hsp-gdh/routes/doctors.js

import express from 'express';
import { error } from '../modules/logManager';
import { pool } from '../modules/databaseManager';
import { verifyToken } from '../modules/tokenManager';
import { verifyPermissions, checkPermissions, checkBanned, checkEmailVerified } from '../modules/permissionManager';
import { respondWithStatus, respondWithStatusJSON } from '../modules/requestHandler';

const router = express.Router();

/**
 * Retrieves all doctors from the database.
 *
 * @returns {Promise<Array>} A promise that resolves to an array of doctor objects.
 */
router.get('/', verifyToken, checkBanned, checkPermissions('doctor', 1), async (req, res) => {
	try {
		const [rows] = await pool.execute('SELECT * FROM doctors WHERE 1');
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Doctors not found');
		return await respondWithStatusJSON(res, 200, rows);
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

/**
 * Inserts a new doctor record into the database.
 *
 * @param {number} user_id - The ID of the user associated with the doctor.
 * @param {string} email - The email of the doctor.
 * @param {string} phone - The phone number of the doctor.
 * @param {string} speciality - The speciality of the doctor.
 * @param {string} status - The status of the doctor.
 * @param {boolean} is_verified - The verification status of the doctor.
 * @returns {Promise} - A promise that resolves with the result of the insertion.
 */
router.post('/', verifyToken, checkBanned, checkPermissions('doctor', 2), async (req, res) => {
	const { user_id, email, phone, speciality, status, is_verified = false } = req.body;
	if (!['Available', 'Absent', 'Unavailable'].includes(status)) return await respondWithStatus(res, 400, 'Invalid status');
	if ([ user_id, email, phone, speciality, status ].every(Boolean)) {
		try {
			const [result] = await pool.execute(
				'INSERT INTO doctors (user_id, email, phone, speciality, status, is_verified) VALUES (?, ?, ?, ?, ?, ?)',
				[ user_id, email, phone, speciality, status, is_verified ],
			);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error storing doctor');
			return await respondWithStatus(res, 200, 'Doctor created successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.post('/register', verifyToken, checkEmailVerified, checkBanned, async (req, res) => {
	const { email, phone, speciality, status } = req.body;
	if (!['Available', 'Absent', 'Unavailable'].includes(status)) return await respondWithStatus(res, 400, 'Invalid status');
	if ([ email, phone, speciality, status ].every(Boolean)) {
		try {
			const [result] = await pool.execute(
				'INSERT INTO doctors (user_id, email, phone, speciality, status) VALUES (?, ?, ?, ?, ?)',
				[req.userId, email, phone, speciality, status],
			);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error storing doctor');
			return await respondWithStatus(res, 200, 'Doctor created successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.post('/:doctorId/validate', verifyToken, checkBanned, checkPermissions('doctor', 2), async (req, res) => {
	const { doctor_id } = req.body;
	if (doctor_id) {
		try {
			const [result] = await pool.execute('SELECT * FROM doctors WHERE id = ?',[doctor_id]);
			if(result.length === 0) return await respondWithStatus(res, 404, 'Doctor not found');
			if(result[0].is_verified) return await respondWithStatus(res, 400, 'Doctor already verified');
			const [result2] = await pool.execute('UPDATE doctors SET is_verified = 1 WHERE id = ?', [doctor_id]);
			if (result2.affectedRows === 0) return await respondWithStatus(res, 500, 'Error validating doctor');
			const [result3] = await pool.execute('INSERT INTO user_roles (user_id, role_id) VALUES (?, (SELECT id FROM roles WHERE name = ? LIMIT 1))', [result[0].user_id, 'Doctor']);
			if (result3.affectedRows === 0) return await respondWithStatus(res, 500, 'Error adding role to user');
			return await respondWithStatus(res, 200, 'Doctor validated successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.get('/:doctorId', verifyToken, checkBanned, async (req, res) => {
	try {
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'doctor', 2)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute('SELECT * FROM doctors WHERE id = ? LIMIT 1', [req.params.doctorId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Doctor not found');
		return await respondWithStatusJSON(res, 200, rows[0]);
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.patch('/:doctorId', verifyToken, checkBanned, async (req, res) => {
	try {
		const { type, value } = req.body;
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'doctor', 2)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute('SELECT * FROM doctors WHERE id = ? LIMIT 1', [req.params.doctorId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Doctor not found');

