spotlightcam/backend/src/controllers/user.js

const { prisma } = require('../utils/db');
const { hashPassword, comparePassword, generateToken, generateVerificationToken, generateVerificationCode } = require('../utils/auth');
const { sendVerificationEmail } = require('../utils/email');
const { sanitizeForEmail } = require('../utils/sanitize');

/**
 * Update user profile
 * PATCH /api/users/me
 */
async function updateProfile(req, res, next) {
  try {
    const userId = req.user.id;
    const { firstName, lastName, email, wsdcId, youtubeUrl, instagramUrl, facebookUrl, tiktokUrl } = req.body;

    // Build update data
    const updateData = {};
    if (firstName !== undefined) updateData.firstName = firstName;
    if (lastName !== undefined) updateData.lastName = lastName;
    if (wsdcId !== undefined) updateData.wsdcId = wsdcId || null; // Allow empty string to clear WSDC ID
    if (youtubeUrl !== undefined) updateData.youtubeUrl = youtubeUrl || null;
    if (instagramUrl !== undefined) updateData.instagramUrl = instagramUrl || null;
    if (facebookUrl !== undefined) updateData.facebookUrl = facebookUrl || null;
    if (tiktokUrl !== undefined) updateData.tiktokUrl = tiktokUrl || null;

    // Check if email is being changed
    const currentUser = await prisma.user.findUnique({
      where: { id: userId },
      select: { email: true },
    });

    let emailChanged = false;
    if (email && email !== currentUser.email) {
      // Check if new email is already taken by another user
      const existingUser = await prisma.user.findUnique({
        where: { email },
      });

      if (existingUser && existingUser.id !== userId) {
        return res.status(400).json({
          success: false,
          error: 'Email is already registered to another account',
        });
      }

      // Email is being changed - require re-verification
      updateData.email = email;
      updateData.emailVerified = false;
      updateData.verificationToken = generateVerificationToken();
      updateData.verificationCode = generateVerificationCode();
      updateData.verificationTokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours

      emailChanged = true;
    }

    // Update user
    const updatedUser = await prisma.user.update({
      where: { id: userId },
      data: updateData,
    });

    // If email changed, send verification email
    if (emailChanged) {
      try {
        await sendVerificationEmail(
          updatedUser.email,
          sanitizeForEmail(updatedUser.firstName || updatedUser.username),
          updatedUser.verificationToken,
          updatedUser.verificationCode
        );
      } catch (emailError) {
        console.error('Failed to send verification email:', emailError);
        // Continue anyway - user is updated but email might not have been sent
      }
    }

    // Generate new JWT token (in case emailVerified changed)
    const token = generateToken({ userId: updatedUser.id });

    // Remove sensitive data
    const { passwordHash, verificationToken, verificationCode, verificationTokenExpiry, resetToken, resetTokenExpiry, ...userWithoutPassword } = updatedUser;

    res.json({
      success: true,
      message: emailChanged
        ? 'Profile updated. Please verify your new email address.'
        : 'Profile updated successfully',
      data: {
        user: userWithoutPassword,
        token,
        emailChanged,
      },
    });
  } catch (error) {
    next(error);
  }
}

/**
 * Change password
 * PATCH /api/users/me/password
 */
async function changePassword(req, res, next) {
  try {
    const userId = req.user.id;
    const { currentPassword, newPassword } = req.body;

    if (!currentPassword || !newPassword) {
      return res.status(400).json({
        success: false,
        error: 'Current password and new password are required',
      });
    }

    // Get user with password
    const user = await prisma.user.findUnique({
      where: { id: userId },
    });

    // Verify current password
    const isPasswordValid = await comparePassword(currentPassword, user.passwordHash);
    if (!isPasswordValid) {
      return res.status(401).json({
        success: false,
        error: 'Current password is incorrect',
      });
    }

    // Hash new password
    const hashedPassword = await hashPassword(newPassword);

    // Update password
    await prisma.user.update({
      where: { id: userId },
      data: { passwordHash: hashedPassword },
    });

    res.json({
      success: true,
      message: 'Password changed successfully',
    });
  } catch (error) {
    next(error);
  }
}

