@blackcode_sa/metaestetics-api 1.13.3 → 1.13.5

package/src/services/auth/auth.service.ts

@@ -1,989 +1,989 @@
-import {
-  Auth,
-  User as FirebaseUser,
-  signInWithEmailAndPassword,
-  createUserWithEmailAndPassword,
-  signInAnonymously as firebaseSignInAnonymously,
-  signOut as firebaseSignOut,
-  GoogleAuthProvider,
-  signInWithPopup,
-  signInWithRedirect,
-  getRedirectResult,
-  linkWithCredential,
-  EmailAuthProvider,
-  onAuthStateChanged,
-  sendPasswordResetEmail,
-  verifyPasswordResetCode,
-  confirmPasswordReset,
-  fetchSignInMethodsForEmail,
-  signInWithCredential,
-} from 'firebase/auth';
-import {
-  getFirestore,
-  collection,
-  doc,
-  getDoc,
-  setDoc,
-  updateDoc,
-  deleteDoc,
-  query,
-  where,
-  getDocs,
-  orderBy,
-  limit,
-  startAfter,
-  Timestamp,
-  runTransaction,
-  Firestore,
-} from 'firebase/firestore';
-import { FirebaseApp } from 'firebase/app';
-import { User, UserRole, USERS_COLLECTION } from '../../types';
-import { z } from 'zod';
-import { emailSchema, passwordSchema, userRoleSchema } from '../../validations/schemas';
-import { AuthError, AUTH_ERRORS } from '../../errors/auth.errors';
-import { FirebaseErrorCode } from '../../errors/firebase.errors';
-import { FirebaseError } from '../../errors/firebase.errors';
-import { BaseService } from '../base.service';
-import { UserService } from '../user/user.service';
-import { throws } from 'assert';
-import {
-  ClinicGroup,
-  AdminToken,
-  AdminTokenStatus,
-  CreateClinicGroupData,
-  CreateClinicAdminData,
-  ContactPerson,
-  ClinicAdminSignupData,
-  SubscriptionModel,
-  CLINIC_GROUPS_COLLECTION,
-  ClinicAdmin,
-} from '../../types/clinic';
-import { clinicAdminSignupSchema } from '../../validations/clinic.schema';
-import { ClinicGroupService } from '../clinic/clinic-group.service';
-import { ClinicAdminService } from '../clinic/clinic-admin.service';
-import { ClinicService } from '../clinic/clinic.service';
-import {
-  Practitioner,
-  CreatePractitionerData,
-  PractitionerStatus,
-  PractitionerBasicInfo,
-  PractitionerCertification,
-} from '../../types/practitioner';
-import { PractitionerService } from '../practitioner/practitioner.service';
-import { practitionerSignupSchema } from '../../validations/practitioner.schema';
-import { CertificationLevel } from '../../backoffice/types/static/certification.types';
-import { MediaService } from '../media/media.service';
-// Import utility functions
-import {
-  checkEmailExists,
-  cleanupFirebaseUser,
-  handleFirebaseError,
-  handleSignupError,
-  buildPractitionerData,
-  validatePractitionerProfileData,
-} from './utils';
-
-export class AuthService extends BaseService {
-  private googleProvider = new GoogleAuthProvider();
-  private userService: UserService;
-
-  constructor(db: Firestore, auth: Auth, app: FirebaseApp, userService: UserService) {
-    super(db, auth, app);
-    this.userService = userService || new UserService(db, auth, app);
-  }
-
-  /**
-   * Registruje novog korisnika sa email-om i lozinkom
-   */
-  async signUp(
-    email: string,
-    password: string,
-    initialRole: UserRole = UserRole.PATIENT,
-    options?: {
-      patientInviteToken?: string;
-    },
-  ): Promise<User> {
-    const { user: firebaseUser } = await createUserWithEmailAndPassword(this.auth, email, password);
-
-    return this.userService.createUser(firebaseUser, [initialRole], options);
-  }
-
-  /**
-   * Registers a new clinic admin user with email and password
-   * Can either create a new clinic group or join an existing one with a token
-   *
-   * @param data - Clinic admin signup data
-   * @returns Object containing the created user, clinic group, and clinic admin
-   */
-  async signUpClinicAdmin(data: ClinicAdminSignupData): Promise<{
-    user: User;
-    clinicGroup: ClinicGroup;
-    clinicAdmin: ClinicAdmin;
-  }> {
-    try {
-      console.log('[AUTH] Starting clinic admin signup process', {
-        email: data.email,
-      });
-
-      // Validate data
-      try {
-        await clinicAdminSignupSchema.parseAsync(data);
-        console.log('[AUTH] Clinic admin signup data validation passed');
-      } catch (validationError) {
-        console.error('[AUTH] Validation error in signUpClinicAdmin:', validationError);
-        throw validationError;
-      }
-
-      // Create Firebase user
-      console.log('[AUTH] Creating Firebase user');
-      let firebaseUser;
-      try {
-        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
-        firebaseUser = result.user;
-        console.log('[AUTH] Firebase user created successfully', {
-          uid: firebaseUser.uid,
-        });
-      } catch (firebaseError) {
-        console.error('[AUTH] Firebase user creation failed:', firebaseError);
-        throw handleFirebaseError(firebaseError);
-      }
-
-      // Create user with CLINIC_ADMIN role
-      console.log('[AUTH] Creating user with CLINIC_ADMIN role');
-      let user;
-      try {
-        user = await this.userService.createUser(firebaseUser, [UserRole.CLINIC_ADMIN], {
-          skipProfileCreation: true,
-        });
-        console.log('[AUTH] User with CLINIC_ADMIN role created successfully', {
-          userId: user.uid,
-        });
-      } catch (userCreationError) {
-        console.error('[AUTH] User creation failed:', userCreationError);
-        throw userCreationError;
-      }
-
-      // Create contact person object
-      const contactPerson: ContactPerson = {
-        firstName: data.firstName,
-        lastName: data.lastName,
-        title: data.title,
-        email: data.email,
-        phoneNumber: data.phoneNumber,
-      };
-      console.log('[AUTH] Contact person object created');
-
-      // Initialize services
-      console.log('[AUTH] Initializing clinic services');
-      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
-      const clinicGroupService = new ClinicGroupService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicAdminService,
-      );
-      const mediaService = new MediaService(this.db, this.auth, this.app);
-      const clinicService = new ClinicService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicGroupService,
-        clinicAdminService,
-        mediaService,
-      );
-
-      // Set services to resolve circular dependencies
-      clinicAdminService.setServices(clinicGroupService, clinicService);
-      console.log('[AUTH] Services initialized and circular dependencies resolved');
-
-      let clinicGroup: ClinicGroup | null = null;
-      let adminProfile: ClinicAdmin | null = null;
-
-      if (data.isCreatingNewGroup) {
-        console.log('[AUTH] Creating new clinic group flow');
-        // Create new clinic group
-        if (!data.clinicGroupData) {
-          console.error('[AUTH] Clinic group data is missing');
-          throw new Error('Clinic group data is required when creating a new group');
-        }
-
-        // First create the clinic admin without a group
-        console.log('[AUTH] Creating clinic admin first (without group)');
-        const createClinicAdminData: CreateClinicAdminData = {
-          userRef: firebaseUser.uid,
-          isGroupOwner: true,
-          clinicsManaged: [],
-          contactInfo: contactPerson,
-          roleTitle: data.title,
-          isActive: true,
-          // No clinicGroupId yet
-        };
-
-        try {
-          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
-          console.log('[AUTH] Clinic admin created successfully', {
-            adminId: adminProfile.id,
-          });
-        } catch (adminCreationError) {
-          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
-          throw adminCreationError;
-        }
-
-        // Update user document with admin profile reference
-        try {
-          console.log('[AUTH] Updating user with admin profile reference');
-          user = await this.userService.updateUser(firebaseUser.uid, {