		const excludedKeys = [ 'id', 'user_id' ];
		const fields = rows.map(row => Object.keys(row).filter(key => !excludedKeys.includes(key)));
		if (fields[0].includes(type)) {
			const [result] = await pool.execute(`UPDATE doctors SET ${type} = ? WHERE id = ?`, [value, req.params.doctorId]);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error updating doctor');
			return await respondWithStatus(res, 200, 'Doctor updated successfully');
		}
		else {
			return await respondWithStatus(res, 400, 'Invalid type');
		}
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.put('/:doctorId', verifyToken, checkBanned, async (req, res) => {
	const { user_id, email, phone, speciality, status, is_verified } = req.body;
	if ([ user_id, email, phone, speciality, status, is_verified ].every(Boolean)) {
		try {
			const doctorId = await getDoctorId (req.userId);
			if (req.params.doctorId == '@me') {
				if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
				req.params.doctorId = doctorId;
			}
			if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'doctor', 2)) return await respondWithStatus(res, 403, 'Missing permission');
			const [rows] = await pool.execute('SELECT * FROM doctors WHERE id = ? LIMIT 1', [req.params.doctorId]);
			if (rows.length === 0) return await respondWithStatus(res, 404, 'Doctor not found');

			const [result] = await pool.execute(
				'UPDATE doctors SET name = ?, email = ?, phone = ?, speciality = ?, status = ?, is_verified = ? WHERE id = ?',
				[user_id, email, phone, speciality, status, is_verified, req.params.doctorId],
			);

			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error updating doctor');
			return await respondWithStatus(res, 200, 'Doctor updated successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.delete('/:doctorId', verifyToken, checkBanned, async (req, res) => {
	try {
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'doctor', 4)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute('SELECT * FROM doctors WHERE id = ? LIMIT 1', [req.params.doctorId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Doctor not found');

		const [result] = await pool.execute('DELETE FROM doctors WHERE id = ?', [req.params.doctorId]);
		if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error removing doctor');
		return await respondWithStatus(res, 200, 'Doctor deleted successfully');
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

// Appointments endpoints
router.get('/:doctorId/appointments', verifyToken, checkBanned, async (req, res) => {
	try {
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'appointment', 1)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute(
			'SELECT a.*, u.first_name, u.last_name, p.gender, p.date_of_birth, s.service_name, a.service_id FROM appointments AS a JOIN patients AS p ON a.patient_id = p.id JOIN users AS u ON p.user_id = u.id JOIN services AS s ON a.service_id = s.id WHERE a.doctor_id = ?',
			[req.params.doctorId],
		);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Appointments not found');
		return await respondWithStatusJSON(res, 200, rows);
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.post('/:doctorId/appointments', verifyToken, checkBanned, async (req, res) => {
	const { patient_id, service_id, hospital_id, room_id = null, date, time, status } = req.body;
	if (!['Confirmed', 'Completed', 'Absent', 'Cancelled by Patient', 'Cancelled by Doctor'].includes(status)) return await respondWithStatus(res, 400, 'Invalid status');
	const doctorId = await getDoctorId (req.userId);
	if (req.params.doctorId == '@me') {
		if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
		req.params.doctorId = doctorId;
	}
	if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'appointment', 2)) return await respondWithStatus(res, 403, 'Missing permission');
	if ([patient_id, service_id, hospital_id, date, time, status].every(Boolean)) {
		try {
			const [result] = await pool.execute(
				'INSERT INTO appointments (patient_id, doctor_id, service_id, hospital_id, room_id, date, time, status) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
				[patient_id, req.params.doctorId, service_id, hospital_id, room_id, date, time, status],
			);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error storing appointment');
			return await respondWithStatus(res, 200, 'Appointment created successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.get('/:doctorId/appointments/:appointmentId', verifyToken, checkBanned, async (req, res) => {
	try {
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'appointment', 1)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute(
			'SELECT a.*, u.first_name, u.last_name, p.gender, p.date_of_birth, s.service_name, a.service_id FROM appointments AS a JOIN patients AS p ON a.patient_id = p.id JOIN users AS u ON p.user_id = u.id WHERE a.id = ? AND a.doctor_id = ? LIMIT 1',
			[req.params.appointmentId, req.params.doctorId],
		);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Appointment not found');
		return await respondWithStatusJSON(res, 200, rows[0]);
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.patch('/:doctorId/appointments/:appointmentId', verifyToken, checkBanned, async (req, res) => {
	try {
		const { type, value } = req.body;
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'appointment', 2)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute('SELECT * FROM appointments WHERE id = ? LIMIT 1', [req.params.appointmentId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Appointment not found');

