Feature/be 01 endpoints for user and application

[heryandjaruma]

User description

Overview

• Improve authentication to use session cookie instead of id token and refresh token auth method.
• Add application endpoints, including endpoints which needed to fetch application questions.
• Add application PATCH method to fill in application questions in an appropriate state, with validation checking.
• Support for file upload.

Complete docs can be found in the postman docs shared in the group.

Future todo @heryandjaruma :

• Mobile metadata header to have a longer __session expiry.
• Might be good to implement role-based endpoints. The base code is there, and can be used to reject access if no custom roles attached to user like "Admin".

---

PR Type

Enhancement

---

Description

Migrate auth to session cookies with CSRF
Add application endpoints (patch, questions, status)
Implement file upload handling & validation
Enhance server (CORS, cookies, logging)

---

Changes walkthrough 📝

	Relevant files
Configuration changes	2 files firebase.ts Enable storageBucket & fake data populator                              +6/-5      index.ts Configure CORS options for API                                                      +4/-3
Enhancement	14 files application_controller.ts Add application controllers & validation                                  +817/-0  auth_controller.ts Migrate auth to session cookie & CSRF                                        +245/-65 auth_middleware.ts Implement session cookie auth middleware                                  +35/-40  csrf_middleware.ts Add CSRF protection middleware                                                      +35/-0    role_middleware.ts Add role-based access middleware                                                  +26/-0    role.ts Define RoleType enum                                                                          +4/-0      application.ts Create application routes                                                                +22/-0    auth.ts Update auth routes for session API                                              +5/-14    index.ts Register application routes                                                            +2/-0      server.ts Enhance server: cookies, CSRF, logging                                      +46/-6    application_types.ts Define application types & enums                                                  +92/-0    express.ts Add TypedRequestBody interface                                                      +3/-0      fake_data_populator.ts Extend fake data populator for questions                                  +119/-4  jwt.ts Add session JWT utilities                                                                +59/-0
Miscellaneous	2 files ticket.ts Remove auth middleware from ticket routes                                +2/-11    user.ts Adjust user routes middleware                                                        +2/-2
Documentation	1 files application-endpoints.md Document application endpoints                                                      +8/-0
Dependencies	1 files package.json Update dependencies & build scripts                                            +11/-5

---

Need help?

Type /help how to ... in the comments thread for any questions about PR-Agent usage.

Check out the documentation for more information.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Validation Logic The condition if (fieldValue === undefined && fieldValue === "") should likely use || instead of && to correctly skip missing or empty values. if (fieldValue === undefined && fieldValue === "") { continue; } Incorrect Cookie Access The code uses res.cookies.__session instead of req.cookies to extract the session cookie. const sessionCookie = res.cookies.__session Incorrect Log Message The warning Authorization token cannot be found in header or __session cookie. is logged even when an idToken is present. functions.logger.warn("Authorization token cannot be found in header or __session cookie.") return idToken; }

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Correct empty value check The condition to skip empty values should use logical OR instead of AND, otherwise it never matches. Change it to check if the value is undefined or an empty string. functions/src/controllers/application_controller.ts [210-212] -if (fieldValue === undefined && fieldValue === "") { +if (fieldValue === undefined || fieldValue === "") { continue; } Suggestion importance[1-10]: 8 __ Why: The condition fieldValue === undefined && fieldValue === "" can never be true; changing to OR correctly skips undefined or empty values and fixes the validation logic.	Medium
	Fix undefined status reference The response object references an undefined status variable. Replace it with the actual status code. functions/src/controllers/auth_controller.ts [235-244] } catch (error) { functions.logger.error("Error when trying to logout", err.message); // force remove cookies res.clearCookie("__session", { httpOnly: true, sameSite: "strict", secure: process.env.NODE_ENV === "production" }); - res.status(500).json({status, error: "Something went wrong."}); + res.status(500).json({status: 500, error: "Something went wrong."}); } Suggestion importance[1-10]: 7 __ Why: The JSON response uses an undefined status variable; explicitly setting status: 500 corrects the runtime error in error handling.	Medium
	Correct cookie retrieval Cookies are parsed on the request, not the response. Use req.cookies.__session instead of res.cookies. functions/src/middlewares/role_middleware.ts [7] -const sessionCookie = res.cookies.__session +const sessionCookie = req.cookies.__session; Suggestion importance[1-10]: 6 __ Why: Cookies are available on the request object, not the response object, so using req.cookies.__session fixes the lookup and prevents undefined errors.	Low
General	Parse allowedTypes string array allowedTypes is a comma-separated string, so .includes checks substrings not MIME entries. Split and trim it into an array before matching. functions/src/controllers/application_controller.ts [511-514] -if (!validation.allowedTypes || !validation.allowedTypes.includes(mimeType)) { +const allowedTypes = validation.allowedTypes.split(",").map(t => t.trim()); +if (!allowedTypes.includes(mimeType)) { file.resume(); // discard the file return; } Suggestion importance[1-10]: 6 __ Why: Splitting the comma-separated allowedTypes into an array and trimming ensures accurate MIME type matching instead of substring checks.	Low

[hib4]

LGTM!!