fix: enforce security, validation, runtime stability, and dashboard correctness

app/(auth)/sign-in/[[...sign-in]]/page.tsx

@@ -8,7 +8,7 @@ export const metadata: Metadata = {
 
 export default function SignInPage() {
   return (
-    <div className="min-h-screen flex items-center justify-center bg-gradient-to-br from-indigo-950 via-indigo-900 to-purple-900">
+    <div className="min-h-screen flex items-center justify-center bg-linear-to-br from-indigo-950 via-indigo-900 to-purple-900">
       <div className="flex flex-col items-center gap-8">
         <div className="text-center">
           <h1 className="text-3xl font-bold text-white tracking-tight">EduDesk</h1>

app/(auth)/sign-up/[[...sign-up]]/page.tsx

@@ -2,7 +2,7 @@ import { SignUp } from '@clerk/nextjs'
 
 export default function SignUpPage() {
   return (
-    <div className="min-h-screen flex items-center justify-center bg-gradient-to-br from-indigo-950 via-indigo-900 to-purple-900">
+    <div className="min-h-screen flex items-center justify-center bg-linear-to-br from-indigo-950 via-indigo-900 to-purple-900">
       <div className="flex flex-col items-center gap-8">
         <div className="text-center">
           <h1 className="text-3xl font-bold text-white tracking-tight">EduDesk</h1>

app/api/announcements/[id]/route.ts

@@ -1,79 +1,115 @@
-import { auth } from '@clerk/nextjs/server'
-import { NextRequest, NextResponse } from 'next/server'
-import mongoose from 'mongoose'
-import { connectDB } from '@/lib/mongodb'
-import { Announcement } from '@/models/Announcement'
+import { auth } from "@clerk/nextjs/server";
+import { NextRequest, NextResponse } from "next/server";
+import mongoose from "mongoose";
+import { connectDB } from "@/lib/mongodb";
+import { Announcement } from "@/models/Announcement";
 
-const ALLOWED_FIELDS = ['title', 'content', 'body', 'audience', 'category', 'pinned', 'expiresAt']
+const ALLOWED_FIELDS = [
+  "title",
+  "content",
+  "body",
+  "audience",
+  "category",
+  "pinned",
+  "expiresAt",
+];
 
-export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
-  const { userId } = await auth()
-  if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+export async function PUT(
+  req: NextRequest,
+  ctx: { params: Promise<{ id: string }> },
+) {
+  const { userId } = await auth();
+  if (!userId)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   try {
-    const { id } = await ctx.params
+    const { id } = await ctx.params;
 
     // Validate ObjectId
     if (!mongoose.Types.ObjectId.isValid(id)) {
-      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
+      return NextResponse.json({ error: "Invalid id" }, { status: 400 });
     }
 
-    await connectDB()
-    
-    let body
+    await connectDB();
+
+    let body;
     try {
-      body = await req.json()
+      body = await req.json();
     } catch {
-      return NextResponse.json({ error: 'Invalid JSON request body' }, { status: 400 })
+      return NextResponse.json(
+        { error: "Invalid JSON request body" },
+        { status: 400 },
+      );
+    }
+    if (body === null || typeof body !== "object" || Array.isArray(body)) {
+      // Valid JSON can still be a primitive/null/array, but this route requires an object payload.
+      return NextResponse.json(
+        { error: "Invalid JSON request body" },
+        { status: 400 },
+      );
     }
 
     // Sanitize: only allow whitelisted fields
-    const sanitizedBody: Record<string, unknown> = {}
+    const sanitizedBody: Record<string, unknown> = {};
     for (const key of ALLOWED_FIELDS) {
       if (key in body) {
-        sanitizedBody[key] = body[key]
+        sanitizedBody[key] = body[key];
       }
     }
 
     const announcement = await Announcement.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       { $set: sanitizedBody },
-      { new: true, runValidators: true, context: 'query' }
-    )
-    if (!announcement) return NextResponse.json({ error: 'Not found' }, { status: 404 })
-    return NextResponse.json(announcement)
+      { new: true, runValidators: true, context: "query" },
+    );
+    if (!announcement)
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    return NextResponse.json(announcement);
   } catch (error) {
     if (error instanceof Error) {
-      console.error('PUT /api/announcements/[id] error:', error.message)
+      console.error("PUT /api/announcements/[id] error:", error.message);
     }
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+    return NextResponse.json(
+      { error: "Internal server error" },
+      { status: 500 },
+    );
   }
 }
 
-export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
-  const { userId } = await auth()
-  if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+export async function DELETE(
+  _req: NextRequest,
+  ctx: { params: Promise<{ id: string }> },
+) {
+  const { userId } = await auth();
+  if (!userId)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   try {
-    const { id } = await ctx.params
+    const { id } = await ctx.params;
 
     // Validate ObjectId
     if (!mongoose.Types.ObjectId.isValid(id)) {
-      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
+      return NextResponse.json({ error: "Invalid id" }, { status: 400 });
     }
 
