version`,
[testId]
);
const hasAttempts = await hasAnyAttemptForTest(pool, testId);
res.json({ versions: rows, hasAttempts });
})
);
router.post(
'/:id/versions/:vid/activate',
authenticate,
asyncHandler(async (req, res) => {
const testId = req.params.id;
const versionId = req.params.vid;
const { rows: t } = await query(
`SELECT id, created_by FROM tests WHERE id = $1`,
[testId]
);
if (!t.length) {
return res.status(404).json({ error: 'Test not found' });
}
if (t[0].created_by !== req.user.id) {
return res.status(403).json({ error: 'Forbidden' });
}
const { rows: v } = await query(
`SELECT id FROM test_versions WHERE test_id = $1 AND id = $2`,
[testId, versionId]
);
if (!v.length) {
return res.status(404).json({ error: 'Version not found' });
}
const client = await pool.connect();
try {
await client.query('BEGIN');
await client.query(
`UPDATE test_versions SET is_active = false WHERE test_id = $1`,
[testId]
);
await client.query(
`UPDATE test_versions SET is_active = true WHERE id = $1`,
[versionId]
);
await client.query('COMMIT');
} catch (e) {
await client.query('ROLLBACK');
throw e;
} finally {
client.release();
}
res.json({ ok: true, activeVersionId: versionId });
})
);
router.patch(
'/:id',
authenticate,
asyncHandler(async (req, res) => {
const testId = req.params.id;
const { isActive, chainActive } = req.body;
const chain = chainActive ?? isActive;
if (typeof chain !== 'boolean') {
return res.status(400).json({ error: 'chainActive (boolean) required' });
}
const { rows: t } = await query(
`SELECT id, created_by FROM tests WHERE id = $1`,
[testId]
);
if (!t.length) {
return res.status(404).json({ error: 'Test not found' });
}
if (t[0].created_by !== req.user.id) {
return res.status(403).json({ error: 'Forbidden' });
}
await query(
`UPDATE tests SET is_active = $2, updated_at = CURRENT_TIMESTAMP WHERE id = $1`,
[testId, chain]
);
res.json({ id: testId, chainActive: chain });
})
);
router.post(
'/:id/draft',
authenticate,
asyncHandler(async (req, res) => {
const out = await saveTestDraft(pool, req.user.id, req.params.id, req.body);
res.json(out);
})
);
router.post(
'/:id/attempts/start',
authenticate,
asyncHandler(async (req, res) => {
const testId = req.params.id;
const { rows: tv } = await query(
`SELECT tv.id AS test_version_id
FROM test_versions tv
WHERE tv.test_id = $1 AND tv.is_active = true LIMIT 1`,
[testId]
);
if (!tv.length) {
return res.status(404).json({ error: 'No active version' });
}
const testVersionId = tv[0].test_version_id;
const { rows: mx } = await query(
`SELECT COALESCE(MAX(attempt_number), 0) AS n FROM test_attempts
WHERE test_version_id = $1 AND user_id = $2`,
[testVersionId, req.user.id]
);
const nextN = (mx[0].n || 0) + 1;
const { rows: a } = await query(
`INSERT INTO test_attempts (test_version_id, user_id, attempt_number, status)
VALUES ($1, $2, $3, 'in_progress')
RETURNING id, test_version_id, user_id, attempt_number, status, started_at`,
[testVersionId, req.user.id, nextN]
);
res.status(201).json({ attempt: a[0] });
})
);
router.get(
'/:id/chain-info',
authenticate,
asyncHandler(async (req, res) => {
const testId = req.params.id;
const has = await hasAnyAttemptForTest(pool, testId);
res.json({ testId, hasAnyAttempt: has });
})
);
export default router;
backend/src/server.js
+8
View File
@@ -0,0 +1,8 @@
import { createApp } from './app.js';
const app = createApp();
const PORT = process.env.PORT || 3001;
app.listen(PORT, () => {
console.log(`Server is running on port ${PORT}`);
console.log(`Environment: ${process.env.NODE_ENV || 'development'}`);
});
backend/src/services/testDraftService.js
+204
View File
@@ -0,0 +1,204 @@
/**
* V.3 saveTestDraft, fork версии, контент вопросов.
