fix: apply showMemberMiddleware to flowsheet write routes

The middleware was imported but never applied, allowing any authenticated
DJ to modify flowsheet entries regardless of show membership.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: jakebromberg

apps/backend/app.ts

@@ -10,7 +10,6 @@ import { library_route } from './routes/library.route.js';
 import { schedule_route } from './routes/schedule.route.js';
 import { events_route } from './routes/events.route.js';
 import { request_line_route } from './routes/requestLine.route.js';
-import { showMemberMiddleware } from './middleware/checkShowMember.js';
 import { activeShow } from './middleware/checkActiveShow.js';
 import errorHandler from './middleware/errorHandler.js';
 import { requirePermissions } from '@wxyc/authentication';

apps/backend/middleware/checkShowMember.ts

@@ -2,16 +2,17 @@ import { RequestHandler } from 'express';
 import { getDJsInCurrentShow } from '../services/flowsheet.service.js';
 
 export const showMemberMiddleware: RequestHandler = async (req, res, next) => {
-  const show_djs = await getDJsInCurrentShow();
-  // Get user ID from JWT - check both req.auth (from better-auth middleware) and res.locals (legacy)
-  const user_id = req.auth?.id || req.auth?.sub || res.locals.decodedJWT?.id || res.locals.decodedJWT?.userId;
-  const dj_in_show = show_djs.filter((dj) => {
-    return dj.id === user_id;
-  }).length;
+  try {
+    const show_djs = await getDJsInCurrentShow();
+    const user_id = req.auth?.id || req.auth?.sub || res.locals.decodedJWT?.id || res.locals.decodedJWT?.userId;
+    const dj_in_show = show_djs.some((dj) => dj.id === user_id);
 
-  if (dj_in_show > 0) {
-    next();
-  } else {
-    res.status(400).json({ message: 'Bad Request: DJ not a member of show' });
+    if (dj_in_show) {
+      next();
+    } else {
+      res.status(400).json({ message: 'Bad Request: DJ not a member of show' });
+    }
+  } catch {
+    res.status(500).json({ message: 'Internal server error checking show membership' });
   }
 };

apps/backend/routes/flowsheet.route.ts

@@ -3,6 +3,7 @@ import { Router } from 'express';
 import * as flowsheetController from '../controllers/flowsheet.controller';
 import { flowsheetMirror } from '../middleware/legacy/flowsheet.mirror';
 import { conditionalGet } from '../middleware/conditionalGet';
+import { showMemberMiddleware } from '../middleware/checkShowMember';
 
 export const flowsheet_route = Router();
 
@@ -11,20 +12,23 @@ flowsheet_route.get('/', conditionalGet, flowsheetMirror.getEntries, flowsheetCo
 flowsheet_route.post(
   '/',
   requirePermissions({ flowsheet: ['write'] }),
+  showMemberMiddleware,
   flowsheetMirror.addEntry,
   flowsheetController.addEntry
 );
 
 flowsheet_route.patch(
   '/',
   requirePermissions({ flowsheet: ['write'] }),
+  showMemberMiddleware,
   flowsheetMirror.updateEntry,
   flowsheetController.updateEntry
 );
 
 flowsheet_route.delete(
   '/',
   requirePermissions({ flowsheet: ['write'] }),
+  showMemberMiddleware,
   flowsheetMirror.deleteEntry,
   flowsheetController.deleteEntry
 );

tests/unit/middleware/checkShowMember.test.ts

@@ -0,0 +1,84 @@
+import { jest } from '@jest/globals';
+import type { Request, Response, NextFunction } from 'express';
+
+const mockGetDJsInCurrentShow = jest.fn<() => Promise<{ id: string }[]>>();
+
+jest.mock('../../../apps/backend/services/flowsheet.service', () => ({
+  getDJsInCurrentShow: mockGetDJsInCurrentShow,
+}));
+
+import { showMemberMiddleware } from '../../../apps/backend/middleware/checkShowMember';
+
+function createMockReqResNext(userId: string) {
+  const req = {
+    auth: { id: userId },
+  } as unknown as Request;
+
+  const res = {
+    status: jest.fn().mockReturnThis(),
+    json: jest.fn().mockReturnThis(),
+    locals: {},
+  } as unknown as Response;
+
+  const next = jest.fn() as unknown as NextFunction;
+
+  return { req, res, next };
+}
+
+describe('showMemberMiddleware', () => {
+  it('rejects a DJ who is not in the current show', async () => {
+    mockGetDJsInCurrentShow.mockResolvedValue([
+      { id: 'dj-alice' },
+      { id: 'dj-bob' },
+    ]);
+
+    const { req, res, next } = createMockReqResNext('dj-charlie');
+
+    await showMemberMiddleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({
+      message: 'Bad Request: DJ not a member of show',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('allows a DJ who is in the current show', async () => {
+    mockGetDJsInCurrentShow.mockResolvedValue([
+      { id: 'dj-alice' },
+      { id: 'dj-bob' },
+    ]);
+
+    const { req, res, next } = createMockReqResNext('dj-alice');
+
+    await showMemberMiddleware(req, res, next);
+
+    expect(next).toHaveBeenCalled();
+    expect(res.status).not.toHaveBeenCalled();
+  });
+
+  it('rejects when there are no DJs in the current show', async () => {
+    mockGetDJsInCurrentShow.mockResolvedValue([]);
+
+    const { req, res, next } = createMockReqResNext('dj-alice');
+
+    await showMemberMiddleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('returns 500 when getDJsInCurrentShow throws', async () => {
+    mockGetDJsInCurrentShow.mockRejectedValue(new Error('DB connection lost'));
+
+    const { req, res, next } = createMockReqResNext('dj-alice');
+
+    await showMemberMiddleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({
+      message: 'Internal server error checking show membership',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+});