Secure Node.js + Express + PostgreSQL API for the PowerZone expense tracker.
Setup:

```bash
cp .env.example .env
npm install
npm run db:setup
npm run dev
```

Database name expected: `powerzone`

Default accounts:

- Owner: admin / admin123
- Worker: ali / ali123
- Worker: hassan / hassan123

Change these passwords immediately before real use.
- Passwords are hashed with bcrypt.
- APIs use JWT bearer tokens.
- Owner and Worker routes have role checks.
- SQL is parameterized through pg.
- Request bodies are validated with Zod.
- Helmet, CORS allowlist, rate limits, and small JSON body limits are enabled.
Use the returned JWT as:

```
Authorization: Bearer YOUR_TOKEN
```
Endpoints:

```
POST  /api/auth/login
GET   /api/auth/me
GET   /api/dashboard/owner
GET   /api/categories
GET   /api/workers
POST  /api/workers
GET   /api/workers/:id
POST  /api/workers/:id/balance
GET   /api/sites
POST  /api/sites
PATCH /api/sites/:id/status
POST  /api/sites/:id/costs
GET   /api/sites/:id/expenses
POST  /api/expenses
GET   /api/expenses/my
GET   /api/expenses/my/balance
GET   /api/audit?type=monthly&month=2026-06
GET   /api/audit?type=annual&year=2026
```
Create site example:

```json
{
  "name": "Site A",
  "projectAmount": 200000,
  "initialCosts": [
    { "category": "Panel", "description": "panel", "amount": 90000 },
    { "category": "Inverter", "description": "inverter", "amount": 100000 },
    { "category": "Fabricator / Welder", "description": "welder", "amount": 15000 }
  ]
}
```