module.exports = {
  updateProfile,
  changePassword,
};
feat: add user profile editing with email re-verification Backend changes: - Add PATCH /api/users/me endpoint for profile updates (firstName, lastName, email) - Add PATCH /api/users/me/password endpoint for password change - Email change triggers re-verification flow (emailVerified=false, new verification token/code) - Send verification email automatically on email change - Return new JWT token when email changes (to update emailVerified status) - Add validation for profile update and password change - Create user controller with updateProfile and changePassword functions Frontend changes: - Add ProfilePage with tabbed interface (Profile & Password tabs) - Profile tab: Edit firstName, lastName, email - Password tab: Change password (requires current password) - Add Profile link to navigation bar - Add authAPI.updateProfile() and authAPI.changePassword() functions - Update AuthContext user data when profile is updated - Display success/error messages for profile and password updates Security: - Username cannot be changed (permanent identifier) - Email uniqueness validation - Password change requires current password - Email change forces re-verification to prevent hijacking User flow: 1. User edits profile and changes email 2. Backend sets emailVerified=false and generates new verification tokens 3. Verification email sent to new address 4. User must verify new email to access all features 5. Banner appears until email is verified 2025-11-13 20:26:49 +01:00			`const { prisma } = require('../utils/db');`
			`const { hashPassword, comparePassword, generateToken, generateVerificationToken, generateVerificationCode } = require('../utils/auth');`
			`const { sendVerificationEmail } = require('../utils/email');`
			`const { sanitizeForEmail } = require('../utils/sanitize');`

			`/**`
			`* Update user profile`
			`* PATCH /api/users/me`
			`*/`
			`async function updateProfile(req, res, next) {`
			`try {`
			`const userId = req.user.id;`
feat: add social media links to user profile - Add YouTube, Instagram, Facebook, and TikTok URL fields to User model - Create database migration for social media link columns - Add custom validators to ensure URLs contain correct domains - Update profile page with social media input fields - Include social media URLs in GET /api/users/me response - Add icons for each social platform in the UI Users can now add links to their social media profiles. Each field validates that the URL contains the appropriate domain (e.g., instagram.com for Instagram, youtube.com/youtu.be for YouTube). 2025-11-13 20:47:57 +01:00			`const { firstName, lastName, email, wsdcId, youtubeUrl, instagramUrl, facebookUrl, tiktokUrl } = req.body;`
feat: add user profile editing with email re-verification Backend changes: - Add PATCH /api/users/me endpoint for profile updates (firstName, lastName, email) - Add PATCH /api/users/me/password endpoint for password change - Email change triggers re-verification flow (emailVerified=false, new verification token/code) - Send verification email automatically on email change - Return new JWT token when email changes (to update emailVerified status) - Add validation for profile update and password change - Create user controller with updateProfile and changePassword functions Frontend changes: - Add ProfilePage with tabbed interface (Profile & Password tabs) - Profile tab: Edit firstName, lastName, email - Password tab: Change password (requires current password) - Add Profile link to navigation bar - Add authAPI.updateProfile() and authAPI.changePassword() functions - Update AuthContext user data when profile is updated - Display success/error messages for profile and password updates Security: - Username cannot be changed (permanent identifier) - Email uniqueness validation - Password change requires current password - Email change forces re-verification to prevent hijacking User flow: 1. User edits profile and changes email 2. Backend sets emailVerified=false and generates new verification tokens 3. Verification email sent to new address 4. User must verify new email to access all features 5. Banner appears until email is verified 2025-11-13 20:26:49 +01:00
			`// Build update data`
			`const updateData = {};`
			`if (firstName !== undefined) updateData.firstName = firstName;`
			`if (lastName !== undefined) updateData.lastName = lastName;`
fix: profile page form pre-population and WSDC ID editing - Add useEffect to pre-fill profile form with current user data - Add WSDC ID field to profile edit form with numeric validation - Update backend to accept wsdcId in profile updates with null handling - Add wsdcId validation to updateProfileValidation middleware - Include firstName, lastName, wsdcId in GET /api/users/me response Fixes issue where profile inputs were empty on page load and allows users to update their WSDC ID. 2025-11-13 20:38:36 +01:00			`if (wsdcId !== undefined) updateData.wsdcId = wsdcId \|\| null; // Allow empty string to clear WSDC ID`
feat: add social media links to user profile - Add YouTube, Instagram, Facebook, and TikTok URL fields to User model - Create database migration for social media link columns - Add custom validators to ensure URLs contain correct domains - Update profile page with social media input fields - Include social media URLs in GET /api/users/me response - Add icons for each social platform in the UI Users can now add links to their social media profiles. Each field validates that the URL contains the appropriate domain (e.g., instagram.com for Instagram, youtube.com/youtu.be for YouTube). 2025-11-13 20:47:57 +01:00			`if (youtubeUrl !== undefined) updateData.youtubeUrl = youtubeUrl \|\| null;`
			`if (instagramUrl !== undefined) updateData.instagramUrl = instagramUrl \|\| null;`
			`if (facebookUrl !== undefined) updateData.facebookUrl = facebookUrl \|\| null;`
			`if (tiktokUrl !== undefined) updateData.tiktokUrl = tiktokUrl \|\| null;`
feat: add user profile editing with email re-verification Backend changes: - Add PATCH /api/users/me endpoint for profile updates (firstName, lastName, email) - Add PATCH /api/users/me/password endpoint for password change - Email change triggers re-verification flow (emailVerified=false, new verification token/code) - Send verification email automatically on email change - Return new JWT token when email changes (to update emailVerified status) - Add validation for profile update and password change - Create user controller with updateProfile and changePassword functions Frontend changes: - Add ProfilePage with tabbed interface (Profile & Password tabs) - Profile tab: Edit firstName, lastName, email - Password tab: Change password (requires current password) - Add Profile link to navigation bar - Add authAPI.updateProfile() and authAPI.changePassword() functions - Update AuthContext user data when profile is updated - Display success/error messages for profile and password updates Security: - Username cannot be changed (permanent identifier) - Email uniqueness validation - Password change requires current password - Email change forces re-verification to prevent hijacking User flow: 1. User edits profile and changes email 2. Backend sets emailVerified=false and generates new verification tokens 3. Verification email sent to new address 4. User must verify new email to access all features 5. Banner appears until email is verified 2025-11-13 20:26:49 +01:00
			`// Check if email is being changed`
			`const currentUser = await prisma.user.findUnique({`
			`where: { id: userId },`
			`select: { email: true },`
			`});`

