## Final Section: System Summary and Architecture Overview

### High-Level System Diagram

```
┌─────────────────────────────────────────────────────────────────┐
│                    UNITE BACKEND SYSTEM                         │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                      PRESENTATION LAYER                         │
│  (REST API Endpoints + Socket.IO WebSocket)                     │
│  - /api/auth, /api/events, /api/eventRequests, /api/chat, ...  │
└────────────────┬────────────────────────────────────────────────┘
                 │
┌────────────────▼────────────────────────────────────────────────┐
│                    MIDDLEWARE LAYER                             │
│  - Authentication (JWT validation)                              │
│  - Authorization (Permission checking)                          │
│  - Validation (Input validation with Joi)                       │
│  - Error Handling (Centralized error middleware)                │
│  - Caching (Response caching)                                   │
│  - Rate Limiting (API rate limiting)                            │
└────────────────┬────────────────────────────────────────────────┘
                 │
┌────────────────▼────────────────────────────────────────────────┐
│                   CONTROLLERS LAYER                             │
│  Thin layer: Request handling, delegation to services           │
│  - users_controller, events_controller, chat_controller, ...    │
└────────────────┬────────────────────────────────────────────────┘
                 │
┌────────────────▼────────────────────────────────────────────────┐
│                    SERVICES LAYER                               │
│  Business Logic: Core application logic                         │
│  - Event management, Request workflows, Chat, RBAC, etc.        │
│  - State machines, Validations, Notifications                   │
└────────────────┬────────────────────────────────────────────────┘
                 │
┌────────────────▼────────────────────────────────────────────────┐
│                     DATA ACCESS LAYER                           │
│  Mongoose Models: Data retrieval and persistence                │
│  - User, Event, EventRequest, Chat, Location, Permission        │
└────────────────┬────────────────────────────────────────────────┘
                 │
┌────────────────▼────────────────────────────────────────────────┐
│                    DATABASE & EXTERNAL SERVICES                 │
│  - MongoDB (Primary datastore)                                  │
│  - AWS S3 (File storage)                                        │
│  - Nodemailer (Email notifications)                             │
│  - Redis (Optional caching)                                     │
└─────────────────────────────────────────────────────────────────┘
```

### Core Capabilities Matrix

| Capability | Technology | Files | Key Services |
|------------|-----------|-------|--------------|
| **User Management** | MongoDB + Mongoose | users_models/, users_controller/, user.service.js | User registration, profile, authentication |
| **Event Management** | MongoDB + Joi | events_models/, events_controller/, event.service.js | Event CRUD, scheduling rules, statistics |
| **Request Workflow** | State Machine | eventRequests_models/, requestStateMachine.js | Submission, approval, confirmation, rejection |
| **RBAC** | Permission System | rbac_controller/, permission.service.js | Role assignment, permission enforcement |
| **Real-Time Chat** | Socket.IO | chat_models/, chat_services/ | Messaging, presence, typing indicators |
| **Notifications** | Event-Driven | notification.service.js | Multi-type notifications, read tracking |
| **Geographic System** | Location Hierarchy | utility_models/, location.service.js | Province→District→Municipality→Barangay |
| **File Upload** | AWS S3 | s3.js | Presigned URLs, file management |
| **Caching** | node-cache | cache.js, cacheMiddleware.js | Response caching, performance optimization |
| **Security** | JWT + bcrypt | authenticate.js, jwt.js | Token-based auth, password hashing |

### Data Flow Example: Event Request Submission

```
1. Frontend sends request data
   ↓
2. Express receives POST /api/eventRequests
   ↓
3. Authentication middleware validates JWT token
   ↓
4. Validation middleware checks with Joi schema
   ↓
5. Data placed in req.validatedData
   ↓
6. Controller calls eventRequest.service.create()
   ↓
7. Service validates business rules
   - Check scheduling rules (max events, blood bag limits)
   - Verify coordinator coverage area
   - Check pending requests limit
   ↓
8. Service creates EventRequest document in MongoDB
   ↓
9. Service triggers automatic reviewer assignment
   ↓
10. Service creates notification for assigned reviewer
   ↓
11. Service emits Socket.IO event to notify admin dashboard
   ↓
12. Controller returns created request with 201 status
   ↓
13. Frontend receives response and updates UI
```

### Request Approval Flow

```
1. Admin views pending requests
   ↓
2. Admin calls POST /api/eventRequests/{id}/approve
   ↓
3. Service validates:
   - User is admin
   - Request is in ASSIGNED state
   - All scheduling rules pass
   ↓
4. Service transitions state to APPROVED
   ↓
5. Service updates statusHistory with actor info
   ↓
6. Service creates notification for coordinator
   ↓
7. Service sends email to coordinator (optional)
   ↓
8. Socket.IO event emitted to coordinator's client
   ↓
9. Coordinator sees "Confirm Approval" button
   ↓
10. Coordinator calls POST /api/eventRequests/{id}/confirm
    ↓
11. Service transitions to COORDINATOR_CONFIRMED
    ↓
12. Service creates Event document (event becomes scheduled)
    ↓
13. Service notifies stakeholders and staff
    ↓
14. Event appears in calendar views
```

### Deployment Considerations

#### **Environment Setup**
```bash
# Production
NODE_ENV=production
ALLOWED_ORIGINS=https://yourdomain.com
ENABLE_RATE_LIMITING=true

# Database
MONGODB_URI=mongodb+srv://user:pass@cluster.mongodb.net/db

# Security
JWT_SECRET=very-long-random-string-min-32-chars
```

#### **Performance Tuning**
1. Create all database indexes: `node src/utils/createIndexes.js`
2. Enable caching middleware
3. Enable rate limiting
4. Use production-grade MongoDB (MongoDB Atlas)
5. Consider Redis for distributed caching
6. Monitor response times and error rates

#### **Security Hardening**
1. Enable CORS properly
2. Use HTTPS only
3. Set secure JWT expiration
4. Implement rate limiting
5. Validate all user inputs
6. Sanitize database queries
7. Use environment variables for secrets
8. Implement audit logging

### Key Metrics and Monitoring

Monitor these metrics for system health:

- **Request Response Time**: Should be < 200ms average
- **Database Query Time**: Should be < 50ms
- **Error Rate**: Should be < 1%
- **Cache Hit Rate**: Should be > 60% for location queries
- **JWT Token Validation**: Track failed authentications
- **Permission Checks**: Monitor permission denial patterns
- **WebSocket Connections**: Track active socket connections
- **Message Throughput**: Chat messages per second

### Integration Points

The backend integrates with:

1. **Frontend** (UNITE Next.js app)
   - REST API for CRUD operations
   - WebSocket for real-time updates
   - File upload/download via S3

2. **MongoDB**
   - Primary data persistence
   - Indexes for query optimization

3. **AWS S3**
   - File storage
   - Presigned URLs for downloads

4. **Email Service** (Nodemailer/SendGrid)
   - Notifications
   - Account verification

5. **External Systems**
   - Can be extended for SMS, calendar sync, etc.

### Future Enhancement Areas

1. **Search Engine** - Elasticsearch for full-text search
2. **Analytics** - Event statistics and reporting
3. **Mobile App** - Dedicated mobile API
4. **SMS Notifications** - Twilio or similar
5. **Calendar Sync** - Google Calendar, Outlook integration
6. **Document Generation** - PDF reports
7. **Advanced RBAC** - Attribute-based access control
8. **Audit Logging** - Detailed action tracking
9. **API Versioning** - Support multiple API versions
10. **Load Balancing** - Horizontal scaling support

---

## End of Documentation

This comprehensive guide covers the UNITE Backend architecture, components, workflows, and development practices. Use this as your primary reference for:
- Understanding system design
- Making informed development decisions
- Troubleshooting issues
- Adding new features
- Maintaining code quality

For specific implementation details, refer to the referenced files and comments in the source code.

