feat: initialize server with Express, add middleware and routes, and set up Swagger documentation

Author: ashwin31

.env.example

@@ -0,0 +1,18 @@
+GOOGLE_CLIENT_ID="your-google-client-id-here"
+GOOGLE_CLIENT_SECRET="your-google-client-secret-here"
+GOOGLE_LOGIN_DOMAIN="http://localhost:5173"
+DATABASE_URL="postgresql://username:password@localhost:5432/bottlecrm?schema=public"
+
+# API Configuration
+API_PORT=3001
+JWT_SECRET=your-super-secure-jwt-secret-key-change-this-in-production
+JWT_EXPIRES_IN=24h
+FRONTEND_URL=http://localhost:5173
+
+# Logging Configuration
+ENABLE_REQUEST_LOGGING=true
+LOG_REQUEST_BODY=false
+LOG_RESPONSE_BODY=false
+
+# Environment
+NODE_ENV=development

ENV.md

@@ -0,0 +1,137 @@
+# BottleCRM API
+
+Express.js API for BottleCRM with JWT authentication, Swagger documentation, and configurable request logging.
+
+## Features
+
+- **Google OAuth Authentication**: Secure Google Sign-In for mobile apps
+- **Multi-tenant**: Organization-based data isolation using existing Prisma schema
+- **Swagger Documentation**: Interactive API documentation at `/api-docs`
+- **Request Logging**: Configurable input/output HTTP request logging
+- **Security**: Helmet, CORS, rate limiting
+- **Organization Access Control**: Ensures users can only access their organization's data
+
+## Quick Start
+
+1. The required environment variables are already added to your existing `.env` file.
+
+2. **Generate a secure JWT secret** (required for production):
+```bash
+# Using Node.js
+node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+
+# Using OpenSSL (if available)
+openssl rand -hex 32
+
+# Using online generator (for development only)
+# Visit: https://generate-secret.vercel.app/32
+```
+
+3. Update your `.env` file with the generated secret:
+```env
+JWT_SECRET=your-generated-secret-key-here
+```
+
+4. Start the API server:
+```bash
+# Development with auto-reload
+pnpm run api:dev
+
+# Production
+pnpm run api:start
+```
+
+5. Visit Swagger documentation:
+```
+http://localhost:3001/api-docs
+```
+
+## Authentication
+
+1. **Google Login**: POST `/api/auth/google`
+   - Request: `{ "idToken": "google-id-token-from-mobile-app" }`
+   - Response: `{ "token": "jwt-token", "user": {...} }`
+
+2. **Use Token**: Include in Authorization header:
+   ```
+   Authorization: Bearer <jwt-token>
+   ```
+
+3. **Select Organization**: Include organization ID in header:
+   ```
+   X-Organization-ID: <organization-id>
+   ```
+
+## API Endpoints
+
+### Authentication
+- `POST /api/auth/google` - Google OAuth mobile login
+- `GET /api/auth/me` - Get current user profile
+
+### Leads
+- `GET /api/leads` - Get organization leads (paginated)
+- `GET /api/leads/:id` - Get lead by ID
+- `POST /api/leads` - Create new lead
+
+### Accounts
+- `GET /api/accounts` - Get organization accounts
+- `POST /api/accounts` - Create new account
+
+### Contacts
+- `GET /api/contacts` - Get organization contacts
+- `POST /api/contacts` - Create new contact
+
+### Opportunities
+- `GET /api/opportunities` - Get organization opportunities
+- `POST /api/opportunities` - Create new opportunity
+
+## Configuration
+
+### Environment Variables
+
+- `API_PORT`: Server port (default: 3001)
+- `JWT_SECRET`: Secret key for JWT tokens (required) - **Generate using the commands above**
+- `JWT_EXPIRES_IN`: Token expiration time (default: 24h)
+- `FRONTEND_URL`: Frontend URL for CORS (default: http://localhost:5173)
+
+### Logging Configuration
+
+- `LOG_LEVEL`: Logging level (info, debug, error)
+- `ENABLE_REQUEST_LOGGING`: Enable/disable request logging (true/false)
+- `LOG_REQUEST_BODY`: Log request bodies (true/false)
+- `LOG_RESPONSE_BODY`: Log response bodies (true/false)
+
+### Security Features
+
+- **Rate Limiting**: 100 requests per 15 minutes per IP
+- **Helmet**: Security headers
+- **CORS**: Cross-origin request handling
+- **JWT Validation**: Token verification on protected routes
+- **Organization Isolation**: Users can only access their organization's data
+
+## Data Access Control
+
+All API endpoints enforce organization-based access control:
+
+1. **Authentication Required**: All endpoints (except login) require valid JWT token
+2. **Organization Header**: Protected endpoints require `X-Organization-ID` header
+3. **Membership Validation**: User must be a member of the specified organization
+4. **Data Filtering**: All database queries are filtered by organization ID
+
+## Development
+
+The API uses the same Prisma schema as the main SvelteKit application, ensuring data consistency and leveraging existing:
+
+- Database models and relationships
+- Organization-based multi-tenancy
+- User role management (ADMIN/USER)
+- Super admin access (@micropyramid.com domain)
+
+## Testing with Swagger
+
+Access the interactive API documentation at `http://localhost:3001/api-docs` to:
+
+1. Test authentication endpoints
+2. Explore available endpoints
+3. Test API calls with different parameters
+4. View request/response schemas

