RealDevSquad · iamitprakash · Feb 13, 2026 · Feb 6, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/constants/application.ts b/constants/application.ts
@@ -16,15 +16,20 @@ const APPLICATION_ROLES = {
 
 const API_RESPONSE_MESSAGES = {
   APPLICATION_CREATED_SUCCESS: "Application created successfully",
+  APPLICATION_UPDATED_SUCCESS: "Application updated successfully",
   APPLICATION_RETURN_SUCCESS: "Applications returned successfully",
   NUDGE_SUCCESS: "Nudge sent successfully",
   FEEDBACK_SUBMITTED_SUCCESS: "Application feedback submitted successfully",
 };
 
 const APPLICATION_ERROR_MESSAGES = {
   APPLICATION_ALREADY_REVIEWED: "Application has already been reviewed",
+  APPLICATION_NOT_FOUND: "Application not found",
+  APPLICATION_EDIT_UNAUTHORIZED: "You are not authorized to edit this application",
   NUDGE_TOO_SOON: "Nudge unavailable. You'll be able to nudge again after 24 hours.",
   NUDGE_ONLY_PENDING_ALLOWED: "Nudge unavailable. Only pending applications can be nudged.",
+  EDIT_TOO_SOON: "You can edit your application again 24 hours after your last edit.",
+  EMPTY_UPDATE_PAYLOAD: "Update payload must include at least one editable field.",
 };
 
 const APPLICATION_LOG_MESSAGES = {

diff --git a/controllers/applications.ts b/controllers/applications.ts
@@ -8,6 +8,7 @@ const { createApplicationService } = require("../services/applicationService");
 const { Conflict } = require("http-errors");
 const logger = require("../utils/logger");
 const { APPLICATION_STATUS_TYPES } = require("../constants/application");
+const { buildApplicationUpdatePayload } = require("../utils/application");
 
 const getAllOrUserApplication = async (req: CustomRequest, res: CustomResponse): Promise<any> => {
   try {
@@ -105,26 +106,26 @@ const updateApplication = async (req: CustomRequest, res: CustomResponse) => {
   try {
     const { applicationId } = req.params;
     const rawBody = req.body;
+    const dataToUpdate = buildApplicationUpdatePayload(rawBody);
+    const userId = req.userData.id;
+    const username = req.userData.username;
 
-    const applicationLog = {
-      type: logType.APPLICATION_UPDATED,
-      meta: {
-        applicationId,
-        username: req.userData.username,
-        userId: req.userData.id,
-      },
-      body: rawBody,
-    };
-
-    const promises = [
-      ApplicationModel.updateApplication(rawBody, applicationId),
-      addLog(applicationLog.type, applicationLog.meta, applicationLog.body),
-    ];
+    const result = await ApplicationModel.updateApplication(dataToUpdate, applicationId, userId, username, rawBody);
 
-    await Promise.all(promises);
-    return res.json({
-      message: "Application updated successfully!",
-    });
+    switch (result.status) {
+      case APPLICATION_STATUS.notFound:
+        return res.boom.notFound(APPLICATION_ERROR_MESSAGES.APPLICATION_NOT_FOUND);
+      case APPLICATION_STATUS.unauthorized:
+        return res.boom.unauthorized(APPLICATION_ERROR_MESSAGES.APPLICATION_EDIT_UNAUTHORIZED);
+      case APPLICATION_STATUS.tooSoon:
+        return res.boom.conflict(APPLICATION_ERROR_MESSAGES.EDIT_TOO_SOON);
+      case APPLICATION_STATUS.success:
+        return res.json({
+          message: API_RESPONSE_MESSAGES.APPLICATION_UPDATED_SUCCESS,
+        });
+      default:
+        return res.boom.badImplementation(INTERNAL_SERVER_ERROR);
+    }
   } catch (err) {
     logger.error(`Error while updating the application: ${err}`);
     return res.boom.badImplementation(INTERNAL_SERVER_ERROR);

diff --git a/controllers/discordactions.js b/controllers/discordactions.js
@@ -23,7 +23,8 @@ const DISCORD_BASE_URL = config.get("services.discordBot.baseUrl");
 
 const createGroupRole = async (req, res) => {
   try {
-    const rolename = `group-${req.body.rolename}`;
+    const { role = false } = req.query;
+    const rolename = role ? req.body.rolename : `group-${req.body.rolename}`;
 
     const { roleExists } = await discordRolesModel.isGroupRoleExists({ rolename });
 
