Messaging backend

README.md

@@ -0,0 +1,20 @@
+# how to set up secret key:
+python -c "import secrets; print(secrets.token_hex(16))"
+
+example: f7faaa9ab2e1b3145a527a573f3c7489
+
+then > set FLASK_SECRET_KEY=f7faaa9ab2e1b3145a527a573f3c7489 OR $env:FLASK_SECRET_KEY=f7faaa9ab2e1b3145a527a573f3c7489 if on PSH
+
+for now you can use: $env:FLASK_SECRET_KEY="a-secret-key-that-is-long-and-random"
+once set up, python main.py
+
+
+super admin login:
+testemail@gmail.com
+testpassword
+
+inv URL: http://localhost:8000/api/invitations
+inv URL with token: http://localhost:3000/accept-invitation?token=TOKENHERE
+
+Known issue:
+password encryption does not work as intended, will fix this asap (backend)

backend/app/auth.py

@@ -1,6 +1,22 @@
+import sqlite3
 from functools import wraps
 from flask import session, jsonify
 
+def get_current_user():
+    if 'email' not in session:
+        return None, None, None
+
+    conn = sqlite3.connect('database.db')
+    c = conn.cursor()
+    c.execute('SELECT id, role, organization_id FROM users WHERE email = ?', (session['email'],))
+    user = c.fetchone()
+    conn.close()
+
+    if not user:
+        return None, None, None
+
+    return user[0], user[1], user[2]
+
 def role_required(allowed_roles):
     def decorator(f):
         @wraps(f)
@@ -14,4 +30,4 @@ def decorated_function(*args, **kwargs):
 
             return f(*args, **kwargs)
         return decorated_function
-    return decorator
+    return decorator

backend/app/db_setup.py

@@ -1,3 +1,5 @@
+#backend/app/db_setup.py
+
 import sqlite3
 import os
 
@@ -96,6 +98,61 @@ def initialize_database():
         FOREIGN KEY (graded_by) REFERENCES users (id)
     )''')
 
+    # --- Invitations ---
+    c.execute('''
+    CREATE TABLE IF NOT EXISTS invitations (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    email TEXT NOT NULL,
+    token TEXT NOT NULL UNIQUE,
+    role TEXT NOT NULL,
+    organization_id INTEGER NOT NULL,
+    created_by INTEGER,
+    expires_at TIMESTAMP NOT NULL,
+    is_used INTEGER DEFAULT 0,
+    FOREIGN KEY (organization_id) REFERENCES organizations (id),
+    FOREIGN KEY (created_by) REFERENCES users (id)
+)
+''')
+
+    # --- Messaging Tables ---
+    c.execute('''CREATE TABLE IF NOT EXISTS conversations (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT,
+        is_group_chat INTEGER NOT NULL DEFAULT 0,
+        created_by_id INTEGER,
+        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (created_by_id) REFERENCES users (id)
+    )''')
+
+    c.execute('''CREATE TABLE IF NOT EXISTS conversation_participants (
+        user_id INTEGER NOT NULL,
+        conversation_id INTEGER NOT NULL,
+        last_read_timestamp TIMESTAMP,
+        PRIMARY KEY (user_id, conversation_id),
+        FOREIGN KEY (user_id) REFERENCES users (id),
+        FOREIGN KEY (conversation_id) REFERENCES conversations (id)
+    )''')
+
+    c.execute('''CREATE TABLE IF NOT EXISTS messages (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        conversation_id INTEGER NOT NULL,
+        sender_id INTEGER NOT NULL,
+        content TEXT NOT NULL,
+        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+        updated_at TIMESTAMP,
+        is_deleted INTEGER NOT NULL DEFAULT 0,
+        FOREIGN KEY (conversation_id) REFERENCES conversations (id),
+        FOREIGN KEY (sender_id) REFERENCES users (id)
+    )''')
+
+    c.execute('''CREATE TABLE IF NOT EXISTS message_read_status (
+        message_id INTEGER NOT NULL,
+        user_id INTEGER NOT NULL,
+        PRIMARY KEY (message_id, user_id),
+        FOREIGN KEY (message_id) REFERENCES messages (id),
+        FOREIGN KEY (user_id) REFERENCES users (id)
+    )''')
+
     conn.commit()
     conn.close()
     print(f"Database initialized at {DB_PATH}")

backend/app/init.py

@@ -9,7 +9,7 @@ def create_app():
     app = Flask(__name__)
     app.secret_key = "supersecretkey"
 