-            adminProfile: adminProfile.id,
-          });
-          console.log('[AUTH] User updated with admin profile reference successfully');
-        } catch (userUpdateError) {
-          console.error('[AUTH] Failed to update user with admin profile:', userUpdateError);
-          throw userUpdateError;
-        }
-
-        // Then create clinic group
-        const createClinicGroupData: CreateClinicGroupData = {
-          name: data.clinicGroupData.name,
-          hqLocation: data.clinicGroupData.hqLocation,
-          contactInfo: data.clinicGroupData.contactInfo,
-          contactPerson: contactPerson,
-          ownerId: adminProfile.id, // Use admin profile ID, not user UID
-          isActive: true,
-          logo: data.clinicGroupData.logo || null,
-          subscriptionModel:
-            data.clinicGroupData.subscriptionModel || SubscriptionModel.NO_SUBSCRIPTION,
-          onboarding: {
-            completed: false,
-            step: 1,
-          },
-        };
-        console.log('[AUTH] Clinic group data prepared', {
-          groupName: createClinicGroupData.name,
-        });
-
-        // Create clinic group
-        try {
-          clinicGroup = await clinicGroupService.createClinicGroup(
-            createClinicGroupData,
-            adminProfile.id, // Use admin profile ID, not user UID
-            false, // This is not a default group since we're providing complete data
-          );
-          console.log('[AUTH] Clinic group created successfully', {
-            groupId: clinicGroup.id,
-          });
-
-          // Now update the admin with the group ID
-          console.log('[AUTH] Updating admin with clinic group ID');
-          await clinicAdminService.updateClinicAdmin(adminProfile.id, {
-            // Use admin profile ID, not user UID
-            clinicGroupId: clinicGroup.id,
-          });
-          console.log('[AUTH] Admin updated with clinic group ID successfully');
-
-          // Get the updated admin profile
-          adminProfile = await clinicAdminService.getClinicAdmin(adminProfile.id);
-        } catch (groupCreationError) {
-          console.error('[AUTH] Clinic group creation failed:', groupCreationError);
-          throw groupCreationError;
-        }
-      } else {
-        console.log('[AUTH] Joining existing clinic group flow');
-        // Join existing clinic group with token
-        if (!data.inviteToken) {
-          console.error('[AUTH] Invite token is missing');
-          throw new Error('Invite token is required when joining an existing group');
-        }
-        console.log('[AUTH] Invite token provided', {
-          token: data.inviteToken,
-        });
-
-        // Find the token in the database
-        console.log('[AUTH] Searching for token in clinic groups');
-        const groupsRef = collection(this.db, CLINIC_GROUPS_COLLECTION);
-        const q = query(groupsRef);
-        const querySnapshot = await getDocs(q);
-
-        let foundGroup: ClinicGroup | null = null;
-        let foundToken: AdminToken | null = null;
-
-        console.log('[AUTH] Found', querySnapshot.size, 'clinic groups to check');
-        for (const docSnapshot of querySnapshot.docs) {
-          const group = docSnapshot.data() as ClinicGroup;
-          console.log('[AUTH] Checking group', {
-            groupId: group.id,
-            groupName: group.name,
-          });
-
-          // Find the token in the group's tokens
-          const token = group.adminTokens.find(t => {
-            const isMatch =
-              t.token === data.inviteToken &&
-              t.status === AdminTokenStatus.ACTIVE &&
-              new Date(t.expiresAt.toDate()) > new Date();
-
-            console.log('[AUTH] Checking token', {
-              tokenId: t.id,
-              tokenMatch: t.token === data.inviteToken,
-              tokenStatus: t.status,
-              tokenActive: t.status === AdminTokenStatus.ACTIVE,
-              tokenExpiry: new Date(t.expiresAt.toDate()),
-              tokenExpired: new Date(t.expiresAt.toDate()) <= new Date(),
-              isMatch,
-            });
-
-            return isMatch;
-          });
-
-          if (token) {
-            foundGroup = group;
-            foundToken = token;
-            console.log('[AUTH] Found matching token in group', {
-              groupId: group.id,
-              tokenId: token.id,
-            });
-            break;
-          }
-        }
-
-        if (!foundGroup || !foundToken) {
-          console.error('[AUTH] No valid token found in any clinic group');
-          throw new Error('Invalid or expired invite token');
-        }
-
-        clinicGroup = foundGroup;
-
-        // Create clinic admin
-        console.log('[AUTH] Creating clinic admin');
-        const createClinicAdminData: CreateClinicAdminData = {
-          userRef: firebaseUser.uid,
-          clinicGroupId: foundGroup.id,
-          isGroupOwner: false,
-          clinicsManaged: [],
-          contactInfo: contactPerson,
-          roleTitle: data.title,
-          isActive: true,
-        };
-
-        try {
-          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
-          console.log('[AUTH] Clinic admin created successfully', {
-            adminId: adminProfile.id,
-          });
-        } catch (adminCreationError) {
-          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
-          throw adminCreationError;
-        }
-
-        // Mark token as used
-        try {
-          await clinicGroupService.verifyAndUseAdminToken(
-            foundGroup.id,
-            data.inviteToken,
-            firebaseUser.uid,
-          );
-          console.log('[AUTH] Token marked as used successfully');
-        } catch (tokenUseError) {
-          console.error('[AUTH] Failed to mark token as used:', tokenUseError);
-          throw tokenUseError;
-        }
-      }
-
-      console.log('[AUTH] Clinic admin signup completed successfully', {
-        userId: user.uid,
-        clinicGroupId: clinicGroup.id,
-        clinicAdminId: adminProfile?.id || 'unknown',
-      });
-
-      // Ensure we have all required data before returning
-      if (!clinicGroup || !adminProfile) {
-        throw new Error('Failed to create or retrieve clinic group or admin profile');
-      }
-
-      return {
-        user,
-        clinicGroup,
-        clinicAdmin: adminProfile,
-      };
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        console.error(
-          '[AUTH] Zod validation error in signUpClinicAdmin:',
-          JSON.stringify(error.errors, null, 2),
-        );
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
-        console.error('[AUTH] Email already in use:', data.email);
-        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
-      }
-
-      console.error('[AUTH] Unhandled error in signUpClinicAdmin:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Prijavljuje korisnika sa email-om i lozinkom
-   */
-  async signIn(email: string, password: string): Promise<User> {
-    const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
-
-    return this.userService.getOrCreateUser(firebaseUser);
-  }
-
-  /**
-   * Prijavljuje korisnika sa email-om i lozinkom samo za clinic_admin role
-   * @param email - Email korisnika
-   * @param password - Lozinka korisnika
-   * @returns Objekat koji sadrži korisnika, admin profil i grupu klinika
-   * @throws {AUTH_ERRORS.INVALID_ROLE} Ako korisnik nema clinic_admin rolu
-   * @throws {AUTH_ERRORS.NOT_FOUND} Ako admin profil nije pronađen
-   */
-  async signInClinicAdmin(
-    email: string,
-    password: string,
-  ): Promise<{
-    user: User;
-    clinicAdmin: ClinicAdmin;
-    clinicGroup: ClinicGroup;
-  }> {
-    try {
-      // Initialize required services
-      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