@@ -505,6 +506,7 @@ const generateInviteForUser = async (req, res) => {
 
     const inviteOptions = {
       channelId: channelId,
+      role: req.approvedApplicationRole,
     };
     const response = await fetch(`${DISCORD_BASE_URL}/invite`, {
       method: "POST",

diff --git a/controllers/external-accounts.js b/controllers/external-accounts.js
@@ -5,7 +5,6 @@ const { addOrUpdate, getUsersByRole, updateUsersInBatch } = require("../models/u
 const { retrieveDiscordUsers, fetchUsersForKeyValues } = require("../services/dataAccessLayer");
 const { EXTERNAL_ACCOUNTS_POST_ACTIONS } = require("../constants/external-accounts");
 const removeDiscordRoleUtils = require("../utils/removeDiscordRoleFromUser");
-const addDiscordRoleUtils = require("../utils/addDiscordRoleToUser");
 const config = require("config");
 const logger = require("../utils/logger");
 const { markUnDoneTasksOfArchivedUsersBacklog } = require("../models/tasks");
@@ -80,30 +79,7 @@ const linkExternalAccount = async (req, res) => {
     );
 
     if (!unverifiedRoleRemovalResponse.success) {
-      // Tolerable errors that should not block role assignment
-      const tolerableErrors = ["Role doesn't exist", "Role deletion from database failed"];
-      const isTolerableError = tolerableErrors.some((err) => unverifiedRoleRemovalResponse.message.includes(err));
-
-      if (!isTolerableError) {
-        const message = `User details updated but ${unverifiedRoleRemovalResponse.message}. Please contact admin`;
-        return res.boom.internal(message, { message });
-      }
-      logger.info(
-        `Tolerable error during unverified role removal for Discord ID: ${attributes.discordId}: ${unverifiedRoleRemovalResponse.message}`
-      );
-    }
-
-    const developerRoleId = config.get("discordDeveloperRoleId");
-    const newRoleId = config.get("discordNewRoleId");
-
-    try {
-      await addDiscordRoleUtils.addDiscordRoleToUser(attributes.discordId, developerRoleId, "Developer");
-      await addDiscordRoleUtils.addDiscordRoleToUser(attributes.discordId, newRoleId, "New");
-      logger.info(`Roles (Developer, New) assigned successfully for Discord ID: ${attributes.discordId}`);
-    } catch (roleError) {
-      logger.error(`Error assigning roles after verification: ${roleError}`);
-      const message = `Your discord profile has been linked but role assignment failed. Please contact admin`;
-      return res.boom.internal(message, { message });
+      return res.boom.internal(null, { message: "Unverified role removal failed. Please contact admin" });
     }
 
     return res.status(200).json({ message: "Your discord profile has been linked successfully" });

diff --git a/middlewares/checkCanGenerateDiscordLink.ts b/middlewares/checkCanGenerateDiscordLink.ts
@@ -23,11 +23,16 @@ const checkCanGenerateDiscordLink = async (req: CustomRequest, res: CustomRespon
     }
 
     const approvedApplication = applications.find((application: { status: string; }) => application.status === 'accepted');
-    
+
     if (!approvedApplication) {
       return res.boom.forbidden("Only users with an accepted application can generate a Discord invite link.");
     }
 
+    if (approvedApplication.isNew !== true || !approvedApplication.role) {
+      return res.boom.forbidden("You are not eligible to generate a Discord invite link.");
+    }
+
+    req.approvedApplicationRole = approvedApplication.role;
     return next();
   } catch (error) {
     return res.boom.badImplementation("An error occurred while checking user applications.");

diff --git a/middlewares/validators/application.ts b/middlewares/validators/application.ts
@@ -6,24 +6,24 @@ const { APPLICATION_STATUS_TYPES, APPLICATION_ROLES } = require("../../constants
 const { phoneNumberRegex } = require("../../constants/subscription-validator");
 const logger = require("../../utils/logger");
 
+const socialLinkSchema = joi
+  .object({
+    phoneNumber: joi.string().optional().regex(phoneNumberRegex).message('"phoneNumber" must be in a valid format'),
+    github: joi.string().min(1).optional(),
+    instagram: joi.string().min(1).optional(),
+    linkedin: joi.string().min(1).optional(),
+    twitter: joi.string().min(1).optional(),
+    peerlist: joi.string().min(1).optional(),
+    behance: joi.string().min(1).optional(),
+    dribbble: joi.string().min(1).optional(),
+  })
+  .optional();
+
 const validateApplicationData = async (req: CustomRequest, res: CustomResponse, next: NextFunction) => {
-  if (req.body.socialLink?.phoneNo) {
-    req.body.socialLink.phoneNo = req.body.socialLink.phoneNo.trim();
+  if (req.body.socialLink?.phoneNumber) {
+    req.body.socialLink.phoneNumber = req.body.socialLink.phoneNumber.trim();
   }
 