*/
import { hasAnyAttemptForTest } from './testChainService.js';
/**
* @param {import('pg').PoolClient} client
* @param {string} testId
*/
export async function getActiveVersionRow(client, testId) {
const { rows } = await client.query(
`SELECT * FROM test_versions WHERE test_id = $1 AND is_active = true LIMIT 1`,
[testId]
);
return rows[0] || null;
}
/**
* @param {import('pg').PoolClient} client
* @param {string} fromVersionId
* @param {string} toVersionId
*/
export async function copyQuestionTree(client, fromVersionId, toVersionId) {
const { rows: questions } = await client.query(
`SELECT * FROM questions WHERE test_version_id = $1 ORDER BY question_order`,
[fromVersionId]
);
for (const q of questions) {
const { rows: insQ } = await client.query(
`INSERT INTO questions (test_version_id, text, question_order, has_multiple_answers)
VALUES ($1, $2, $3, $4) RETURNING id`,
[toVersionId, q.text, q.question_order, q.has_multiple_answers]
);
const nqid = insQ[0].id;
const { rows: options } = await client.query(
`SELECT * FROM answer_options WHERE question_id = $1 ORDER BY option_order`,
[q.id]
);
for (const o of options) {
await client.query(
`INSERT INTO answer_options (question_id, text, is_correct, option_order)
VALUES ($1, $2, $3, $4)`,
[nqid, o.text, o.is_correct, o.option_order]
);
}
}
}
/**
* @param {import('pg').PoolClient} client
* @param {string} testVersionId
* @param {{ questions?: Array<{ text: string, question_order?: number, hasMultipleAnswers?: boolean, options?: Array<{ text: string, isCorrect?: boolean, option_order?: number }> }> }} payload
*/
export async function replaceVersionContent(client, testVersionId, payload) {
await client.query(
`DELETE FROM answer_options WHERE question_id IN
(SELECT id FROM questions WHERE test_version_id = $1)`,
[testVersionId]
);
await client.query(`DELETE FROM questions WHERE test_version_id = $1`, [
testVersionId,
]);
const questions = payload.questions || [];
for (let i = 0; i < questions.length; i++) {
const q = questions[i];
const { rows: insQ } = await client.query(
`INSERT INTO questions (test_version_id, text, question_order, has_multiple_answers)
VALUES ($1, $2, $3, $4) RETURNING id`,
[
testVersionId,
q.text,
q.question_order ?? i + 1,
q.hasMultipleAnswers || false,
]
);
const qid = insQ[0].id;
const opts = q.options || [];
for (let j = 0; j < opts.length; j++) {
const o = opts[j];
await client.query(
`INSERT INTO answer_options (question_id, text, is_correct, option_order)
VALUES ($1, $2, $3, $4)`,
[qid, o.text, !!o.isCorrect, o.option_order ?? j + 1]
);
}
}
}
/**
* @param {import('pg').PoolClient} client
* @param {string} testId
*/
export async function forkNewVersion(client, testId) {
const av = await getActiveVersionRow(client, testId);
if (!av) {
throw new Error('no active version');
}
const { rows: mx } = await client.query(
`SELECT COALESCE(MAX(version), 0) AS v FROM test_versions WHERE test_id = $1`,
[testId]
);
const nextV = (mx[0].v || 0) + 1;
const { rows: nv } = await client.query(
`INSERT INTO test_versions (test_id, version, is_active, parent_id)
VALUES ($1, $2, true, $3) RETURNING *`,
[testId, nextV, av.id]
);
const newRow = nv[0];
await client.query(
`UPDATE test_versions SET is_active = false WHERE test_id = $1 AND id <> $2`,
[testId, newRow.id]
);
await copyQuestionTree(client, av.id, newRow.id);
return newRow;
}
/**
* @param {import('pg').Pool} pool
* @param {string} authorId
* @param {string} testId
* @param {{ title?: string, description?: string, questions?: Array<unknown> }} payload
*/
export async function saveTestDraft(pool, authorId, testId, payload) {
const { rows: tr } = await pool.query(
`SELECT id, created_by FROM tests WHERE id = $1`,
[testId]
);
if (!tr.length) {
const e = new Error('Test not found');
e.status = 404;
throw e;
}
const t = tr[0];
if (t.created_by !== authorId) {
const e = new Error('Forbidden');
e.status = 403;
throw e;
}
const client = await pool.connect();
let forked = false;
try {
await client.query('BEGIN');
if (payload.title != null || payload.description != null) {
await client.query(
`UPDATE tests SET title = COALESCE($2, title), description = COALESCE($3, description),
updated_at = CURRENT_TIMESTAMP WHERE id = $1`,
[testId, payload.title ?? null, payload.description ?? null]
);
}
const hasAttempts = await hasAnyAttemptForTest(client, testId);
let versionRow = await getActiveVersionRow(client, testId);
if (!versionRow) {
const e = new Error('No active version');
e.status = 500;
throw e;
}
if (hasAttempts && payload.questions !== undefined) {
versionRow = await forkNewVersion(client, testId);
forked = true;
}
if (payload.questions) {
await replaceVersionContent(client, versionRow.id, payload);
}
await client.query('COMMIT');
return { testId, versionId: versionRow.id, forked };
} catch (e) {
await client.query('ROLLBACK');
throw e;
} finally {
client.release();
}
}
/**
* Создать пустой тест (цепочка) с одной версией 1.
