Curso de Backend con ExpressJS

Oscar Barajas Tavares

Admin controllers / services part 2

Appointment and time block management is an essential component of any reservation system. Properly implementing the administrative part of your application not only improves the user experience, but also provides efficient control over availability and reservations. In this lesson, we explore how to create administrative services to manage time blocks and list reservations, with a focus on security and user roles.

How to implement administrative services in your application?

To implement the administrative part of our application, we need to create a specific service that handles the business logic related to managing time blocks and reservations. This service will act as an intermediary between our controllers and the database.

First, we create a new file called admin.service.js where we will implement all the necessary logic. The first thing we need is to import Prisma to communicate with our database:

    const { PrismaClient } = require('@prisma/client');
    const prisma = new PrismaClient();

What services do we need for administrative management?

We need to implement two main services:

  1. Service to create time blocks: this service will allow administrators to define availability periods.

    // Create an availability period; the inputs are converted to Date objects.
    const createTimeBlockService = async (startTime, endTime) => {
      const newTimeBlock = await prisma.timeBlock.create({
        data: {
          startTime: new Date(startTime),
          endTime: new Date(endTime)
        }
      });
      return newTimeBlock;
    };

  2. Service to list reservations: this service will allow administrators to view all scheduled appointments.

    // Return every reservation together with its user and time block.
    const listReservationService = async () => {
      const reservations = await prisma.appointments.findMany({
        include: { user: true, timeBlock: true }
      });
      return reservations;
    };

    module.exports = { createTimeBlockService, listReservationService };

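It is important to note that the reservation listing service includes information on both the user and the associated time block, providing a complete view of each reservation. Because include: { user: true } returns every scalar field of the user record, any sensitive column stored on that model is returned as well unless the query uses select to name the fields it needs.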

How to protect administrative routes with authentication?

Security is a crucial aspect in any application, especially when it comes to administrative functionalities. To protect our routes, we implement an authentication middleware that verifies both the validity of the token and the role of the user.

In our administrative controller, we need to import this middleware:

    const authenticateToken = require('../middlewares/authorization');

Then, we apply this middleware to our administrative routes:

    router.get('/reservations', authenticateToken, async (req, res) => {
      // Logic to list reservations
    });

    router.post('/time-blocks', authenticateToken, async (req, res) => {
      // Logic to create time blocks
    });

How does role validation work?

The authentication middleware not only verifies that the token is valid, but also checks if the user has the role of administrator. This ensures that only users with appropriate permissions can access these functionalities.

If a user without an administrator role attempts to access these paths, they will receive an "Access denied" message, even if their token is valid. This provides an additional layer of security to protect sensitive information.

How to test our administrative services?

To test our administrative services, we can use tools like Postman. Here are some important testing scenarios:

  1. List reservations with an admin user: should return all reservations with detailed information.
  2. List reservations with an invalid token: should return an authentication error.
  3. List reservations with a non-admin user: should return an "Access denied" message.
  4. Create a time block with an administrator user: should successfully create a new time block.

It is critical to verify that the routes are correctly defined. A common mistake is to use incorrect path names, which will result in 404 (Not Found) errors.
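
The role check and the test scenarios described above, as an added example; this is not the course's own middleware, which this page does not show. It assumes an HS256 JWT sent as Authorization: Bearer, a role claim whose admin value is ADMIN, and a constructed secret; issueToken and simulate are hypothetical helpers for exercising the middleware without a running server.

```javascript
const crypto = require('node:crypto');
// Assumptions: HS256-signed JWT, a `role` claim, and a constructed demo secret
// (real code loads the secret from configuration, never from source).
const SECRET = 'constructed-demo-secret';
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Hypothetical helper: issue a token for a constructed user.
function issueToken(claims, ttlSeconds = 3600) {
  const header = b64url({ alg: 'HS256', typ: 'JWT' });
  const body = b64url({ ...claims, exp: Math.floor(Date.now() / 1000) + ttlSeconds });
  return `${header}.${body}.${sign(`${header}.${body}`).toString('base64url')}`;
}

// Returns the claims when the token is authentic and unexpired, otherwise null.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  try {
    // Pin the algorithm instead of trusting whatever the token header declares.
    if (decode(header).alg !== 'HS256') return null;
    const given = Buffer.from(sig, 'base64url');
    const expected = sign(`${header}.${body}`);
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = decode(body);
    return typeof claims.exp === 'number' && claims.exp > Date.now() / 1000 ? claims : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Express-style middleware: 401 = not authenticated, 403 = authenticated but not an admin.
function authenticateToken(req, res, next) {
  const [scheme, token] = (req.headers.authorization || '').split(' ');
  const claims = scheme === 'Bearer' ? verifyToken(token) : null;
  if (!claims) return res.status(401).json({ error: 'Invalid or missing token' });
  if (claims.role !== 'ADMIN') return res.status(403).json({ error: 'Access denied' });
  req.user = claims;
  return next();
}

// Hypothetical helper: run the middleware against a mock request and report the outcome.
function simulate(authorization) {
  const out = { status: null, body: null, passed: false };
  const res = { status(c) { out.status = c; return this; }, json(b) { out.body = b; return this; } };
  authenticateToken({ headers: { authorization } }, res, () => { out.passed = true; });
  return out;
}
```

The role is read from the token only after the signature check passes, so editing the role claim in a valid non-admin token produces a 401, not admin access.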

Implementing robust administrative services significantly improves the management of your application, allowing efficient control over availability and reservations. Always remember to prioritize security by properly validating tokens and user roles.
