2025-11-15 18:03:40 +01:00
|
|
|
// Use relative URL - works for both dev (localhost:8080) and prod (localhost)
|
|
|
|
|
// Nginx proxies /api to backend
|
|
|
|
|
const API_URL = '/api';
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
|
|
|
|
|
class ApiError extends Error {
|
|
|
|
|
constructor(message, status, data) {
|
|
|
|
|
super(message);
|
|
|
|
|
this.name = 'ApiError';
|
|
|
|
|
this.status = status;
|
|
|
|
|
this.data = data;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-11-19 20:16:05 +01:00
|
|
|
// CSRF Token Management (Phase 3 - Security Hardening)
|
|
|
|
|
let csrfToken = null;
|
|
|
|
|
|
|
|
|
|
async function getCsrfToken() {
|
|
|
|
|
if (csrfToken) return csrfToken;
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
const response = await fetch(`${API_URL}/csrf-token`, {
|
|
|
|
|
credentials: 'include', // Important for cookies
|
|
|
|
|
});
|
|
|
|
|
const data = await response.json();
|
|
|
|
|
csrfToken = data.csrfToken;
|
|
|
|
|
return csrfToken;
|
|
|
|
|
} catch (error) {
|
|
|
|
|
console.warn('Failed to fetch CSRF token:', error);
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Reset CSRF token (call this on 403 CSRF errors)
|
|
|
|
|
function resetCsrfToken() {
|
|
|
|
|
csrfToken = null;
|
|
|
|
|
}
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
async function fetchAPI(endpoint, options = {}) {
|
|
|
|
|
const url = `${API_URL}${endpoint}`;
|
|
|
|
|
|
|
|
|
|
const config = {
|
|
|
|
|
...options,
|
2025-11-19 20:16:05 +01:00
|
|
|
credentials: 'include', // Include cookies for CSRF
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
headers: {
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
...options.headers,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Add auth token if available
|
|
|
|
|
const token = localStorage.getItem('token');
|
|
|
|
|
if (token) {
|
|
|
|
|
config.headers['Authorization'] = `Bearer ${token}`;
|
|
|
|
|
}
|
|
|
|
|
|
2025-11-19 20:16:05 +01:00
|
|
|
// Add CSRF token for state-changing requests (Phase 3)
|
|
|
|
|
if (['POST', 'PUT', 'DELETE', 'PATCH'].includes(options.method?.toUpperCase())) {
|
|
|
|
|
const csrf = await getCsrfToken();
|
|
|
|
|
if (csrf) {
|
|
|
|
|
config.headers['X-CSRF-Token'] = csrf;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
try {
|
|
|
|
|
const response = await fetch(url, config);
|
2025-11-13 15:59:01 +01:00
|
|
|
|
|
|
|
|
// Check if response is JSON before parsing
|
|
|
|
|
const contentType = response.headers.get('content-type');
|
|
|
|
|
if (!contentType || !contentType.includes('application/json')) {
|
|
|
|
|
throw new ApiError(
|
|
|
|
|
'Server returned non-JSON response',
|
|
|
|
|
response.status,
|
|
|
|
|
{ message: 'The server is not responding correctly. Please try again later.' }
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
const data = await response.json();
|
|
|
|
|
|
|
|
|
|
if (!response.ok) {
|
2025-11-19 20:16:05 +01:00
|
|
|
// Handle CSRF token errors (Phase 3)
|
|
|
|
|
if (response.status === 403 && data.error === 'Invalid CSRF token') {
|
|
|
|
|
resetCsrfToken();
|
|
|
|
|
// Retry the request once with a fresh CSRF token
|
|
|
|
|
if (!options._csrfRetry) {
|
|
|
|
|
return fetchAPI(endpoint, { ...options, _csrfRetry: true });
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
throw new ApiError(
|
|
|
|
|
data.error || 'API request failed',
|
|
|
|
|
response.status,
|
|
|
|
|
data
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return data;
|
|
|
|
|
} catch (error) {
|
|
|
|
|
if (error instanceof ApiError) {
|
|
|
|
|
throw error;
|
|
|
|
|
}
|
2025-11-13 15:59:01 +01:00
|
|
|
// Handle JSON parsing errors
|
|
|
|
|
if (error instanceof SyntaxError) {
|
|
|
|
|
throw new ApiError(
|
|
|
|
|
'Invalid server response',
|
|
|
|
|
0,
|
|
|
|
|
{ message: 'The server returned an invalid response. Please check if the server is running.' }
|
|
|
|
|
);
|
|
|
|
|
}
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
throw new ApiError('Network error', 0, { message: error.message });
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Auth API
|
|
|
|
|
export const authAPI = {
|
feat: add email verification, password reset, and WSDC integration (Phase 1.5)
Backend features:
- AWS SES email service with HTML templates
- Email verification with dual method (link + 6-digit PIN code)
- Password reset workflow with secure tokens
- WSDC API proxy for dancer lookup and auto-fill registration
- Extended User model with verification and WSDC fields
- Email verification middleware for protected routes
Frontend features:
- Two-step registration with WSDC ID lookup
- Password strength indicator component
- Email verification page with code input
- Password reset flow (request + reset pages)
- Verification banner for unverified users
- Updated authentication context and API service
Testing:
- 65 unit tests with 100% coverage of new features
- Tests for auth utils, email service, WSDC controller, and middleware