## Section 14: Quick Reference - Common Development Tasks

### Adding a New API Endpoint

**Step 1: Create Validator** (`src/validators/`)
```javascript
const schema = Joi.object({
  fieldName: Joi.string().required(),
  // ... define validation rules
});

const validateCreate = (req, res, next) => {
  const { error, value } = schema.validate(req.body);
  if (error) return res.status(400).json({ errors: error.details });
  req.validatedData = value;
  next();
};
```

**Step 2: Create Service** (`src/services/`)
```javascript
class ItemService {
  async create(data, user) {
    // Validate business logic
    // Create document
    // Send notifications
    return item;
  }
}
```

**Step 3: Create Controller** (`src/controller/`)
```javascript
const create = async (req, res, next) => {
  try {
    const item = await itemService.create(req.validatedData, req.user);
    res.status(201).json({ success: true, data: item });
  } catch (error) {
    next(error);
  }
};
```

**Step 4: Add Route** (`src/routes/`)
```javascript
router.post('/',
  authenticate,
  requirePermission('item.create'),
  validateCreate,
  controller.create
);
```

### Modifying the Request Workflow

**File to Edit:** `src/services/request_services/requestStateMachine.js`

1. **Add New State:**
   ```javascript
   REQUEST_STATES = {
     // ... existing states
     NEW_STATE: 'NEW_STATE'
   };
   ```

2. **Add Transition:**
   ```javascript
   STATE_TRANSITIONS = {
     // ... existing transitions
     FROM_STATE: ['NEW_STATE', 'OTHER_STATE']
   };
   ```

3. **Add Validation:**
   ```javascript
   validateTransition(currentState, action) {
     // ... validation logic for new transition
   }
   ```

4. **Update Documentation:**
   - Edit `STATE_MACHINE_README.md`
   - Update state diagram

### Debugging Tips

#### **Check JWT Token**
```bash
# Decode token (online at jwt.io or use node-jwt-decode)
# Check payload: userId, email, role, permissions
```

#### **Check Middleware Execution**
```javascript
// Add logging in middleware
const authenticate = (req, res, next) => {
  console.log('[AUTH MIDDLEWARE] Processing request:', req.path);
  // ... middleware logic
  console.log('[AUTH MIDDLEWARE] User:', req.user);
  next();
};
```

#### **Check Database**
```bash
# Connect to MongoDB
mongo <your-connection-string>

# Check collections
db.events.find()
db.requests.find()
db.users.findOne({ email: 'user@example.com' })
```

#### **Check Services**
```javascript
// Add console logs in key points
async create(data, user) {
  console.log('[SERVICE] Creating with data:', data);
  console.log('[SERVICE] User authority:', user.authority);
  // ... logic
}
```

### Common Errors and Solutions

| Error | Cause | Solution |
|-------|-------|----------|
| JWT invalid | Token expired or malformed | Re-login to get new token |
| Permission denied | Insufficient permissions | Check user roles and permissions |
| Validation failed | Invalid input | Check validator schema and error details |
| No coordinator found | Coordinator doesn't cover location | Verify coverage area setup |
| Database connection error | MongoDB not running | Start MongoDB, check connection string |
| Rate limit exceeded | Too many requests | Wait or disable rate limiter in dev |
| S3 upload failed | AWS credentials invalid | Verify S3 config and AWS credentials |

### Performance Optimization

1. **Add Database Indexes**
   ```bash
   node src/utils/createIndexes.js
   ```

2. **Enable Caching**
   ```javascript
   // In route handler
   const cached = cache.get('key');
   if (cached) return cached;
   // ... fetch data
   cache.set('key', data, 3600); // 1 hour TTL
   ```

3. **Use Lean Queries** (read-only)
   ```javascript
   // Instead of: Event.find()
   // Use: Event.find().lean()
   // Returns plain JS objects, not Mongoose documents
   ```

4. **Pagination**
   ```javascript
   const page = req.query.page || 1;
   const limit = req.query.limit || 20;
   const skip = (page - 1) * limit;
   
   const items = await Item.find()
     .skip(skip)
     .limit(limit);
   ```

### Testing Endpoints with cURL

```bash
# Login
curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@example.com","password":"password123"}'

# Create event (with token)
curl -X POST http://localhost:3000/api/events \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"Event_Title":"Blood Drive","Location":"Manila"}'

# Get events
curl -X GET http://localhost:3000/api/events \
  -H "Authorization: Bearer <token>"
```

### Key Files for Different Tasks

| Task | File(s) |
|------|---------|
| Add permission | `src/utils/seedRoles.js` |
| Change request states | `src/services/request_services/requestStateMachine.js` |
| Add event category | `src/validators/eventRequests_validators/eventRequest.validators.js` |
| Modify auth | `src/middleware/authenticate.js`, `src/utils/jwt.js` |
| Add location | `src/utils/seedLocations.js` |
| Change notification logic | `src/services/utility_services/notification.service.js` |
| Modify chat | `src/services/chat_services/chat.service.js`, `server.js` |

### When Making Changes

✅ **Do:**
- Follow existing patterns in the codebase
- Add validation at route level
- Move business logic to services
- Update documentation
- Test with Postman/cURL
- Add meaningful error messages

❌ **Don't:**
- Bypass authentication middleware
- Put validation in controllers
- Ignore existing conventions
- Skip error handling
- Modify database directly
- Hard-code values

## Section 13: Geographic Coverage and Location Management

### Location Hierarchy

The system supports a four-level geographic hierarchy:

```
Province (Region Level)
    ↓
District (Province Subdivision)
    ↓
Municipality (Local Government)
    ↓
Barangay (Village/Community)
```

### Supported Regions

#### **Camarines Norte**
- Capital: Daet
- 35 municipalities
- Key municipalities: Daet, Cabanatuan, Tumbaga

#### **Camarines Sur**
- Capital: Naga City
- 35 municipalities
- Key municipalities: Naga, Iriga, Pili

#### **Masbate**
- Capital: Masbate City
- 21 municipalities
- Key municipalities: Masbate City, Cataingan, Aroroy

### Location Data Files

**File:** `src/utils/locations.json`

Complete location hierarchy with all provinces, districts, municipalities, and barangays.

**Files:** Barangay data per region
- `src/utils/camnorte-dis-barangay.txt` - Camarines Norte barangays
- `src/utils/camsur-dis-barangay.txt` - Camarines Sur barangays
- `src/utils/masbate-dis-barangay.txt` - Masbate barangays

### Location Service

**File:** `src/services/utility_services/location.service.js`

```javascript
// Get all provinces
const provinces = await locationService.getProvinces();

// Get districts in province
const districts = await locationService.getDistricts(provinceId);

// Get municipalities in district
const municipalities = await locationService.getMunicipalities(districtId);

// Get barangays in municipality
const barangays = await locationService.getBarangays(municipalityId);

// Search locations by name
const results = await locationService.search('Daet');

// Validate location hierarchy
const valid = await locationService.validateHierarchy({
  provinceId,
  districtId,
  municipalityId,
  barangayId
});
```

### Coverage Area System

**Files:**
- `src/models/utility_models/coverageArea.model.js`
- `src/services/utility_services/coverage.service.js`

#### **Coverage Area Model**
```javascript
{
  _id: ObjectId,
  userId: ObjectId,          // User's coverage
  coordinatorId: ObjectId,   // Coordinator reference
  
  // Geographic Coverage
  province: {
    _id: String,
    name: String
  },
  districts: [{
    _id: String,
    name: String,
    municipalities: [{
      _id: String,
      name: String,
      barangays: [String]
    }]
  }],
  
  // Coverage Type
  coverageType: String,      // 'full_province', 'district', 'municipality'
  
  createdAt: Date,
  updatedAt: Date
}
```

### Stakeholder Location-Based Filtering

**File:** `src/services/eventRequests_services/coordinatorResolver.service.js`

When filtering stakeholders:
1. Get coordinator's coverage area
2. Filter stakeholders in same location
3. Exclude inactive stakeholders
4. Order by authority/experience

```javascript
// Get available stakeholders for coordinator
const stakeholders = await coordinatorResolver.getAvailableStakeholders(
  coordinatorId,
  location
);

// Returns stakeholders who:
// - Cover the same location/district
// - Are active
// - Have proper permissions
```

### Location Caching

**File:** `src/utils/cache.js`

Locations are cached with TTL for performance:

```javascript
// Cache keys
'locations:all'
'locations:provinces'
'locations:districts:{provinceId}'
'locations:municipalities:{districtId}'
'locations:barangays:{municipalityId}'
```

### Location Validation Middleware

**File:** `src/middleware/validateJurisdiction.js`

Ensures:
- User operates within their jurisdiction
- Coordinator covers the requested location
- Geographic hierarchy is valid

### Seeding Location Data

**File:** `src/utils/seedLocations.js`

```bash
# Seed all locations
node src/utils/seedLocations.js

# Preview changes
node src/utils/seedLocations.js --dry-run
```

Populates:
- Provinces
- Districts
- Municipalities
- Barangays
- Hierarchical relationships

### Geographic Queries

Common location-based queries:

```javascript
// Find events in a location
const events = await Event.find({
  'Location.municipality': municipalityId
});

// Find users with coverage in location
const users = await User.find({
  'coverage.province': provinceId
});

// Get all municipalities in district
const municipalities = await Location.find({
  parentDistrictId: districtId
});

// Validate coordinator covers location
const covers = await coverageService.checkCoverage(
  coordinatorId,
  municipalityId
);
```

### Best Practices

1. **Hierarchy Validation**
   - Always validate complete hierarchy
   - Don't skip levels
   - Use seeded data only