-  const socialLinkSchema = joi
-    .object({
-      phoneNo: joi.string().optional().regex(phoneNumberRegex).message('"phoneNo" must be in a valid format'),
-      github: joi.string().min(1).optional(),
-      instagram: joi.string().min(1).optional(),
-      linkedin: joi.string().min(1).optional(),
-      twitter: joi.string().min(1).optional(),
-      peerlist: joi.string().min(1).optional(),
-      behance: joi.string().min(1).optional(),
-      dribbble: joi.string().min(1).optional(),
-    })
-    .optional();
-
   const schema = joi
     .object()
     .strict()
@@ -65,11 +65,11 @@ const validateApplicationData = async (req: CustomRequest, res: CustomResponse,
     next();
   } catch (error) {
     logger.error(`Error in validating application data: ${error}`);
-    res.boom.badRequest(error.details[0].message);
+    return res.boom.badRequest(error.details[0].message);
   }
 };
 
-const validateApplicationUpdateData = async (req: CustomRequest, res: CustomResponse, next: NextFunction) => {
+const validateApplicationFeedbackData = async (req: CustomRequest, res: CustomResponse, next: NextFunction) => {
   const schema = joi
   .object({
     status: joi
@@ -109,7 +109,56 @@ const validateApplicationUpdateData = async (req: CustomRequest, res: CustomResp
     next();
   } catch (error) {
     logger.error(`Error in validating recruiter data: ${error}`);
-    res.boom.badRequest(error.details[0].message);
+    return res.boom.badRequest(error.details[0].message);
+  }
+};
+
+const validateApplicationUpdateData = async (req: CustomRequest, res: CustomResponse, next: NextFunction) => {
+  if (req.body.socialLink?.phoneNumber) {
+    req.body.socialLink.phoneNumber = req.body.socialLink.phoneNumber.trim();
+  }
+
+  const professionalSchema = joi
+    .object({
+      institution: joi.string().min(1).optional(),
+      skills: joi.string().min(5).optional(),
+    })
+    .optional();
+
+  const schema = joi
+    .object()
+    .strict()
+    .min(1)
+    .keys({
+      imageUrl: joi.string().uri().optional(),
+      foundFrom: joi.string().min(1).optional(),
+      introduction: joi.string().min(1).optional(),
+      forFun: joi
+        .string()
+        .custom((value, helpers) => customWordCountValidator(value, helpers, 100))
+        .optional(),
+      funFact: joi
+        .string()
+        .custom((value, helpers) => customWordCountValidator(value, helpers, 100))
+        .optional(),
+      whyRds: joi
+        .string()
+        .custom((value, helpers) => customWordCountValidator(value, helpers, 100))
+        .optional(),
+      numberOfHours: joi.number().min(1).max(168).optional(),
+      professional: professionalSchema,
+      socialLink: socialLinkSchema,
+    })
+    .messages({
+      "object.min": "Update payload must contain at least one allowed field.",
+    });
+
+  try {
+    await schema.validateAsync(req.body);
+    next();
+  } catch (error) {
+    logger.error(`Error in validating application update data: ${error}`);
+    return res.boom.badRequest(error.details[0].message);
   }
 };
 
@@ -127,12 +176,13 @@ const validateApplicationQueryParam = async (req: CustomRequest, res: CustomResp
     next();
   } catch (error) {
     logger.error(`Error validating query params : ${error}`);
-    res.boom.badRequest(error.details[0].message);
+    return res.boom.badRequest(error.details[0].message);
   }
 };
 
 module.exports = {
   validateApplicationData,
+  validateApplicationFeedbackData,
   validateApplicationUpdateData,
   validateApplicationQueryParam,
 };
diff --git a/middlewares/validators/discordactions.js b/middlewares/validators/discordactions.js
@@ -1,14 +1,20 @@
 const Joi = require("joi");
 const { validateMillisecondsTimestamp } = require("./utils");
+const logger = require("../../utils/logger");
 
 const validateGroupRoleBody = async (req, res, next) => {
-  const schema = Joi.object({
+  const bodySchema = Joi.object({
     rolename: Joi.string().trim().required(),
     description: Joi.string().trim(),
   });
 
