feat: completed backend tasks including RBAC, file upload, cleanup command, and frontend updates

Author: sathwik4329

.gitignore

@@ -1,33 +1,49 @@
-# Logs
-logs
+# LOGS
+
+logs/
 *.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 lerna-debug.log*
 
-# Editor directories and files
+# EDITORS / OS
 .vscode/*
 !.vscode/extensions.json
-.idea
+.idea/
 .DS_Store
 *.suo
 *.ntvs*
 *.njsproj
 *.sln
 *.sw?
 
-# Client
-client/node_modules
-client/dist
-client/dist-ssr
-client/*.local
+# NODE / NEXT.JS
+node_modules/
+.next/
+out/
+
+# PYTHON
+venv/
+__pycache__/
+*.pyc
+
+# ENV FILES
+.env
+.env.local
+
+# FRONTEND
+
+frontend/node_modules/
+frontend/.next/
+
 
-# Server
-server/.env
-server/node_modules
-server/dist
+# BACKEND
+backend/venv/
+backend/__pycache__/
+backend/uploads/
 
-# prompts
+# TEMP / NOTES
+*.txt
 prompts/debug

backend/authentication/migrations/0002_customuser_role_alter_customuser_is_active.py

@@ -0,0 +1,30 @@
+# Generated by Django 5.0.2 on 2026-01-29 18:22
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentication", "0001_initial"),
+        ("chat", "0004_uploadedfile_uploaded_by"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="customuser",
+            name="role",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="users",
+                to="chat.role",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="customuser",
+            name="is_active",
+            field=models.BooleanField(default=True),
+        ),
+    ]

backend/authentication/models.py

@@ -1,4 +1,8 @@
-from django.contrib.auth.models import AbstractBaseUser, BaseUserManager, PermissionsMixin
+from django.contrib.auth.models import (
+    AbstractBaseUser,
+    BaseUserManager,
+    PermissionsMixin,
+)
 from django.db import models
 
 
@@ -17,8 +21,8 @@ def create_user(self, email, password, **extra_fields):
         email = self.normalize_email(email)
         user = self.model(email=email, **extra_fields)
         user.set_password(password)
+        user.is_active = True
         user.save(using=self._db)
-
         return user
 
     def create_superuser(self, email, password, **extra_fields):
@@ -31,9 +35,20 @@ def create_superuser(self, email, password, **extra_fields):
 
 class CustomUser(AbstractBaseUser, PermissionsMixin):
     email = models.EmailField(unique=True)
-    is_active = models.BooleanField(default=False)
+
+    #  Django auth flags
+    is_active = models.BooleanField(default=True)
     is_staff = models.BooleanField(default=False)
 
+    #  ROLE-BASED ACCESS CONTROL
+    role = models.ForeignKey(
+        "chat.Role",
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="users",
+    )
+
     objects = CustomUserManager()
 
     USERNAME_FIELD = "email"

backend/authentication/views.py

@@ -2,78 +2,107 @@
 from django.contrib.auth import authenticate, login, logout
 from django.http import JsonResponse
 from django.middleware.csrf import get_token
+from django.views.decorators.csrf import csrf_exempt
+
 from rest_framework import status
-from rest_framework.decorators import api_view
+from rest_framework.decorators import (
+    api_view,
+    permission_classes,
+    authentication_classes,
+)
+from rest_framework.permissions import AllowAny, IsAuthenticated
 
 from authentication.models import CustomUser
 
 
 @api_view(["GET"])
+@permission_classes([AllowAny])
 def auth_root_view(request):
     return JsonResponse({"message": "Auth endpoint works!"})
 
 
 @api_view(["GET"])
+@permission_classes([AllowAny])
 def csrf_token(request):
-    token = get_token(request)
-    return JsonResponse({"data": token})
+    return JsonResponse({"csrfToken": get_token(request)})
+
 
 
+@csrf_exempt
 @api_view(["POST"])
+@authentication_classes([])     
+@permission_classes([AllowAny])
 def login_view(request):
     email = request.data.get("email")
     password = request.data.get("password")
 
-    try:
-        user = CustomUser.objects.get(email=email)
-    except CustomUser.DoesNotExist:
-        return JsonResponse({"error": "Invalid credentials"}, status=status.HTTP_401_UNAUTHORIZED)
-
-    # Check if the user is active
-    if not user.is_active:
-        return JsonResponse({"error": "User is not active"}, status=status.HTTP_401_UNAUTHORIZED)
+    if not email or not password:
+        return JsonResponse(
+            {"error": "Email and password required"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
 
     user = authenticate(request, email=email, password=password)
-    if user is not None:
-        login(request, user)
-        response = JsonResponse({"data": "Login successful"})
+    if not user:
+        return JsonResponse(
+            {"error": "Invalid credentials"},
+            status=status.HTTP_401_UNAUTHORIZED,
+        )
 
