chore: sync latest demo-ready API updates #32
- update title, description, url, and thumbnail url for education content
- change category for some education content
- add temporary support for userId in request body for testing purposes
- modify google login to return user id
- update all controllers to support temporary user id
…d data (#31) feat(auth, db): add temporary userId support and update education seed data
Pull Request Overview
This PR syncs development changes into the main branch to prepare the API for demo readiness. The changes primarily introduce temporary backend testing support and refresh educational content with new Indonesian-language resources.
Key changes:
- Added temporary `userId` support via request body as a fallback when authentication is not yet integrated
- Modified Google login to return both JWT token and user ID in the response
- Completely refreshed education seed data with 14 new Indonesian YouTube videos covering mental health, productivity, and self-improvement topics
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| src/database/seed/education.seed.ts | Replaced all education content entries with new Indonesian-language YouTube videos |
| src/api/users/user.controller.ts | Added temporary userId body parameter support to 3 handlers |
| src/api/routine/routine.controller.ts | Added temporary userId body parameter support to 2 handlers |
| src/api/journals/journal.controller.ts | Added temporary userId body parameter support to 2 handlers |
| src/api/community/community.controller.ts | Added temporary userId body parameter support to 3 handlers |
| src/api/auth/auth.service.ts | Changed return type to include both token and userId |
| src/api/auth/auth.controller.ts | Updated to handle new service return format and added temporary userId support |
| src/api/ai/ai.controller.ts | Added temporary userId body parameter support to 2 handlers |
| export const getMeHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
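Review bot: getMeHandler is, by name, a GET endpoint, yet the new fallback reads `req.body.userId`; many HTTP clients and proxies discard GET bodies, so this will be unreliable even for the testing it is meant for. The same line is copied into every handler touched by this PR, so a single dev-only middleware that populates `req.user` would give the same testing convenience and make the removal promised in the PR notes a one-place change.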
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const dailyCheckinHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
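Review bot: nothing in this hunk checks that `req.body.userId` is a string in the expected id format before it stands in for the authenticated id; a JSON body can carry an object or an array in that field. If the fallback stays, validate the type and format and reject the request otherwise, rather than letting an arbitrary value become the owner of the check-in.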
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const createJournalHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
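Review bot: with `||`, any request whose `req.user?.id` is missing or falsy now proceeds with the body value, and no check follows in this hunk that `userId` is still defined when the body carries none. The handler should return 401 when no identity is available after the fallback instead of continuing with `undefined`.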
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const createPostHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
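Review bot: the inline comment says "Temporary" but nothing tracks the removal. Add a `TODO` referencing the issue that removes the fallback, and add a test or startup assertion that fails when the fallback is reachable with `NODE_ENV=production`, so it cannot reach the demo environment by accident.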
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const onboardingHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes | |
| let userId = req.user?.id; | |
| // Only allow fallback to req.body.userId in development mode | |
| if (!userId && process.env.NODE_ENV === 'development') { | |
| userId = req.body.userId; | |
| } |
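Review bot: the suggested gate compares `process.env.NODE_ENV` strictly to `'development'`, which fails closed when the variable is unset; that is the right direction. It still assigns `req.body.userId`, which Express types as `any`, without a runtime check, and it does not handle the case where `userId` remains `undefined` after the block; add a string/format check before the assignment and return 401 when no id is available.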
| export const getJournalsHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
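Review bot: for a read handler such as getJournalsHandler the consequence of a body-supplied identity is disclosure of another user's journal entries rather than a forged write, and again a GET-style handler is reading a request body. If a test identity is required, carry it in a clearly named debug header that only a development-only middleware honours, rather than mixing it into the request body schema.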
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const createCommentHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
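Review bot: comments created through the fallback are attributed to whatever `req.body.userId` says, so the stored author field cannot be relied on for moderation or audit while this is in place. At minimum, log when the fallback path is taken, and with which id, so those records can be identified and cleaned up when the mechanism is reverted.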
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const addLikeHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
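Review bot: this is the third handler in community.controller.ts and, per the file table, the same one-line change lands in five controllers; that duplication is the strongest argument for a shared `requireUserId(req)` helper that returns the authenticated id or fails with 401, with the dev-only fallback living in that one function.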
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| export const getSummaryHandler = asyncHandler(async (req: Request, res: Response) => { | ||
| const userId = req.user?.id; | ||
| const userId = req.user?.id || req.body.userId; // Temporary support for userId in body for testing purposes |
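Review bot: getSummaryHandler sits in ai.controller.ts, so the fallback also makes any downstream AI call reachable without authentication, which adds a cost and rate-abuse dimension on top of the identity problem; it is also another GET-style handler reading a body. Gate the fallback on the environment and validate the id, or keep this endpoint authenticated-only even during testing.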
The fallback to req.body.userId creates a critical security vulnerability, allowing any client to impersonate any user by simply passing a userId in the request body. This bypasses authentication entirely. Even for testing, this should be protected by environment checks (e.g., only allow in development mode) or use a separate testing endpoint.
| const client = new OAuth2Client(config.google.clientId); | ||
| export async function verifyGoogleTokenAndLogin(googleToken: string): Promise<string> { | ||
| export async function verifyGoogleTokenAndLogin(googleToken: string) { |
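Review bot: removing `Promise<string>` lets the new object return type be inferred, so the compiler will not flag the changed contract at the signature itself; declare it explicitly as `Promise<{ token: string; userId: string }>`, and check that the login controller now destructures `{ token, userId }` instead of treating the result as the token string.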
The return type annotation was removed from this function. This makes the API contract unclear and reduces type safety. The return type should be explicitly declared, for example: Promise<{ token: string; userId: string }>.
| export async function verifyGoogleTokenAndLogin(googleToken: string) { | |
| export async function verifyGoogleTokenAndLogin(googleToken: string): Promise<{ token: string; userId: string }> { |
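Review bot: the explicit return type is the right fix; since the controller consumes the same shape, consider exporting a named type (for example `LoginResult`) from auth.service.ts so both sides reference one definition and the signature line stays readable.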
Summary
Merge the latest development updates into the main branch for demo readiness.
Highlights
- `userId` support for backend testing
Notes
The `userId` testing mechanism is temporary and will be reverted once the authentication flow is fully integrated.