+  const querySchema = Joi.object({
+    role: Joi.boolean().default(false).optional(),
+  });
+
   try {
-    await schema.validateAsync(req.body);
+    await bodySchema.validateAsync(req.body);
+    req.query = await querySchema.validateAsync(req.query);
     next();
   } catch (error) {
     logger.error(`Error validating createGroupRole payload : ${error}`);

diff --git a/models/applications.ts b/models/applications.ts
@@ -1,4 +1,6 @@
 import { application } from "../types/application";
+import { addLog } from "./logs";
+const { logType } = require("../constants/logs");
 const firestore = require("../utils/firestore");
 const logger = require("../utils/logger");
 const ApplicationsModel = firestore.collection("applicants");
@@ -128,13 +130,58 @@ const addApplication = async (data: application) => {
   }
 };
 
-const updateApplication = async (dataToUpdate: object, applicationId: string) => {
-  try {
-    await ApplicationsModel.doc(applicationId).update(dataToUpdate);
-  } catch (err) {
-    logger.error("Error in updating intro", err);
-    throw err;
+const updateApplication = async (
+  dataToUpdate: object,
+  applicationId: string,
+  userId: string,
+  username: string,
+  rawBody: object
+) => {
+  const result = await firestore.runTransaction(async (transaction) => {
+    const currentTime = Date.now();
+    const twentyFourHoursInMilliseconds = convertDaysToMilliseconds(1);
+
+    const applicationRef = ApplicationsModel.doc(applicationId);
+    const applicationDoc = await transaction.get(applicationRef);
+
+    if (!applicationDoc.exists) {
+      return { status: APPLICATION_STATUS.notFound };
+    }
+
+    const application = applicationDoc.data();
+
+    if (application.userId !== userId) {
+      return { status: APPLICATION_STATUS.unauthorized };
+    }
+
+    const lastEditAt = application.lastEditAt;
+    if (lastEditAt) {
+      const lastEditTimestamp = new Date(lastEditAt).getTime();
+      const timeDifference = currentTime - lastEditTimestamp;
+
+      if (timeDifference < twentyFourHoursInMilliseconds) {
+        return { status: APPLICATION_STATUS.tooSoon };
+      }
+    }
+
+    const requestBody = {
+      ...dataToUpdate,
+      lastEditAt: new Date(currentTime).toISOString(),
+    };
+    transaction.update(applicationRef, requestBody);
+
+    return { status: APPLICATION_STATUS.success };
+  });
+
+  if (result.status === APPLICATION_STATUS.success) {
+    await addLog(
+      logType.APPLICATION_UPDATED,
+      { applicationId, username, userId },
+      rawBody
+    );
   }
+
+  return result;
 };
 
 const nudgeApplication = async ({ applicationId, userId }: { applicationId: string; userId: string }) => {

diff --git a/routes/applications.ts b/routes/applications.ts
@@ -17,11 +17,12 @@
 );
 router.get("/:applicationId", authenticate, authorizeRoles([SUPERUSER]), applications.getApplicationById);
 router.post("/", authenticate, applicationValidator.validateApplicationData, applications.addApplication);
+router.patch("/:applicationId", authenticate, applicationValidator.validateApplicationUpdateData, applications.updateApplication);
@@ -5,9 +5,17 @@
 const applications = require("../controllers/applications");
 const { authorizeOwnOrSuperUser } = require("../middlewares/authorizeOwnOrSuperUser");
 const applicationValidator = require("../middlewares/validators/application");
+const RateLimit = require("express-rate-limit");
 const router = express.Router();
+const limiter = RateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+});
+
+router.use(limiter);
+
 router.get(
  "/",
  authenticate,
@@ -42,7 +42,8 @@
    "passport-github2": "0.1.12",
    "passport-google-oauth20": "^2.0.0",
    "rate-limiter-flexible": "5.0.3",
-    "winston": "3.13.0"
+    "winston": "3.13.0",
+    "express-rate-limit": "^8.2.1"
  },
  "devDependencies": {
    "@types/chai": "4.3.16",
@@ -5,9 +5,17 @@
 const applications = require("../controllers/applications");
 const { authorizeOwnOrSuperUser } = require("../middlewares/authorizeOwnOrSuperUser");
 const applicationValidator = require("../middlewares/validators/application");
+const RateLimit = require("express-rate-limit");

 const router = express.Router();