-      const clinicGroupService = new ClinicGroupService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicAdminService,
-      );
-      const mediaService = new MediaService(this.db, this.auth, this.app);
-      const clinicService = new ClinicService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicGroupService,
-        clinicAdminService,
-        mediaService,
-      );
-
-      // Set services to resolve circular dependencies
-      clinicAdminService.setServices(clinicGroupService, clinicService);
-
-      // Sign in with email/password
-      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
-
-      // Get or create user
-      const user = await this.userService.getOrCreateUser(firebaseUser);
-
-      // Check if user has clinic_admin role
-      if (!user.roles?.includes(UserRole.CLINIC_ADMIN)) {
-        console.error('[AUTH] User is not a clinic admin:', user.uid);
-        // Sign out the user immediately for security
-        await this.auth.signOut();
-        throw AUTH_ERRORS.UNAUTHORIZED_ROLE;
-      }
-
-      // Check and get admin profile
-      if (!user.adminProfile) {
-        console.error('[AUTH] User has no admin profile:', user.uid);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      // Get clinic admin profile
-      const adminProfile = await clinicAdminService.getClinicAdmin(user.adminProfile);
-      if (!adminProfile) {
-        console.error('[AUTH] Admin profile not found:', user.adminProfile);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      // Get clinic group
-      const clinicGroup = await clinicGroupService.getClinicGroup(adminProfile.clinicGroupId);
-      if (!clinicGroup) {
-        console.error('[AUTH] Clinic group not found:', adminProfile.clinicGroupId);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      return {
-        user,
-        clinicAdmin: adminProfile,
-        clinicGroup,
-      };
-    } catch (error) {
-      console.error('[AUTH] Error in signInClinicAdmin:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Prijavljuje korisnika anonimno
-   */
-  async signInAnonymously(): Promise<User> {
-    const { user: firebaseUser } = await firebaseSignInAnonymously(this.auth);
-
-    return this.userService.getOrCreateUser(firebaseUser);
-  }
-
-  /**
-   * Odjavljuje trenutnog korisnika
-   */
-  async signOut(): Promise<void> {
-    await firebaseSignOut(this.auth);
-  }
-
-  /**
-   * Vraća trenutno prijavljenog korisnika
-   */
-  async getCurrentUser(): Promise<User | null> {
-    const firebaseUser = this.auth.currentUser;
-    if (!firebaseUser) return null;
-
-    return this.userService.getUserById(firebaseUser.uid);
-  }
-
-  /**
-   * Registruje callback za promene stanja autentifikacije
-   */
-  onAuthStateChange(callback: (user: FirebaseUser | null) => void): () => void {
-    return onAuthStateChanged(this.auth, callback);
-  }
-
-  async upgradeAnonymousUser(email: string, password: string): Promise<User> {
-    try {
-      await emailSchema.parseAsync(email);
-      await passwordSchema.parseAsync(password);
-
-      const currentUser = this.auth.currentUser;
-      if (!currentUser) {
-        throw AUTH_ERRORS.NOT_AUTHENTICATED;
-      }
-      if (!currentUser.isAnonymous) {
-        throw new AuthError('User is not anonymous', 'AUTH/NOT_ANONYMOUS_USER', 400);
-      }
-
-      const credential = EmailAuthProvider.credential(email, password);
-      await linkWithCredential(currentUser, credential);
-
-      return await this.userService.upgradeAnonymousUser(currentUser.uid, email);
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
-        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
-      }
-      throw error;
-    }
-  }
-
-  /**
-   * Šalje email za resetovanje lozinke korisniku
-   * @param email Email adresa korisnika
-   * @returns Promise koji se razrešava kada je email poslat
-   */
-  async sendPasswordResetEmail(email: string): Promise<void> {
-    try {
-      await emailSchema.parseAsync(email);
-
-      // Šaljemo email za resetovanje lozinke
-      await sendPasswordResetEmail(this.auth, email);
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.USER_NOT_FOUND) {
-        throw AUTH_ERRORS.USER_NOT_FOUND;
-      }
-
-      throw error;
-    }
-  }
-
-  /**
-   * Verifikuje kod za resetovanje lozinke iz email linka
-   * @param oobCode Kod iz URL-a za resetovanje lozinke
-   * @returns Promise koji se razrešava sa email adresom korisnika ako je kod validan
-   */
-  async verifyPasswordResetCode(oobCode: string): Promise<string> {
-    try {
-      // Verifikujemo kod i vraćamo email korisnika
-      return await verifyPasswordResetCode(this.auth, oobCode);
-    } catch (error) {
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
-        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
-      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
-        throw AUTH_ERRORS.INVALID_ACTION_CODE;
-      }
-
-      throw error;
-    }
-  }
-
-  /**
-   * Potvrđuje resetovanje lozinke i postavlja novu lozinku
-   * @param oobCode Kod iz URL-a za resetovanje lozinke
-   * @param newPassword Nova lozinka
-   * @returns Promise koji se razrešava kada je lozinka promenjena
-   */
-  async confirmPasswordReset(oobCode: string, newPassword: string): Promise<void> {
-    try {
-      await passwordSchema.parseAsync(newPassword);
-
-      // Potvrđujemo resetovanje lozinke i postavljamo novu lozinku
-      await confirmPasswordReset(this.auth, oobCode, newPassword);
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
-        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
-      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
-        throw AUTH_ERRORS.INVALID_ACTION_CODE;
-      } else if (firebaseError.code === FirebaseErrorCode.WEAK_PASSWORD) {
-        throw AUTH_ERRORS.WEAK_PASSWORD;
-      }
-
-      throw error;
-    }
-  }
-
-  /**
-   * Registers a new practitioner user with email and password (ATOMIC VERSION)
-   * Uses Firestore transactions to ensure atomicity and proper rollback on failures
-   *
-   * @param data - Practitioner signup data containing either new profile details or token for claiming draft profile
-   * @returns Object containing the created user and practitioner profile
-   */
-  async signUpPractitioner(data: {
-    email: string;
-    password: string;
-    firstName?: string;
-    lastName?: string;
-    token?: string;
-    profileData?: Partial<CreatePractitionerData>;
-  }): Promise<{
-    user: User;
-    practitioner: Practitioner;
-  }> {
-    let firebaseUser: any = null;
-
-    try {
-      console.log('[AUTH] Starting atomic practitioner signup process', {
-        email: data.email,
-        hasToken: !!data.token,
-      });
-
-      // Step 1: Pre-validate all data before any mutations
-      await this.validateSignupData(data);
-
-      // Step 2: Create Firebase user (outside transaction - can't be easily rolled back)
-      console.log('[AUTH] Creating Firebase user');
-      try {
-        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
-        firebaseUser = result.user;
-        console.log('[AUTH] Firebase user created successfully', {
-          uid: firebaseUser.uid,
-        });
-      } catch (firebaseError) {
-        console.error('[AUTH] Firebase user creation failed:', firebaseError);
-        throw handleFirebaseError(firebaseError);
-      }
-
-      // Step 3: Execute all database operations in a single transaction
-      console.log('[AUTH] Starting Firestore transaction');
-      const transactionResult = await runTransaction(this.db, async transaction => {
-        console.log('[AUTH] Transaction started - creating user and practitioner');
-
-        // Initialize services
-        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-
-        // Create user document using existing method (not in transaction for now)
-        console.log('[AUTH] Creating user document');
