spotlightcam/backend/src/routes/users.js

const express = require('express');
const { authenticate } = require('../middleware/auth');
const { prisma } = require('../utils/db');
const { updateProfile, changePassword } = require('../controllers/user');
const { updateProfileValidation, changePasswordValidation } = require('../middleware/validators');

const router = express.Router();

// GET /api/users/me - Get current authenticated user
router.get('/me', authenticate, async (req, res, next) => {
  try {
    // req.user is set by authenticate middleware
    const user = await prisma.user.findUnique({
      where: { id: req.user.id },
      select: {
        id: true,
        username: true,
        email: true,
        emailVerified: true,
        firstName: true,
        lastName: true,
        wsdcId: true,
        youtubeUrl: true,
        instagramUrl: true,
        facebookUrl: true,
        tiktokUrl: true,
        avatar: true,
        createdAt: true,
        updatedAt: true,
        _count: {
          select: {
            matchesAsUser1: true,
            matchesAsUser2: true,
            ratingsReceived: true,
          },
        },
      },
    });

    if (!user) {
      return res.status(404).json({
        success: false,
        error: 'User not found',
      });
    }

    // Calculate total matches
    const totalMatches = user._count.matchesAsUser1 + user._count.matchesAsUser2;

    // Calculate average rating
    const ratings = await prisma.rating.findMany({
      where: { ratedId: user.id },
      select: { score: true },
    });

    const averageRating = ratings.length > 0
      ? ratings.reduce((sum, r) => sum + r.score, 0) / ratings.length
      : 0;

    res.json({
      success: true,
      data: {
        ...user,
        stats: {
          matchesCount: totalMatches,
          ratingsCount: user._count.ratingsReceived,
          rating: averageRating.toFixed(1),
        },
      },
    });
  } catch (error) {
    next(error);
  }
});

// PATCH /api/users/me - Update user profile
router.patch('/me', authenticate, updateProfileValidation, updateProfile);

// PATCH /api/users/me/password - Change password
router.patch('/me/password', authenticate, changePasswordValidation, changePassword);

module.exports = router;
feat: add JWT authentication with complete test coverage Phase 1 - Step 3: Authentication API Backend Authentication: - bcryptjs for password hashing (salt rounds: 10) - JWT tokens with 24h expiration - Secure password storage (never expose passwordHash) API Endpoints: - POST /api/auth/register - User registration - Username validation (3-50 chars, alphanumeric + underscore) - Email validation and normalization - Password validation (min 6 chars) - Duplicate email/username detection - Auto-generated avatar (ui-avatars.com) - POST /api/auth/login - User authentication - Email + password credentials - Returns JWT token + user data - Invalid credentials protection - GET /api/users/me - Get current user (protected) - Requires valid JWT token - Returns user data + stats (matches, ratings) - Token validation via middleware Security Features: - express-validator for input sanitization - Auth middleware for protected routes - Token verification (Bearer token) - Password never returned in responses - Proper error messages (no information leakage) Frontend Integration: - API service layer (frontend/src/services/api.js) - Updated AuthContext to use real API - Token storage in localStorage - Automatic token inclusion in requests - Error handling for expired/invalid tokens Unit Tests (30 tests, 78.26% coverage): Auth Endpoints (14 tests): - ✅ Register: success, duplicate email, duplicate username - ✅ Register validation: invalid email, short password, short username - ✅ Login: success, wrong password, non-existent user, invalid format - ✅ Protected route: valid token, no token, invalid token, malformed header Auth Utils (9 tests): - ✅ Password hashing and comparison - ✅ Different hashes for same password - ✅ JWT generation and verification - ✅ Token expiration validation - ✅ Invalid token handling All tests passing ✅ Coverage: 78.26% ✅ 2025-11-12 22:16:14 +01:00			`const express = require('express');`
			`const { authenticate } = require('../middleware/auth');`
			`const { prisma } = require('../utils/db');`
feat: add user profile editing with email re-verification Backend changes: - Add PATCH /api/users/me endpoint for profile updates (firstName, lastName, email) - Add PATCH /api/users/me/password endpoint for password change - Email change triggers re-verification flow (emailVerified=false, new verification token/code) - Send verification email automatically on email change - Return new JWT token when email changes (to update emailVerified status) - Add validation for profile update and password change - Create user controller with updateProfile and changePassword functions Frontend changes: - Add ProfilePage with tabbed interface (Profile & Password tabs) - Profile tab: Edit firstName, lastName, email - Password tab: Change password (requires current password) - Add Profile link to navigation bar - Add authAPI.updateProfile() and authAPI.changePassword() functions - Update AuthContext user data when profile is updated - Display success/error messages for profile and password updates Security: - Username cannot be changed (permanent identifier) - Email uniqueness validation - Password change requires current password - Email change forces re-verification to prevent hijacking User flow: 1. User edits profile and changes email 2. Backend sets emailVerified=false and generates new verification tokens 3. Verification email sent to new address 4. User must verify new email to access all features 5. Banner appears until email is verified 2025-11-13 20:26:49 +01:00			`const { updateProfile, changePassword } = require('../controllers/user');`
			`const { updateProfileValidation, changePasswordValidation } = require('../middleware/validators');`
feat: add JWT authentication with complete test coverage Phase 1 - Step 3: Authentication API Backend Authentication: - bcryptjs for password hashing (salt rounds: 10) - JWT tokens with 24h expiration - Secure password storage (never expose passwordHash) API Endpoints: - POST /api/auth/register - User registration - Username validation (3-50 chars, alphanumeric + underscore) - Email validation and normalization - Password validation (min 6 chars) - Duplicate email/username detection - Auto-generated avatar (ui-avatars.com) - POST /api/auth/login - User authentication - Email + password credentials - Returns JWT token + user data - Invalid credentials protection - GET /api/users/me - Get current user (protected) - Requires valid JWT token - Returns user data + stats (matches, ratings) - Token validation via middleware Security Features: - express-validator for input sanitization - Auth middleware for protected routes - Token verification (Bearer token) - Password never returned in responses - Proper error messages (no information leakage) Frontend Integration: - API service layer (frontend/src/services/api.js) - Updated AuthContext to use real API - Token storage in localStorage - Automatic token inclusion in requests - Error handling for expired/invalid tokens Unit Tests (30 tests, 78.26% coverage): Auth Endpoints (14 tests): - ✅ Register: success, duplicate email, duplicate username - ✅ Register validation: invalid email, short password, short username - ✅ Login: success, wrong password, non-existent user, invalid format - ✅ Protected route: valid token, no token, invalid token, malformed header Auth Utils (9 tests): - ✅ Password hashing and comparison - ✅ Different hashes for same password - ✅ JWT generation and verification - ✅ Token expiration validation - ✅ Invalid token handling All tests passing ✅ Coverage: 78.26% ✅ 2025-11-12 22:16:14 +01:00
			`const router = express.Router();`