-    CORS(app, supports_credentials=True)
+    CORS(app, supports_credentials=True, origins="http://localhost:3000")
 
     # Initialize DB (creates default org + default admin)
     initialize_database()

backend/app/insert_test_data.py

@@ -1,9 +1,16 @@
 # backend/app/insert_test_data.py
 import sqlite3
 import bcrypt
+import os
+import sys
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+from app.db_setup import initialize_database
+
+DB_PATH = os.path.join(os.path.dirname(__file__), '..', 'database.db')
 
 def insert_test_data():
-    conn = sqlite3.connect('database.db')
+    initialize_database()
+    conn = sqlite3.connect(DB_PATH)
     c = conn.cursor()
 
     # --- Create a test organization ---
@@ -66,6 +73,21 @@ def insert_test_data():
     """, (3, "Personal Assignment", "Visible to employee1@test.com only", user_ids["admin@test.com"], 0))
     c.execute("INSERT OR IGNORE INTO user_assignments (user_id, assignment_id) VALUES (?, ?)", (employee1_id, 3))
 
+    # --- Create a test conversation ---
+    c.execute("INSERT OR IGNORE INTO conversations (id, name, is_group_chat, created_by_id) VALUES (?, ?, ?, ?)",
+              (1, "Test Group Chat", 1, user_ids["manager@test.com"]))
+    c.execute("INSERT OR IGNORE INTO conversation_participants (conversation_id, user_id) VALUES (?, ?)", (1, user_ids["manager@test.com"]))
+    c.execute("INSERT OR IGNORE INTO conversation_participants (conversation_id, user_id) VALUES (?, ?)", (1, user_ids["employee1@test.com"]))
+    c.execute("INSERT OR IGNORE INTO conversation_participants (conversation_id, user_id) VALUES (?, ?)", (1, user_ids["employee2@test.com"]))
+
+    # --- Create test messages ---
+    c.execute("INSERT OR IGNORE INTO messages (conversation_id, sender_id, content) VALUES (?, ?, ?)",
+              (1, user_ids["manager@test.com"], "Hello team!"))
+    c.execute("INSERT OR IGNORE INTO messages (conversation_id, sender_id, content) VALUES (?, ?, ?)",
+              (1, user_ids["employee1@test.com"], "Hello manager!"))
+    c.execute("INSERT OR IGNORE INTO messages (conversation_id, sender_id, content) VALUES (?, ?, ?)",
+                (1, user_ids["employee2@test.com"], "Hello!"))
+
     conn.commit()
     conn.close()
 

