finish auth application#248
Conversation
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
You've built a solid foundation for the authentication system, and the registration and activation flows are a great start. However, this submission is missing several core features required by the task, so I am requesting a few changes before approval.
Specifically, the following functionalities need to be implemented:
- The complete logout and password reset flows.
- Endpoints for users to update their profile (name, email, and password).
- Password validation during registration to enforce complexity rules.
- Redirects to the profile page after a successful login and account activation. Instead of sending a token or text response in
src/controllers/auth.controller.js, you should useres.redirect('/profile')as required.
You can add the new logic in src/controllers/auth.controller.js and the corresponding routes in src/routes/auth.routes.js. Once these features are in place, the application will be complete. Keep up the great work!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
| if (!name || !email || !password) { | ||
| return res.status(400).send('Missing fields'); | ||
| } |
There was a problem hiding this comment.
According to the requirements, you need to check the password against defined rules. This validation is missing. It's also a good practice to check if a user with the provided email already exists to prevent duplicate accounts.
src/controllers/auth.controller.js
Outdated
| user.isActive = true; | ||
| delete user.activationToken; | ||
|
|
||
| res.send('Account activated'); |
There was a problem hiding this comment.
The task requires redirecting the user to the Profile page after account activation. Instead of sending a text response, you should perform a redirect, for example, by using res.redirect('/profile').
src/controllers/auth.controller.js
Outdated
| expiresIn: '1d', | ||
| }); | ||
|
|
||
| res.send({ token }); |
There was a problem hiding this comment.
The requirements state that the user should be redirected to the profile page after a successful login. Returning a token is a common practice for APIs, but for this task, a server-side redirect is expected.
| module.exports = { | ||
| register, | ||
| activate, | ||
| login, | ||
| profile, |
There was a problem hiding this comment.
This controller is missing several required functionalities:
- A
logoutfunction. - A complete
password resetflow (requesting and confirming). - Endpoints for updating the user's profile (name, password, and email).
| return res.status(401).send('Unauthorized'); | ||
| } | ||
|
|
||
| const token = header.split(' ')[1]; |
There was a problem hiding this comment.
The Authorization header is expected to be in the format Bearer <token>. This line assumes there will always be a space and the token will be the second element. It would be more robust to check for the Bearer scheme and ensure a token exists before attempting to use it.
| router.post('/register', register); | ||
|
|
||
| router.get('/activate/:token', activate); | ||
|
|
||
| router.post('/login', login); | ||
|
|
||
| router.get('/profile', authMiddleware, profile); |
There was a problem hiding this comment.
This router is missing endpoints for several required features. Based on the task description, you need to add routes for:
- Logout
- Password reset
- Profile updates (changing name, password, and email)
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Excellent work on implementing the core features! The application is very close to completion. I'm requesting a few changes to fully align with the project requirements and improve consistency.
Here are the key points to address in src/controllers/auth.controller.js:
- Registration Response: The registration endpoint sends back the entire
userobject, which exposes sensitive data like the password hash. Please change this to send a simple confirmation message, for example:res.status(201).send('Registration successful. Please check your email for the activation link.'); - Password Reset Flow: The password reset endpoints currently return plain text. The requirements specify showing an "email sent" page and a "success page." Please adjust these to send a response that helps the frontend render the correct pages, which is a more user-friendly approach.
- User Enumeration Vulnerability: The
requestPasswordResetfunction returns a 'User not found' error if the email doesn't exist. To prevent attackers from guessing registered emails, it's a security best practice to always return a generic success message, regardless of whether the user exists.
You've made great progress. Once these adjustments are made, the project will be complete!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
src/controllers/auth.controller.js
Outdated
|
|
||
| await sendActivationEmail(email, activationToken); | ||
|
|
||
| res.status(201).send(user); |
There was a problem hiding this comment.
The response for a successful registration should guide the user on the next step. Sending back the entire user object is inconsistent with other flows (like login or activation which redirect) and also exposes sensitive information like the password hash.
A better approach would be to send a clear message, for example:
res.status(201).send('Registration successful. Please check your email for the activation link.');
src/controllers/auth.controller.js
Outdated
| if (!user) { | ||
| return res.status(404).send('User not found'); | ||
| } |
There was a problem hiding this comment.
Returning a 'User not found' error here can lead to a security issue known as user enumeration, where an attacker could guess which email addresses are registered. It's a best practice to always return the same generic success message, regardless of whether the user exists or not. The email-sending logic should, of course, only run if the user is found.
src/controllers/auth.controller.js
Outdated
| user.password = await bcrypt.hash(password, 10); | ||
| delete user.resetToken; | ||
|
|
||
| res.send('Password updated'); |
There was a problem hiding this comment.
While this response is correct, the requirement mentions showing a "Success page with a link to login". To better support the frontend in creating this page, consider sending a more descriptive response. For instance, a JSON object could provide both a message and the login path:
res.json({
message: 'Password has been successfully reset.',
loginLink: '/login'
});| 'use strict'; | ||
|
|
||
| const jwt = require('jsonwebtoken'); | ||
|
|
||
| const authMiddleware = (req, res, next) => { | ||
| const header = req.headers.authorization; | ||
|
|
||
| if (!header) { | ||
| return res.status(401).send('Unauthorized'); | ||
| } | ||
|
|
||
| const token = header.split(' ')[1]; | ||
|
|
||
| try { | ||
| const user = jwt.verify(token, 'secret'); | ||
|
|
||
| req.user = user; | ||
|
|
||
| next(); | ||
| } catch { | ||
| res.status(401).send('Invalid token'); | ||
| } | ||
| }; | ||
|
|
||
| module.exports = authMiddleware; |
There was a problem hiding this comment.
This file seems to be an unused duplicate. The application's routes use src/middleware/auth_middleware.js instead. To avoid confusion and keep the project clean, it's best to remove this file.
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Great job on this submission! I am approving it as an educational override to help you move forward, but there are a few important improvements to consider for your next project.
You've done excellent work implementing the core features, especially with the secure authentication middleware and clean routing. The progress you've made is fantastic!
To make it perfect, please remember to:
- Validate password strength everywhere: In
src/controllers/auth.controller.js, reuse yourisPasswordValidfunction when users reset their password (resetPassword) or update it (updateProfilePassword) to ensure all new passwords are secure. - Confirm the new email: The
updateProfileEmailfunction should check for a matchingconfirmNewEmailfield in the request, as per the requirements. - Clean up unused files: The file
src/middleware/auth.middleware.jsisn't being used and can be safely removed to keep the project tidy.
Keep up the great work!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Footnotes
| return res.status(401).send('Unauthorized'); | ||
| } | ||
|
|
||
| const token = header.split(' ')[1]; |
There was a problem hiding this comment.
This line assumes the header format is correct but doesn't validate it. For instance, a header like 'Basic dXNlcjpwYXNz' would pass this split, but jwt.verify would fail. The check in your other middleware file, auth_middleware.js, which verifies the 'Bearer' scheme and token existence, is a much more robust approach.
|
|
||
| if (password !== confirmPassword) { | ||
| return res.status(400).send('Passwords do not match'); | ||
| } |
There was a problem hiding this comment.
After this check, you should also validate the new password's strength using the isPasswordValid function. This ensures consistency with the registration requirements and keeps all user passwords secure.
|
|
||
| if (newPassword !== confirmPassword) { | ||
| return res.status(400).send('Passwords do not match'); | ||
| } |
There was a problem hiding this comment.
The newPassword should be validated against the strength requirements using isPasswordValid. This is to ensure consistency with the password rules set during registration.
| }; | ||
|
|
||
| const updateProfileEmail = async (req, res) => { | ||
| const { password, newEmail } = req.body; |
There was a problem hiding this comment.
The requirement says to 'confirm the new email'. This usually means the request should include a confirmation field (e.g., confirmNewEmail) that must match the newEmail field. Please add this validation check.
2 participants
No description provided.