* @param {import('pg').Pool} pool
* @param {string} authorId
* @param {{ title: string, description?: string }} meta
*/
export async function createTestWithVersion(pool, authorId, meta) {
const client = await pool.connect();
try {
await client.query('BEGIN');
const { rows: t } = await client.query(
`INSERT INTO tests (title, description, created_by, is_active, is_versioned)
VALUES ($1, $2, $3, true, true) RETURNING id`,
[meta.title, meta.description || null, authorId]
);
const testId = t[0].id;
const { rows: v } = await client.query(
`INSERT INTO test_versions (test_id, version, is_active, parent_id)
VALUES ($1, 1, true, NULL) RETURNING id`,
[testId]
);
await client.query('COMMIT');
return { testId, versionId: v[0].id };
} catch (e) {
await client.query('ROLLBACK');
throw e;
} finally {
client.release();
}
}
backend/src/utils/auth.js
+94
View File
@@ -0,0 +1,94 @@
/**
* Authentication Utilities
* Password hashing and JWT token management
*/
import bcrypt from 'bcrypt';
import jwt from 'jsonwebtoken';
import dotenv from 'dotenv';
import { checkWerkzeugPassword } from './werkzeugPassword.js';
import { HR_MANAGED_PASSWORD_PLACEHOLDER } from '../config/authConstants.js';
dotenv.config();
const JWT_SECRET = process.env.JWT_SECRET;
const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
// Salt rounds for bcrypt
const SALT_ROUNDS = 10;
/**
* Hash a password using bcrypt
* @param {string} password - Plain text password
* @returns {Promise<string>} Hashed password
*/
export async function hashPassword(password) {
return bcrypt.hash(password, SALT_ROUNDS);
}
/**
* Compare a plain text password with a hashed password
* @param {string} password - Plain text password
* @param {string} hash - Hashed password
* @returns {Promise<boolean>} True if passwords match
*/
export async function comparePassword(password, hash) {
if (!hash) {
return false;
}
if (hash === HR_MANAGED_PASSWORD_PLACEHOLDER) {
return false;
}
if (hash.startsWith('scrypt:') || hash.startsWith('pbkdf2:')) {
return checkWerkzeugPassword(hash, password);
}
if (hash.startsWith('$2')) {
return bcrypt.compare(password, hash);
}
return checkWerkzeugPassword(hash, password);
}
/**
* @param {string} userId - clinic_tests.users.id
* @param {string} role
* @param {string|null|undefined} departmentId
* @param {{ staffId?: number } | null} [meta]
* @returns {string}
*/
export function generateToken(userId, role, departmentId = null, meta = null) {
const payload = {
userId,
role,
};
if (departmentId !== null && departmentId !== undefined) {
payload.departmentId = departmentId;
}
if (meta?.staffId != null) {
payload.staffId = meta.staffId;
}
return jwt.sign(payload, JWT_SECRET, {
expiresIn: JWT_EXPIRES_IN,
});
}
/**
* Verify and decode a JWT token
* @param {string} token - JWT token
* @returns {Object|null} Decoded token payload or null if invalid
*/
export function verifyToken(token) {
try {
return jwt.verify(token, JWT_SECRET);
} catch (error) {
return null;
}
}
export default {
hashPassword,
comparePassword,
generateToken,
verifyToken,
};
backend/src/utils/hrRoleMap.js
+21
View File
@@ -0,0 +1,21 @@
/**
* Сопоставление role из hr_bot_test.users (varchar) с ролью в модуле тестов.
