Upload 4 files

Dockerfile(1)

@@ -0,0 +1,16 @@
+FROM node:20-slim
+
+# Install SQLite dependencies
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install
+
+COPY . .
+
+# HuggingFace Spaces requires port 7860
+EXPOSE 7860
+
+CMD ["node", "server.js"]

README.md

@@ -1,10 +1,8 @@
 ---
-title: Findit Backend
-emoji: ⚡
-colorFrom: purple
+title: FindIt Backend
+emoji: 🔍
+colorFrom: blue
 colorTo: indigo
 sdk: docker
-pinned: false
+pinned: true
 ---
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "findit-backend",
+  "version": "1.0.0",
+  "description": "FindIt backend — Express + SQLite",
+  "main": "server.js",
+  "scripts": {
+    "start": "node server.js"
+  },
+  "dependencies": {
+    "better-sqlite3": "^9.4.3",
+    "bcryptjs": "^2.4.3",
+    "cors": "^2.8.5",
+    "express": "^4.18.2",
+    "jsonwebtoken": "^9.0.2",
+    "multer": "^1.4.5-lts.1",
+    "nodemailer": "^6.9.9",
+    "uuid": "^9.0.0"
+  }
+}

server.js

@@ -0,0 +1,544 @@
+// ============================================================
+//  FindIt Backend — Express + SQLite
+//  Runs on HuggingFace Spaces (port 7860)
+// ============================================================
+
+const express    = require('express');
+const cors       = require('cors');
+const Database   = require('better-sqlite3');
+const jwt        = require('jsonwebtoken');
+const { v4: uuid } = require('uuid');
+const nodemailer = require('nodemailer');
+const path       = require('path');
+const fs         = require('fs');
+
+const app  = express();
+const PORT = 7860;
+
+// ── ENV / CONFIG ──────────────────────────────────────────────────────────────
+// Set these as HuggingFace Space secrets (Settings → Variables and secrets)
+const JWT_SECRET     = process.env.JWT_SECRET     || 'change_this_to_a_random_string';
+const FRONTEND_URL   = process.env.FRONTEND_URL   || '*';           // your Cloudflare Pages URL
+const EMAIL_HOST     = process.env.EMAIL_HOST     || '';            // e.g. smtp.gmail.com
+const EMAIL_PORT     = process.env.EMAIL_PORT     || '587';
+const EMAIL_USER     = process.env.EMAIL_USER     || '';            // your email
+const EMAIL_PASS     = process.env.EMAIL_PASS     || '';            // app password
+const EMAIL_FROM     = process.env.EMAIL_FROM     || 'FindIt <noreply@findit.app>';
+const SUPER_ADMIN_EMAIL = process.env.SUPER_ADMIN_EMAIL || '';      // your email — auto gets super_admin
+
+// ── DATABASE ──────────────────────────────────────────────────────────────────
+const DB_PATH = process.env.DB_PATH || '/data/findit.db';
+
+// Make sure /data directory exists (HuggingFace persistent storage)
+const dbDir = path.dirname(DB_PATH);
+if (!fs.existsSync(dbDir)) fs.mkdirSync(dbDir, { recursive: true });
+
+const db = new Database(DB_PATH);
+db.pragma('journal_mode = WAL');
+db.pragma('foreign_keys = ON');
+
+// ── SCHEMA ────────────────────────────────────────────────────────────────────
+db.exec(`
+  CREATE TABLE IF NOT EXISTS profiles (
+    id         TEXT PRIMARY KEY,
+    email      TEXT UNIQUE NOT NULL,
+    uid        TEXT UNIQUE NOT NULL,
+    name       TEXT NOT NULL,
+    initials   TEXT NOT NULL,
+    color      TEXT NOT NULL DEFAULT '#5b8dff',
+    role       TEXT NOT NULL DEFAULT 'user' CHECK(role IN ('user','admin','super_admin')),
+    is_banned  INTEGER NOT NULL DEFAULT 0,
+    points     INTEGER NOT NULL DEFAULT 0,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS magic_tokens (
+    id         TEXT PRIMARY KEY,
+    email      TEXT NOT NULL,
+    token      TEXT UNIQUE NOT NULL,
+    used       INTEGER NOT NULL DEFAULT 0,
