team access updated

nginx.conf

@@ -0,0 +1,30 @@
+user  nginx;
+worker_processes  auto;
+
+http {
+  # ...existing code...
+
+  server {
+    server_name kings.com;
+    root /var/www/kings-frontend;  # Path to your built frontend files
+    index index.html;
+    location / {
+      try_files $uri $uri/ /index.html;
+    }
+    # ...existing code...
+  }
+
+  server {
+    server_name backend.kings.com;
+    location / {
+      proxy_pass http://localhost:3000; // Forward to your Node.js backend
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $host;
+      # ...existing code...
+    }
+  }
+
+  # ...existing code...
+}

server/postman_collection.json

@@ -77,6 +77,10 @@
           {
             "key": "Content-Type",
             "value": "application/json"
+          },
+          {
+            "key": "Authorization",
+            "value": "Bearer <SESSION_TOKEN>"
           }
         ],
         "body": {
@@ -100,6 +104,10 @@
           {
             "key": "Content-Type",
             "value": "application/json"
+          },
+          {
+            "key": "Authorization",
+            "value": "Bearer <SESSION_TOKEN>"
           }
         ],
         "body": {
@@ -119,7 +127,12 @@
       "name": "Delete Team",
       "request": {
         "method": "DELETE",
-        "header": [],
+        "header": [
+          {
+            "key": "Authorization",
+            "value": "Bearer <SESSION_TOKEN>"
+          }
+        ],
         "url": {
           "raw": "http://localhost:3000/api/teams/1",
           "protocol": "http",

server/readme.md

@@ -106,9 +106,10 @@ The server will listen on the port specified in your `.env` file (default is 300
 
 ### Team Endpoints
 - **GET /api/teams**  
-  Retrieve all teams.
+  Retrieve all teams (public).
+
 - **POST /api/teams**  
-  Create a new team. Requires `name` and `announcement_time` in the body.
+  Create a new team (admin only, requires Bearer token).  
   _Request Body Example:_
   ```json
   {
@@ -116,10 +117,12 @@ The server will listen on the port specified in your `.env` file (default is 300
     "announcement_time": "02:30:00"
   }
   ```
+
 - **PUT /api/teams/:id**  
-  Update a team.
+  Update a team (admin only, requires Bearer token).
+
 - **DELETE /api/teams/:id**  
-  Delete a team.
+  Delete a team (admin only, requires Bearer token).
 
 ### Testing Sanitization
 A sample endpoint (POST /api/teams) will sanitize HTML input. For example, sending:

server/routes/team.js

@@ -2,13 +2,26 @@ const express = require('express');
 const router = express.Router();
 const teamController = require('../controllers/teamController');
 const { validateTeam } = require('../middlewares/validation');
+const db = require('../db');
+
+async function requireAdmin(req, res, next) {
+  try {
+    const token = req.headers.authorization?.split(' ')[1];
+    if (!token) return res.status(401).json({ error: 'Unauthorized' });
+    const [admin] = await db.query('SELECT id FROM admins WHERE session_token = ?', [token]);
+    if (!admin) return res.status(401).json({ error: 'Unauthorized' });
+    next();
+  } catch {
+    res.status(401).json({ error: 'Unauthorized' });
+  }
+}
 
 router.get('/', teamController.getAllTeams);
 
-router.post('/', validateTeam, teamController.createTeam);
+router.post('/', requireAdmin, validateTeam, teamController.createTeam);
 
-router.put('/:id', validateTeam, teamController.updateTeam);
+router.put('/:id', requireAdmin, validateTeam, teamController.updateTeam);
 
-router.delete('/:id', teamController.deleteTeam);
+router.delete('/:id', requireAdmin, teamController.deleteTeam);
 
 module.exports = router;