- Integration tests for full authentication flows
- Comprehensive mocking of AWS SES and external APIs
Database:
- Migration: add WSDC fields (firstName, lastName, wsdcId)
- Migration: add email verification fields (token, code, expiry)
- Migration: add password reset fields (token, expiry)
Documentation:
- Complete Phase 1.5 documentation
- Test suite documentation and best practices
- Updated session context with new features
2025-11-13 15:47:54 +01:00
|
|
|
async register(username, email, password, firstName = null, lastName = null, wsdcId = null) {
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
const data = await fetchAPI('/auth/register', {
|
|
|
|
|
method: 'POST',
|
feat: add email verification, password reset, and WSDC integration (Phase 1.5)
Backend features:
- AWS SES email service with HTML templates
- Email verification with dual method (link + 6-digit PIN code)
- Password reset workflow with secure tokens
- WSDC API proxy for dancer lookup and auto-fill registration
- Extended User model with verification and WSDC fields
- Email verification middleware for protected routes
Frontend features:
- Two-step registration with WSDC ID lookup
- Password strength indicator component
- Email verification page with code input
- Password reset flow (request + reset pages)
- Verification banner for unverified users
- Updated authentication context and API service
Testing:
- 65 unit tests with 100% coverage of new features
- Tests for auth utils, email service, WSDC controller, and middleware
- Integration tests for full authentication flows
- Comprehensive mocking of AWS SES and external APIs
Database:
- Migration: add WSDC fields (firstName, lastName, wsdcId)
- Migration: add email verification fields (token, code, expiry)
- Migration: add password reset fields (token, expiry)
Documentation:
- Complete Phase 1.5 documentation
- Test suite documentation and best practices
- Updated session context with new features
2025-11-13 15:47:54 +01:00
|
|
|
body: JSON.stringify({ username, email, password, firstName, lastName, wsdcId }),
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Save token
|
|
|
|
|
if (data.data.token) {
|
|
|
|
|
localStorage.setItem('token', data.data.token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async login(email, password) {
|
|
|
|
|
const data = await fetchAPI('/auth/login', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email, password }),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Save token
|
|
|
|
|
if (data.data.token) {
|
|
|
|
|
localStorage.setItem('token', data.data.token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async getCurrentUser() {
|
|
|
|
|
const data = await fetchAPI('/users/me');
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
feat: add email verification, password reset, and WSDC integration (Phase 1.5)
Backend features:
- AWS SES email service with HTML templates
- Email verification with dual method (link + 6-digit PIN code)
- Password reset workflow with secure tokens
- WSDC API proxy for dancer lookup and auto-fill registration
- Extended User model with verification and WSDC fields
- Email verification middleware for protected routes
Frontend features:
- Two-step registration with WSDC ID lookup
- Password strength indicator component
- Email verification page with code input
- Password reset flow (request + reset pages)
- Verification banner for unverified users
- Updated authentication context and API service
Testing:
- 65 unit tests with 100% coverage of new features
- Tests for auth utils, email service, WSDC controller, and middleware
- Integration tests for full authentication flows
- Comprehensive mocking of AWS SES and external APIs
Database:
- Migration: add WSDC fields (firstName, lastName, wsdcId)
- Migration: add email verification fields (token, code, expiry)
- Migration: add password reset fields (token, expiry)
Documentation:
- Complete Phase 1.5 documentation
- Test suite documentation and best practices
- Updated session context with new features
2025-11-13 15:47:54 +01:00
|
|
|
async verifyEmailByToken(token) {
|
|
|
|
|
const data = await fetchAPI(`/auth/verify-email?token=${token}`);
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async verifyEmailByCode(email, code) {
|
|
|
|
|
const data = await fetchAPI('/auth/verify-code', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email, code }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async resendVerification(email) {
|
|
|
|
|
const data = await fetchAPI('/auth/resend-verification', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async requestPasswordReset(email) {
|
|
|
|
|
const data = await fetchAPI('/auth/request-password-reset', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ email }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async resetPassword(token, newPassword) {
|
|
|
|
|