+    expires_at TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS posts (
+    id          TEXT PRIMARY KEY,
+    author_id   TEXT NOT NULL REFERENCES profiles(id),
+    title       TEXT NOT NULL,
+    description TEXT NOT NULL,
+    location    TEXT NOT NULL,
+    category    TEXT NOT NULL,
+    status      TEXT NOT NULL DEFAULT 'found' CHECK(status IN ('found','lost','waiting','recovered')),
+    image_url   TEXT,
+    is_deleted  INTEGER NOT NULL DEFAULT 0,
+    created_at  TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at  TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS comments (
+    id         TEXT PRIMARY KEY,
+    post_id    TEXT NOT NULL REFERENCES posts(id) ON DELETE CASCADE,
+    author_id  TEXT NOT NULL REFERENCES profiles(id),
+    parent_id  TEXT REFERENCES comments(id) ON DELETE CASCADE,
+    body       TEXT NOT NULL,
+    image_url  TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS admin_requests (
+    id          TEXT PRIMARY KEY,
+    user_id     TEXT NOT NULL REFERENCES profiles(id),
+    email       TEXT NOT NULL,
+    name        TEXT NOT NULL,
+    role_title  TEXT NOT NULL,
+    reason      TEXT NOT NULL,
+    status      TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending','approved','rejected')),
+    reviewed_by TEXT REFERENCES profiles(id),
+    created_at  TEXT NOT NULL DEFAULT (datetime('now')),
+    reviewed_at TEXT
+  );
+
+  CREATE TABLE IF NOT EXISTS mod_logs (
+    id          TEXT PRIMARY KEY,
+    admin_id    TEXT NOT NULL REFERENCES profiles(id),
+    target_user TEXT REFERENCES profiles(id),
+    target_post TEXT REFERENCES posts(id),
+    action      TEXT NOT NULL,
+    note        TEXT,
+    created_at  TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+`);
+
+// ── MIDDLEWARE ────────────────────────────────────────────────────────────────
+app.use(cors({
+  origin: FRONTEND_URL === '*' ? true : FRONTEND_URL.split(',').map(s => s.trim()),
+  credentials: true,
+}));
+app.use(express.json({ limit: '10mb' }));
+
+// JWT auth middleware
+function auth(req, res, next) {
+  const header = req.headers.authorization || '';
+  const token  = header.replace('Bearer ', '');
+  if (!token) return res.status(401).json({ error: 'No token' });
+  try {
+    req.user = jwt.verify(token, JWT_SECRET);
+    // Refresh profile from DB (role/banned may have changed)
+    const profile = db.prepare('SELECT * FROM profiles WHERE id = ?').get(req.user.id);
+    if (!profile) return res.status(401).json({ error: 'User not found' });
+    if (profile.is_banned) return res.status(403).json({ error: 'Account banned' });
+    req.profile = profile;
+    next();
+  } catch {
+    return res.status(401).json({ error: 'Invalid token' });
+  }
+}
+
+function adminOnly(req, res, next) {
+  if (!['admin','super_admin'].includes(req.profile.role))
+    return res.status(403).json({ error: 'Admin only' });
+  next();
+}
+
+function superAdminOnly(req, res, next) {
+  if (req.profile.role !== 'super_admin')
+    return res.status(403).json({ error: 'Super admin only' });
+  next();
+}
+
+// ── EMAIL ─────────────────────────────────────────────────────────────────────
+let transporter = null;
+if (EMAIL_HOST && EMAIL_USER && EMAIL_PASS) {
+  transporter = nodemailer.createTransport({
+    host: EMAIL_HOST, port: parseInt(EMAIL_PORT), secure: false,
+    auth: { user: EMAIL_USER, pass: EMAIL_PASS },
+  });
+}
+
+async function sendEmail(to, subject, html) {
+  if (!transporter) {
+    console.log(`[EMAIL SKIPPED — no SMTP config]\nTo: ${to}\nSubject: ${subject}`);
+    return true;
+  }