			`// GET /api/users/me - Get current authenticated user`
			`router.get('/me', authenticate, async (req, res, next) => {`
			`try {`
			`// req.user is set by authenticate middleware`
			`const user = await prisma.user.findUnique({`
			`where: { id: req.user.id },`
			`select: {`
			`id: true,`
			`username: true,`
			`email: true,`
fix: include emailVerified field in /api/users/me endpoint The verification banner was reappearing after login/refresh because the /api/users/me endpoint was not returning the emailVerified field. This ensures the frontend always has access to the current email verification status when loading user data. 2025-11-13 19:03:39 +01:00			`emailVerified: true,`
fix: profile page form pre-population and WSDC ID editing - Add useEffect to pre-fill profile form with current user data - Add WSDC ID field to profile edit form with numeric validation - Update backend to accept wsdcId in profile updates with null handling - Add wsdcId validation to updateProfileValidation middleware - Include firstName, lastName, wsdcId in GET /api/users/me response Fixes issue where profile inputs were empty on page load and allows users to update their WSDC ID. 2025-11-13 20:38:36 +01:00			`firstName: true,`
			`lastName: true,`
			`wsdcId: true,`
feat: add social media links to user profile - Add YouTube, Instagram, Facebook, and TikTok URL fields to User model - Create database migration for social media link columns - Add custom validators to ensure URLs contain correct domains - Update profile page with social media input fields - Include social media URLs in GET /api/users/me response - Add icons for each social platform in the UI Users can now add links to their social media profiles. Each field validates that the URL contains the appropriate domain (e.g., instagram.com for Instagram, youtube.com/youtu.be for YouTube). 2025-11-13 20:47:57 +01:00			`youtubeUrl: true,`
			`instagramUrl: true,`
			`facebookUrl: true,`
			`tiktokUrl: true,`
feat: add JWT authentication with complete test coverage Phase 1 - Step 3: Authentication API Backend Authentication: - bcryptjs for password hashing (salt rounds: 10) - JWT tokens with 24h expiration - Secure password storage (never expose passwordHash) API Endpoints: - POST /api/auth/register - User registration - Username validation (3-50 chars, alphanumeric + underscore) - Email validation and normalization - Password validation (min 6 chars) - Duplicate email/username detection - Auto-generated avatar (ui-avatars.com) - POST /api/auth/login - User authentication - Email + password credentials - Returns JWT token + user data - Invalid credentials protection - GET /api/users/me - Get current user (protected) - Requires valid JWT token - Returns user data + stats (matches, ratings) - Token validation via middleware Security Features: - express-validator for input sanitization - Auth middleware for protected routes - Token verification (Bearer token) - Password never returned in responses - Proper error messages (no information leakage) Frontend Integration: - API service layer (frontend/src/services/api.js) - Updated AuthContext to use real API - Token storage in localStorage - Automatic token inclusion in requests - Error handling for expired/invalid tokens Unit Tests (30 tests, 78.26% coverage): Auth Endpoints (14 tests): - ✅ Register: success, duplicate email, duplicate username - ✅ Register validation: invalid email, short password, short username - ✅ Login: success, wrong password, non-existent user, invalid format - ✅ Protected route: valid token, no token, invalid token, malformed header Auth Utils (9 tests): - ✅ Password hashing and comparison - ✅ Different hashes for same password - ✅ JWT generation and verification - ✅ Token expiration validation - ✅ Invalid token handling All tests passing ✅ Coverage: 78.26% ✅ 2025-11-12 22:16:14 +01:00			`avatar: true,`
			`createdAt: true,`
			`updatedAt: true,`
			`_count: {`
			`select: {`
			`matchesAsUser1: true,`
			`matchesAsUser2: true,`
			`ratingsReceived: true,`
			`},`
			`},`
			`},`
			`});`

