fix: harden EduDesk API handlers and dashboard state

app/api/announcements/[id]/route.ts

@@ -4,7 +4,7 @@ import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Announcement } from '@/models/Announcement'
 
-const ALLOWED_FIELDS = ['title', 'content', 'body', 'audience', 'category', 'pinned', 'expiresAt']
+const ALLOWED_FIELDS = ['title', 'content', 'audience', 'category', 'pinned']
 
 export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
   const { userId } = await auth()
@@ -35,8 +35,12 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
       }
     }
 
+    if (Object.keys(sanitizedBody).length === 0) {
+      return NextResponse.json({ error: 'No valid announcement fields provided' }, { status: 400 })
+    }
+
     const announcement = await Announcement.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       { $set: sanitizedBody },
       { new: true, runValidators: true, context: 'query' }
     )
@@ -46,6 +50,16 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
     if (error instanceof Error) {
       console.error('PUT /api/announcements/[id] error:', error.message)
     }
+    if (error instanceof mongoose.Error.ValidationError) {
+      const firstError = Object.values(error.errors)[0]
+      return NextResponse.json(
+        { error: firstError?.message ?? 'Invalid announcement update' },
+        { status: 400 }
+      )
+    }
+    if (error instanceof mongoose.Error.CastError) {
+      return NextResponse.json({ error: error.message }, { status: 400 })
+    }
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
@@ -63,7 +77,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
     }
 
     await connectDB()
-    const deleted = await Announcement.findOneAndDelete({ _id: id })
+    const deleted = await Announcement.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Not found' }, { status: 404 })

app/api/assignments/[id]/route.ts

@@ -4,7 +4,7 @@ import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Assignment } from '@/models/Assignment'
 
-const ALLOWED_UPDATE_FIELDS = ['title', 'description', 'dueDate', 'deadline', 'subject', 'class', 'status', 'kanbanStatus', 'maxMarks']
+const ALLOWED_UPDATE_FIELDS = ['title', 'description', 'deadline', 'subject', 'class', 'status', 'kanbanStatus', 'maxMarks']
 
 export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
   const { userId } = await auth()
@@ -35,17 +35,31 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
       }
     }
 
+    if (Object.keys(sanitizedBody).length === 0) {
+      return NextResponse.json({ error: 'No valid assignment fields provided' }, { status: 400 })
+    }
+
     const assignment = await Assignment.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       sanitizedBody,
-      { new: true }
+      { new: true, runValidators: true, context: 'query' }
     )
     if (!assignment) return NextResponse.json({ error: 'Not found' }, { status: 404 })
     return NextResponse.json(assignment)
   } catch (error) {
     if (error instanceof Error) {
       console.error('PUT /api/assignments/[id] error:', error.message)
     }
+    if (error instanceof mongoose.Error.ValidationError) {
+      const firstError = Object.values(error.errors)[0]
+      return NextResponse.json(
+        { error: firstError?.message ?? 'Invalid assignment update' },
+        { status: 400 }
+      )
+    }
+    if (error instanceof mongoose.Error.CastError) {
+      return NextResponse.json({ error: error.message }, { status: 400 })
+    }
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
@@ -63,7 +77,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
     }
 
     await connectDB()
-    const deleted = await Assignment.findOneAndDelete({ _id: id })
+    const deleted = await Assignment.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Not found' }, { status: 404 })

app/api/assignments/route.ts

@@ -1,5 +1,6 @@
 import { auth } from '@clerk/nextjs/server'
 import { NextRequest, NextResponse } from 'next/server'
+import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Assignment } from '@/models/Assignment'
 import { z } from 'zod'
@@ -52,7 +53,7 @@ export async function GET(req: NextRequest) {
     if (error instanceof Error) {
       console.error('GET /api/assignments error:', error.message)
     }
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
 
@@ -80,6 +81,16 @@ export async function POST(req: NextRequest) {
       if (dbError instanceof Error) {
         console.error('Assignment.create error:', dbError.message)
       }
+      if (dbError instanceof mongoose.Error.ValidationError) {
+        const firstError = Object.values(dbError.errors)[0]
+        return NextResponse.json(
+          { error: firstError?.message ?? 'Invalid assignment payload' },
+          { status: 400 }
+        )
+      }
+      if (dbError instanceof mongoose.Error.CastError) {
+        return NextResponse.json({ error: dbError.message }, { status: 400 })
+      }
       return NextResponse.json({ error: 'Failed to create assignment' }, { status: 500 })
     }
   } catch (error) {

app/api/attendance/route.ts

@@ -1,18 +1,19 @@
 import { auth } from '@clerk/nextjs/server'
 import { NextRequest, NextResponse } from 'next/server'
+import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Attendance } from '@/models/Attendance'
+import { Student } from '@/models/Student'
+import { normalizeDateOnly } from '@/lib/date'
 import { z } from 'zod'
 
 const AttendanceSchema = z.object({
   studentId: z.string().min(1),
-  studentName: z.string().min(1),
-  class: z.string().min(1),
   date: z.string().min(1),
   status: z.enum(['present', 'absent', 'late']),
 })
 
