refactor: full TypeScript migration, update dependencies, and code cleanup

[Marbot-claw]

Summary

Full TypeScript migration + major refactor of the Express + Sequelize server. This PR addresses multiple bugs, improves code quality, updates all dependencies, and converts the entire codebase to TypeScript with strict mode enabled.

Changes

🔷 TypeScript Migration

• Full conversion to TypeScript with strict: true
• Proper type definitions for Express Request, Response, Sequelize models
• Type-safe controllers, middlewares, and routes
• Added tsconfig.json with modern compiler options
• Source code moved to src/ directory

🐛 Bug Fixes

• Auth middleware: Removed duplicate !access_token check (dead code)
• Authorize middleware: Removed redundant token re-verification (already done in authUser), fixed != → !==
• User controller: Fixed createToken() → signToken() typo that would cause runtime error
• Show controller: Fixed splice() mutating original array, replaced res.redirect("/") with proper 400 JSON response
• CORS: Removed duplicate origin property in config
• Body parsing: Removed redundant body-parser + express.json() duplication

🔒 Security Improvements

• JWT: Added expiresIn: "24h" to access tokens
• bcrypt: Switched from sync to async (non-blocking event loop)
• Config: Moved hardcoded credentials from config.json to environment variables
• Error messages: Standardized error responses, removed stack traces from production

🏗 Architecture & Code Quality

• Cloudinary upload: Refactored from callback hell to Promise-based pattern
• Controllers: Consistent class-based pattern with proper error propagation
• Middlewares: Clean separation of auth, authorize, and error handling
• Models: Proper TypeScript interfaces alongside Sequelize definitions
• Routes: Consistent naming, proper middleware ordering

📦 Dependencies Updated

Package	Before	After
express	4.18.2	4.21.x
jsonwebtoken	8.5.1 (CVE!)	9.0.2
sequelize	6.25.5	6.37.x
bcryptjs	2.4.3	2.4.3 (latest)
axios	1.1.3	1.7.x
cloudinary	1.32.0	2.5.x
sharp	0.31.2	0.33.x
dotenv	16.0.3	16.4.x
cors	2.8.5	2.8.5 (latest)
multer	1.4.5-lts.1	1.4.5-lts.1
nodemailer	6.8.0	6.9.x
pg	8.8.0	8.13.x
google-auth-library	8.6.0	9.x

🆕 New Dev Dependencies

• typescript, @types/* packages
• ts-node, tsx for development
• @types/bcryptjs, @types/jsonwebtoken, @types/multer, etc.

How to Test

Setup

npm install
cp .env.template .env
# Fill in your .env values

Development

npm run dev
# Starts with tsx (TypeScript execution)

Build

npm run build
# Compiles to dist/
npm start
# Runs compiled JS

Database

npm run db:dev
# Drop, create, and migrate

Key Endpoints to Test

• POST /users/register — User registration with email verification
• POST /users/login — Login with JWT response
• POST /users/google-login — Google OAuth login
• GET / — Fetch shows (paginated)
• GET /search?q=... — Search shows
• GET /:showId — Get show by ID
• GET /rents/myrent — Get user's rented shows (requires auth)
• POST /rents/:ShowId — Rent a show (requires auth + multipart upload)
• DELETE /rents/:id — Unrent (requires auth + ownership)

Breaking Changes

• Entry point changed from app.js to dist/app.js (after build)
• JWT tokens now have 24h expiry (previously no expiry)
• Config now requires environment variables instead of config.json for production
• CORS origin needs to be set via CORS_ORIGIN env var