			`if (!user) {`
			`return res.status(404).json({`
			`success: false,`
			`error: 'User not found',`
			`});`
			`}`

			`// Calculate total matches`
			`const totalMatches = user._count.matchesAsUser1 + user._count.matchesAsUser2;`

			`// Calculate average rating`
			`const ratings = await prisma.rating.findMany({`
			`where: { ratedId: user.id },`
			`select: { score: true },`
			`});`

			`const averageRating = ratings.length > 0`
			`? ratings.reduce((sum, r) => sum + r.score, 0) / ratings.length`
			`: 0;`

			`res.json({`
			`success: true,`
			`data: {`
			`...user,`
			`stats: {`
			`matchesCount: totalMatches,`
			`ratingsCount: user._count.ratingsReceived,`
			`rating: averageRating.toFixed(1),`
			`},`
			`},`
			`});`
			`} catch (error) {`
			`next(error);`
			`}`
			`});`

feat: add user profile editing with email re-verification Backend changes: - Add PATCH /api/users/me endpoint for profile updates (firstName, lastName, email) - Add PATCH /api/users/me/password endpoint for password change - Email change triggers re-verification flow (emailVerified=false, new verification token/code) - Send verification email automatically on email change - Return new JWT token when email changes (to update emailVerified status) - Add validation for profile update and password change - Create user controller with updateProfile and changePassword functions Frontend changes: - Add ProfilePage with tabbed interface (Profile & Password tabs) - Profile tab: Edit firstName, lastName, email - Password tab: Change password (requires current password) - Add Profile link to navigation bar - Add authAPI.updateProfile() and authAPI.changePassword() functions - Update AuthContext user data when profile is updated - Display success/error messages for profile and password updates Security: - Username cannot be changed (permanent identifier) - Email uniqueness validation - Password change requires current password - Email change forces re-verification to prevent hijacking User flow: 1. User edits profile and changes email 2. Backend sets emailVerified=false and generates new verification tokens 3. Verification email sent to new address 4. User must verify new email to access all features 5. Banner appears until email is verified 2025-11-13 20:26:49 +01:00			`// PATCH /api/users/me - Update user profile`
			`router.patch('/me', authenticate, updateProfileValidation, updateProfile);`

			`// PATCH /api/users/me/password - Change password`
			`router.patch('/me/password', authenticate, changePasswordValidation, changePassword);`

feat: add JWT authentication with complete test coverage Phase 1 - Step 3: Authentication API Backend Authentication: - bcryptjs for password hashing (salt rounds: 10) - JWT tokens with 24h expiration - Secure password storage (never expose passwordHash) API Endpoints: - POST /api/auth/register - User registration - Username validation (3-50 chars, alphanumeric + underscore) - Email validation and normalization - Password validation (min 6 chars) - Duplicate email/username detection - Auto-generated avatar (ui-avatars.com) - POST /api/auth/login - User authentication - Email + password credentials - Returns JWT token + user data - Invalid credentials protection - GET /api/users/me - Get current user (protected) - Requires valid JWT token - Returns user data + stats (matches, ratings) - Token validation via middleware Security Features: - express-validator for input sanitization - Auth middleware for protected routes - Token verification (Bearer token) - Password never returned in responses - Proper error messages (no information leakage) Frontend Integration: - API service layer (frontend/src/services/api.js) - Updated AuthContext to use real API - Token storage in localStorage - Automatic token inclusion in requests - Error handling for expired/invalid tokens Unit Tests (30 tests, 78.26% coverage): Auth Endpoints (14 tests): - ✅ Register: success, duplicate email, duplicate username - ✅ Register validation: invalid email, short password, short username - ✅ Login: success, wrong password, non-existent user, invalid format - ✅ Protected route: valid token, no token, invalid token, malformed header Auth Utils (9 tests): - ✅ Password hashing and comparison - ✅ Different hashes for same password - ✅ JWT generation and verification - ✅ Token expiration validation - ✅ Invalid token handling All tests passing ✅ Coverage: 78.26% ✅ 2025-11-12 22:16:14 +01:00			`module.exports = router;`