const data = await fetchAPI('/auth/reset-password', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ token, newPassword }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
2025-11-13 20:26:49 +01:00
|
|
|
async updateProfile(profileData) {
|
|
|
|
|
const data = await fetchAPI('/users/me', {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify(profileData),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Update token if it was returned (email changed)
|
|
|
|
|
if (data.data?.token) {
|
|
|
|
|
localStorage.setItem('token', data.data.token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async changePassword(currentPassword, newPassword) {
|
|
|
|
|
const data = await fetchAPI('/users/me/password', {
|
|
|
|
|
method: 'PATCH',
|
|
|
|
|
body: JSON.stringify({ currentPassword, newPassword }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
2025-11-13 21:03:37 +01:00
|
|
|
async getUserByUsername(username) {
|
|
|
|
|
const data = await fetchAPI(`/users/${username}`);
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
logout() {
|
|
|
|
|
localStorage.removeItem('token');
|
|
|
|
|
localStorage.removeItem('user');
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
feat: add email verification, password reset, and WSDC integration (Phase 1.5)
Backend features:
- AWS SES email service with HTML templates
- Email verification with dual method (link + 6-digit PIN code)
- Password reset workflow with secure tokens
- WSDC API proxy for dancer lookup and auto-fill registration
- Extended User model with verification and WSDC fields
- Email verification middleware for protected routes
Frontend features:
- Two-step registration with WSDC ID lookup
- Password strength indicator component
- Email verification page with code input
- Password reset flow (request + reset pages)
- Verification banner for unverified users
- Updated authentication context and API service
Testing:
- 65 unit tests with 100% coverage of new features
- Tests for auth utils, email service, WSDC controller, and middleware
- Integration tests for full authentication flows
- Comprehensive mocking of AWS SES and external APIs
Database:
- Migration: add WSDC fields (firstName, lastName, wsdcId)
- Migration: add email verification fields (token, code, expiry)
- Migration: add password reset fields (token, expiry)
Documentation:
- Complete Phase 1.5 documentation
- Test suite documentation and best practices
- Updated session context with new features
2025-11-13 15:47:54 +01:00
|
|
|
// WSDC API (Phase 1.5)
|
|
|
|
|
export const wsdcAPI = {
|
|
|
|
|
async lookupDancer(wsdcId) {
|
|
|
|
|
const data = await fetchAPI(`/wsdc/lookup?id=${wsdcId}`);
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
// Events API
|
|
|
|
|
export const eventsAPI = {
|
|
|
|
|
async getAll() {
|
|
|
|
|
const data = await fetchAPI('/events');
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
2025-11-13 21:43:58 +01:00
|
|
|
async getBySlug(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}`);
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
return data.data;
|
|
|
|
|
},
|
2025-11-13 20:16:58 +01:00
|
|
|
|
2025-11-13 21:43:58 +01:00
|
|
|
async getMessages(slug, before = null, limit = 20) {
|
2025-11-13 20:16:58 +01:00
|
|
|
const params = new URLSearchParams({ limit: limit.toString() });
|
|
|
|
|
if (before) {
|
|
|
|
|
params.append('before', before.toString());
|
|
|
|
|
}
|
2025-11-13 21:43:58 +01:00
|
|
|
const data = await fetchAPI(`/events/${slug}/messages?${params}`);
|
2025-11-13 20:16:58 +01:00
|
|
|
return data;
|
|
|
|
|
},
|
2025-11-14 14:11:24 +01:00
|
|
|
|
|
|
|
|
async getDetails(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/details`);
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async checkin(token) {
|
|
|
|
|
const data = await fetchAPI(`/events/checkin/${token}`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async leave(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/leave`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
};
|
|
|
|
|
|
2025-11-14 17:34:15 +01:00
|
|
|
// Divisions API (Phase 1.6)
|
|
|
|
|
export const divisionsAPI = {
|
|
|
|
|
async getAll() {
|
|
|
|
|
const data = await fetchAPI('/divisions');
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Competition Types API (Phase 1.6)
|
|
|
|
|
export const competitionTypesAPI = {
|
|
|
|
|
async getAll() {
|
|
|
|
|
const data = await fetchAPI('/competition-types');
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Heats API (Phase 1.6)
|
|
|
|
|
export const heatsAPI = {
|
|
|
|
|
async saveHeats(slug, heats) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/heats`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ heats }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async getMyHeats(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/heats/me`);
|
2025-11-23 17:55:25 +01:00
|
|
|
// Returns { data: heats[], competitorNumber: number|null }
|
|
|
|
|
return data;
|
