version for testing AI #215
Conversation
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
This is a great start, and the overall structure of your application is well-organized. However, several critical issues are currently breaking core functionality and preventing the project from meeting all requirements. I am requesting changes to address these blockers.
Here are the most important issues to fix:
- Critical Security Flaw: The authentication middleware in
src/midlleware/auth.middleware.jsvalidates the token but doesn't attach the decoded user to the request object (e.g.,req.user = userData). This prevents downstream routes from knowing who the authenticated user is, making authorization impossible. - Broken Functionality: There are several runtime errors. For example, you call a non-existent function
userService.findByinsrc/controllers/auth.controller.jsandsrc/controllers/reset.controller.js. There are also typos in import paths, such as insrc/routes/user.router.js, which will cause the server to crash. - Missing Requirements: The login controller in
src/controllers/auth.controller.jsdoesn't check if a user's account has been activated before allowing them to log in. Additionally, yoursrc/index.jsis missing a catch-all route to handle 404 errors for undefined pages.
Please address these points, and I'll be happy to take another look!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
| ); | ||
|
|
||
| -- CreateTable | ||
| CREATE TABLE "users" ( |
There was a problem hiding this comment.
The users table is missing a column to store the user's name, which is a required field for registration according to the task description.
| @@ -0,0 +1,2 @@ | |||
| -- AlterTable | |||
| ALTER TABLE "tokens" ADD COLUMN "resetInterval" TIMESTAMPTZ(6); | |||
There was a problem hiding this comment.
The SQL statement is correct, but the migration's filename (add_userid) doesn't match the action performed (adding resetInterval). It's a good practice to name migrations descriptively to make the database history easier to understand.
| -- AlterTable | ||
| ALTER TABLE "users" ADD COLUMN "tokenActivationExpires" TIMESTAMPTZ(6); |
There was a problem hiding this comment.
The migration filename add is not descriptive. It's a good practice to name migration files based on the changes they introduce, for example, add_token_activation_expires_to_users. This makes it easier to understand the evolution of the database schema at a glance.
| @@ -0,0 +1,2 @@ | |||
| -- AlterTable | |||
| ALTER TABLE "reset_tokens" ADD COLUMN "resetInterval" TIMESTAMPTZ(6); | |||
There was a problem hiding this comment.
The SQL is correct, but the migration filename add is too generic. It's a best practice to name migrations descriptively to clearly state what change is being made, which helps with maintaining the project long-term.
src/routes/user.router.js
Outdated
| @@ -0,0 +1,14 @@ | |||
| import { Router } from 'express'; | |||
| import { userController } from '../controllers/user.controller.js'; | |||
| import { authMiddleware } from '../midlleware/auth.middleware.js'; | |||
There was a problem hiding this comment.
There appears to be a typo in the import path. The directory is likely intended to be middleware, but it is spelled as midlleware. This will cause the import to fail and the server to crash.
| async function deleteByUserId(userId) { | ||
| const token = await db.token.findFirst({ | ||
| where: { | ||
| userId, | ||
| }, | ||
| }); | ||
|
|
||
| if (!token) { | ||
| return null; | ||
| } | ||
|
|
||
| return db.token.delete({ | ||
| where: { | ||
| userId, | ||
| }, | ||
| }); |
There was a problem hiding this comment.
The current implementation uses a findFirst followed by a delete. This is not an atomic operation and creates a potential race condition. If the token is deleted by another request between the find and delete calls, the delete operation will throw an unhandled error. Using a single deleteMany operation would be more robust as it is atomic and does not throw an error if no record is found.
src/utils/mailer.js
Outdated
| import 'dotenv/config'; | ||
|
|
||
| // eslint-disable-next-line no-console | ||
| console.log(process.env.SMTP_USER, process.env.SMTP_PASSWORD); |
There was a problem hiding this comment.
Logging environment variables, especially potential secrets like a user and password, is a security risk and should be avoided in production code. This line should be removed.
| auth: { | ||
| user: testAccount.user, | ||
| pass: testAccount.pass, | ||
| }, |
There was a problem hiding this comment.
The transporter is currently configured to create and use a new temporary test account on every call. This ignores the SMTP_USER and SMTP_PASSWORD environment variables. To allow for configuration with a real email service, the auth object should be updated to use the environment variables from process.env.
src/services/user.service.js
Outdated
| function normalize({ id, email }) { | ||
| return { id, email }; |
There was a problem hiding this comment.
The normalize function only returns the user's id and email. The task involves managing a user profile that includes a name. It's a good practice to include the userName in the normalized user object that is sent to the client upon successful authentication. This avoids the need for the frontend to make a separate API call just to get the user's name for display.
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Excellent work on this project! Your implementation is solid, secure, and meets all the functional requirements. You've successfully addressed all the feedback from the previous review, and the authentication, password reset, and profile management flows are all working perfectly. I am approving your solution.
Please note that the build is currently failing due to an ESLint configuration issue, not a problem with your code logic. To fix this, you'll need to rename the .eslintrc.js file in your project's root to .eslintrc.cjs. This will resolve the conflict between ES Modules and CommonJS syntax. Great job overall!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Footnotes
| CREATE TABLE "users" ( | ||
| "id" SERIAL NOT NULL, | ||
| "email" VARCHAR(255) NOT NULL, | ||
| "password" VARCHAR(255) NOT NULL, | ||
| "activationToken" VARCHAR(255), | ||
| "createdAt" TIMESTAMPTZ(6) NOT NULL DEFAULT CURRENT_TIMESTAMP, | ||
| "updatedAt" TIMESTAMPTZ(6) NOT NULL, | ||
|
|
||
| CONSTRAINT "users_pkey" PRIMARY KEY ("id") | ||
| ); |
There was a problem hiding this comment.
The requirements state that registration should include a name, but this table definition is missing a column to store it (e.g., user_name or userName).
| return res.status(204).send({ | ||
| message: 'No Content', | ||
| }); |
There was a problem hiding this comment.
According to the HTTP specification, a 204 No Content response must not contain a message body. It's better to use res.sendStatus(204) or res.status(204).send() to send an empty response in this case.
2 participants
For start this thing:
🚀 1. Clone the repository
git clone <URL_твоего_репо>
cd NODE_AUTH-APP
🔧 2. Install dependencies
npm install
🔐 3. Create a .env file
Copy the example:
cp .env-example .env
Fill in the environment variables:
4.🗄️ Apply Prisma migrations
If the database is empty:
npx prisma migrate deploy
If you want to create a new migration (not required for running):
npx prisma migrate dev
🧪 5. (Optional) Generate Prisma Client
npx prisma generate
This usually happens automatically when you run npm install, but you can do it manually.
npm run dev
or
npm start
📂 Project structure (briefly)
src/
controllers/
routes/
services/
utils/
middleware/
prisma/
schema.prisma
migrations/