backend/app/invitation_routes.py

@@ -0,0 +1,174 @@
+#backend/app/invitation_routes.py
+import sqlite3
+import secrets
+from datetime import datetime, timedelta
+from flask import request, jsonify, session
+import bcrypt
+from app.auth import role_required
+
+# -------------------------
+# Helper DB Connection
+# -------------------------
+def get_db_connection():
+    conn = sqlite3.connect("database.db")
+    conn.row_factory = sqlite3.Row
+    return conn
+
+# -------------------------
+# Initialize Invitation Routes
+# -------------------------
+def init_invitation_routes(app):
+
+    # -------------------------
+    # CORS PREFLIGHT (OPTIONS)
+    # -------------------------
+    @app.route('/api/invitations', methods=['OPTIONS'])
+    @app.route('/api/invitations/<int:invitation_id>', methods=['OPTIONS'])
+    def invitations_options(invitation_id=None):
+        return jsonify({}), 200
+
+    # -------------------------
+    # CREATE INVITATION
+    # -------------------------
+    @app.route('/api/invitations', methods=['POST'])
+    @role_required(['super_admin'])
+    def create_invitation():
+        data = request.get_json()
+        email = data.get('email')
+        role = data.get('role')
+        organization_id = data.get('organization_id')
+
+        if not all([email, role, organization_id]):
+            return jsonify({'message': 'Email, role, and organization ID are required'}), 400
+
+        token = secrets.token_urlsafe(16)
+        expires_at = datetime.now() + timedelta(days=7)
+        created_by = session.get('user_id', 0)
+
+        conn = get_db_connection()
+        c = conn.cursor()
+        c.execute("""
+            INSERT INTO invitations
+            (email, token, role, organization_id, created_by, expires_at, is_used)
+            VALUES (?, ?, ?, ?, ?, ?, 0)
+        """, (email, token, role, organization_id, created_by, expires_at))
+        conn.commit()
+        conn.close()
+
+        invite_link = f"http://localhost:3000/accept-invitation?token={token}"
+
+        return jsonify({
+            "message": "Invitation created successfully",
+            "token": token,
+            "invite_link": invite_link
+        }), 201
+
+    # -------------------------
+    # GET ALL INVITATIONS
+    # -------------------------
+    @app.route('/api/invitations', methods=['GET'])
+    @role_required(['super_admin'])
+    def get_invitations():
+        conn = get_db_connection()
+        c = conn.cursor()
+        c.execute('SELECT id, email, role, organization_id, expires_at, is_used FROM invitations ORDER BY id DESC')
+        invitations = [dict(row) for row in c.fetchall()]
+        conn.close()
+        return jsonify({'invitations': invitations}), 200
+
+    # -------------------------
+    # DELETE INVITATION
+    # -------------------------
+    @app.route('/api/invitations/<int:invitation_id>', methods=['DELETE'])
+    @role_required(['super_admin'])
+    def delete_invitation(invitation_id):
+        conn = get_db_connection()
+        c = conn.cursor()
+
+        # Check if invitation exists
+        c.execute('SELECT id FROM invitations WHERE id = ?', (invitation_id,))
+        inv = c.fetchone()
+        if not inv:
+            conn.close()
+            return jsonify({'message': 'Invitation not found'}), 404
+
+        # Delete the invitation
+        c.execute('DELETE FROM invitations WHERE id = ?', (invitation_id,))
+        conn.commit()
+        conn.close()
+
+        return jsonify({'message': 'Invitation deleted successfully'}), 200
+
+    # -------------------------
+    # VERIFY INVITATION TOKEN
+    # -------------------------
+    @app.route('/api/invitations/<token>', methods=['GET'])
+    def verify_invitation(token):
+        conn = get_db_connection()
+        c = conn.cursor()
+        c.execute('SELECT email, role, organization_id, expires_at, is_used FROM invitations WHERE token = ?', (token,))
+        invitation = c.fetchone()
+        conn.close()
+
+        if not invitation:
+            return jsonify({'message': 'Invalid token'}), 404
+
+        expires_at = invitation['expires_at']
+        if isinstance(expires_at, str):
+            expires_at = datetime.strptime(expires_at, '%Y-%m-%d %H:%M:%S.%f')
+
+        if expires_at < datetime.now():
+            return jsonify({'message': 'Token has expired'}), 400
+
+        if invitation['is_used']:
+            return jsonify({'message': 'Token has already been used'}), 400
+
+        return jsonify({
+            'email': invitation['email'],
+            'role': invitation['role'],
+            'organization_id': invitation['organization_id']
+        }), 200
+
+    # -------------------------
+    # REGISTER USER FROM INVITATION
+    # -------------------------
+    @app.route('/api/register', methods=['POST'])
+    def register_from_invitation():
+        data = request.get_json()
+        email = data.get("email")
+        password = data.get("password")
+        role = data.get("role")
+        organization_id = data.get("organization_id")
+        token = data.get("token")
+
+        if not all([email, password, role, organization_id, token]):
+            return jsonify({"message": "All fields are required"}), 400
+
+        conn = get_db_connection()
+        c = conn.cursor()
+
+        # Check invitation
+        c.execute("SELECT is_used FROM invitations WHERE token = ?", (token,))
+        inv = c.fetchone()
+        if not inv:
+            conn.close()
+            return jsonify({"message": "Invalid invitation token"}), 404
+        if inv['is_used']:
+            conn.close()
+            return jsonify({"message": "Invitation already used"}), 400
+
+        # Hash password
+        hashed_password = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
+
+        # Create user
+        c.execute(
+            "INSERT INTO users (email, password, role, organization_id) VALUES (?, ?, ?, ?)",
+            (email, hashed_password, role, organization_id)
+        )
+
+        # Mark invitation as used
+        c.execute("UPDATE invitations SET is_used = 1 WHERE token = ?", (token,))
+        conn.commit()
+        conn.close()
+
+        return jsonify({"message": "User registered successfully"}), 201