			`let emailChanged = false;`
			`if (email && email !== currentUser.email) {`
			`// Check if new email is already taken by another user`
			`const existingUser = await prisma.user.findUnique({`
			`where: { email },`
			`});`

			`if (existingUser && existingUser.id !== userId) {`
			`return res.status(400).json({`
			`success: false,`
			`error: 'Email is already registered to another account',`
			`});`
			`}`

			`// Email is being changed - require re-verification`
			`updateData.email = email;`
			`updateData.emailVerified = false;`
			`updateData.verificationToken = generateVerificationToken();`
			`updateData.verificationCode = generateVerificationCode();`
			`updateData.verificationTokenExpiry = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours`

			`emailChanged = true;`
			`}`

			`// Update user`
			`const updatedUser = await prisma.user.update({`
			`where: { id: userId },`
			`data: updateData,`
			`});`

			`// If email changed, send verification email`
			`if (emailChanged) {`
			`try {`
			`await sendVerificationEmail(`
			`updatedUser.email,`
			`sanitizeForEmail(updatedUser.firstName \|\| updatedUser.username),`
			`updatedUser.verificationToken,`
			`updatedUser.verificationCode`
			`);`
			`} catch (emailError) {`
			`console.error('Failed to send verification email:', emailError);`
			`// Continue anyway - user is updated but email might not have been sent`
			`}`
			`}`

			`// Generate new JWT token (in case emailVerified changed)`
			`const token = generateToken({ userId: updatedUser.id });`

			`// Remove sensitive data`
			`const { passwordHash, verificationToken, verificationCode, verificationTokenExpiry, resetToken, resetTokenExpiry, ...userWithoutPassword } = updatedUser;`

			`res.json({`
			`success: true,`
			`message: emailChanged`
			`? 'Profile updated. Please verify your new email address.'`
			`: 'Profile updated successfully',`
			`data: {`
			`user: userWithoutPassword,`
			`token,`
			`emailChanged,`
			`},`
			`});`
			`} catch (error) {`
			`next(error);`
			`}`
			`}`

			`/**`
			`* Change password`
			`* PATCH /api/users/me/password`
			`*/`
			`async function changePassword(req, res, next) {`
			`try {`
			`const userId = req.user.id;`
			`const { currentPassword, newPassword } = req.body;`

			`if (!currentPassword \|\| !newPassword) {`
			`return res.status(400).json({`
			`success: false,`
			`error: 'Current password and new password are required',`
			`});`
			`}`

			`// Get user with password`
			`const user = await prisma.user.findUnique({`
			`where: { id: userId },`
			`});`

			`// Verify current password`
			`const isPasswordValid = await comparePassword(currentPassword, user.passwordHash);`
			`if (!isPasswordValid) {`
			`return res.status(401).json({`
			`success: false,`
			`error: 'Current password is incorrect',`
			`});`
			`}`

			`// Hash new password`
			`const hashedPassword = await hashPassword(newPassword);`

			`// Update password`
			`await prisma.user.update({`
			`where: { id: userId },`
			`data: { passwordHash: hashedPassword },`
			`});`

			`res.json({`
			`success: true,`
			`message: 'Password changed successfully',`
			`});`
			`} catch (error) {`
			`next(error);`
			`}`
			`}`

			`module.exports = {`
			`updateProfile,`
			`changePassword,`
			`};`