2. **Caching Strategy**
   - Cache location lists (read-heavy)
   - Invalidate on updates (rare)
   - Use 1-hour TTL

3. **Coverage Checks**
   - Verify jurisdiction in middleware
   - Check before request approval
   - Validate coordinator-stakeholder match

4. **Location Search**
   - Use indexed searches
   - Cache popular searches
   - Normalize input (lowercase, trim)

## Section 12: RBAC (Role-Based Access Control) System

### Role Hierarchy

The system implements a hierarchical role structure:

```
┌─────────────────────────────────────────┐
│         ROLE HIERARCHY                  │
├─────────────────────────────────────────┤
│  System Admin (Authority: 100)          │
│  ├─ Can manage everything                │
│  ├─ Override scheduling rules            │
│  └─ Manage all users and roles           │
│                                          │
│  Admin (Authority: 50)                   │
│  ├─ Review and approve requests          │
│  ├─ Manage events in jurisdiction        │
│  └─ Assign reviewers                     │
│                                          │
│  Coordinator (Authority: 30)             │
│  ├─ Create event requests                │
│  ├─ Submit event confirmations           │
│  └─ Manage own events                    │
│                                          │
│  Stakeholder (Authority: 10)             │
│  ├─ Submit event requests                │
│  ├─ Participate in events                │
│  └─ View calendar                        │
└─────────────────────────────────────────┘
```

### Permissions System

Each role has associated permissions (permission codes):

**System Admin Permissions:**
```
event.create
event.edit
event.delete
event.view_all

request.create
request.review
request.approve
request.reject
request.reschedule

user.create
user.edit
user.delete
user.view_all
user.manage_roles

rbac.manage
rbac.create_roles
rbac.assign_permissions

notification.manage

organization.manage
location.manage
```

**Coordinator Permissions:**
```
event.create
event.edit (own)
event.view (own + jurisdiction)

request.create
request.edit (own, pending)
request.confirm

notification.view
notification.read
```

**Stakeholder Permissions:**
```
event.create
event.view

request.create
request.confirm

chat.send
chat.read
```

### Permission Checking

**File:** `src/services/users_services/permission.service.js`

```javascript
// Check if user has permission
const hasPermission = async (userId, permissionCode) => {
  const user = await User.findById(userId).populate('roles');
  for (const role of user.roles) {
    const permissions = await Permission.find({ 
      roleId: role._id,
      code: permissionCode
    });
    if (permissions.length > 0) return true;
  }
  return false;
};

// Check user authority level
const checkAuthority = (user1, user2) => {
  return user1.authority > user2.authority;
};
```

### RBAC Routes and Endpoints

**File:** `src/routes/rbac.routes.js`

```
GET    /api/rbac/roles                    - List all roles
GET    /api/rbac/roles/:roleId            - Get role details
POST   /api/rbac/roles                    - Create new role (admin)
PUT    /api/rbac/roles/:roleId            - Update role (admin)
DELETE /api/rbac/roles/:roleId            - Delete role (admin)

GET    /api/rbac/permissions              - List all permissions
GET    /api/rbac/permissions/:permId      - Get permission details

POST   /api/rbac/role-permissions         - Assign permission to role
DELETE /api/rbac/role-permissions/:id     - Remove permission from role

GET    /api/rbac/user-roles               - Get user's roles
POST   /api/rbac/user-roles               - Assign role to user
DELETE /api/rbac/user-roles/:id           - Remove role from user

GET    /api/rbac/user-permissions         - Get user's all permissions
```

### RBAC Middleware

**File:** `src/middleware/requirePermission.js`

```javascript
// Usage in routes
router.post('/events', 
  authenticate,
  requirePermission('event.create'),
  controller.create
);

// Implementation
const requirePermission = (permissionCode) => async (req, res, next) => {
  try {
    const hasPermission = await permissionService.check(
      req.user.id,
      permissionCode
    );
    
    if (!hasPermission) {
      return res.status(403).json({
        success: false,
        message: 'Insufficient permissions'
      });
    }
    
    next();
  } catch (error) {
    next(error);
  }
};
```

### RBAC Controllers

**File:** `src/controller/rbac_controller/`

Handles:
- Role CRUD operations
- Permission management
- Role-permission associations
- User role assignments
- Permission queries

### Data Models for RBAC

#### **Role Model**
```javascript
{
  _id: ObjectId,
  code: String,           // 'SYSTEM_ADMIN', 'COORDINATOR', etc.
  name: String,          // Display name
  description: String,
  authority: Number,     // Hierarchy level (10, 30, 50, 100)
  permissions: [ObjectId], // References to Permission documents
  createdAt: Date,
  updatedAt: Date
}
```

#### **Permission Model**
```javascript
{
  _id: ObjectId,
  code: String,          // 'event.create', 'request.review', etc.
  name: String,          // Display name
  description: String,
  category: String,      // 'event', 'request', 'user', 'rbac'
  createdAt: Date
}
```

#### **UserRole Model**
```javascript
{
  _id: ObjectId,
  userId: ObjectId,      // Reference to User
  roleId: ObjectId,      // Reference to Role
  authority: Number,     // User's authority level
  jurisdiction: {        // Geographic jurisdiction
    provinceIds: [String],
    districtIds: [String],
    municipalityIds: [String]
  },
  assignedAt: Date,
  assignedBy: ObjectId   // Who assigned this role
}
```

### Seeding RBAC

**File:** `src/utils/seedRoles.js`

```bash
# Preview changes
node src/utils/seedRoles.js --dry-run

# Apply changes
node src/utils/seedRoles.js
```

Creates default roles and permissions for the system.

### Best Practices

1. **Granular Permissions**
   - Use specific permission codes
   - Example: `event.create` not just `event`

2. **Authority Checking**
   - Always verify authority levels
   - Prevent privilege escalation

3. **Jurisdiction Validation**
   - Check geographic coverage
   - Prevent cross-jurisdiction access

4. **Permission Caching**
   - Cache permission checks
   - Invalidate on role changes

5. **Audit Trail**
   - Log permission assignments
   - Track role changes
   - Document admin actions

## Section 11: Real-Time Communication and WebSocket

### Socket.IO Integration

**File:** `server.js`

Socket.IO provides real-time bidirectional communication for:
- Chat messaging
- Live notifications
- Presence tracking
- Typing indicators

### WebSocket Authentication

Socket connections require JWT authentication:

```javascript
// Client-side connection
const socket = io('http://localhost:3000', {
  auth: {
    token: jwtToken  // JWT token from login
  }
});

// Alternative: Query parameter
const socket = io('http://localhost:3000', {
  query: {
    token: jwtToken
  }
});
```

### Chat System Architecture

**Files:** `src/services/chat_services/`

#### **Chat Rooms**
- Created between users or groups
- Contains multiple messages
- Tracks participants

#### **Messages**
- Text or file attachments
- Read/unread status
- Timestamp and sender tracking
- Deletion support (soft delete)

#### **Presence System**
- Online/offline/idle status
- Last activity timestamp
- Active room tracking

### Socket Events

#### **Emitted from Client**
```javascript
// Chat Events
socket.emit('chat:join-room', { roomId });
socket.emit('chat:send-message', { roomId, content });
socket.emit('chat:mark-read', { messageId });
socket.emit('chat:typing', { roomId });

// Presence Events
socket.emit('user:set-status', { status: 'online' });
socket.emit('user:last-activity', { timestamp });
```

#### **Received from Server**
```javascript
// Chat Events
socket.on('chat:message-received', (message) => {});
socket.on('chat:message-deleted', (messageId) => {});
socket.on('chat:read-receipt', (messageId) => {});

// Presence Events
socket.on('user:status-changed', (userStatus) => {});
socket.on('typing-indicator', (typingUser) => {});

// Notifications
socket.on('notification:new', (notification) => {});
socket.on('notification:update', (notification) => {});
```

### Chat Service Methods

**File:** `src/services/chat_services/chat.service.js`

```javascript
// Create chat room
await chatService.createRoom({
  name: 'Support Room',
  participants: [user1Id, user2Id]
});

// Send message
await chatService.sendMessage({
  roomId,
  senderId,
  content,
  attachments: []
});

// Get message history
const messages = await chatService.getMessages(roomId, { limit: 50 });

// Mark as read
await chatService.markMessageAsRead(messageId, userId);

// Get unread count
const count = await chatService.getUnreadCount(userId);
```

### Notification System

**Files:** `src/services/utility_services/notification.service.js`

#### **Notification Types**

1. **Request Updates**
   - Request approved/rejected/rescheduled
   - Coordinator confirmation request
   - State transition notifications

2. **Admin Actions**
   - Request assigned to reviewer
   - Action taken by admin
   - System alerts

3. **Chat Notifications**
   - New message received
   - Mention in message
   - User joined room