-        # Set session cookie manually
-        session_key = request.session.session_key
-        session_cookie_name = settings.SESSION_COOKIE_NAME
-        max_age = settings.SESSION_COOKIE_AGE
-        response.set_cookie(session_cookie_name, session_key, max_age=max_age, httponly=True)
-
-        return response
-    else:
-        return JsonResponse({"error": "Invalid credentials"}, status=status.HTTP_401_UNAUTHORIZED)
+    if not user.is_active:
+        return JsonResponse(
+            {"error": "User inactive"},
+            status=status.HTTP_403_FORBIDDEN,
+        )
+
+    login(request, user)
+
+    response = JsonResponse({"message": "Login successful"})
+    response.set_cookie(
+        settings.SESSION_COOKIE_NAME,
+        request.session.session_key,
+        httponly=True,
+    )
+    return response
 
 
+@csrf_exempt
 @api_view(["POST"])
+@authentication_classes([])   
+@permission_classes([AllowAny])
 def logout_view(request):
     logout(request)
-    response = JsonResponse({"data": "Logout successful"})
+    response = JsonResponse({"message": "Logout successful"})
     response.delete_cookie(settings.SESSION_COOKIE_NAME)
-
     return response
 
 
 @api_view(["POST"])
+@permission_classes([AllowAny])
 def register_view(request):
     email = request.data.get("email")
     password = request.data.get("password")
+
     if not email or not password:
-        return JsonResponse({"error": "Email and password are required"}, status=status.HTTP_400_BAD_REQUEST)
+        return JsonResponse(
+            {"error": "Email and password required"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
 
     if CustomUser.objects.filter(email=email).exists():
-        return JsonResponse({"error": "Email is already taken"}, status=status.HTTP_400_BAD_REQUEST)
+        return JsonResponse(
+            {"error": "Email already exists"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
 
-    CustomUser.objects.create_user(email, password=password)
-    return JsonResponse({"data": "User created successfully"}, status=status.HTTP_201_CREATED)
+    CustomUser.objects.create_user(email=email, password=password)
+    return JsonResponse(
+        {"message": "User created"},
+        status=status.HTTP_201_CREATED,
+    )
 
 
 @api_view(["GET"])
+@permission_classes([IsAuthenticated])
 def verify_session(request):
-    session_cookie = request.COOKIES.get("sessionid")
-    is_authenticated = request.user.is_authenticated and session_cookie == request.session.session_key
-    return JsonResponse({"data": is_authenticated})
+    return JsonResponse({"authenticated": True})

backend/backend/settings.py

@@ -30,10 +30,10 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-ALLOWED_HOSTS = []
-
+ALLOWED_HOSTS = [
+    "*"
+]
 # Application definition
-
 INSTALLED_APPS = [
     "django.contrib.admin",
     "django.contrib.auth",
@@ -44,11 +44,13 @@
     "corsheaders",
     "rest_framework",
     "nested_admin",
+    "django_crontab",  
     "authentication",
     "chat",
     "gpt",
 ]
 
+
 MIDDLEWARE = [
     "corsheaders.middleware.CorsMiddleware",
     "django.middleware.security.SecurityMiddleware",
@@ -57,7 +59,6 @@
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
-    "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 ROOT_URLCONF = "backend.urls"
@@ -81,13 +82,14 @@
 WSGI_APPLICATION = "backend.wsgi.application"
 
 
-# Database
-# https://docs.djangoproject.com/en/4.2/ref/settings/#databases
-
 DATABASES = {
     "default": {
-        "ENGINE": "django.db.backends.sqlite3",
-        "NAME": BASE_DIR / "db.sqlite3",
+        "ENGINE": "django.db.backends.postgresql",
+        "NAME": "soulpage_db",
+        "USER": "soulpage_user",
+        "PASSWORD": "strongpassword",
+        "HOST": "localhost",
+        "PORT": "5432",
     }
 }
 
@@ -138,14 +140,36 @@
 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
 CORS_ALLOWED_ORIGINS = [
-    FRONTEND_URL,
+    "http://localhost:3000",
+    "http://127.0.0.1:3000",
 ]
+
 CORS_ALLOW_CREDENTIALS = True
 
+
 CSRF_TRUSTED_ORIGINS = [
     FRONTEND_URL,
 ]
 
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_SAMESITE = "None"
+
+#  BYPASS AUTHENTICATION 
+REST_FRAMEWORK = {
+    "DEFAULT_AUTHENTICATION_CLASSES": [
+        "rest_framework.authentication.BasicAuthentication",
+        "rest_framework.authentication.SessionAuthentication",
+    ],
+}
+
+
+# Cron jobs
+
+CRONJOBS = [
+    (
+        "*/1 * * * *",
+        "django.core.management.call_command",
+        ["cleanup_conversations"],
+    ),
+]