-        const user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
-          skipProfileCreation: true,
-        });
-
-        let practitioner: Practitioner;
-
-        // Handle practitioner profile creation/claiming
-        if (data.token) {
-          console.log('[AUTH] Claiming existing practitioner profile with token');
-          const claimedPractitioner = await practitionerService.validateTokenAndClaimProfile(
-            data.token,
-            firebaseUser.uid,
-          );
-          if (!claimedPractitioner) {
-            throw new Error('Invalid or expired invitation token');
-          }
-          practitioner = claimedPractitioner;
-        } else {
-          console.log('[AUTH] Creating new practitioner profile');
-          const practitionerData = buildPractitionerData(data, firebaseUser.uid);
-          practitioner = await practitionerService.createPractitioner(practitionerData);
-        }
-
-        // Link practitioner to user
-        console.log('[AUTH] Linking practitioner to user');
-        await this.userService.updateUser(firebaseUser.uid, {
-          practitionerProfile: practitioner.id,
-        });
-
-        console.log('[AUTH] Transaction operations completed successfully');
-        return { user, practitioner };
-      });
-
-      console.log('[AUTH] Atomic practitioner signup completed successfully', {
-        userId: transactionResult.user.uid,
-        practitionerId: transactionResult.practitioner.id,
-      });
-
-      return transactionResult;
-    } catch (error) {
-      console.error('[AUTH] Atomic signup failed, initiating cleanup...', error);
-
-      // Cleanup Firebase user if transaction failed
-      if (firebaseUser) {
-        await cleanupFirebaseUser(firebaseUser);
-      }
-
-      throw handleSignupError(error);
-    }
-  }
-
-  /**
-   * Pre-validate all signup data before any mutations
-   * Prevents partial creation by catching issues early
-   */
-  private async validateSignupData(data: {
-    email: string;
-    password: string;
-    firstName?: string;
-    lastName?: string;
-    token?: string;
-    profileData?: Partial<CreatePractitionerData>;
-  }): Promise<void> {
-    console.log('[AUTH] Pre-validating signup data');
-
-    try {
-      // 1. Schema validation
-      await practitionerSignupSchema.parseAsync(data);
-      console.log('[AUTH] Schema validation passed');
-
-      // 2. Check if email already exists (before creating Firebase user)
-      const emailExists = await checkEmailExists(this.auth, data.email);
-      if (emailExists) {
-        console.log('[AUTH] Email already exists:', data.email);
-        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
-      }
-      console.log('[AUTH] Email availability confirmed');
-
-      // 3. Validate token if provided
-      if (data.token) {
-        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-        const isValidToken = await practitionerService.validateToken(data.token);
-        if (!isValidToken) {
-          console.log('[AUTH] Invalid token provided:', data.token);
-          throw new Error('Invalid or expired invitation token');
-        }
-        console.log('[AUTH] Token validation passed');
-      }
-
-      // 4. Validate profile data structure if provided
-      if (data.profileData) {
-        await validatePractitionerProfileData(data.profileData);
-        console.log('[AUTH] Profile data validation passed');
-      }
-
-      console.log('[AUTH] All pre-validation checks passed');
-    } catch (error) {
-      console.error('[AUTH] Pre-validation failed:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Signs in a user with email and password specifically for practitioner role
-   * @param email - User's email
-   * @param password - User's password
-   * @returns Object containing the user and practitioner profile
-   * @throws {AUTH_ERRORS.INVALID_ROLE} If user doesn't have practitioner role
-   * @throws {AUTH_ERRORS.NOT_FOUND} If practitioner profile is not found
-   */
-  async signInPractitioner(
-    email: string,
-    password: string,
-  ): Promise<{
-    user: User;
-    practitioner: Practitioner;
-  }> {
-    try {
-      console.log('[AUTH] Starting practitioner signin process', {
-        email: email,
-      });
-
-      // Initialize required service
-      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-
-      // Sign in with email/password
-      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
-
-      // Get or create user
-      const user = await this.userService.getOrCreateUser(firebaseUser);
-      console.log('[AUTH] User retrieved', { uid: user.uid });
-
-      // Check if user has practitioner role
-      if (!user.roles?.includes(UserRole.PRACTITIONER)) {
-        console.error('[AUTH] User is not a practitioner:', user.uid);
-        throw AUTH_ERRORS.INVALID_ROLE;
-      }
-
-      // Check and get practitioner profile
-      if (!user.practitionerProfile) {
-        console.error('[AUTH] User has no practitioner profile:', user.uid);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      // Get practitioner profile
-      const practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
-      if (!practitioner) {
-        console.error('[AUTH] Practitioner profile not found:', user.practitionerProfile);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      console.log('[AUTH] Practitioner signin completed successfully', {
-        userId: user.uid,
-        practitionerId: practitioner.id,
-      });
-
-      return {
-        user,
-        practitioner,
-      };
-    } catch (error) {
-      console.error('[AUTH] Error in signInPractitioner:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Signs in a user with a Google ID token from a mobile client.
-   * If the user does not exist, a new user is created.
-   * @param idToken - The Google ID token obtained from the mobile app.
-   * @param initialRole - The role to assign to the user if they are being created.
-   * @returns The signed-in or newly created user.
-   */
-  async signInWithGoogleIdToken(
-    idToken: string,
-    initialRole: UserRole = UserRole.PATIENT,
-  ): Promise<User> {
-    try {
-      console.log('[AUTH] Signing in with Google ID Token');
-
-      // 1) Extract the email claim from the raw JWT so we can check Auth records *before* sign-in
-      let email: string | undefined;
-      try {
-        const payloadBase64 = idToken.split('.')[1];
-        const payloadJson = globalThis.atob
-          ? globalThis.atob(payloadBase64)
-          : Buffer.from(payloadBase64, 'base64').toString('utf8');
-        const payload = JSON.parse(payloadJson);
-        email = payload.email as string | undefined;
-      } catch (decodeError) {
-        console.warn('[AUTH] Failed to decode email from Google ID token:', decodeError);
-      }
-
-      if (!email) {
-        throw new AuthError(
-          'Unable to read email from Google token. Please try again or use another sign-in method.',
-          'AUTH/INVALID_GOOGLE_TOKEN',
-          400,
-        );
-      }
-
-      // 2) Check if this email already has a Google credential in Firebase Auth.
-      //    If not, abort early so we *never* create an unwanted Auth user.
-      const methods = await fetchSignInMethodsForEmail(this.auth, email);
-      console.log('[AUTH] Fetch sign in methods for email:', email, methods);
-      const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
-      console.log('[AUTH] Has Google method:', hasGoogleMethod);
-      if (!hasGoogleMethod) {
-        console.log('[AUTH] No existing Google credential for email, aborting login:', email);
-        throw new AuthError(
-          'No account found for this Google user. Please complete registration first.',
-          'AUTH/USER_NOT_FOUND',
-          404,
-        );
-      }
-
-      // 3) Safe to sign-in – we know the credential belongs to an existing Auth account.