		const excludedKeys = [ 'id', 'patient_id', 'doctor_id' ];
		const fields = rows.map(row => Object.keys(row).filter(key => !excludedKeys.includes(key)));
		if (type === 'status' && !['Confirmed', 'Completed', 'Absent', 'Cancelled by Patient', 'Cancelled by Doctor'].includes(value)) return await respondWithStatus(res, 400, 'Invalid status');
		if (fields[0].includes(type)) {
			const [result] = await pool.execute(`UPDATE appointments SET ${type} = ? WHERE id = ?`, [value, req.params.appointmentId]);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error updating appointment');
			return await respondWithStatus(res, 200, 'Appointment updated successfully');
		}
		else {
			return await respondWithStatus(res, 400, 'Invalid type');
		}
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.put('/:doctorId/appointments/:appointmentId', verifyToken, checkBanned, async (req, res) => {
	const { patient_id, service_id, hospital_id, room_id, date, time, status } = req.body;
	if (!['Confirmed', 'Completed', 'Absent', 'Cancelled by Patient', 'Cancelled by Doctor'].includes(status)) return await respondWithStatus(res, 400, 'Invalid status');
	const doctorId = await getDoctorId (req.userId);
	if (req.params.doctorId == '@me') {
		if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
		req.params.doctorId = doctorId;
	}
	if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'appointment', 2)) return await respondWithStatus(res, 403, 'Missing permission');
	if ([patient_id, service_id, hospital_id, room_id, date, time, status].every(Boolean)) {
		try {
			const [rows] = await pool.execute('SELECT * FROM appointments WHERE id = ? LIMIT 1', [req.params.appointmentId]);
			if (rows.length === 0) return await respondWithStatus(res, 404, 'Appointment not found');

			const [result] = await pool.execute(
				'UPDATE appointments SET patient_id = ?, doctor_id = ?, service_id = ?, hospital_id = ?, room_id = ?, date = ?, time = ?, status = ? WHERE id = ?',
				[patient_id, req.params.doctorId, service_id, hospital_id, room_id, date, time, status, req.params.appointmentId],
			);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error updating appointment');
			return await respondWithStatus(res, 200, 'Appointment updated successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.delete('/:doctorId/appointments/:appointmentId', verifyToken, checkBanned, async (req, res) => {
	try {
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'appointment', 4)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute('SELECT * FROM appointments WHERE id = ? LIMIT 1', [req.params.appointmentId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Appointment not found');

		const [result] = await pool.execute('DELETE FROM appointments WHERE id = ?', [req.params.appointmentId]);
		if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error removing appointment');
		return await respondWithStatus(res, 200, 'Appointment deleted successfully');
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