4. **System Notifications**
   - Database events
   - Scheduled events starting
   - Important updates

#### **Notification Model**
```javascript
{
  userId: ObjectId,           // Recipient
  type: String,              // notification type
  title: String,             // Display title
  message: String,           // Display message
  relatedEntity: {
    type: String,            // 'Request', 'Event', 'Message'
    id: ObjectId
  },
  read: Boolean,             // Read status
  readAt: Date,              // When marked read
  createdAt: Date,           // Creation timestamp
  expiresAt: Date            // Auto-delete after this
}
```

#### **Notification Routes**
```
GET    /api/utility/notifications       - List user notifications
GET    /api/utility/notifications/unread-count - Count unread
POST   /api/utility/notifications/read  - Mark as read
DELETE /api/utility/notifications/:id   - Delete notification
```

### Connection Lifecycle

```
Client Connects with JWT
        ↓
Server Validates Token
        ↓
User Authenticated
        ↓
Socket Added to User Room
        ↓
'connection' event fired
        ↓
Client Ready for Events
        
        ... (communication) ...
        
Client Disconnects
        ↓
'disconnection' event fired
        ↓
Cleanup (close rooms, update presence)
```

### Best Practices for Real-Time Features

1. **Namespace Organization**
   - `/chat` - Chat-related events
   - `/notifications` - Notification events
   - `/presence` - Presence events

2. **Error Handling**
   - Acknowledge events with status
   - Emit error events for failures
   - Retry logic on client

3. **Security**
   - Validate token on every connection
   - Verify permissions for room access
   - Sanitize message content

4. **Performance**
   - Limit message history queries
   - Compress large payloads
   - Use rooms for broadcasting

5. **Testing**
   - Use Socket.IO test client
   - Mock socket emissions
   - Test reconnection scenarios

## Section 10: Request and Event Management Workflow

### Event Request Lifecycle

The core workflow follows a state machine pattern with double-confirmation:

```
┌─────────────────────────────────────────────────────────────┐
│              EVENT REQUEST WORKFLOW STATE MACHINE            │
└─────────────────────────────────────────────────────────────┘

1. SUBMITTED
   ↓ (Coordinator submits request)
   └─→ Actions: approve, reject, reschedule

2. ASSIGNED
   ↓ (Reviewer assigned automatically)
   └─→ Actions: approve, reject, reschedule

3. APPROVED
   ↓ (Admin approves request)
   └─→ Actions: confirm (coordinator), cancel

4. COORDINATOR_CONFIRMED
   ↓ (Coordinator confirms approval - FINAL)
   └─→ Status: FINALIZED (Event scheduled)

Alternative Paths:
- APPROVED → REJECTED (if coordinator declines)
- APPROVED → RESCHEDULED (if reschedule proposed)
- RESCHEDULED → COORDINATOR_CONFIRMED or CANCELLED
```

### Scheduling Rules Enforcement

Before approval, the system checks:

1. **Daily Capacity**
   - Max 3 events per day
   - Check all approved events on that date

2. **Blood Bag Limit**
   - Max 200 blood bags per day for blood drives
   - Cumulative across all blood drive events

3. **Weekend Restriction**
   - No events on weekends (Saturday/Sunday)
   - Admin can override this rule

4. **Pending Request Limit**
   - Max 1 pending request per coordinator
   - Prevents request accumulation

5. **Requester Validation**
   - Coordinator must have coverage in location
   - Location-based jurisdiction check

### Automatic Reviewer Assignment

**File:** `src/services/eventRequests_services/reviewerAssignment.service.js`

Assignment rules (in priority order):
1. **Stakeholder-to-Coordinator**: Stakeholder request → Their coordinator
2. **Coordinator-to-Admin**: Coordinator request → District admin
3. **Coordinator-to-Stakeholder**: Fallback → Available stakeholder
4. **Admin-to-Coordinator**: Admin override → Specified coordinator
5. **Manual Assignment**: Explicit assignment by admin

### Event Categories and Specific Fields

#### **Blood Drive**
```javascript
{
  Category: 'BloodDrive',
  Target_Donation: 50,      // Number of blood bags target
  VenueType: 'Hospital',    // Location type
  // Core fields: Event_Title, Date, Location, Email (optional), Phone_Number (optional)
}
```

#### **Training**
```javascript
{
  Category: 'Training',
  TrainingType: 'Basic Life Support',  // Type of training
  MaxParticipants: 100,                // Maximum participants
  Topic: 'First Aid',                  // Training topic
  // Core fields: Event_Title, Date, Location
}
```

#### **Advocacy**
```javascript
{
  Category: 'Advocacy',
  TargetAudience: 'Students',          // Target demographic
  ExpectedAudienceSize: 200,           // Expected attendance
  Topic: 'Blood Donation Awareness',   // Advocacy topic
  // Core fields: Event_Title, Date, Location
}
```

### Event Publication Flow

```
Request Approved + Coordinator Confirmed
            ↓
Event_ID Generated
            ↓
Event Document Created
            ↓
Staff Assignment Notification Sent
            ↓
Event Listed in Calendar Views
            ↓
Notifications Sent to Stakeholders
```

### Coordinator and Stakeholder Resolution

**File:** `src/services/eventRequests_services/coordinatorResolver.service.js`

Determines:
- Which coordinators can create requests in a location
- Which stakeholders can participate
- Coverage area filtering
- Jurisdiction validation

### Key Services for Event Management

1. **eventRequest.service.js** - Core request operations
2. **requestStateMachine.js** - State transitions and validation
3. **reviewerAssignment.service.js** - Reviewer selection
4. **coordinatorResolver.service.js** - Coordinator/stakeholder resolution
5. **event.service.js** - Event creation and updates
6. **eventStatistics.service.js** - Analytics and reporting

### Validation in Request Workflow

**Joi Validators:** `src/validators/eventRequests_validators/`

- `eventRequest.validators.js` - Main request validation
- `batchEvent.validators.js` - Batch creation validation

Key fields validation:
```javascript
{
  Event_Title: required, min 3 chars
  Location: required, min 3 chars
  Date: required, not in past
  Email: optional, valid email if provided
  Phone_Number: optional, valid format if provided
  Event_Description: optional, max 2000 chars
  Category: optional, specific types allowed
}
```

### API Workflow Example

```javascript
// 1. Create Request
POST /api/eventRequests
Body: {
  Event_Title: "Blood Drive 2026",
  Location: "Manila City",
  Date: "2026-02-15",
  Category: "BloodDrive",
  Target_Donation: 100
}
Response: { success: true, data: { Request_ID: "REQ123...", status: "SUBMITTED" } }

// 2. Admin Reviews
GET /api/eventRequests/REQ123

// 3. Admin Approves
POST /api/eventRequests/REQ123/approve
Body: { notes: "Approved" }
Response: { success: true, data: { status: "APPROVED" } }

// 4. Coordinator Confirms
POST /api/eventRequests/REQ123/confirm
Response: { success: true, data: { status: "COORDINATOR_CONFIRMED" } }

// 5. Event Created and Scheduled
GET /api/events/EVT123
// Event now appears in calendar views
```

## Section 9: Development Environment Setup

### Environment Variables

Create a `.env` file in the project root with the following variables:

```bash
# Database Configuration
MONGODB_URI=mongodb://localhost:27017/unite-blood-bank
MONGO_DB_NAME=unite-blood-bank

# Server Configuration
NODE_ENV=development
PORT=3000

# JWT Configuration
JWT_SECRET=your-super-secret-jwt-key-min-32-characters

# CORS Configuration
ALLOWED_ORIGINS=http://localhost:3000,http://localhost:3001

# AWS S3 Configuration
S3_BUCKET_NAME=your-s3-bucket-name
AWS_ACCESS_KEY_ID=your-aws-access-key
AWS_SECRET_ACCESS_KEY=your-aws-secret-key
AWS_REGION=ap-southeast-1

# Email Configuration
EMAIL_USER=your-email@gmail.com
EMAIL_PASS=your-app-specific-password
EMAIL_PORT=587

# Redis Configuration (optional)
REDIS_URL=redis://localhost:6379

# Feature Flags
ENABLE_RATE_LIMITING=false
```

### Starting the Development Server

```bash
# Install dependencies
npm install

# Create indexes (first time setup)
node src/utils/createIndexes.js

# Seed initial data
node src/utils/seedRoles.js
node src/utils/seedLocations.js
node src/utils/seedOrganizations.js

# Create initial admin user
node src/utils/createSysAdmin.js

# Start server with auto-reload
npm run dev

# Server will be running at http://localhost:3000
```

### Health Check

Verify server is running:
```bash
curl http://localhost:3000/health
# Response: { "status": "ok", "database": "connected" }
```

### Project Structure Best Practices

1. **Keep Controllers Thin**
   - Move business logic to services
   - Controllers only handle HTTP concerns