+  await transporter.sendMail({ from: EMAIL_FROM, to, subject, html });
+  return true;
+}
+
+// ── HELPERS ───────────────────────────────────────────────────────────────────
+function makeUid(email) {
+  return email.split('@')[0].toLowerCase().replace(/[^a-z0-9]/g, '_');
+}
+function makeInitials(name) {
+  return name.split(/[\s._@]/).filter(Boolean).slice(0,2).map(w => w[0].toUpperCase()).join('') || name.substring(0,2).toUpperCase();
+}
+const COLORS = ['#5b8dff','#22c97a','#e05a5a','#a084f5','#ffb347','#4da6ff','#e8a838','#ff6b6b'];
+function randomColor() { return COLORS[Math.floor(Math.random()*COLORS.length)]; }
+
+function issueJWT(profile) {
+  return jwt.sign(
+    { id: profile.id, uid: profile.uid, role: profile.role },
+    JWT_SECRET,
+    { expiresIn: '30d' }
+  );
+}
+
+// ── ROUTES: HEALTH ────────────────────────────────────────────────────────────
+app.get('/', (req, res) => res.json({ ok: true, service: 'FindIt API', version: '1.0' }));
+app.get('/health', (req, res) => res.json({ ok: true }));
+
+// ── ROUTES: AUTH ──────────────────────────────────────────────────────────────
+
+// Request magic link
+app.post('/auth/magic', async (req, res) => {
+  const { email } = req.body;
+  if (!email || !email.includes('@')) return res.status(400).json({ error: 'Invalid email' });
+
+  const lowerEmail = email.toLowerCase().trim();
+
+  // Create profile if first time
+  let profile = db.prepare('SELECT * FROM profiles WHERE email = ?').get(lowerEmail);
+  if (!profile) {
+    const id       = uuid();
+    const uid      = makeUid(lowerEmail);
+    const name     = lowerEmail.split('@')[0];
+    const initials = makeInitials(name);
+    const color    = randomColor();
+    // Auto-promote super admin
+    const role = (SUPER_ADMIN_EMAIL && lowerEmail === SUPER_ADMIN_EMAIL.toLowerCase()) ? 'super_admin' : 'user';
+    db.prepare(`INSERT INTO profiles (id,email,uid,name,initials,color,role) VALUES (?,?,?,?,?,?,?)`)
+      .run(id, lowerEmail, uid, name, initials, color, role);
+    profile = db.prepare('SELECT * FROM profiles WHERE id = ?').get(id);
+  }
+
+  // Generate token
+  const token   = uuid() + uuid(); // 72-char random string
+  const expires = new Date(Date.now() + 15 * 60 * 1000).toISOString(); // 15 min
+  db.prepare(`INSERT INTO magic_tokens (id,email,token,expires_at) VALUES (?,?,?,?)`)
+    .run(uuid(), lowerEmail, token, expires);
+
+  // Build magic link
+  const frontendUrl = FRONTEND_URL === '*' ? 'http://localhost:8080' : FRONTEND_URL.split(',')[0].trim();
+  const magicLink   = `${frontendUrl}?token=${token}`;
+
+  await sendEmail(lowerEmail, 'Your FindIt sign-in link', `
+    <div style="font-family:sans-serif;max-width:400px;margin:0 auto;padding:24px">
+      <h2 style="font-size:22px;margin-bottom:8px">Sign in to FindIt</h2>
+      <p style="color:#666;margin-bottom:20px">Click the button below to sign in. This link expires in 15 minutes.</p>
+      <a href="${magicLink}" style="display:inline-block;background:#5b8dff;color:#fff;padding:12px 24px;border-radius:10px;text-decoration:none;font-weight:600">Sign in to FindIt</a>
+      <p style="color:#aaa;font-size:12px;margin-top:20px">If you didn't request this, ignore this email.</p>
+    </div>
+  `);
+
+  res.json({ ok: true });
+});
+
+// Verify magic link token → return JWT
+app.post('/auth/verify', (req, res) => {
+  const { token } = req.body;
+  if (!token) return res.status(400).json({ error: 'No token' });
+
+  const row = db.prepare('SELECT * FROM magic_tokens WHERE token = ? AND used = 0').get(token);
