WXYC · jakebromberg · Apr 1, 2026 · Feb 21, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/apps/backend/routes/schedule.route.ts b/apps/backend/routes/schedule.route.ts
@@ -1,11 +1,12 @@
+import { requirePermissions } from '@wxyc/authentication';
 import { Router } from 'express';
 import * as scheduleController from '../controllers/schedule.controller.js';
 
 export const schedule_route = Router();
 
 schedule_route.get('/', scheduleController.getSchedule);
 
-schedule_route.post('/', scheduleController.addToSchedule);
+schedule_route.post('/', requirePermissions({ flowsheet: ['write'] }), scheduleController.addToSchedule);
 
 /*
 schedule_route.delete('/', scheduleController.removeFromSchedule);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -57,6 +57,7 @@
     "@types/node": "^24.12.0",
     "@types/pg": "^8.20.0",
     "@types/ssh2": "^1.15.5",
+    "@types/supertest": "^6.0.3",
     "@types/swagger-ui-express": "^4.1.8",
     "concurrently": "^9.2.1",
     "drizzle-kit": "^0.31.10",

diff --git a/tests/mocks/authentication.mock.ts b/tests/mocks/authentication.mock.ts
@@ -1,3 +1,5 @@
+import { Request, Response, NextFunction } from 'express';
+
 /**
  * Minimal mock for @wxyc/authentication workspace package.
  * Tests that need auth should provide their own jest.mock() factory.
@@ -8,4 +10,12 @@ export const auth = {
   },
 };
 
-export const requirePermissions = () => (_req: unknown, _res: unknown, next: () => void) => next();
+export function requirePermissions(_required: Record<string, string[]>) {
+  return (req: Request, res: Response, next: NextFunction) => {
+    const authHeader = req.headers.authorization;
+    if (!authHeader) {
+      return res.status(401).json({ error: 'Unauthorized: Missing Authorization header.' });
+    }
+    return next();
+  };
+}
diff --git a/tests/mocks/database.mock.ts b/tests/mocks/database.mock.ts
@@ -115,6 +115,7 @@ export const user = {
   capabilities: 'capabilities',
 };
 export const specialty_shows = {};
+export const schedule = {};
 
 // Mock enum
 export const flowsheetEntryTypeEnum = () => ({});
@@ -173,3 +174,4 @@ export type BinEntry = {
   track_title: string | null;
 };
 export type NewBinEntry = Omit<BinEntry, 'id'>;
+export type NewShift = Record<string, unknown>;
diff --git a/tests/unit/routes/schedule.route.test.ts b/tests/unit/routes/schedule.route.test.ts
@@ -0,0 +1,19 @@
+import express from 'express';
+import request from 'supertest';
+import { schedule_route } from '../../../apps/backend/routes/schedule.route';
+
+const app = express();
+app.use(express.json());
+app.use('/schedule', schedule_route);
+
+describe('schedule route', () => {
+  it('POST /schedule requires authentication', async () => {
+    const response = await request(app).post('/schedule').send({});
+    expect(response.status).toBe(401);
+  });
+
+  it('GET /schedule is publicly accessible', async () => {
+    const response = await request(app).get('/schedule');
+    expect(response.status).toBe(200);
+  });
+});