* A.5 MVP уточняется при подключении staff_role_assignments.
* @param {string|null|undefined} hrRole
* @returns {'hr' | 'manager' | 'employee'}
*/
export function mapHrRoleToApp(hrRole) {
const r = String(hrRole || '')
.toLowerCase()
.trim();
if (!r) {
return 'employee';
}
if (r === 'admin' || r.includes('hr') || r.includes('дире')) {
return 'hr';
}
if (r.includes('manager') || r.includes('рук') || r.includes('завед')) {
return 'manager';
}
return 'employee';
}
backend/src/utils/werkzeugPassword.js
+74
View File
@@ -0,0 +1,74 @@
/**
* Проверка хеша в формате Werkzeug 3 (scrypt: / pbkdf2:).
* @see https://github.com/pallets/werkzeug/blob/main/src/werkzeug/security.py
*/
import crypto from 'crypto';
/**
* @param {string} pwhash
* @param {string} password
* @returns {boolean}
*/
function hashInternal(method, salt, password) {
const methodParts = method.split(':');
const kind = methodParts[0];
const saltBytes = Buffer.from(salt, 'utf8');
const passwordBytes = Buffer.from(password, 'utf8');
if (kind === 'scrypt') {
const n = methodParts[1] ? parseInt(methodParts[1], 10) : 2 ** 15;
const r = methodParts[2] ? parseInt(methodParts[2], 10) : 8;
const p = methodParts[3] ? parseInt(methodParts[3], 10) : 1;
const maxmem = 132 * n * r * p;
return crypto
.scryptSync(passwordBytes, saltBytes, 64, { N: n, r, p, maxmem })
.toString('hex');
}
if (kind === 'pbkdf2') {
const hashName = methodParts[1] || 'sha256';
const iterStr = methodParts[2];
if (!iterStr) {
throw new Error('pbkdf2: missing iterations');
}
const iterations = parseInt(iterStr, 10);
return crypto
.pbkdf2Sync(passwordBytes, saltBytes, iterations, 32, hashName)
.toString('hex');
}
throw new Error(`Invalid hash method: ${kind}`);
}
/**
* @param {string} pwhash
* @param {string} password
* @returns {boolean}
*/
export function checkWerkzeugPassword(pwhash, password) {
if (!pwhash || pwhash.length < 3) {
return false;
}
const parts = pwhash.split('$');
if (parts.length < 3) {
return false;
}
const hashval = parts.pop();
const salt = parts.pop();
const method = parts.join('$');
if (!method || !salt || !hashval) {
return false;
}
let computed;
try {
computed = hashInternal(method, salt, password);
} catch {
return false;
}
const a = Buffer.from(computed, 'hex');
const b = Buffer.from(hashval, 'hex');
if (a.length !== b.length) {
return false;
}
return crypto.timingSafeEqual(a, b);
}
backend/src/utils/werkzeugPassword.test.js
+31
View File
@@ -0,0 +1,31 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import crypto from 'crypto';
import { checkWerkzeugPassword } from './werkzeugPassword.js';
test('pbkdf2:sha256 self-consistency', () => {
const salt = 'AbCdEfGhIjKlMnOp';
const iterations = 1000;
const password = 'secret';
const hashval = crypto
.pbkdf2Sync(password, salt, iterations, 32, 'sha256')
.toString('hex');
const pwhash = `pbkdf2:sha256:${iterations}$${salt}$${hashval}`;
assert.equal(checkWerkzeugPassword(pwhash, 'secret'), true);
assert.equal(checkWerkzeugPassword(pwhash, 'wrong'), false);
});
test('scrypt self-consistency', () => {
const salt = 'AbCdEfGhIjKlMnOp';
const n = 32768;
const r = 8;
const p = 1;
const maxmem = 132 * n * r * p;
const method = `scrypt:${n}:${r}:${p}`;
const password = 'x';
const h = crypto
.scryptSync(password, salt, 64, { N: n, r, p, maxmem })
.toString('hex');
const pwhash = `${method}$${salt}$${h}`;
assert.equal(checkWerkzeugPassword(pwhash, 'x'), true);
});