-      const credential = GoogleAuthProvider.credential(idToken);
-      const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
-      console.log('[AUTH] Firebase user signed in:', firebaseUser.uid);
-
-      // 4) Load our domain user document.
-      const existingUser = await this.userService.getUserById(firebaseUser.uid);
-      if (existingUser) {
-        console.log('[AUTH] Existing user found, returning profile:', existingUser.uid);
-        return existingUser;
-      }
-
-      // 5) If no profile exists we sign out immediately and error – but crucially no phantom user was created.
-      console.log('[AUTH] No existing MetaEstetics user for Google account – signing out.');
-      await firebaseSignOut(this.auth);
-      throw new AuthError(
-        'No account found. Please complete registration by starting with "Get Started".',
-        'AUTH/USER_NOT_FOUND',
-        404,
-      );
-    } catch (error) {
-      console.error('[AUTH] Error in signInWithGoogleIdToken:', error);
-      throw handleFirebaseError(error);
-    }
-  }
-
-  /**
-   * Links a Google account to the currently signed-in user using an ID token.
-   * This is used to upgrade an anonymous user or to allow an existing user
-   * to sign in with Google in the future.
-   * @param idToken - The Google ID token obtained from the mobile app.
-   * @returns The updated user profile.
-   */
-  async linkGoogleAccount(idToken: string): Promise<User> {
-    try {
-      console.log('[AUTH] Linking Google account with ID Token');
-      const currentUser = this.auth.currentUser;
-      if (!currentUser) {
-        throw AUTH_ERRORS.NOT_AUTHENTICATED;
-      }
-
-      const wasAnonymous = currentUser.isAnonymous;
-      console.log(`[AUTH] Current user is ${wasAnonymous ? 'anonymous' : 'not anonymous'}`);
-
-      const credential = GoogleAuthProvider.credential(idToken);
-      const userCredential = await linkWithCredential(currentUser, credential);
-      const linkedFirebaseUser = userCredential.user;
-      console.log('[AUTH] Google account linked successfully to user:', linkedFirebaseUser.uid);
-
-      if (wasAnonymous) {
-        console.log('[AUTH] Upgrading anonymous user profile');
-        return await this.userService.upgradeAnonymousUser(
-          linkedFirebaseUser.uid,
-          linkedFirebaseUser.email!,
-        );
-      }
-
-      // If the user was not anonymous, just return their updated profile
-      return (await this.userService.getUserById(linkedFirebaseUser.uid))!;
-    } catch (error) {
-      console.error('[AUTH] Error in linkGoogleAccount:', error);
-      throw handleFirebaseError(error);
-    }
-  }
-}
+import {
+  Auth,
+  User as FirebaseUser,
+  signInWithEmailAndPassword,
+  createUserWithEmailAndPassword,
+  signInAnonymously as firebaseSignInAnonymously,
+  signOut as firebaseSignOut,
+  GoogleAuthProvider,
+  signInWithPopup,
+  signInWithRedirect,
+  getRedirectResult,
+  linkWithCredential,
+  EmailAuthProvider,
+  onAuthStateChanged,
+  sendPasswordResetEmail,
+  verifyPasswordResetCode,
+  confirmPasswordReset,
+  fetchSignInMethodsForEmail,
+  signInWithCredential,
+} from 'firebase/auth';
+import {
+  getFirestore,
+  collection,
+  doc,
+  getDoc,
+  setDoc,
+  updateDoc,
+  deleteDoc,
+  query,
+  where,
+  getDocs,
+  orderBy,
+  limit,
+  startAfter,
+  Timestamp,
+  runTransaction,
+  Firestore,
+} from 'firebase/firestore';
+import { FirebaseApp } from 'firebase/app';
+import { User, UserRole, USERS_COLLECTION } from '../../types';
+import { z } from 'zod';
+import { emailSchema, passwordSchema, userRoleSchema } from '../../validations/schemas';
+import { AuthError, AUTH_ERRORS } from '../../errors/auth.errors';
+import { FirebaseErrorCode } from '../../errors/firebase.errors';
+import { FirebaseError } from '../../errors/firebase.errors';
+import { BaseService } from '../base.service';
+import { UserService } from '../user/user.service';
+import { throws } from 'assert';
+import {
+  ClinicGroup,
+  AdminToken,
+  AdminTokenStatus,
+  CreateClinicGroupData,
+  CreateClinicAdminData,
+  ContactPerson,
+  ClinicAdminSignupData,
+  SubscriptionModel,
+  CLINIC_GROUPS_COLLECTION,
+  ClinicAdmin,
+} from '../../types/clinic';
+import { clinicAdminSignupSchema } from '../../validations/clinic.schema';
+import { ClinicGroupService } from '../clinic/clinic-group.service';
+import { ClinicAdminService } from '../clinic/clinic-admin.service';
+import { ClinicService } from '../clinic/clinic.service';
+import {
+  Practitioner,
+  CreatePractitionerData,
+  PractitionerStatus,
+  PractitionerBasicInfo,
+  PractitionerCertification,
+} from '../../types/practitioner';
+import { PractitionerService } from '../practitioner/practitioner.service';
+import { practitionerSignupSchema } from '../../validations/practitioner.schema';
+import { CertificationLevel } from '../../backoffice/types/static/certification.types';
+import { MediaService } from '../media/media.service';
+// Import utility functions
+import {
+  checkEmailExists,
+  cleanupFirebaseUser,
+  handleFirebaseError,
+  handleSignupError,
+  buildPractitionerData,
+  validatePractitionerProfileData,
+} from './utils';
+
+export class AuthService extends BaseService {
+  private googleProvider = new GoogleAuthProvider();
+  private userService: UserService;
+
+  constructor(db: Firestore, auth: Auth, app: FirebaseApp, userService: UserService) {
+    super(db, auth, app);
+    this.userService = userService || new UserService(db, auth, app);
+  }
+
+  /**
+   * Registruje novog korisnika sa email-om i lozinkom
+   */
+  async signUp(
+    email: string,
+    password: string,
+    initialRole: UserRole = UserRole.PATIENT,
+    options?: {
+      patientInviteToken?: string;
+    },
+  ): Promise<User> {
+    const { user: firebaseUser } = await createUserWithEmailAndPassword(this.auth, email, password);
+
+    return this.userService.createUser(firebaseUser, [initialRole], options);
+  }
+
+  /**
+   * Registers a new clinic admin user with email and password
+   * Can either create a new clinic group or join an existing one with a token
+   *
+   * @param data - Clinic admin signup data
+   * @returns Object containing the created user, clinic group, and clinic admin
+   */
+  async signUpClinicAdmin(data: ClinicAdminSignupData): Promise<{
+    user: User;
+    clinicGroup: ClinicGroup;
+    clinicAdmin: ClinicAdmin;
+  }> {
+    try {
+      console.log('[AUTH] Starting clinic admin signup process', {
+        email: data.email,
+      });
+
+      // Validate data
+      try {
+        await clinicAdminSignupSchema.parseAsync(data);
+        console.log('[AUTH] Clinic admin signup data validation passed');
+      } catch (validationError) {
+        console.error('[AUTH] Validation error in signUpClinicAdmin:', validationError);
+        throw validationError;
+      }
+
+      // Create Firebase user
+      console.log('[AUTH] Creating Firebase user');
+      let firebaseUser;
+      try {
+        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
+        firebaseUser = result.user;
+        console.log('[AUTH] Firebase user created successfully', {
+          uid: firebaseUser.uid,
+        });
+      } catch (firebaseError) {
+        console.error('[AUTH] Firebase user creation failed:', firebaseError);
+        throw handleFirebaseError(firebaseError);
+      }
+
+      // Create user with CLINIC_ADMIN role
+      console.log('[AUTH] Creating user with CLINIC_ADMIN role');
+      let user;
+      try {
+        user = await this.userService.createUser(firebaseUser, [UserRole.CLINIC_ADMIN], {
+          skipProfileCreation: true,
+        });
+        console.log('[AUTH] User with CLINIC_ADMIN role created successfully', {
