fix: all fix; final code

src/app.js

@@ -5,7 +5,7 @@
 import compression from 'compression';
 import hpp from 'hpp';
 
 import { globalLimiter } from './middleware/rateLimiter.js';
 import { errorHandler } from './middleware/errorHandler.js';
 import { metricsMiddleware } from './middleware/metricsMiddleware.js';
 import { register } from './config/metrics.js';
@@ -87,7 +87,7 @@
   });
 });
 
-app.use(globalLimiter);
+//app.use(globalLimiter);
 
 app.use('/api/auth', authRoutes);
 app.use('/api/payment', paymentRoutes);

src/controllers/aptcontrol.js

@@ -85,7 +85,7 @@ const updateAppointment = async (req, res, next) => {
 
     if (
       req.user.role === "doctor" &&
-      appointment.doctor.toString() !== req.user.id
+      appointment.doctor.toString() !== req.user.id.toString()
     ) {
       return res.status(403).json({
         success: false,

src/controllers/authcontroller.js

@@ -47,6 +47,7 @@ export const login = async (req, res) => {
       role: user.role,
       token,
       user: {
+        id: user._id,
         email: user.email,
         role: user.role,
         status: user.status,

src/middleware/authmiddleware.js

@@ -31,7 +31,7 @@ export const protect = async (req, res, next) => {
 
       req.user = {
         id: user._id,
-        role: user.role.toLowerCase(),
+        role: String(user.role || '').trim().toLowerCase(),
         email: user.email,
       };
 
@@ -57,8 +57,9 @@ export const protect = async (req, res, next) => {
 export const authorize = (...roles) => {
   return (req, res, next) => {
     const allowedRoles = Array.isArray(roles[0]) ? roles[0] : roles;
+    const normalizedAllowed = allowedRoles.map((r) => String(r || '').trim().toLowerCase());
 
-    if (!req.user || !allowedRoles.includes(req.user.role)) {
+    if (!req.user || !normalizedAllowed.includes(String(req.user.role || '').trim().toLowerCase())) {
       return res.status(403).json({
         success: false,
         message: "Access denied",

src/routes/appointment.js

@@ -7,28 +7,28 @@ const router = express.Router();
 router.post(
   '/',
   protect,
-  authorize('admin', 'doctor', 'receptionist'),
+  authorize('admin', 'doctor', 'receptionist','billing'),
   appointmentController.createAppointment
 );
 
 router.get(
   '/',
   protect,
-  authorize('admin', 'doctor', 'receptionist', 'patient'),
+  authorize('admin', 'doctor', 'receptionist', 'patient', 'billing'),
   appointmentController.getAppointments
 );
 
 router.get(
   '/:id',
   protect,
-  authorize('admin', 'doctor', 'receptionist', 'patient'),
+  authorize('admin', 'doctor', 'receptionist', 'patient', 'billing'),
   appointmentController.getAppointmentById
 );
 
 router.put(
   '/:id',
   protect,
-  authorize('admin', 'doctor', 'receptionist'),
+  authorize('admin', 'doctor', 'receptionist','billing'),
   appointmentController.updateAppointment
 );
 

src/routes/patient.js

@@ -5,12 +5,14 @@ import * as patientController from '../controllers/patient.js';
 const router = express.Router();
 
 
-router.get('/', protect, authorize('admin', 'doctor','receptionist'), patientController.getPatients);
+router.get('/', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.getPatients);
 
-router.post('/', protect, authorize('admin', 'doctor','receptionist'), patientController.createPatient);
+router.get('/:id', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.getPatientById);
 
-router.put('/:id', protect, authorize('admin', 'doctor','receptionist'), patientController.updatePatient);
+router.post('/', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.createPatient);
 
-router.delete('/:id', protect, authorize('admin','receptionist'), patientController.deletePatient);
+router.put('/:id', protect, authorize('admin', 'doctor', 'receptionist','billing'), patientController.updatePatient);
+
+router.delete('/:id', protect, authorize('admin'), patientController.deletePatient);
 
 export default router;