// Services endpoints
router.get('/:doctorId/services', verifyToken, checkBanned, async (req, res) => {
	try {
		const doctorId = await getDoctorId (req.userId);
		if (req.params.doctorId == '@me') {
			if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
			req.params.doctorId = doctorId;
		}
		if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'service', 1)) return await respondWithStatus(res, 403, 'Missing permission');
		const [rows] = await pool.execute('SELECT s.* FROM services s INNER JOIN service_doctors sd ON s.id = sd.service_id WHERE sd.doctor_id = ?', [req.params.doctorId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Services not found');
		return await respondWithStatusJSON(res, 200, rows);
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.post('/:doctorId/services', verifyToken, checkBanned, async (req, res) => {
	const { service_id } = req.body;
	const doctorId = await getDoctorId (req.userId);
	if (req.params.doctorId == '@me') {
		if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
		req.params.doctorId = doctorId;
	}
	if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'service', 2)) return await respondWithStatus(res, 403, 'Missing permission');
	if (service_id) {
		try {
			const [result] = await pool.execute('INSERT INTO service_doctors (doctor_id, service_id) VALUES (?, ?)', [req.params.doctorId, service_id]);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error storing service');
			return await respondWithStatus(res, 200, 'Service added successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Missing fields');
	}
});

router.patch('/:doctorId/services/:serviceId', verifyToken, checkBanned, async (req, res) => {
	const { type, value } = req.body;
	const doctorId = await getDoctorId (req.userId);
	if (req.params.doctorId == '@me') {
		if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
		req.params.doctorId = doctorId;
	}
	if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'service', 2)) return await respondWithStatus(res, 403, 'Missing permission');
	if (type === 'service_id') {
		try {
			const [result] = await pool.execute('UPDATE service_doctors SET service_id = ? WHERE doctor_id = ? AND service_id = ?', [value, req.params.doctorId, req.params.serviceId]);
			if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error updating service');
			return await respondWithStatus(res, 200, 'Service updated successfully');
		}
		catch (err) {
			error(err);
			return await respondWithStatus(res, 500, 'An error has occured');
		}
	}
	else {
		return await respondWithStatus(res, 400, 'Invalid type');
	}
});

router.delete('/:doctorId/services/:serviceId', verifyToken, checkBanned, async (req, res) => {
	const doctorId = await getDoctorId (req.userId);
	if (req.params.doctorId == '@me') {
		if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
		req.params.doctorId = doctorId;
	}
	if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'service', 4)) return await respondWithStatus(res, 403, 'Missing permission');
	try {
		const [result] = await pool.execute('DELETE FROM service_doctors WHERE doctor_id = ? AND service_id = ?', [req.params.doctorId, req.params.serviceId]);
		if (result.affectedRows === 0) return await respondWithStatus(res, 500, 'Error removing service');
		return await respondWithStatus(res, 200, 'Service removed successfully');
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
});

router.get('/:doctorId/hospitals', verifyToken, checkBanned, async (req,res) => {
	const doctorId = await getDoctorId(req.userId);
	if (req.params.doctorId == '@me') {
		if (!doctorId) return await respondWithStatus(res, 404, 'Doctor not found');
		req.params.doctorId = doctorId;
	}
	if (doctorId != req.params.doctorId && !verifyPermissions(req.userId, 'service', 4)) return await respondWithStatus(res, 403, 'Missing permission');
	try {
										//'SELECT s.* FROM services s INNER JOIN service_doctors sd ON s.id = sd.service_id WHERE sd.doctor_id = ?', [req.params.doctorId]
		const [rows] = await pool.execute('SELECT h.* FROM hospitals h INNER JOIN hospital_doctors hd ON h.id = hd.hospital_id WHERE hd.doctor_id = ?', [req.params.doctorId]);
		if (rows.length === 0) return await respondWithStatus(res, 404, 'Hospitals not found');
		return await respondWithStatusJSON(res, 200, rows);
	}
	catch (err) {
		error(err);
		return await respondWithStatus(res, 500, 'An error has occured');
	}
})

export default router;


async function getDoctorId(userId) {
	const [rows] = await pool.execute('SELECT id FROM doctors WHERE user_id = ? LIMIT 1', [userId]);
	return rows.length ? rows[0].id : null;
}