api/README.md

@@ -0,0 +1,22 @@
+export const createLogger = () => {
+  return {
+    info: (message, meta) => {
+      console.log(`[INFO] ${message}`);
+      if (meta) {
+        console.log(JSON.stringify(meta, null, 2));
+      }
+    },
+    error: (message, meta) => {
+      console.error(`[ERROR] ${message}`);
+      if (meta) {
+        console.error(JSON.stringify(meta, null, 2));
+      }
+    },
+    warn: (message, meta) => {
+      console.warn(`[WARN] ${message}`);
+      if (meta) {
+        console.warn(JSON.stringify(meta, null, 2));
+      }
+    }
+  };
+};

api/config/logger.js

@@ -0,0 +1,78 @@
+import jwt from 'jsonwebtoken';
+import { PrismaClient } from '@prisma/client';
+
+const prisma = new PrismaClient();
+
+export const verifyToken = async (req, res, next) => {
+  try {
+    const token = req.header('Authorization')?.replace('Bearer ', '');
+    
+    if (!token) {
+      return res.status(401).json({ error: 'Access denied. No token provided.' });
+    }
+
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    
+    const user = await prisma.user.findUnique({
+      where: { id: decoded.userId },
+      include: {
+        userOrganizations: {
+          include: {
+            organization: true
+          }
+        }
+      }
+    });
+
+    if (!user) {
+      return res.status(401).json({ error: 'Invalid token. User not found.' });
+    }
+
+    req.user = user;
+    req.userId = user.id;
+    next();
+  } catch (error) {
+    return res.status(401).json({ error: 'Invalid token.' });
+  }
+};
+
+export const requireOrganization = async (req, res, next) => {
+  try {
+    const organizationId = req.header('X-Organization-ID');
+    
+    if (!organizationId) {
+      return res.status(400).json({ error: 'Organization ID is required in X-Organization-ID header.' });
+    }
+
+    const userOrg = req.user.userOrganizations.find(
+      uo => uo.organizationId === organizationId
+    );
+
+    if (!userOrg) {
+      return res.status(403).json({ error: 'Access denied to this organization.' });
+    }
+
+    req.organizationId = organizationId;
+    req.userRole = userOrg.role;
+    req.organization = userOrg.organization;
+    next();
+  } catch (error) {
+    return res.status(500).json({ error: 'Internal server error.' });
+  }
+};
+
+export const requireRole = (roles) => {
+  return (req, res, next) => {
+    if (!roles.includes(req.userRole)) {
+      return res.status(403).json({ error: 'Insufficient permissions.' });
+    }
+    next();
+  };
+};
+
+export const requireSuperAdmin = (req, res, next) => {
+  if (!req.user.email.endsWith('@micropyramid.com')) {
+    return res.status(403).json({ error: 'Super admin access required.' });
+  }
+  next();
+};

api/middleware/auth.js

@@ -0,0 +1,24 @@
+import { createLogger } from '../config/logger.js';
+
+const logger = createLogger();
+
+export const errorHandler = (err, req, res, next) => {
+  logger.error('Unhandled Error', {
+    error: err.message,
+    stack: err.stack,
+    method: req.method,
+    url: req.url,
+    userId: req.user?.id,
+    organizationId: req.organizationId,
+    timestamp: new Date().toISOString(),
+  });
+
+  if (process.env.NODE_ENV === 'production') {
+    res.status(500).json({ error: 'Internal server error' });
+  } else {
+    res.status(500).json({ 
+      error: err.message,
+      stack: err.stack 
+    });
+  }
+};

api/middleware/errorHandler.js

@@ -0,0 +1,76 @@
+export const requestLogger = (req, res, next) => {
+  const start = Date.now();
+  
+  const originalSend = res.send;
+  const originalJson = res.json;
+  
+  let responseBody = null;
+  let requestBody = null;
+
+  if (req.body && Object.keys(req.body).length > 0) {
+    requestBody = { ...req.body };
+    if (requestBody.password) requestBody.password = '[REDACTED]';
+    if (requestBody.token) requestBody.token = '[REDACTED]';
+  }
+
+  res.send = function(body) {
+    responseBody = body;
+    return originalSend.call(this, body);
+  };
+
+  res.json = function(body) {
+    responseBody = body;
+    return originalJson.call(this, body);
+  };
+
+  res.on('finish', () => {
+    const duration = Date.now() - start;
+    
+    const logData = {
+      method: req.method,
+      url: req.url,
+      statusCode: res.statusCode,
+      duration: `${duration}ms`,
+      userAgent: req.get('User-Agent'),
+      ip: req.ip,
+      timestamp: new Date().toISOString(),
+    };
+
+    if (process.env.LOG_REQUEST_BODY === 'true' && requestBody) {
+      logData.requestBody = requestBody;
+    }
+
+    if (process.env.LOG_RESPONSE_BODY === 'true' && responseBody) {
+      try {
+        logData.responseBody = typeof responseBody === 'string' ? JSON.parse(responseBody) : responseBody;
+      } catch (e) {
+        logData.responseBody = responseBody;
+      }
+    }
+
+    if (req.user) {
+      logData.userId = req.user.id;
+      logData.userEmail = req.user.email;
+    }
+
+    if (req.organizationId) {
+      logData.organizationId = req.organizationId;
+    }
+
+    console.log(`\n=== HTTP REQUEST LOG ===`);
+    console.log(`${req.method} ${req.url} - ${res.statusCode} - ${duration}ms`);
+    
+    if (requestBody) {
+      console.log('REQUEST BODY:', JSON.stringify(requestBody, null, 2));
+    }
+    
+    if (responseBody) {
+      console.log('RESPONSE BODY:', JSON.stringify(responseBody, null, 2));
+    }
+    
+    console.log('FULL LOG DATA:', JSON.stringify(logData, null, 2));
+    console.log(`=== END LOG ===\n`);
+  });
+
+  next();
+};