2. **Validation**
   - Use Joi schemas in validators/
   - Place parsed data in `req.validatedData`
   - Validate at route level, not in controller

3. **Error Handling**
   - Use try-catch in controllers
   - Pass errors to next() for error middleware
   - Return meaningful error messages

4. **Database Queries**
   - Use Mongoose methods (findById, find, etc.)
   - Apply indexes for frequent queries
   - Use lean() for read-only queries

5. **Authentication**
   - Apply authenticate middleware to protected routes
   - Check permissions in requirePermission middleware
   - Access user info via req.user

6. **Naming Conventions**
   - Database fields: PascalCase (Email, Phone_Number)
   - JavaScript variables: camelCase (email, phoneNumber)
   - Routes: kebab-case (/api/event-requests)
   - File names: camelCase.js or kebab-case.js

## Section 8: Utility Functions and Helpers

### Database Connection
**File:** `src/utils/dbConnection.js`
- Establishes MongoDB connection using Mongoose
- Handles connection errors and retries
- Called during server startup in `server.js`
- Environment variables: `MONGODB_URI`, `MONGO_DB_NAME`

### JWT Utilities
**File:** `src/utils/jwt.js`
- `generateToken(user)` - Creates JWT token with user payload
- `verifyToken(token)` - Validates and decodes token
- `refreshToken(token)` - Extends token expiration
- Token payload includes: userId, email, role, authority, permissions
- Uses `JWT_SECRET` from environment

### AWS S3 Integration
**File:** `src/utils/s3.js`
- Upload file to S3 bucket
- Generate presigned URLs (temporary download links)
- Delete files from S3
- Configuration: `S3_BUCKET_NAME`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
- Uses AWS SDK v3

**Example Usage:**
```javascript
// Generate presigned URL for download
const url = await s3Util.getPresignedUrl(key, expiresIn);

// Upload file
const key = await s3Util.uploadFile(fileBuffer, filename);

// Delete file
await s3Util.deleteFile(key);
```

### Caching Utilities
**File:** `src/utils/cache.js`
- In-memory caching using `node-cache`
- Store frequently accessed data
- Configurable TTL (time-to-live)
- Common cache keys: locations, organizations, roles, permissions

**Cache Keys Pattern:**
```
locations:all
locations:provinces
locations:districts:{provinceId}
organizations:all
roles:all
permissions:{roleId}
```

### Authority Checking
**File:** `src/utils/checkAuthorities.js`
- Validate user authority level
- Authority hierarchy: System Admin > Admin > Coordinator > Stakeholder
- Check jurisdiction overlap
- Validate operational permissions

### Location Management
**Files:**
- `src/utils/locations.json` - Complete location hierarchy
- `src/utils/{region}-dis-barangay.txt` - Regional barangay data
  - `camnorte-dis-barangay.txt` - Camarines Norte
  - `camsur-dis-barangay.txt` - Camarines Sur
  - `masbate-dis-barangay.txt` - Masbate

**Supported Regions:**
- Camarines Norte (35 municipalities)
- Camarines Sur (35 municipalities)
- Masbate (21 municipalities)

### Seeding and Migration Scripts

#### **seedRoles.js** - Initialize RBAC System
```bash
node src/utils/seedRoles.js          # Run seed
node src/utils/seedRoles.js --dry-run # Preview changes
```
Creates roles:
- System Admin
- Admin
- Coordinator
- Stakeholder

With permissions:
- `event.create`, `event.edit`, `event.delete`
- `request.create`, `request.review`, `request.approve`
- `user.manage`, `user.create`, `user.delete`
- `chat.send`, `chat.read`
- `rbac.manage`

#### **seedLocations.js** - Populate Location Hierarchy
```bash
node src/utils/seedLocations.js      # Run seed
node src/utils/seedLocations.js --dry-run
```
Imports all provinces, districts, municipalities, and barangays

#### **seedOrganizations.js** - Seed Organization Types
```bash
node src/utils/seedOrganizations.js
```
Creates organization records for:
- LGU (Local Government Units)
- NGO (Non-Governmental Organizations)
- Hospital
- Red Cross
- Non-LGU
- Other

#### **seedCoverageSystem.js** - Initialize Coverage Areas
```bash
node src/utils/seedCoverageSystem.js
```
Sets up coverage area definitions for coordinators

#### **createIndexes.js** - Create Database Indexes
```bash
node src/utils/createIndexes.js
```
Creates indexes on frequently queried fields:
- Unique indexes: email, userId, Request_ID
- Single-field indexes: status, Date, coordinator_id
- Compound indexes: multi-field queries

#### **createSysAdmin.js** - Create System Administrator
```bash
node src/utils/createSysAdmin.js
```
Creates initial system admin account with prompts

#### **createAdmin.js** - Create Admin User
```bash
node src/utils/createAdmin.js
```
Creates admin user account with specific authorities

#### **migrateAll.js** - Run All Migrations
```bash
node src/utils/migrateAll.js          # Run all migrations
node src/utils/migrateAll.js --step=1 # Run specific step
```
Manages database schema migrations

### Diagnostic and Testing Utilities

#### **checkDatabase.js**
- Verify MongoDB connection
- Check database initialization
- Validate schema integrity

#### **detectBrokenUsers.js**
- Identify users with missing references
- Find inconsistent data
- Report data quality issues

#### **diagnoseStakeholderFiltering.js**
- Test location-based filtering logic
- Validate stakeholder queries
- Debug filtering issues

#### **fixStakeholderRoles.js**
- Correct stakeholder role assignments
- Fix authority level issues
- Data consistency repairs

#### **comprehensiveTest.js**
- Run full system health check
- Validate all major components
- Report issues

### Key Patterns and Best Practices

```javascript
// Error Handling Pattern
try {
  const result = await someOperation();
  return result;
} catch (error) {
  console.error('Operation failed:', error);
  throw new AppError('User-friendly message', 400);
}

// Async/Await Pattern
const getUser = async (userId) => {
  const user = await User.findById(userId);
  if (!user) throw new NotFoundError('User not found');
  return user;
};

// Caching Pattern
const getCachedLocations = async () => {
  const cached = cache.get('locations:all');
  if (cached) return cached;
  
  const locations = await Location.find();
  cache.set('locations:all', locations, 3600); // 1 hour TTL
  return locations;
};
```

## Section 7: Services Layer - Business Logic

### Service Organization

Services implement core business logic, separated from controllers to maintain clean architecture:

```
src/services/
├── users_services/
│   ├── user.service.js
│   ├── permission.service.js
│   └── role.service.js
│
├── event_services/
│   ├── event.service.js
│   ├── eventStatistics.service.js
│   └── staffAssignment.service.js
│
├── eventRequests_services/
│   ├── eventRequest.service.js
│   ├── requestStateMachine.js
│   ├── reviewerAssignment.service.js
│   └── coordinatorResolver.service.js
│
├── request_services/
│   ├── request.service.js
│   ├── requestStateMachine.js
│   └── requestHistory.service.js
│
├── chat_services/
│   ├── chat.service.js
│   ├── message.service.js
│   └── presence.service.js
│
└── utility_services/
    ├── notification.service.js
    ├── location.service.js
    ├── organization.service.js
    └── coverage.service.js
```

### Key Services Overview

#### **User Service** (`users_services/user.service.js`)
- User creation, update, deletion
- Profile management
- Account activation/deactivation
- Legacy ID handling

#### **Permission Service** (`users_services/permission.service.js`)
- Permission assignment to roles
- Permission checking for users
- RBAC enforcement
- Permission codes: `event.create`, `request.review`, `user.manage`, etc.