-    await connectDB()
-    const deleted = await Announcement.findOneAndDelete({ _id: id })
-
+    await connectDB();
+    const deleted = await Announcement.findOneAndDelete({
+      _id: id,
+      teacherId: userId,
+    });
+
     if (!deleted) {
-      return NextResponse.json({ error: 'Not found' }, { status: 404 })
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
     }
-    
-    return NextResponse.json({ success: true })
+
+    return NextResponse.json({ success: true });
   } catch (error) {
     if (error instanceof Error) {
-      console.error('DELETE /api/announcements/[id] error:', error.message)
+      console.error("DELETE /api/announcements/[id] error:", error.message);
     }
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+    return NextResponse.json(
+      { error: "Internal server error" },
+      { status: 500 },
+    );
   }
 }

app/api/assignments/[id]/route.ts

@@ -1,79 +1,116 @@
-import { auth } from '@clerk/nextjs/server'
-import { NextRequest, NextResponse } from 'next/server'
-import mongoose from 'mongoose'
-import { connectDB } from '@/lib/mongodb'
-import { Assignment } from '@/models/Assignment'
+import { auth } from "@clerk/nextjs/server";
+import { NextRequest, NextResponse } from "next/server";
+import mongoose from "mongoose";
+import { connectDB } from "@/lib/mongodb";
+import { Assignment } from "@/models/Assignment";
 
-const ALLOWED_UPDATE_FIELDS = ['title', 'description', 'dueDate', 'deadline', 'subject', 'class', 'status', 'kanbanStatus', 'maxMarks']
+const ALLOWED_UPDATE_FIELDS = [
+  "title",
+  "description",
+  "dueDate",
+  "deadline",
+  "subject",
+  "class",
+  "status",
+  "kanbanStatus",
+  "maxMarks",
+];
 
-export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
-  const { userId } = await auth()
-  if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+export async function PUT(
+  req: NextRequest,
+  ctx: { params: Promise<{ id: string }> },
+) {
+  const { userId } = await auth();
+  if (!userId)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   try {
-    const { id } = await ctx.params
+    const { id } = await ctx.params;
 
     // Validate ObjectId
     if (!mongoose.Types.ObjectId.isValid(id)) {
-      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
+      return NextResponse.json({ error: "Invalid id" }, { status: 400 });
     }
 
-    await connectDB()
-    
-    let body
+    await connectDB();
+
+    let body;
     try {
-      body = await req.json()
+      body = await req.json();
     } catch {
-      return NextResponse.json({ error: 'Invalid JSON in request body' }, { status: 400 })
+      return NextResponse.json(
+        { error: "Invalid JSON in request body" },
+        { status: 400 },
+      );
+    }
+    if (body === null || typeof body !== "object" || Array.isArray(body)) {
+      return NextResponse.json(
+        { error: "Invalid JSON in request body" },
+        { status: 400 },
+      );
     }
 
     // Sanitize: only allow whitelisted fields
-    const sanitizedBody: Record<string, unknown> = {}
+    const sanitizedBody: Record<string, unknown> = {};
     for (const key of ALLOWED_UPDATE_FIELDS) {
       if (key in body) {
-        sanitizedBody[key] = body[key]
+        sanitizedBody[key] = body[key];
       }
     }
 
     const assignment = await Assignment.findOneAndUpdate(
-      { _id: id },
+      { _id: id, teacherId: userId },
       sanitizedBody,
-      { new: true }
-    )
-    if (!assignment) return NextResponse.json({ error: 'Not found' }, { status: 404 })
-    return NextResponse.json(assignment)
+      { new: true, runValidators: true, context: "query" },
+    );
+    if (!assignment)
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
+    return NextResponse.json(assignment);
   } catch (error) {
     if (error instanceof Error) {
-      console.error('PUT /api/assignments/[id] error:', error.message)
+      console.error("PUT /api/assignments/[id] error:", error.message);
     }
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+    return NextResponse.json(
+      { error: "Internal server error" },
+      { status: 500 },
+    );
   }
 }
 
-export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
-  const { userId } = await auth()
-  if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+export async function DELETE(
+  _req: NextRequest,
+  ctx: { params: Promise<{ id: string }> },
+) {
+  const { userId } = await auth();
+  if (!userId)
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   try {
-    const { id } = await ctx.params
+    const { id } = await ctx.params;
 
     // Validate ObjectId
     if (!mongoose.Types.ObjectId.isValid(id)) {
-      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
+      return NextResponse.json({ error: "Invalid id" }, { status: 400 });
     }
 
-    await connectDB()
-    const deleted = await Assignment.findOneAndDelete({ _id: id })
-
+    await connectDB();
+    const deleted = await Assignment.findOneAndDelete({
+      _id: id,
+      teacherId: userId,
+    });
+
     if (!deleted) {
-      return NextResponse.json({ error: 'Not found' }, { status: 404 })
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
     }
-    
-    return NextResponse.json({ success: true })
+
+    return NextResponse.json({ success: true });
   } catch (error) {
     if (error instanceof Error) {
-      console.error('DELETE /api/assignments/[id] error:', error.message)
+      console.error("DELETE /api/assignments/[id] error:", error.message);
     }
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+    return NextResponse.json(
+      { error: "Internal server error" },
+      { status: 500 },
+    );
   }
 }

app/api/assignments/route.ts

@@ -52,7 +52,7 @@ export async function GET(req: NextRequest) {
     if (error instanceof Error) {
       console.error('GET /api/assignments error:', error.message)
     }
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }