Radosław Gierwiało
3788274f73
feat: add JWT authentication with complete test coverage
...
Phase 1 - Step 3: Authentication API
**Backend Authentication:**
- bcryptjs for password hashing (salt rounds: 10)
- JWT tokens with 24h expiration
- Secure password storage (never expose passwordHash)
**API Endpoints:**
- POST /api/auth/register - User registration
- Username validation (3-50 chars, alphanumeric + underscore)
- Email validation and normalization
- Password validation (min 6 chars)
- Duplicate email/username detection
- Auto-generated avatar (ui-avatars.com)
- POST /api/auth/login - User authentication
- Email + password credentials
- Returns JWT token + user data
- Invalid credentials protection
- GET /api/users/me - Get current user (protected)
- Requires valid JWT token
- Returns user data + stats (matches, ratings)
- Token validation via middleware
**Security Features:**
- express-validator for input sanitization
- Auth middleware for protected routes
- Token verification (Bearer token)
- Password never returned in responses
- Proper error messages (no information leakage)
**Frontend Integration:**
- API service layer (frontend/src/services/api.js)
- Updated AuthContext to use real API
- Token storage in localStorage
- Automatic token inclusion in requests
- Error handling for expired/invalid tokens
**Unit Tests (30 tests, 78.26% coverage):**
Auth Endpoints (14 tests):
- ✅ Register: success, duplicate email, duplicate username
- ✅ Register validation: invalid email, short password, short username
- ✅ Login: success, wrong password, non-existent user, invalid format
- ✅ Protected route: valid token, no token, invalid token, malformed header
Auth Utils (9 tests):
- ✅ Password hashing and comparison
- ✅ Different hashes for same password
- ✅ JWT generation and verification
- ✅ Token expiration validation
- ✅ Invalid token handling
All tests passing ✅
Coverage: 78.26% ✅
2025-11-12 22:16:14 +01:00