#### **Event Service** (`event_services/event.service.js`)
- Event creation with validation
- Category-specific field handling
- Event scheduling rules enforcement
- Conflict detection (max events per day, blood bag limits)

#### **Event Request Service** (`eventRequests_services/eventRequest.service.js`)
- Request creation and validation
- State transition handling
- Approval/rejection/reschedule logic
- Double-confirmation workflow

#### **State Machine Service** (`eventRequests_services/requestStateMachine.js`)
- Central workflow control
- Request state transitions
- Action validation
- Transition rules enforcement

**Key States:**
- `SUBMITTED` - Initial submission
- `ASSIGNED` - Reviewer assigned
- `APPROVED` - Admin approved
- `COORDINATOR_CONFIRMED` - Coordinator confirmed approval
- `REJECTED` - Rejected by admin
- `RESCHEDULED` - Reschedule offered
- `CANCELLED` - Cancelled

**Allowed Transitions:**
```
SUBMITTED → ASSIGNED
ASSIGNED → APPROVED | REJECTED | RESCHEDULED
APPROVED → COORDINATOR_CONFIRMED | CANCELLED
RESCHEDULED → COORDINATOR_CONFIRMED | CANCELLED
```

#### **Reviewer Assignment Service** (`eventRequests_services/reviewerAssignment.service.js`)
- Automatic reviewer assignment
- Assignment rules based on hierarchy
- Manual override support
- Jurisdiction validation

#### **Chat Service** (`chat_services/chat.service.js`)
- Room creation and management
- Message sending
- Read status tracking
- Message history retrieval

#### **Notification Service** (`utility_services/notification.service.js`)
- Create notifications for events
- Track read/unread status
- Multi-type notifications (request updates, admin actions, chat)
- Notification history

#### **Location Service** (`utility_services/location.service.js`)
- Geographic location hierarchy (Province → District → Municipality → Barangay)
- Location search and filtering
- Coverage area validation

### Controller vs Service Pattern

**Controller:** Thin, focused on HTTP handling
```javascript
// src/controller/eventRequests_controller/eventRequest.controller.js
const createEventRequest = async (req, res, next) => {
  try {
    // Validation already done by middleware
    const data = req.validatedData;
    
    // Delegate to service
    const request = await eventRequestService.create(data, req.user);
    
    res.status(201).json({
      success: true,
      message: 'Request created successfully',
      data: request
    });
  } catch (error) {
    next(error);
  }
};
```

**Service:** Complex business logic
```javascript
// src/services/eventRequests_services/eventRequest.service.js
class EventRequestService {
  async create(data, user) {
    // Validation
    this.validateEventData(data);
    
    // Check scheduling rules
    await this.checkSchedulingRules(data);
    
    // Check for pending requests
    await this.checkPendingRequests(user);
    
    // Create request
    const request = await EventRequest.create({
      Request_ID: generateRequestId(),
      ...data,
      requester: user.id,
      status: REQUEST_STATES.SUBMITTED
    });
    
    // Assign reviewer
    await this.assignReviewer(request);
    
    // Send notifications
    await this.notifyCreated(request);
    
    return request;
  }
}
```

### Service Responsibilities

Each service encapsulates:
1. **Validation** - Business rule validation
2. **Processing** - Core logic
3. **Side Effects** - Notifications, cache updates
4. **Error Handling** - Meaningful error messages
5. **Transactions** - Multi-document operations

### Key Principles

- Keep services independent and testable
- Use dependency injection for external services
- Throw meaningful errors with context
- Return data in consistent format
- Document complex business logic with comments
- Handle edge cases and validation edge cases

## Section 6: API Routes and Endpoints

### Route Structure

All API endpoints are prefixed with `/api` and organized by feature domain.

### Authentication Routes
**File:** `src/routes/auth.routes.js`
```
POST   /api/auth/login              - User login (email + password)
POST   /api/auth/logout             - User logout (clear session)
GET    /api/auth/me                 - Get current user profile
POST   /api/auth/refresh-token      - Refresh JWT token
```

### User Management Routes
**File:** `src/routes/users.routes.js`
```
GET    /api/users                   - List all users (admin only)
GET    /api/users/:userId           - Get user details
POST   /api/users                   - Create new user
PUT    /api/users/:userId           - Update user profile
DELETE /api/users/:userId           - Delete user (admin only)
GET    /api/users/coordinators      - List all coordinators
GET    /api/users/stakeholders      - List all stakeholders
POST   /api/users/validate-code     - Validate registration code
```

### Event Management Routes
**File:** `src/routes/events.routes.js`
```
GET    /api/events                  - List all events
GET    /api/events/calendar         - Calendar view (day/week/month)
GET    /api/events/:eventId         - Get event details
POST   /api/events                  - Create new event
PUT    /api/events/:eventId         - Update event
DELETE /api/events/:eventId         - Delete event
GET    /api/events/statistics       - Event statistics
POST   /api/events/:eventId/assign-staff - Assign staff members
```

### Event Requests Routes
**File:** `src/routes/eventRequests.routes.js`
```
GET    /api/eventRequests           - List event requests
GET    /api/eventRequests/:requestId - Get request details
POST   /api/eventRequests           - Create new request
PUT    /api/eventRequests/:requestId - Update request
POST   /api/eventRequests/:requestId/approve   - Admin approve
POST   /api/eventRequests/:requestId/reject    - Admin reject
POST   /api/eventRequests/:requestId/reschedule - Admin reschedule
POST   /api/eventRequests/:requestId/confirm  - Coordinator confirm
POST   /api/eventRequests/batch     - Batch create requests
```

### Requests Routes
**File:** `src/routes/requests.routes.js`
```
GET    /api/requests                - List requests
GET    /api/requests/:requestId     - Get request details
POST   /api/requests/action         - Perform request action
GET    /api/requests/history/:requestId - Get request history
```

### Chat & Messaging Routes
**File:** `src/routes/chat.routes.js`
```
GET    /api/chat/rooms              - List chat rooms
POST   /api/chat/rooms              - Create new chat room
GET    /api/chat/rooms/:roomId/messages - Get messages in room
POST   /api/chat/messages           - Send message
PUT    /api/chat/messages/:messageId - Update message
DELETE /api/chat/messages/:messageId - Delete message
GET    /api/chat/unread-count       - Get unread message count
```

### RBAC Routes
**File:** `src/routes/rbac.routes.js`
```
GET    /api/rbac/roles              - List all roles
GET    /api/rbac/permissions        - List all permissions
GET    /api/rbac/roles/:roleId      - Get role details
POST   /api/rbac/roles              - Create new role (admin only)
PUT    /api/rbac/roles/:roleId      - Update role (admin only)
POST   /api/rbac/user-roles         - Assign role to user
DELETE /api/rbac/user-roles/:userRoleId - Remove role from user
```

### Stakeholder Routes
**File:** `src/routes/stakeholder.routes.js`
```
GET    /api/stakeholder             - List stakeholders
GET    /api/stakeholder/:stakeholderId - Get stakeholder details
POST   /api/stakeholder             - Create stakeholder
PUT    /api/stakeholder/:stakeholderId - Update stakeholder
DELETE /api/stakeholder/:stakeholderId - Delete stakeholder
```

### Inventory Routes
**File:** `src/routes/inventory.routes.js`
```
GET    /api/inventory               - List blood bag inventory
POST   /api/inventory               - Add inventory item
PUT    /api/inventory/:itemId       - Update inventory
DELETE /api/inventory/:itemId       - Remove inventory item
POST   /api/inventory/requests      - Create inventory request
GET    /api/inventory/requests/:requestId - Get request details
```

### Location Routes
**File:** `src/routes/locations.routes.js`
```
GET    /api/locations               - List all locations
GET    /api/locations/provinces     - List provinces
GET    /api/locations/districts/:provinceId - List districts
GET    /api/locations/municipalities/:districtId - List municipalities
GET    /api/locations/barangays/:municipalityId - List barangays
POST   /api/locations/search        - Search locations
```

### Coverage Areas Routes
**File:** `src/routes/coverageAreas.routes.js`
```
GET    /api/coverage                - List coverage areas
GET    /api/coverage/:userId        - Get user's coverage
POST   /api/coverage                - Create coverage area
PUT    /api/coverage/:coverageId    - Update coverage
DELETE /api/coverage/:coverageId    - Delete coverage
```

### Organizations Routes
**File:** `src/routes/organizations.routes.js`
```
GET    /api/organizations           - List organizations
GET    /api/organizations/:orgId    - Get organization details
POST   /api/organizations           - Create organization
PUT    /api/organizations/:orgId    - Update organization
DELETE /api/organizations/:orgId    - Delete organization
```

### Utility Routes
**File:** `src/routes/utility.routes.js`
```
GET    /api/utility/notifications   - List notifications
POST   /api/utility/notifications/read - Mark as read
DELETE /api/utility/notifications/:notificationId - Delete notification
POST   /api/utility/signup-requests - Public signup request
GET    /api/utility/districts       - List districts
GET    /api/utility/organizations   - List organization types
```

### Pages Routes
**File:** `src/routes/pages.routes.js`
```
GET    /api/pages/:pageName         - Get page content
POST   /api/pages/:pageName         - Create page (admin only)
PUT    /api/pages/:pageName         - Update page (admin only)
```

### Response Format

All endpoints return standardized JSON responses:

```javascript
// Success Response
{
  "success": true,
  "message": "Operation completed successfully",
  "data": { /* response data */ },
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 100
  }
}

// Error Response
{
  "success": false,
  "message": "Error description",
  "errors": [ /* detailed errors */ ]
}
```

### HTTP Status Codes

- `200 OK` - Success
- `201 Created` - Resource created
- `204 No Content` - Success with no response body
- `400 Bad Request` - Invalid input
- `401 Unauthorized` - Missing/invalid token
- `403 Forbidden` - Insufficient permissions
- `404 Not Found` - Resource not found
- `409 Conflict` - Business logic conflict
- `500 Internal Server Error` - Server error

