SecureBananaLabs/bug-bounty: Bug: Multiple security vulnerabilities in API layer - registerUser() ID mismatch, missing auth, missing validation

The gap in what exists

The gap is the existing critical security vulnerabilities in the current codebase that need immediate professional attention.

Wedge to win

Solve pressing, named security flaws in their API to protect their users and data, offering a direct, high-value fix.

Reputation value (worth doing free for proof) — 70/100

Successfully resolving a public bug bounty on GitHub provides concrete proof of security expertise and coding proficiency, useful for attracting future dev or security contract work.

Likely monetization

fixed-price bounty

Incumbents to beat

Freelance security consultantsSoftware agencies specializing in security auditsInternal development teams

You are an expert full-stack developer specializing in Node.js, Express, and security best practices. The goal is to fix multiple identified security vulnerabilities in the SecureBananaLabs/bug-bounty repository's API layer. The project uses Node.js, Express, and likely a database. Your task is to provide the code changes required to address three specific vulnerabilities:

1.  **registerUser() ID mismatch:** In `apps/api/src/services/authService.js`, ensure `Date.now()` is called only once when generating the user ID and the JWT `sub` claim so they always match. Present the updated `registerUser` function.
2.  **Admin routes lack role-based authorization:** In `apps/api/src/routes/adminRoutes.js`, add a new `adminAuthMiddleware` to check if the authenticated user has an 'admin' role, and apply it to the `/api/admin/metrics` route. Assume the JWT payload includes a `role` field. Provide the new middleware and the updated `adminRoutes.js`.
3.  **Missing input validation on write controllers:** For `userController.js`, `messageController.js`, `paymentController.js`, `reviewController.js`, `proposalController.js`, and `notificationController.js` in `apps/api/src/controllers/`, implement basic input validation for `req.body` before passing data to the service layer. Use `Zod` for schema definition, similar to how `authController` and `jobController` use it. Provide an example for `userController.js` and suggest how to extend it to other controllers, assuming typical fields like `name`, `email`, `content`, `amount`, `status`, `title`, `description` for respective entities. Focus on preventing common injection and malformed data issues. For `userController.js` specifically, add a schema for `createUser` and `updateUser` operations, ensuring fields like `name` (string, min 2 chars), `email` (string, email format), and `password` (string, min 8 chars) are validated, and that no unexpected fields are allowed through (using `.strict()` or `.stripUnknown()`).

For each fix, provide the exact code changes and a brief explanation. Assume standard error handling and middleware application. Focus on delivering secure, maintainable code.