-const BulkSchema = z.array(AttendanceSchema)
+const BulkSchema = z.array(AttendanceSchema).min(1, 'At least one attendance record is required')
 
 export async function GET(req: NextRequest) {
   const { userId } = await auth()
@@ -30,21 +31,8 @@ export async function GET(req: NextRequest) {
 
     const query: Record<string, unknown> = { teacherId: userId };
 
-    // Helper to validate and normalize date strings to YYYY-MM-DD format
-    const normalizeDate = (dateStr: string): string | null => {
-      try {
-        // Try to parse as ISO date (YYYY-MM-DD or full ISO 8601)
-        const d = new Date(dateStr);
-        if (isNaN(d.getTime())) return null;
-        // Return in YYYY-MM-DD format for MongoDB string comparison
-        return d.toISOString().split("T")[0];
-      } catch {
-        return null;
-      }
-    };
-
     if (date) {
-      const normalized = normalizeDate(date);
+      const normalized = normalizeDateOnly(date);
       if (normalized) {
         query.date = normalized;
       } else {
@@ -56,7 +44,7 @@ export async function GET(req: NextRequest) {
     } else if (startDate || endDate) {
       const dateRange: Record<string, string> = {};
       if (startDate) {
-        const normalized = normalizeDate(startDate);
+        const normalized = normalizeDateOnly(startDate);
         if (normalized) dateRange.$gte = normalized;
         else
           return NextResponse.json(
@@ -65,7 +53,7 @@ export async function GET(req: NextRequest) {
           );
       }
       if (endDate) {
-        const normalized = normalizeDate(endDate);
+        const normalized = normalizeDateOnly(endDate);
         if (normalized) dateRange.$lte = normalized;
         else
           return NextResponse.json(
@@ -76,7 +64,12 @@ export async function GET(req: NextRequest) {
       query.date = dateRange;
     }
     if (cls) query.class = cls;
-    if (studentId) query.studentId = studentId;
+    if (studentId) {
+      if (!mongoose.Types.ObjectId.isValid(studentId)) {
+        return NextResponse.json({ error: 'Invalid studentId' }, { status: 400 })
+      }
+      query.studentId = studentId;
+    }
 
     const records = await Attendance.find(query)
       .sort({ date: -1, studentName: 1 })
@@ -123,20 +116,91 @@ export async function POST(req: NextRequest) {
         { status: 400 },
       );
 
+    const records = isBulk
+      ? (parsed.data as z.infer<typeof BulkSchema>)
+      : [parsed.data as z.infer<typeof AttendanceSchema>]
+
+    const normalizedRecords = records.map((record) => {
+      const normalizedDate = normalizeDateOnly(record.date)
+      if (!normalizedDate) {
+        return null
+      }
+
+      return {
+        ...record,
+        date: normalizedDate,
+      }
+    })
+
+    if (normalizedRecords.some((record) => record === null)) {
+      return NextResponse.json(
+        { error: 'Invalid date format. Use YYYY-MM-DD or ISO 8601' },
+        { status: 400 },
+      )
+    }
+
+    const safeRecords = normalizedRecords as (z.infer<typeof AttendanceSchema> & { date: string })[]
+
+    const studentIds = [...new Set(safeRecords.map((record) => record.studentId))]
+    if (!studentIds.every((studentId) => mongoose.Types.ObjectId.isValid(studentId))) {
+      return NextResponse.json({ error: 'Invalid studentId' }, { status: 400 })
+    }
+
+    const students = await Student.find({
+      _id: { $in: studentIds },
+      teacherId: userId,
+    })
+      .select('_id name class')
+      .lean()
+
+    const studentMap = new Map(
+      students.map((student) => [String(student._id), student]),
+    )
+
+    if (studentMap.size !== studentIds.length) {
+      return NextResponse.json(
+        { error: 'One or more students were not found for this teacher' },
+        { status: 400 },
+      )
+    }
+
     if (isBulk) {
-      const ops = (parsed.data as z.infer<typeof BulkSchema>).map((record) => ({
+      const ops = safeRecords.map((record) => {
+        const student = studentMap.get(record.studentId)!
+
+        return {
         updateOne: {
           filter: { teacherId: userId, studentId: record.studentId, date: record.date },
-          update: { $set: { ...record, teacherId: userId } },
+          update: {
+            $set: {
+              teacherId: userId,
+              studentId: record.studentId,
+              studentName: student.name,
+              class: student.class,
+              date: record.date,
+              status: record.status,
+            },
+          },
           upsert: true,
         },
-      }))
+      }})
       await Attendance.bulkWrite(ops)
       return NextResponse.json({ success: true, count: ops.length })
     } else {
+      const recordData = safeRecords[0]
+      const student = studentMap.get(recordData.studentId)!
       const record = await Attendance.findOneAndUpdate(
-        { teacherId: userId, studentId: (parsed.data as z.infer<typeof AttendanceSchema>).studentId, date: (parsed.data as z.infer<typeof AttendanceSchema>).date },
-        { $set: { ...(parsed.data as z.infer<typeof AttendanceSchema>), teacherId: userId } },
+        { teacherId: userId, studentId: recordData.studentId, date: recordData.date },
+        {
+          $set: {
+            teacherId: userId,
+            studentId: recordData.studentId,
+            studentName: student.name,
+            class: student.class,
+            date: recordData.date,
+            status: recordData.status,
+          },
+        },
         { upsert: true, new: true }
       )
       return NextResponse.json(record, { status: 201 })