## Section 5: Database Models and Data Layer

### Model Organization

Models are organized by feature domain in `src/models/`:

#### **Users Models** (`src/models/users_models/`)
- **User** - Unified user model (System Admin, Coordinator, Stakeholder)
- **UserRole** - Role definitions and associations
- **Permission** - Granular permission definitions
- **Key Fields**: userId, email, password, organizationType, authority, roles

#### **Events Models** (`src/models/events_models/`)
- **Event** - Published events
- **Category-Specific Fields**: Blood drives, advocacy, training
- **Key Fields**: Event_ID, Event_Title, Date, Location, Category, participants, staff

#### **Event Requests Models** (`src/models/eventRequests_models/`)
- **EventRequest** - Request workflow (state machine based)
- **Embedded Sub-Schemas**: 
  - statusHistory - All state transitions
  - reviewer - Assigned reviewer info
  - decision - Admin decisions
  - reschedule - Reschedule proposals
  - confirmation - Final confirmations
- **Key Fields**: Request_ID, Event_ID, Email, Phone_Number, Date, status

#### **Request Models** (`src/models/request_models/`)
- **EventRequest** - Alternative request model
- **EventRequestHistory** - Audit trail

#### **Chat Models** (`src/models/chat_models/`)
- **Chat** - Chat rooms/conversations
- **Message** - Individual messages
- **Key Fields**: participants, content, timestamp, read status

#### **Utility Models** (`src/models/utility_models/`)
- **Notification** - System notifications
- **Location** - Geographic locations (Province → District → Municipality → Barangay)
- **Organization** - Organization/Institution data
- **CoverageArea** - Geographic coverage definitions
- **SignupRequest** - Public signup requests
- **RegistrationCode** - User registration codes

### Database Schema Patterns

#### Field Naming Conventions
- **PascalCase**: Database field names (Email, Phone_Number, Event_ID)
- **camelCase**: JavaScript variable names
- **Required Fields**: Explicitly marked with `required: true`
- **Optional Fields**: `required: false` or omitted

#### Timestamp Fields
- **createdAt**: Auto-generated on document creation
- **updatedAt**: Auto-updated on modification
- Built-in Mongoose support using `timestamps: true`

#### References and Relationships
```javascript
// Reference to another model
userId: { type: mongoose.Schema.Types.ObjectId, ref: 'User' }

// Array of references
participants: [{ type: mongoose.Schema.Types.ObjectId, ref: 'User' }]

// Embedded sub-documents
reviewer: { type: reviewerSchema }
```

#### Indexing Strategy
- **Unique Indexes**: email, Request_ID, Event_ID
- **Performance Indexes**: Frequently queried fields (status, Date, coordinator_id)
- **Compound Indexes**: Multi-field queries (user + status)
- Created via `src/utils/createIndexes.js`

### Common Model Operations

```javascript
// Create
const event = await Event.create({ Event_Title: "Blood Drive", ... });

// Read
const event = await Event.findById(id);
const events = await Event.find({ status: 'approved' });

// Update
await Event.findByIdAndUpdate(id, { status: 'scheduled' });

// Delete
await Event.findByIdAndDelete(id);

// Aggregate
const stats = await Event.aggregate([
  { $match: { Category: 'BloodDrive' } },
  { $group: { _id: null, total: { $sum: 1 } } }
]);
```

### Validation Layer

**File:** `src/validators/` - Joi schemas

Validation happens at two levels:
1. **Route Level**: Joi schema validation via middleware
2. **Database Level**: Mongoose schema validation

**Pattern:**
```javascript
// Joi validation schema
const eventSchema = Joi.object({
  Event_Title: Joi.string().required().min(3).max(200),
  Email: Joi.string().email().optional(),
  // ...
});

// Applied in middleware
const validateCreateEvent = (req, res, next) => {
  const { error, value } = eventSchema.validate(req.body);
  if (error) res.status(400).json({ errors: error.details });
  else { req.validatedData = value; next(); }
};
```

### Key Principles

- Use `req.validatedData` instead of `req.body` in controllers
- Always validate before saving to database
- Maintain data consistency with middleware validation
- Optional fields are explicitly marked (not mandatory)
- Store user context in nested objects for audit trail

## Section 4: Middleware Components

### Core Middleware Components

#### 1. **authenticate.js** - JWT Validation
- Validates JWT tokens from headers or cookies
- Extracts user information and attaches to `req.user`
- Normalizes role information across different user types
- Required for all protected routes

#### 2. **requirePermission.js** - Permission Enforcement
- Checks if user has specific permission code
- Example permissions: `event.create`, `request.review`, `user.manage`
- Works with the RBAC system
- Usage: `router.post('/events', requirePermission('event.create'), controller)`

#### 3. **requireAdminAuthority.js** - Admin Validation
- Ensures user is a System Administrator
- Throws 403 Forbidden if user is not admin
- Critical for sensitive operations

#### 4. **requireStaffManagement.js** - Staff Permission
- Validates staff management access rights
- Checks authority level for coordinator/stakeholder operations
- Location-based filtering

#### 5. **requireFeature.js** - Feature Flag Validation
- Enables/disables features based on user type or config
- Useful for beta features or experimental endpoints

#### 6. **requirePageAccess.js** - Page-Level Access
- Restricts access to specific pages/sections
- Used for UI feature gating

#### 7. **validateJurisdiction.js** - Geographic Validation
- Ensures user operates within their jurisdiction
- Validates coordinator/stakeholder coverage areas
- Prevents cross-jurisdiction access

#### 8. **validateRequestAccess.js** - Request Ownership
- Validates user can access specific request
- Checks ownership and permissions
- Prevents unauthorized access to requests

#### 9. **validateRequestAction.js** - Action Validation
- Validates specific actions on requests (approve, reject, reschedule)
- Enforces workflow state transitions
- Permission and state-based validation

#### 10. **validateCoordinatorAssignment.js** - Assignment Rules
- Validates coordinator assignment to events
- Checks authority and jurisdiction
- Enforces assignment rules

#### 11. **cacheMiddleware.js** - Response Caching
- Caches GET responses based on key
- Reduces database queries
- Configurable TTL (time-to-live)
- Usage: Cacheable endpoints like location listings

#### 12. **rateLimiter.js** - Rate Limiting
- Prevents API abuse through rate limiting
- Configurable per-endpoint or global
- Currently disabled for development (see `rateLimiter.js.bak` for production setup)
- Uses `rate-limiter-flexible` library

### Middleware Pipeline Order

```
Express Request
     ↓
1. CORS & Security Headers
     ↓
2. Body Parser & Compression
     ↓
3. authenticate.js (extract user)
     ↓
4. Route-specific middleware (permission, jurisdiction, etc.)
     ↓
5. cacheMiddleware (check cache)
     ↓
6. rateLimiter (if enabled)
     ↓
7. Controller Handler
     ↓
Express Response
```

### Custom Middleware Patterns

```javascript
// Pattern 1: Simple Guard
const requireAdmin = (req, res, next) => {
  if (req.user.isSystemAdmin) next();
  else res.status(403).json({ success: false });
};

// Pattern 2: Permission-Based
const requirePermission = (permissionCode) => (req, res, next) => {
  if (req.user.permissions.includes(permissionCode)) next();
  else res.status(403).json({ success: false });
};

// Pattern 3: Data Validation
const validateInput = (schema) => (req, res, next) => {
  const { error, value } = schema.validate(req.body);
  if (error) res.status(400).json({ errors: error.details });
  else { req.validatedData = value; next(); }
};
```

### Key Files Location

- `src/middleware/` - All middleware implementations
- Middleware is applied in `src/app.js` and specific routes

## Section 3: Authentication and Authorization System

### Authentication Flow

The system uses **JWT (JSON Web Tokens)** for stateless authentication:

```
User Login Request
       ↓
POST /api/auth/login (email + password)
       ↓
Password validation (bcrypt compare)
       ↓
JWT Token Generation & Signing
       ↓
Token returned to client (cookie or header)
       ↓
Client stores token (HttpOnly cookie or localStorage)
       ↓
Subsequent requests include token
       ↓
authenticate middleware validates token
       ↓
Request continues with user context
```

### JWT Configuration

**File:** `src/utils/jwt.js`

- **Token Format**: `Authorization: Bearer <token>` or Cookie: `unite_user`
- **Secret**: Stored in `JWT_SECRET` environment variable
- **Payload**: Contains user ID, email, role, authority level
- **Expiration**: Configurable (typically 24 hours)

### Authentication Middleware

**File:** `src/middleware/authenticate.js`

```javascript
// Validates JWT token from:
// 1. Authorization header (Bearer token)
// 2. HttpOnly cookie (unite_user)

// Attaches user object to req.user with:
// - userId
// - email
// - role
// - authority
// - permissions (array)
```