+          userId: user.uid,
+        });
+      } catch (userCreationError) {
+        console.error('[AUTH] User creation failed:', userCreationError);
+        throw userCreationError;
+      }
+
+      // Create contact person object
+      const contactPerson: ContactPerson = {
+        firstName: data.firstName,
+        lastName: data.lastName,
+        title: data.title,
+        email: data.email,
+        phoneNumber: data.phoneNumber,
+      };
+      console.log('[AUTH] Contact person object created');
+
+      // Initialize services
+      console.log('[AUTH] Initializing clinic services');
+      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
+      const clinicGroupService = new ClinicGroupService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicAdminService,
+      );
+      const mediaService = new MediaService(this.db, this.auth, this.app);
+      const clinicService = new ClinicService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicGroupService,
+        clinicAdminService,
+        mediaService,
+      );
+
+      // Set services to resolve circular dependencies
+      clinicAdminService.setServices(clinicGroupService, clinicService);
+      console.log('[AUTH] Services initialized and circular dependencies resolved');
+
+      let clinicGroup: ClinicGroup | null = null;
+      let adminProfile: ClinicAdmin | null = null;
+
+      if (data.isCreatingNewGroup) {
+        console.log('[AUTH] Creating new clinic group flow');
+        // Create new clinic group
+        if (!data.clinicGroupData) {
+          console.error('[AUTH] Clinic group data is missing');
+          throw new Error('Clinic group data is required when creating a new group');
+        }
+
+        // First create the clinic admin without a group
+        console.log('[AUTH] Creating clinic admin first (without group)');
+        const createClinicAdminData: CreateClinicAdminData = {
+          userRef: firebaseUser.uid,
+          isGroupOwner: true,
+          clinicsManaged: [],
+          contactInfo: contactPerson,
+          roleTitle: data.title,
+          isActive: true,
+          // No clinicGroupId yet
+        };
+
+        try {
+          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
+          console.log('[AUTH] Clinic admin created successfully', {
+            adminId: adminProfile.id,
+          });
+        } catch (adminCreationError) {
+          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
+          throw adminCreationError;
+        }
+
+        // Update user document with admin profile reference
+        try {
+          console.log('[AUTH] Updating user with admin profile reference');
+          user = await this.userService.updateUser(firebaseUser.uid, {
+            adminProfile: adminProfile.id,
+          });
+          console.log('[AUTH] User updated with admin profile reference successfully');
+        } catch (userUpdateError) {
+          console.error('[AUTH] Failed to update user with admin profile:', userUpdateError);
+          throw userUpdateError;
+        }
+
+        // Then create clinic group
+        const createClinicGroupData: CreateClinicGroupData = {
+          name: data.clinicGroupData.name,
+          hqLocation: data.clinicGroupData.hqLocation,
+          contactInfo: data.clinicGroupData.contactInfo,
+          contactPerson: contactPerson,
+          ownerId: adminProfile.id, // Use admin profile ID, not user UID
+          isActive: true,
+          logo: data.clinicGroupData.logo || null,
+          subscriptionModel:
+            data.clinicGroupData.subscriptionModel || SubscriptionModel.NO_SUBSCRIPTION,
+          onboarding: {
+            completed: false,
+            step: 1,
+          },
+        };
+        console.log('[AUTH] Clinic group data prepared', {
+          groupName: createClinicGroupData.name,
+        });
+
+        // Create clinic group
+        try {
+          clinicGroup = await clinicGroupService.createClinicGroup(
+            createClinicGroupData,
+            adminProfile.id, // Use admin profile ID, not user UID
+            false, // This is not a default group since we're providing complete data
+          );
+          console.log('[AUTH] Clinic group created successfully', {
+            groupId: clinicGroup.id,
+          });
+
+          // Now update the admin with the group ID
+          console.log('[AUTH] Updating admin with clinic group ID');
+          await clinicAdminService.updateClinicAdmin(adminProfile.id, {
+            // Use admin profile ID, not user UID
+            clinicGroupId: clinicGroup.id,
+          });
+          console.log('[AUTH] Admin updated with clinic group ID successfully');
+
+          // Get the updated admin profile
+          adminProfile = await clinicAdminService.getClinicAdmin(adminProfile.id);
+        } catch (groupCreationError) {
+          console.error('[AUTH] Clinic group creation failed:', groupCreationError);
+          throw groupCreationError;
+        }
+      } else {
+        console.log('[AUTH] Joining existing clinic group flow');
+        // Join existing clinic group with token
+        if (!data.inviteToken) {
+          console.error('[AUTH] Invite token is missing');
+          throw new Error('Invite token is required when joining an existing group');
+        }
+        console.log('[AUTH] Invite token provided', {
+          token: data.inviteToken,
+        });
+
+        // Find the token in the database
+        console.log('[AUTH] Searching for token in clinic groups');
+        const groupsRef = collection(this.db, CLINIC_GROUPS_COLLECTION);
+        const q = query(groupsRef);
+        const querySnapshot = await getDocs(q);
+
+        let foundGroup: ClinicGroup | null = null;
+        let foundToken: AdminToken | null = null;
+
+        console.log('[AUTH] Found', querySnapshot.size, 'clinic groups to check');
+        for (const docSnapshot of querySnapshot.docs) {
+          const group = docSnapshot.data() as ClinicGroup;
+          console.log('[AUTH] Checking group', {
+            groupId: group.id,
+            groupName: group.name,
+          });
+
+          // Find the token in the group's tokens
+          const token = group.adminTokens.find(t => {
+            const isMatch =
+              t.token === data.inviteToken &&
+              t.status === AdminTokenStatus.ACTIVE &&
+              new Date(t.expiresAt.toDate()) > new Date();
+
+            console.log('[AUTH] Checking token', {
+              tokenId: t.id,
+              tokenMatch: t.token === data.inviteToken,
+              tokenStatus: t.status,
+              tokenActive: t.status === AdminTokenStatus.ACTIVE,
+              tokenExpiry: new Date(t.expiresAt.toDate()),
+              tokenExpired: new Date(t.expiresAt.toDate()) <= new Date(),
+              isMatch,
+            });
+
+            return isMatch;
+          });
+
+          if (token) {
+            foundGroup = group;
+            foundToken = token;
+            console.log('[AUTH] Found matching token in group', {
+              groupId: group.id,
+              tokenId: token.id,
+            });
+            break;
+          }
+        }
+
+        if (!foundGroup || !foundToken) {
+          console.error('[AUTH] No valid token found in any clinic group');
+          throw new Error('Invalid or expired invite token');
+        }
+
+        clinicGroup = foundGroup;
+
+        // Create clinic admin
+        console.log('[AUTH] Creating clinic admin');
+        const createClinicAdminData: CreateClinicAdminData = {
+          userRef: firebaseUser.uid,
+          clinicGroupId: foundGroup.id,
+          isGroupOwner: false,