+  if (!row) return res.status(400).json({ error: 'Invalid or expired token' });
+  if (new Date(row.expires_at) < new Date()) {
+    return res.status(400).json({ error: 'Token expired' });
+  }
+
+  // Mark used
+  db.prepare('UPDATE magic_tokens SET used = 1 WHERE id = ?').run(row.id);
+
+  const profile = db.prepare('SELECT * FROM profiles WHERE email = ?').get(row.email);
+  if (!profile) return res.status(400).json({ error: 'Profile not found' });
+
+  const jwt_token = issueJWT(profile);
+  res.json({ token: jwt_token, profile });
+});
+
+// Get current user
+app.get('/auth/me', auth, (req, res) => {
+  res.json({ profile: req.profile });
+});
+
+// Sign out (client just discards token — stateless JWT)
+app.post('/auth/signout', (req, res) => res.json({ ok: true }));
+
+// ── ROUTES: PROFILES ──────────────────────────────────────────────────────────
+
+app.get('/profiles', auth, adminOnly, (req, res) => {
+  const profiles = db.prepare('SELECT * FROM profiles ORDER BY created_at ASC').all();
+  res.json(profiles);
+});
+
+app.get('/profiles/:uid', (req, res) => {
+  const p = db.prepare('SELECT id,uid,name,initials,color,role,points,created_at FROM profiles WHERE uid = ?').get(req.params.uid);
+  if (!p) return res.status(404).json({ error: 'Not found' });
+  // post count
+  const postCount = db.prepare('SELECT COUNT(*) as c FROM posts WHERE author_id = ? AND is_deleted = 0').get(p.id).c;
+  res.json({ ...p, postCount });
+});
+
+app.patch('/profiles/:id', auth, (req, res) => {
+  const { id } = req.params;
+  // Only self or admin can update
+  if (req.profile.id !== id && !['admin','super_admin'].includes(req.profile.role))
+    return res.status(403).json({ error: 'Forbidden' });
+  const allowed = ['name','initials','color'];
+  // admins can also change role / is_banned
+  if (['admin','super_admin'].includes(req.profile.role)) {
+    allowed.push('role','is_banned','points');
+  }
+  const fields = {};
+  for (const k of allowed) if (req.body[k] !== undefined) fields[k] = req.body[k];
+  if (!Object.keys(fields).length) return res.status(400).json({ error: 'Nothing to update' });
+
+  const sets = Object.keys(fields).map(k => `${k} = ?`).join(', ');
+  db.prepare(`UPDATE profiles SET ${sets} WHERE id = ?`).run(...Object.values(fields), id);
+  res.json({ ok: true });
+});
+
+// ── ROUTES: POSTS ─────────────────────────────────────────────────────────────
+
+// List posts (with author info + comment count)
+app.get('/posts', (req, res) => {
+  const { status, location, search, author_uid } = req.query;
+  let sql = `
+    SELECT p.*, pr.uid as author_uid, pr.name as author_name,
+           pr.initials as author_initials, pr.color as author_color,
+           pr.role as author_role,
+           (SELECT COUNT(*) FROM comments c WHERE c.post_id = p.id) as comment_count
+    FROM posts p
+    JOIN profiles pr ON pr.id = p.author_id
+    WHERE p.is_deleted = 0`;
+  const params = [];
+  if (status)     { sql += ' AND p.status = ?';              params.push(status); }
+  if (location)   { sql += ' AND p.location LIKE ?';         params.push('%'+location+'%'); }
+  if (author_uid) { sql += ' AND pr.uid = ?';                params.push(author_uid); }
+  if (search)     { sql += ' AND (p.title LIKE ? OR p.description LIKE ? OR p.location LIKE ?)';
+                    params.push('%'+search+'%','%'+search+'%','%'+search+'%'); }
+  sql += ' ORDER BY p.created_at DESC';
+  res.json(db.prepare(sql).all(...params));
+});
+
+// Create post
+app.post('/posts', auth, (req, res) => {
+  if (req.profile.is_banned) return res.status(403).json({ error: 'Banned' });
+  const { title, description, location, category, status, image_url } = req.body;
+  if (!title || !description || !location || !category)
+    return res.status(400).json({ error: 'Missing required fields' });
+  const id = uuid();
+  db.prepare(`INSERT INTO posts (id,author_id,title,description,location,category,status,image_url) VALUES (?,?,?,?,?,?,?,?)`)
+    .run(id, req.profile.id, title, description, location, category, status||'found', image_url||null);
+  // award points
+  db.prepare('UPDATE profiles SET points = points + 50 WHERE id = ?').run(req.profile.id);
+  res.json(db.prepare('SELECT * FROM posts WHERE id = ?').get(id));
+});
+
+// Update post
+app.patch('/posts/:id', auth, (req, res) => {
+  const post = db.prepare('SELECT * FROM posts WHERE id = ? AND is_deleted = 0').get(req.params.id);
+  if (!post) return res.status(404).json({ error: 'Not found' });
+  const isOwner = post.author_id === req.profile.id;
+  const isAdmin = ['admin','super_admin'].includes(req.profile.role);
+  if (!isOwner && !isAdmin) return res.status(403).json({ error: 'Forbidden' });
+
+  const allowed = ['title','description','location','category','status','image_url'];
+  const fields = {};
+  for (const k of allowed) if (req.body[k] !== undefined) fields[k] = req.body[k];
+  fields.updated_at = new Date().toISOString();
+  const sets = Object.keys(fields).map(k => `${k} = ?`).join(', ');
+  db.prepare(`UPDATE posts SET ${sets} WHERE id = ?`).run(...Object.values(fields), req.params.id);
+  res.json({ ok: true });
+});
+
+// Delete post (soft)
+app.delete('/posts/:id', auth, (req, res) => {
+  const post = db.prepare('SELECT * FROM posts WHERE id = ?').get(req.params.id);
+  if (!post) return res.status(404).json({ error: 'Not found' });
+  const isOwner = post.author_id === req.profile.id;
+  const isAdmin = ['admin','super_admin'].includes(req.profile.role);
+  if (!isOwner && !isAdmin) return res.status(403).json({ error: 'Forbidden' });
+  db.prepare('UPDATE posts SET is_deleted = 1 WHERE id = ?').run(req.params.id);
+  if (isAdmin && !isOwner) {
+    db.prepare(`INSERT INTO mod_logs (id,admin_id,target_post,action,note) VALUES (?,?,?,?,?)`)
+      .run(uuid(), req.profile.id, req.params.id, 'delete_post', 'Deleted via admin action');
+  }
+  res.json({ ok: true });
+});
+
+// ── ROUTES: COMMENTS ──────────────────────────────────────────────────────────
+
+app.get('/posts/:id/comments', (req, res) => {
+  const comments = db.prepare(`
+    SELECT c.*, pr.uid as author_uid, pr.name as author_name,
+           pr.initials as author_initials, pr.color as author_color
+    FROM comments c
+    JOIN profiles pr ON pr.id = c.author_id
+    WHERE c.post_id = ?
+    ORDER BY c.created_at ASC
+  `).all(req.params.id);
+  res.json(comments);
+});
+
+app.post('/posts/:id/comments', auth, (req, res) => {
+  if (req.profile.is_banned) return res.status(403).json({ error: 'Banned' });
+  const { body, parent_id, image_url } = req.body;
+  if (!body?.trim()) return res.status(400).json({ error: 'Empty comment' });
+  const id = uuid();
+  db.prepare(`INSERT INTO comments (id,post_id,author_id,parent_id,body,image_url) VALUES (?,?,?,?,?,?)`)
+    .run(id, req.params.id, req.profile.id, parent_id||null, body, image_url||null);
+  db.prepare('UPDATE profiles SET points = points + 10 WHERE id = ?').run(req.profile.id);
+  res.json(db.prepare(`
+    SELECT c.*, pr.uid as author_uid, pr.name as author_name,
+           pr.initials as author_initials, pr.color as author_color
+    FROM comments c JOIN profiles pr ON pr.id = c.author_id WHERE c.id = ?
+  `).get(id));
+});
+
+// ── ROUTES: IMAGE UPLOAD ──────────────────────────────────────────────────────
+
+const UPLOAD_DIR = process.env.UPLOAD_DIR || '/data/uploads';
+if (!fs.existsSync(UPLOAD_DIR)) fs.mkdirSync(UPLOAD_DIR, { recursive: true });
+app.use('/uploads', express.static(UPLOAD_DIR));
+
+app.post('/upload', auth, (req, res) => {
+  const { data, filename } = req.body; // base64 data URL
+  if (!data) return res.status(400).json({ error: 'No data' });
+  try {
+    const [meta, b64] = data.split(',');
+    const ext = (meta.match(/\/(\w+);/) || ['','jpg'])[1].replace('jpeg','jpg');
+    const name = `${Date.now()}-${Math.random().toString(36).slice(2)}.${ext}`;
+    fs.writeFileSync(path.join(UPLOAD_DIR, name), Buffer.from(b64, 'base64'));
+    const baseUrl = process.env.SPACE_URL || `http://localhost:${PORT}`;
+    res.json({ url: `${baseUrl}/uploads/${name}` });
+  } catch(e) {
+    console.error('Upload error:', e);
+    res.status(500).json({ error: 'Upload failed' });
+  }
+});
+
+// ── ROUTES: ADMIN REQUESTS ────────────────────────────────────────────────────
+
+app.post('/admin-requests', auth, (req, res) => {
+  const { name, role_title, reason } = req.body;
+  if (!name || !role_title || !reason) return res.status(400).json({ error: 'Missing fields' });
+  // Check no duplicate pending
+  const existing = db.prepare(`SELECT id FROM admin_requests WHERE user_id = ? AND status = 'pending'`).get(req.profile.id);
+  if (existing) return res.status(400).json({ error: 'You already have a pending request' });
+  const id = uuid();
+  db.prepare(`INSERT INTO admin_requests (id,user_id,email,name,role_title,reason) VALUES (?,?,?,?,?,?)`)
+    .run(id, req.profile.id, req.profile.email, name, role_title, reason);
+  // Email super admin
+  if (SUPER_ADMIN_EMAIL) {
+    sendEmail(SUPER_ADMIN_EMAIL, `[FindIt] New admin request from ${name}`,
+      `<p><strong>${name}</strong> (${req.profile.email}) has requested admin access.</p>
+       <p><strong>Role:</strong> ${role_title}</p>
+       <p><strong>Reason:</strong> ${reason}</p>
+       <p>Log in to the admin dashboard to review.</p>`
+    );
+  }
+  res.json({ ok: true });
+});
+
+app.get('/admin-requests', auth, adminOnly, (req, res) => {
+  const rows = db.prepare(`
+    SELECT ar.*, pr.uid as requester_uid, pr.role as current_role
+    FROM admin_requests ar
+    JOIN profiles pr ON pr.id = ar.user_id
+    WHERE ar.status = 'pending'
+    ORDER BY ar.created_at ASC
+  `).all();
+  res.json(rows);
+});
+
+app.patch('/admin-requests/:id', auth, adminOnly, (req, res) => {
+  const { status } = req.body;
+  if (!['approved','rejected'].includes(status)) return res.status(400).json({ error: 'Invalid status' });
+  const row = db.prepare('SELECT * FROM admin_requests WHERE id = ?').get(req.params.id);
+  if (!row) return res.status(404).json({ error: 'Not found' });
+  db.prepare(`UPDATE admin_requests SET status=?,reviewed_by=?,reviewed_at=? WHERE id=?`)
+    .run(status, req.profile.id, new Date().toISOString(), req.params.id);
+  if (status === 'approved') {
+    db.prepare(`UPDATE profiles SET role='admin' WHERE id=?`).run(row.user_id);
+    db.prepare(`INSERT INTO mod_logs (id,admin_id,target_user,action,note) VALUES (?,?,?,?,?)`)
+      .run(uuid(), req.profile.id, row.user_id, 'promote', 'Approved admin request');
+    sendEmail(row.email, '[FindIt] Your admin request was approved',
+      `<p>Hi ${row.name}, your request for admin access on FindIt has been <strong>approved</strong>.</p>
+       <p>Sign in again and you'll see the Admin Dashboard in your menu.</p>`
+    );
+  } else {
+    sendEmail(row.email, '[FindIt] Your admin request was reviewed',
+      `<p>Hi ${row.name}, your request for admin access was reviewed and was not approved at this time.</p>`