+const limiter = RateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+});
+
+router.use(limiter);
+
 router.get(
  "/",
  authenticate,
@@ -42,7 +42,8 @@
    "passport-github2": "0.1.12",
    "passport-google-oauth20": "^2.0.0",
    "rate-limiter-flexible": "5.0.3",
-    "winston": "3.13.0"
+    "winston": "3.13.0",
+    "express-rate-limit": "^8.2.1"
  },
  "devDependencies": {
    "@types/chai": "4.3.16",
 router.patch(
   "/:applicationId/feedback",
   authenticate,
   authorizeRoles([SUPERUSER]),
-  applicationValidator.validateApplicationUpdateData,
+  applicationValidator.validateApplicationFeedbackData,
   applications.submitApplicationFeedback
 );
 router.patch("/:applicationId/nudge", authenticate, applications.nudgeApplication);

diff --git a/routes/discordactions.js b/routes/discordactions.js
@@ -47,7 +47,7 @@
  * Short-circuit this POST method for this endpoint
  * Refer https://github.com/Real-Dev-Squad/todo-action-items/issues/269 for more details.
  */
-router.post("/invite", disableRoute, authenticate, checkCanGenerateDiscordLink, generateInviteForUser);
+router.post("/invite", authenticate, checkCanGenerateDiscordLink, generateInviteForUser);
@@ -32,8 +32,14 @@
 const { verifyCronJob } = require("../middlewares/authorizeBot");
 const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
 const { disableRoute } = require("../middlewares/shortCircuit");
+const rateLimit = require("express-rate-limit");
 const router = express.Router();
+const inviteRateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 invite requests per windowMs
+});
+
 router.post("/groups", authenticate, checkIsVerifiedDiscord, validateGroupRoleBody, createGroupRole);
 router.get("/groups", authenticate, checkIsVerifiedDiscord, validateLazyLoadingParams, getPaginatedAllGroupRoles);
 router.delete("/groups/:groupId", authenticate, checkIsVerifiedDiscord, authorizeRoles([SUPERUSER]), deleteGroupRole);
@@ -47,7 +51,7 @@
 * Short-circuit this POST method for this endpoint
 * Refer https://github.com/Real-Dev-Squad/todo-action-items/issues/269 for more details.
 */
-router.post("/invite", authenticate, checkCanGenerateDiscordLink, generateInviteForUser);
+router.post("/invite", authenticate, inviteRateLimiter, checkCanGenerateDiscordLink, generateInviteForUser);
 router.delete("/roles", authenticate, checkIsVerifiedDiscord, deleteRole);
 router.get("/roles", authenticate, checkIsVerifiedDiscord, getGroupsRoleId);
@@ -42,7 +42,8 @@
    "passport-github2": "0.1.12",
    "passport-google-oauth20": "^2.0.0",
    "rate-limiter-flexible": "5.0.3",
-    "winston": "3.13.0"
+    "winston": "3.13.0",
+    "express-rate-limit": "^8.2.1"
  },
  "devDependencies": {
    "@types/chai": "4.3.16",
@@ -32,8 +32,14 @@
 const { verifyCronJob } = require("../middlewares/authorizeBot");
 const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
 const { disableRoute } = require("../middlewares/shortCircuit");
+const rateLimit = require("express-rate-limit");
 const router = express.Router();

+const inviteRateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 invite requests per windowMs
+});
+
 router.post("/groups", authenticate, checkIsVerifiedDiscord, validateGroupRoleBody, createGroupRole);
 router.get("/groups", authenticate, checkIsVerifiedDiscord, validateLazyLoadingParams, getPaginatedAllGroupRoles);
 router.delete("/groups/:groupId", authenticate, checkIsVerifiedDiscord, authorizeRoles([SUPERUSER]), deleteGroupRole);
@@ -47,7 +51,7 @@
 * Short-circuit this POST method for this endpoint
 * Refer https://github.com/Real-Dev-Squad/todo-action-items/issues/269 for more details.
 */
-router.post("/invite", authenticate, checkCanGenerateDiscordLink, generateInviteForUser);
+router.post("/invite", authenticate, inviteRateLimiter, checkCanGenerateDiscordLink, generateInviteForUser);

 router.delete("/roles", authenticate, checkIsVerifiedDiscord, deleteRole);
 router.get("/roles", authenticate, checkIsVerifiedDiscord, getGroupsRoleId);
@@ -42,7 +42,8 @@
    "passport-github2": "0.1.12",
    "passport-google-oauth20": "^2.0.0",
    "rate-limiter-flexible": "5.0.3",
-    "winston": "3.13.0"
+    "winston": "3.13.0",
+    "express-rate-limit": "^8.2.1"
  },
  "devDependencies": {
    "@types/chai": "4.3.16",
 
 router.delete("/roles", authenticate, checkIsVerifiedDiscord, deleteRole);
 router.get("/roles", authenticate, checkIsVerifiedDiscord, getGroupsRoleId);