### Session Management

- **HttpOnly Cookies**: Secure, cannot be accessed by JavaScript
- **Token Refresh**: Automatic on each request (if approaching expiration)
- **Logout**: Token revocation by clearing cookies
- **Multi-Device Support**: Independent tokens per session

### Authorization Patterns

1. **Middleware-Based**: `requirePermission`, `requireAdminAuthority`
2. **Service-Level**: Permission checks in business logic
3. **Resource-Level**: Document ownership validation
4. **Role-Based**: Role enumeration and authority levels

### Key Files

- `src/middleware/authenticate.js` - Token validation
- `src/utils/jwt.js` - Token generation and verification
- `src/services/users_services/permission.service.js` - Permission management
- `src/middleware/requirePermission.js` - Permission enforcement

## Section 2: Architecture and Project Structure

### Layered Architecture

The backend follows a clean, modular MVC-like architecture with clear separation of concerns:

```
┌─────────────────────────────────────┐
│         Express Server              │
│  (server.js - Entry Point)          │
└──────────────┬──────────────────────┘
               │
       ┌───────┴────────┐
       │                │
┌──────▼──────┐  ┌──────▼──────┐
│   Routes    │  │  Socket.IO   │
│  (REST API) │  │  (WebSocket) │
└──────┬──────┘  └──────┬───────┘
       │                │
┌──────▼────────────────▼──────┐
│      Middleware Layer         │
│  (Auth, Rate Limiting, CORS)  │
└──────┬───────────────────────┘
       │
┌──────▼──────────────┐
│   Controllers       │
│ (Request Handlers)  │
└──────┬──────────────┘
       │
┌──────▼──────────────┐
│    Services         │
│  (Business Logic)   │
└──────┬──────────────┘
       │
┌──────▼──────────────┐
│    Models           │
│  (MongoDB Schemas)  │
└─────────────────────┘
```

### Directory Structure

```
src/
├── models/                          # MongoDB schemas
│   ├── users_models/                # User-related models (User, UserRole, Permission)
│   ├── events_models/               # Event-related models
│   ├── eventRequests_models/        # Event request models with state machine
│   ├── request_models/              # Additional request models
│   ├── chat_models/                 # Chat and messaging models
│   └── utility_models/              # Utility models (Notifications, Locations, Organizations)
│
├── controllers/                     # Request handlers
│   ├── users_controller/            # User management endpoints
│   ├── events_controller/           # Event operations
│   ├── eventRequests_controller/    # Event request workflow
│   ├── request_controller/          # Request management
│   ├── chat_controller/             # Chat and messaging
│   ├── rbac_controller/             # Role-based access control
│   ├── stakeholder_controller/      # Stakeholder management
│   ├── inventory_controller/        # Blood bag inventory
│   └── utility_controller/          # Utility endpoints
│
├── routes/                          # Express route definitions
│   ├── auth.routes.js               # /api/auth
│   ├── users.routes.js              # /api/users
│   ├── events.routes.js             # /api/events
│   ├── eventRequests.routes.js      # /api/eventRequests
│   ├── requests.routes.js           # /api/requests
│   ├── chat.routes.js               # /api/chat
│   ├── rbac.routes.js               # /api/rbac
│   ├── stakeholder.routes.js        # /api/stakeholder
│   ├── inventory.routes.js          # /api/inventory
│   ├── locations.routes.js          # /api/locations
│   ├── coverageAreas.routes.js      # /api/coverage
│   ├── organizations.routes.js      # /api/organizations
│   ├── utility.routes.js            # /api/utility
│   └── pages.routes.js              # /api/pages
│
├── middleware/                      # Express middleware
│   ├── authenticate.js              # JWT authentication
│   ├── requirePermission.js         # Permission checking
│   ├── requireAdminAuthority.js     # Admin authority validation
│   ├── requireStaffManagement.js    # Staff management access
│   ├── requireFeature.js            # Feature flag validation
│   ├── requirePageAccess.js         # Page access control
│   ├── validateJurisdiction.js      # Jurisdiction validation
│   ├── validateRequestAccess.js     # Request access control
│   ├── validateRequestAction.js     # Request action validation
│   ├── validateCoordinatorAssignment.js  # Coordinator assignment validation
│   ├── cacheMiddleware.js           # Response caching
│   └── rateLimiter.js               # Rate limiting
│
├── services/                        # Business logic layer
│   ├── users_services/              # User-related business logic
│   ├── event_services/              # Event management logic
│   ├── eventRequests_services/      # Event request processing
│   ├── request_services/            # Request workflow (state machine)
│   ├── chat_services/               # Chat and messaging logic
│   └── utility_services/            # Utility logic
│
├── validators/                      # Joi validation schemas
│   ├── users_validators/
│   ├── event_validatos/
│   ├── eventRequests_validators/
│   ├── request_validators/
│   └── utility_validators/
│
├── utils/                           # Helper functions
│   ├── dbConnection.js              # MongoDB connection setup
│   ├── jwt.js                       # JWT token utilities
│   ├── s3.js                        # AWS S3 integration
│   ├── cache.js                     # Cache management
│   ├── checkAuthorities.js          # Authority checking
│   ├── seedRoles.js                 # Seed RBAC roles
│   ├── seedLocations.js             # Seed location data
│   ├── seedOrganizations.js         # Seed organization data
│   ├── seedCoverageSystem.js        # Seed coverage areas
│   ├── createIndexes.js             # Create database indexes
│   ├── migrateAll.js                # Database migrations
│   └── [location data files]        # Barangay data for regions
│
├── config/                          # Configuration
│   └── reviewerAssignmentRules.js   # Reviewer assignment logic
│
├── scripts/                         # Utility scripts
│   └── migrate_request_active_responder.js
│
└── app.js                           # Express app configuration

server.js                            # Entry point (Express + Socket.IO)
```

### Key Architectural Patterns

1. **Layered Pattern**: Clear separation between routes → controllers → services → models
2. **Service Layer**: Business logic isolated in services (not controllers)
3. **Middleware Pipeline**: Security, caching, and validation through middleware
4. **Validation Layer**: Input validation using Joi before processing
5. **State Machine**: Request workflow controlled by state machine in services
6. **RBAC System**: Permissions enforced at middleware and service levels
7. **Real-Time Events**: Socket.IO for WebSocket communication

## Section 1: System Overview and Technology Stack

### Purpose
The UNITE Backend is a comprehensive RESTful API and WebSocket server designed for the Bicol Medical Center Blood Bank Event Management System. It streamlines the planning, approval, scheduling, and monitoring of blood-related activities through a centralized platform.

### Primary Users
- **System Administrators**: Full system control, event approval, user management
- **Coordinators**: Event request submission, confirmation, staff coordination  
- **Stakeholders**: Event creation, participation in workflow

### Core Objectives
- Enable coordinators to request, modify, and confirm blood-related events
- Allow admins to review, approve, reject, or reschedule event requests
- Enforce operational rules (daily capacity, bag limits, weekend restrictions)
- Operate a double-confirmation approval process
- Generate notifications across the event lifecycle
- Provide calendar-based and list-based visibility into scheduled events

### Technology Stack

| Component | Technology | Version |
|-----------|-----------|---------|
| **Runtime** | Node.js | Latest LTS |
| **Framework** | Express.js | ^4.21.2 |
| **Database** | MongoDB + Mongoose | 6.20.0 |
| **Authentication** | JWT (jsonwebtoken) | ^9.0.2 |
| **Real-Time** | Socket.IO | ^4.8.1 |
| **Validation** | Joi | ^18.0.1 |
| **Security** | bcrypt | ^6.0.0 |
| **Caching** | node-cache | ^5.1.2 |
| **Rate Limiting** | rate-limiter-flexible | ^8.3.0 |
| **File Storage** | AWS S3 SDK | ^3.432.0 |
| **Email** | Nodemailer + SendGrid | ^6.9.0 |
| **Dev Tools** | Nodemon | ^3.1.10 |

### Key Features Summary
- Event management with multiple categories (Blood Drives, Advocacy, Training)
- Sophisticated request workflow with state machine approval process
- Real-time WebSocket communication and chat system
- Role-based access control (RBAC) with hierarchy enforcement
- Inventory management for blood bag tracking
- Multi-tier notification system
- Geographic location management (provinces, districts, municipalities)

# UNITE Backend System - Comprehensive Guide

**Last Updated:** January 2026  
**Purpose:** Complete reference documentation for the UNITE Blood Bank Event Management System backend

## Quick Navigation
This notebook provides in-depth context about the UNITE backend architecture, components, and implementation patterns. Use this as your primary reference for understanding system structure and making informed development decisions.