+    );
+  }
+  res.json({ ok: true });
+});
+
+// ── ROUTES: MODERATION ────────────────────────────────────────────────────────
+
+app.post('/mod/ban/:userId', auth, adminOnly, (req, res) => {
+  db.prepare('UPDATE profiles SET is_banned=1 WHERE id=?').run(req.params.userId);
+  db.prepare(`INSERT INTO mod_logs (id,admin_id,target_user,action,note) VALUES (?,?,?,?,?)`)
+    .run(uuid(), req.profile.id, req.params.userId, 'ban', req.body.note||'');
+  res.json({ ok: true });
+});
+
+app.post('/mod/unban/:userId', auth, adminOnly, (req, res) => {
+  db.prepare('UPDATE profiles SET is_banned=0 WHERE id=?').run(req.params.userId);
+  db.prepare(`INSERT INTO mod_logs (id,admin_id,target_user,action,note) VALUES (?,?,?,?,?)`)
+    .run(uuid(), req.profile.id, req.params.userId, 'unban', req.body.note||'');
+  res.json({ ok: true });
+});
+
+app.post('/mod/role/:userId', auth, superAdminOnly, (req, res) => {
+  const { role } = req.body;
+  if (!['user','admin','super_admin'].includes(role)) return res.status(400).json({ error: 'Invalid role' });
+  db.prepare('UPDATE profiles SET role=? WHERE id=?').run(role, req.params.userId);
+  db.prepare(`INSERT INTO mod_logs (id,admin_id,target_user,action,note) VALUES (?,?,?,?,?)`)
+    .run(uuid(), req.profile.id, req.params.userId, role==='user'?'demote':'promote', `Set role to ${role}`);
+  res.json({ ok: true });
+});
+
+app.post('/mod/alert/:userId', auth, adminOnly, (req, res) => {
+  const target = db.prepare('SELECT * FROM profiles WHERE id=?').get(req.params.userId);
+  if (!target) return res.status(404).json({ error: 'Not found' });
+  db.prepare(`INSERT INTO mod_logs (id,admin_id,target_user,action,note) VALUES (?,?,?,?,?)`)
+    .run(uuid(), req.profile.id, req.params.userId, 'alert', req.body.note||'');
+  if (target.email) {
+    sendEmail(target.email, '[FindIt] A notice from the moderation team',
+      `<p>The FindIt moderation team has sent you a notice:</p>
+       <blockquote style="border-left:3px solid #ccc;padding-left:12px;color:#555">${req.body.note||'Please review our community guidelines.'}</blockquote>`
+    );
+  }
+  res.json({ ok: true });
+});
+
+app.get('/mod/logs', auth, adminOnly, (req, res) => {
+  const logs = db.prepare(`
+    SELECT ml.*,
+      a.uid as admin_uid, a.name as admin_name,
+      t.uid as target_uid, t.name as target_name
+    FROM mod_logs ml
+    JOIN profiles a ON a.id = ml.admin_id
+    LEFT JOIN profiles t ON t.id = ml.target_user
+    ORDER BY ml.created_at DESC LIMIT 150
+  `).all();
+  res.json(logs);
+});
+
+// ── ROUTES: STATS ─────────────────────────────────────────────────────────────
+
+app.get('/stats', auth, adminOnly, (req, res) => {
+  const totalPosts      = db.prepare('SELECT COUNT(*) as c FROM posts WHERE is_deleted=0').get().c;
+  const activePosts     = db.prepare("SELECT COUNT(*) as c FROM posts WHERE is_deleted=0 AND status!='recovered'").get().c;
+  const totalUsers      = db.prepare('SELECT COUNT(*) as c FROM profiles').get().c;
+  const bannedUsers     = db.prepare('SELECT COUNT(*) as c FROM profiles WHERE is_banned=1').get().c;
+  const admins          = db.prepare("SELECT COUNT(*) as c FROM profiles WHERE role IN ('admin','super_admin')").get().c;
+  const pendingRequests = db.prepare("SELECT COUNT(*) as c FROM admin_requests WHERE status='pending'").get().c;
+  res.json({ totalPosts, activePosts, totalUsers, bannedUsers, admins, pendingRequests });
+});
+
+// ── START ─────────────────────────────────────────────────────────────────────
+app.listen(PORT, '0.0.0.0', () => {
+  console.log(`FindIt backend running on port ${PORT}`);
+  console.log(`DB: ${DB_PATH}`);
+  console.log(`SUPER_ADMIN_EMAIL: ${SUPER_ADMIN_EMAIL || '(not set)'}`);
+});