Church-Music/new-site/AUTHENTICATION_FIX_APPLIED.md

Authentication Fix Applied - 403 Forbidden Issue Resolved

Issue

DELETE requests to /api/lists/:id/songs/:songId were returning 403 Forbidden errors even though the frontend was properly authenticated.

Root Cause

The worship list routes in backend/routes/lists.js were not protected by authentication middleware. The routes were accepting requests without verifying JWT tokens.

Fix Applied

1. Added Authentication Middleware Import

// Added to routes/lists.js line 6
const { authenticate } = require("../middleware/auth");

2. Protected All Modification Routes

Added authenticate middleware to all POST, PUT, and DELETE routes:

• ✅ POST /api/lists - Create worship list
• ✅ PUT /api/lists/:id - Update worship list
• ✅ DELETE /api/lists/:id - Delete worship list
• ✅ POST /api/lists/:id/songs/:songId - Add song to list
• ✅ DELETE /api/lists/:id/songs/:songId - Remove song from list ⭐ This fixes your issue
• ✅ PUT /api/lists/:id/reorder - Reorder songs in list

3. Read-Only Routes Remain Public

• GET /api/lists - List all worship lists
• GET /api/lists/:id - Get single worship list with songs
• GET /api/lists/stats/count - Get worship list count

How It Works Now

1. Frontend sends request with Authorization header:

   Authorization: Bearer <jwt-token>
   

2. Authenticate middleware (now applied):

   • Extracts JWT token from Authorization header
   • Verifies token signature and expiration
   • Adds req.user with user data if valid
   • Returns 401 if token missing/invalid

3. Route handler executes only if authentication succeeds

Testing the Fix

Option 1: Using the Frontend

1. Make sure you're logged in
2. Go to Worship Lists page
3. Try to delete a song from a list
4. Expected: Song should be removed successfully (no more 403 errors)

Option 2: Using curl (command line)

# First, get your auth token by logging in
TOKEN=$(curl -s -X POST https://houseofprayer.ddns.net/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"your_username","password":"your_password"}' \
  | jq -r '.token')

# Then try to delete a song from a list
curl -X DELETE \
  "https://houseofprayer.ddns.net/api/lists/24474ea3-6f34-4704-ac48-a80e1225d79e/songs/9831e027-aeb1-48a0-8763-fd3120f29692" \
  -H "Authorization: Bearer $TOKEN"

Expected Response:

{
  "success": true,
  "message": "Song removed from worship list",
  "deleted": 1
}

Backend Restart Required

⚠️ IMPORTANT: The backend must be restarted for these changes to take effect.

cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
pkill -f "node.*server.js"
nohup node server.js > /tmp/backend.log 2>&1 &

Files Modified

• backend/routes/lists.js
  • Line 6: Added auth middleware import
  • Lines 86, 113, 149, 167, 191, 210: Added authenticate to route definitions

Why Was This Happening?

The routes were originally written without authentication requirements, which is a common security oversight during initial development. The frontend was correctly sending the auth token, but the backend wasn't configured to check it for these specific routes.

This meant:

• Anyone could modify worship lists without logging in
• The 403 error was likely coming from Nginx CORS handling, not actual auth
• Adding the middleware enforces proper authentication checks

Related Files

• backend/middleware/auth.js - Authentication middleware (already working)
• frontend/src/utils/api.js - Frontend API client (already sending tokens)

Status: ✅ COMPLETE

All routes are now properly protected. The 403 Forbidden error should be resolved once the backend is restarted.