+          clinicsManaged: [],
+          contactInfo: contactPerson,
+          roleTitle: data.title,
+          isActive: true,
+        };
+
+        try {
+          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
+          console.log('[AUTH] Clinic admin created successfully', {
+            adminId: adminProfile.id,
+          });
+        } catch (adminCreationError) {
+          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
+          throw adminCreationError;
+        }
+
+        // Mark token as used
+        try {
+          await clinicGroupService.verifyAndUseAdminToken(
+            foundGroup.id,
+            data.inviteToken,
+            firebaseUser.uid,
+          );
+          console.log('[AUTH] Token marked as used successfully');
+        } catch (tokenUseError) {
+          console.error('[AUTH] Failed to mark token as used:', tokenUseError);
+          throw tokenUseError;
+        }
+      }
+
+      console.log('[AUTH] Clinic admin signup completed successfully', {
+        userId: user.uid,
+        clinicGroupId: clinicGroup.id,
+        clinicAdminId: adminProfile?.id || 'unknown',
+      });
+
+      // Ensure we have all required data before returning
+      if (!clinicGroup || !adminProfile) {
+        throw new Error('Failed to create or retrieve clinic group or admin profile');
+      }
+
+      return {
+        user,
+        clinicGroup,
+        clinicAdmin: adminProfile,
+      };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        console.error(
+          '[AUTH] Zod validation error in signUpClinicAdmin:',
+          JSON.stringify(error.errors, null, 2),
+        );
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
+        console.error('[AUTH] Email already in use:', data.email);
+        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
+      }
+
+      console.error('[AUTH] Unhandled error in signUpClinicAdmin:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Prijavljuje korisnika sa email-om i lozinkom
+   */
+  async signIn(email: string, password: string): Promise<User> {
+    const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
+
+    return this.userService.getOrCreateUser(firebaseUser);
+  }
+
+  /**
+   * Prijavljuje korisnika sa email-om i lozinkom samo za clinic_admin role
+   * @param email - Email korisnika
+   * @param password - Lozinka korisnika
+   * @returns Objekat koji sadrži korisnika, admin profil i grupu klinika
+   * @throws {AUTH_ERRORS.INVALID_ROLE} Ako korisnik nema clinic_admin rolu
+   * @throws {AUTH_ERRORS.NOT_FOUND} Ako admin profil nije pronađen
+   */
+  async signInClinicAdmin(
+    email: string,
+    password: string,
+  ): Promise<{
+    user: User;
+    clinicAdmin: ClinicAdmin;
+    clinicGroup: ClinicGroup;
+  }> {
+    try {
+      // Initialize required services
+      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
+      const clinicGroupService = new ClinicGroupService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicAdminService,
+      );
+      const mediaService = new MediaService(this.db, this.auth, this.app);
+      const clinicService = new ClinicService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicGroupService,
+        clinicAdminService,
+        mediaService,
+      );
+
+      // Set services to resolve circular dependencies
+      clinicAdminService.setServices(clinicGroupService, clinicService);
+
+      // Sign in with email/password
+      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
+
+      // Get or create user
+      const user = await this.userService.getOrCreateUser(firebaseUser);
+
+      // Check if user has clinic_admin role
+      if (!user.roles?.includes(UserRole.CLINIC_ADMIN)) {
+        console.error('[AUTH] User is not a clinic admin:', user.uid);
+        // Sign out the user immediately for security
+        await this.auth.signOut();
+        throw AUTH_ERRORS.UNAUTHORIZED_ROLE;
+      }
+
+      // Check and get admin profile
+      if (!user.adminProfile) {
+        console.error('[AUTH] User has no admin profile:', user.uid);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      // Get clinic admin profile
+      const adminProfile = await clinicAdminService.getClinicAdmin(user.adminProfile);
+      if (!adminProfile) {
+        console.error('[AUTH] Admin profile not found:', user.adminProfile);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      // Get clinic group
+      const clinicGroup = await clinicGroupService.getClinicGroup(adminProfile.clinicGroupId);
+      if (!clinicGroup) {
+        console.error('[AUTH] Clinic group not found:', adminProfile.clinicGroupId);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      return {
+        user,
+        clinicAdmin: adminProfile,
+        clinicGroup,
+      };
+    } catch (error) {
+      console.error('[AUTH] Error in signInClinicAdmin:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Prijavljuje korisnika anonimno
+   */
+  async signInAnonymously(): Promise<User> {
+    const { user: firebaseUser } = await firebaseSignInAnonymously(this.auth);
+
+    return this.userService.getOrCreateUser(firebaseUser);
+  }
+
+  /**
+   * Odjavljuje trenutnog korisnika
+   */
+  async signOut(): Promise<void> {
+    await firebaseSignOut(this.auth);
+  }
+
+  /**
+   * Vraća trenutno prijavljenog korisnika
+   */
+  async getCurrentUser(): Promise<User | null> {
+    const firebaseUser = this.auth.currentUser;
+    if (!firebaseUser) return null;
+
+    return this.userService.getUserById(firebaseUser.uid);
+  }
+
+  /**
+   * Registruje callback za promene stanja autentifikacije
+   */
+  onAuthStateChange(callback: (user: FirebaseUser | null) => void): () => void {
+    return onAuthStateChanged(this.auth, callback);
+  }
+
+  async upgradeAnonymousUser(email: string, password: string): Promise<User> {
+    try {
+      await emailSchema.parseAsync(email);
+      await passwordSchema.parseAsync(password);
+
+      const currentUser = this.auth.currentUser;
+      if (!currentUser) {
+        throw AUTH_ERRORS.NOT_AUTHENTICATED;
+      }
+      if (!currentUser.isAnonymous) {
+        throw new AuthError('User is not anonymous', 'AUTH/NOT_ANONYMOUS_USER', 400);
+      }
+
+      const credential = EmailAuthProvider.credential(email, password);
+      await linkWithCredential(currentUser, credential);
+
+      return await this.userService.upgradeAnonymousUser(currentUser.uid, email);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
+        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Šalje email za resetovanje lozinke korisniku
+   * @param email Email adresa korisnika
+   * @returns Promise koji se razrešava kada je email poslat
+   */
+  async sendPasswordResetEmail(email: string): Promise<void> {
+    try {
+      await emailSchema.parseAsync(email);
+
+      // Šaljemo email za resetovanje lozinke
+      await sendPasswordResetEmail(this.auth, email);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.USER_NOT_FOUND) {
+        throw AUTH_ERRORS.USER_NOT_FOUND;
+      }
+
+      throw error;
+    }
+  }
+
+  /**
+   * Verifikuje kod za resetovanje lozinke iz email linka
+   * @param oobCode Kod iz URL-a za resetovanje lozinke
+   * @returns Promise koji se razrešava sa email adresom korisnika ako je kod validan
+   */
+  async verifyPasswordResetCode(oobCode: string): Promise<string> {
+    try {
+      // Verifikujemo kod i vraćamo email korisnika
+      return await verifyPasswordResetCode(this.auth, oobCode);
+    } catch (error) {
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
+        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
+      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
