
feat: Student Management System — Express + Mongoose with dual MongoDB connections#33

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1774453039-student-management-system

Conversation


devin-ai-integration bot commented Mar 25, 2026

Summary

Adds a new student-management-system/ Express.js project with full CRUD REST APIs for Students and Teachers, each backed by a separate MongoDB database via Mongoose's createConnection().

  • student-mongo-db — stores Student documents (name, email, grade, subjects, address, etc.)
  • teacher-mongo-db — stores Teacher documents (name, email, department, qualification, salary, etc.)

Both resources expose Create, Read (single + list with pagination/filtering), Update, Delete, and Search endpoints under /api/students and /api/teachers.

Key files:

  • src/config/database.js — dual mongoose.createConnection() setup
  • src/models/ — Mongoose schemas registered on their respective connections
  • src/controllers/ — CRUD + search logic with error handling
  • src/routes/ — Express routers wired to controllers
  • src/server.js — app entry point with CORS, JSON middleware, 404/error handlers

Review & Testing Checklist for Human

  • Express 5 compatibility: package.json pins Express ^5.2.1 which has breaking changes from v4 (error handling middleware, query parsing, etc.). Verify the 4-arg error handler and route patterns work as expected at runtime.
  • Regex injection in search endpoints: User-supplied q param is passed directly into $regex without escaping special characters — could allow ReDoS or unintended query behavior. Consider adding regex escaping (e.g., q.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).
  • No runtime testing performed: Code was only syntax-checked (node -c), never started against actual MongoDB instances. Run npm start with two MongoDB databases available and hit all endpoints with curl to verify.
  • Missing .gitignore in subdirectory: No .gitignore was committed inside student-management-system/ to exclude node_modules/. Confirm the parent repo's .gitignore covers this, or add one.
  • package-lock.json excluded: The original project .gitignore excluded package-lock.json. For reproducible installs, consider committing it.

Recommended test plan:

  1. cd student-management-system && npm install
  2. Start two MongoDB instances (or one instance with two DBs)
  3. Copy .env.example to .env and adjust URIs if needed
  4. npm start — verify server starts and both DB connections log "Connected"
  5. Use the curl examples in the README to test Create, Get All, Get By ID, Update, Delete, and Search for both Students and Teachers

Notes

  • Mongoose 9.x is used — createConnection() API is stable but worth a quick sanity check if you haven't used v9 before.
  • Pagination uses string-to-number coercion from query params — works due to JS type coercion but parseInt is applied inconsistently (limit is parsed, page in .skip() calculation is not).

Link to Devin session: https://partner-workshops.devinenterprise.com/sessions/a4a2e8223c55457eb67c4fabcbe1ef5b


- Express.js REST API with full CRUD for Students and Teachers
- Dual Mongoose connections: student-mongo-db and teacher-mongo-db
- Student model: name, email, grade, subjects, address, phone
- Teacher model: name, email, department, qualification, experience, salary
- Pagination, filtering, and search endpoints for both resources
- CORS and JSON parsing middleware configured
- Environment-based configuration via .env
@devin-ai-integration (Contributor Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring


devin-ai-integration bot left a comment


Devin Review found 2 potential issues.

View 4 additional findings in Devin Review.


Comment on lines +146 to +152

    const students = await Student.find({
      $or: [
        { firstName: { $regex: q, $options: "i" } },
        { lastName: { $regex: q, $options: "i" } },
        { email: { $regex: q, $options: "i" } },
      ],
    });


🔴 Unsanitized user input passed to MongoDB $regex allows ReDoS and regex injection

The q query parameter from the user is passed directly as the pattern to MongoDB's $regex operator without any escaping of special regex characters. A malicious user can craft a search query containing regex metacharacters (e.g., (a+)+$, .*, (?:)) that cause catastrophic backtracking (ReDoS) on the MongoDB server, or unintended broad matching. For example, GET /api/students/search?q=(a%2B)%2B%24 would send a ReDoS pattern. The same issue exists in teacher.controller.js:146-153.

Suggested change

    (current)
    const students = await Student.find({
      $or: [
        { firstName: { $regex: q, $options: "i" } },
        { lastName: { $regex: q, $options: "i" } },
        { email: { $regex: q, $options: "i" } },
      ],
    });

    (suggested)
    const escapedQ = q.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const students = await Student.find({
      $or: [
        { firstName: { $regex: escapedQ, $options: "i" } },
        { lastName: { $regex: escapedQ, $options: "i" } },
        { email: { $regex: escapedQ, $options: "i" } },
      ],
    });

Comment on lines +146 to +153

    const teachers = await Teacher.find({
      $or: [
        { firstName: { $regex: q, $options: "i" } },
        { lastName: { $regex: q, $options: "i" } },
        { email: { $regex: q, $options: "i" } },
        { department: { $regex: q, $options: "i" } },
      ],
    });


🔴 Unsanitized user input passed to MongoDB $regex in teacher search allows ReDoS and regex injection

Same regex injection vulnerability as in the student controller. The q query parameter is passed directly to $regex in teacher.controller.js:146-153 without escaping special regex characters, enabling ReDoS attacks and unintended pattern matching against teacher records.

Suggested change

    (current)
    const teachers = await Teacher.find({
      $or: [
        { firstName: { $regex: q, $options: "i" } },
        { lastName: { $regex: q, $options: "i" } },
        { email: { $regex: q, $options: "i" } },
        { department: { $regex: q, $options: "i" } },
      ],
    });

    (suggested)
    const escapedQ = q.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const teachers = await Teacher.find({
      $or: [
        { firstName: { $regex: escapedQ, $options: "i" } },
        { lastName: { $regex: escapedQ, $options: "i" } },
        { email: { $regex: escapedQ, $options: "i" } },
        { department: { $regex: escapedQ, $options: "i" } },
      ],
    });