2025-11-14 17:34:15 +01:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async getAllHeats(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/heats/all`);
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async deleteHeat(slug, heatId) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/heats/${heatId}`, {
|
|
|
|
|
method: 'DELETE',
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
2025-11-23 17:55:25 +01:00
|
|
|
|
|
|
|
|
async setCompetitorNumber(slug, competitorNumber) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/competitor-number`, {
|
|
|
|
|
method: 'PUT',
|
|
|
|
|
body: JSON.stringify({ competitorNumber }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
2025-11-14 17:34:15 +01:00
|
|
|
};
|
|
|
|
|
|
2025-11-14 19:22:23 +01:00
|
|
|
// Matches API (Phase 2)
|
|
|
|
|
export const matchesAPI = {
|
|
|
|
|
async createMatch(targetUserId, eventSlug) {
|
|
|
|
|
const data = await fetchAPI('/matches', {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ targetUserId, eventSlug }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
async getMatches(eventSlug = null, status = null) {
|
|
|
|
|
const params = new URLSearchParams();
|
|
|
|
|
if (eventSlug) params.append('eventSlug', eventSlug);
|
|
|
|
|
if (status) params.append('status', status);
|
|
|
|
|
|
|
|
|
|
const queryString = params.toString();
|
|
|
|
|
const endpoint = queryString ? `/matches?${queryString}` : '/matches';
|
|
|
|
|
|
|
|
|
|
const data = await fetchAPI(endpoint);
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
2025-11-14 22:22:11 +01:00
|
|
|
async getMatch(matchSlug) {
|
|
|
|
|
const data = await fetchAPI(`/matches/${matchSlug}`);
|
2025-11-14 19:22:23 +01:00
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
2025-11-14 22:22:11 +01:00
|
|
|
async acceptMatch(matchSlug) {
|
|
|
|
|
const data = await fetchAPI(`/matches/${matchSlug}/accept`, {
|
2025-11-14 19:22:23 +01:00
|
|
|
method: 'PUT',
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
|
2025-11-14 22:22:11 +01:00
|
|
|
async deleteMatch(matchSlug) {
|
|
|
|
|
const data = await fetchAPI(`/matches/${matchSlug}`, {
|
2025-11-14 19:22:23 +01:00
|
|
|
method: 'DELETE',
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
2025-11-14 22:22:11 +01:00
|
|
|
|
|
|
|
|
async getMatchMessages(matchSlug) {
|
|
|
|
|
const data = await fetchAPI(`/matches/${matchSlug}/messages`);
|
|
|
|
|
return data;
|
|
|
|
|
},
|
2025-11-14 22:35:32 +01:00
|
|
|
|
|
|
|
|
async createRating(matchSlug, { score, comment, wouldCollaborateAgain }) {
|
|
|
|
|
const data = await fetchAPI(`/matches/${matchSlug}/ratings`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
body: JSON.stringify({ score, comment, wouldCollaborateAgain }),
|
|
|
|
|
});
|
|
|
|
|
return data;
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Ratings API
|
|
|
|
|
export const ratingsAPI = {
|
|
|
|
|
async getUserRatings(username) {
|
|
|
|
|
const data = await fetchAPI(`/users/${username}/ratings`);
|
|
|
|
|
return data;
|
|
|
|
|
},
|
2025-11-14 19:22:23 +01:00
|
|
|
};
|
|
|
|
|
|
2025-11-21 21:12:25 +01:00
|
|
|
// Dashboard API
|
|
|
|
|
export const dashboardAPI = {
|
|
|
|
|
async getData() {
|
|
|
|
|
const data = await fetchAPI('/dashboard');
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
2025-11-23 18:50:35 +01:00
|
|
|
// Recording Matching API (Auto-matching for recording partners)
|
|
|
|
|
export const matchingAPI = {
|
|
|
|
|
// Get match suggestions for current user
|
|
|
|
|
async getSuggestions(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/match-suggestions`);
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Run matching algorithm (admin/trigger)
|
|
|
|
|
async runMatching(slug) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/run-matching`, {
|
|
|
|
|
method: 'POST',
|
|
|
|
|
});
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Accept or reject a suggestion
|
|
|
|
|
async updateSuggestionStatus(slug, suggestionId, status) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/match-suggestions/${suggestionId}/status`, {
|
|
|
|
|
method: 'PUT',
|
|
|
|
|
body: JSON.stringify({ status }),
|
|
|
|
|
});
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Set recorder opt-out preference
|
|
|
|
|
async setRecorderOptOut(slug, optOut) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/recorder-opt-out`, {
|
|
|
|
|
method: 'PUT',
|
|
|
|
|
body: JSON.stringify({ optOut }),
|
|
|
|
|
});
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Set registration deadline (admin)
|
|
|
|
|
async setRegistrationDeadline(slug, deadline) {
|
|
|
|
|
const data = await fetchAPI(`/events/${slug}/registration-deadline`, {
|
|
|
|
|
method: 'PUT',
|
|
|
|
|
body: JSON.stringify({ registrationDeadline: deadline }),
|
|
|
|
|
});
|
|
|
|
|
return data.data;
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
feat: add JWT authentication with complete test coverage
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
|
|
|
export { ApiError };
|