+        throw AUTH_ERRORS.INVALID_ACTION_CODE;
+      }
+
+      throw error;
+    }
+  }
+
+  /**
+   * Potvrđuje resetovanje lozinke i postavlja novu lozinku
+   * @param oobCode Kod iz URL-a za resetovanje lozinke
+   * @param newPassword Nova lozinka
+   * @returns Promise koji se razrešava kada je lozinka promenjena
+   */
+  async confirmPasswordReset(oobCode: string, newPassword: string): Promise<void> {
+    try {
+      await passwordSchema.parseAsync(newPassword);
+
+      // Potvrđujemo resetovanje lozinke i postavljamo novu lozinku
+      await confirmPasswordReset(this.auth, oobCode, newPassword);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
+        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
+      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
+        throw AUTH_ERRORS.INVALID_ACTION_CODE;
+      } else if (firebaseError.code === FirebaseErrorCode.WEAK_PASSWORD) {
+        throw AUTH_ERRORS.WEAK_PASSWORD;
+      }
+
+      throw error;
+    }
+  }
+
+  /**
+   * Registers a new practitioner user with email and password (ATOMIC VERSION)
+   * Uses Firestore transactions to ensure atomicity and proper rollback on failures
+   *
+   * @param data - Practitioner signup data containing either new profile details or token for claiming draft profile
+   * @returns Object containing the created user and practitioner profile
+   */
+  async signUpPractitioner(data: {
+    email: string;
+    password: string;
+    firstName?: string;
+    lastName?: string;
+    token?: string;
+    profileData?: Partial<CreatePractitionerData>;
+  }): Promise<{
+    user: User;
+    practitioner: Practitioner;
+  }> {
+    let firebaseUser: any = null;
+
+    try {
+      console.log('[AUTH] Starting atomic practitioner signup process', {
+        email: data.email,
+        hasToken: !!data.token,
+      });
+
+      // Step 1: Pre-validate all data before any mutations
+      await this.validateSignupData(data);
+
+      // Step 2: Create Firebase user (outside transaction - can't be easily rolled back)
+      console.log('[AUTH] Creating Firebase user');
+      try {
+        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
+        firebaseUser = result.user;
+        console.log('[AUTH] Firebase user created successfully', {
+          uid: firebaseUser.uid,
+        });
+      } catch (firebaseError) {
+        console.error('[AUTH] Firebase user creation failed:', firebaseError);
+        throw handleFirebaseError(firebaseError);
+      }
+
+      // Step 3: Execute all database operations in a single transaction
+      console.log('[AUTH] Starting Firestore transaction');
+      const transactionResult = await runTransaction(this.db, async transaction => {
+        console.log('[AUTH] Transaction started - creating user and practitioner');
+
+        // Initialize services
+        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+
+        // Create user document using existing method (not in transaction for now)
+        console.log('[AUTH] Creating user document');
+        const user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
+          skipProfileCreation: true,
+        });
+
+        let practitioner: Practitioner;
+
+        // Handle practitioner profile creation/claiming
+        if (data.token) {
+          console.log('[AUTH] Claiming existing practitioner profile with token');
+          const claimedPractitioner = await practitionerService.validateTokenAndClaimProfile(
+            data.token,
+            firebaseUser.uid,
+          );
+          if (!claimedPractitioner) {
+            throw new Error('Invalid or expired invitation token');
+          }
+          practitioner = claimedPractitioner;
+        } else {
+          console.log('[AUTH] Creating new practitioner profile');
+          const practitionerData = buildPractitionerData(data, firebaseUser.uid);
+          practitioner = await practitionerService.createPractitioner(practitionerData);
+        }
+
+        // Link practitioner to user
+        console.log('[AUTH] Linking practitioner to user');
+        await this.userService.updateUser(firebaseUser.uid, {
+          practitionerProfile: practitioner.id,
+        });
+
+        console.log('[AUTH] Transaction operations completed successfully');
+        return { user, practitioner };
+      });
+
+      console.log('[AUTH] Atomic practitioner signup completed successfully', {
+        userId: transactionResult.user.uid,
+        practitionerId: transactionResult.practitioner.id,
+      });
+
+      return transactionResult;
+    } catch (error) {
+      console.error('[AUTH] Atomic signup failed, initiating cleanup...', error);
+
+      // Cleanup Firebase user if transaction failed
+      if (firebaseUser) {
+        await cleanupFirebaseUser(firebaseUser);
+      }
+
+      throw handleSignupError(error);
+    }
+  }
+
+  /**
+   * Pre-validate all signup data before any mutations
+   * Prevents partial creation by catching issues early
+   */
+  private async validateSignupData(data: {
+    email: string;
+    password: string;
+    firstName?: string;
+    lastName?: string;
+    token?: string;
+    profileData?: Partial<CreatePractitionerData>;
+  }): Promise<void> {
+    console.log('[AUTH] Pre-validating signup data');
+
+    try {
+      // 1. Schema validation
+      await practitionerSignupSchema.parseAsync(data);
+      console.log('[AUTH] Schema validation passed');
+
+      // 2. Check if email already exists (before creating Firebase user)
+      const emailExists = await checkEmailExists(this.auth, data.email);
+      if (emailExists) {
+        console.log('[AUTH] Email already exists:', data.email);
+        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
+      }
+      console.log('[AUTH] Email availability confirmed');
+
+      // 3. Validate token if provided
+      if (data.token) {
+        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+        const isValidToken = await practitionerService.validateToken(data.token);
+        if (!isValidToken) {
+          console.log('[AUTH] Invalid token provided:', data.token);
+          throw new Error('Invalid or expired invitation token');
+        }
+        console.log('[AUTH] Token validation passed');
+      }
+
+      // 4. Validate profile data structure if provided
+      if (data.profileData) {
+        await validatePractitionerProfileData(data.profileData);
+        console.log('[AUTH] Profile data validation passed');
+      }
+
+      console.log('[AUTH] All pre-validation checks passed');
+    } catch (error) {
+      console.error('[AUTH] Pre-validation failed:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Signs in a user with email and password specifically for practitioner role
+   * @param email - User's email
+   * @param password - User's password
+   * @returns Object containing the user and practitioner profile
+   * @throws {AUTH_ERRORS.INVALID_ROLE} If user doesn't have practitioner role
+   * @throws {AUTH_ERRORS.NOT_FOUND} If practitioner profile is not found
+   */
+  async signInPractitioner(
+    email: string,
+    password: string,
+  ): Promise<{
+    user: User;
+    practitioner: Practitioner;
+  }> {
+    try {
+      console.log('[AUTH] Starting practitioner signin process', {
+        email: email,
+      });
+
+      // Initialize required service
+      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+
+      // Sign in with email/password
+      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
+
+      // Get or create user
+      const user = await this.userService.getOrCreateUser(firebaseUser);
+      console.log('[AUTH] User retrieved', { uid: user.uid });
+
+      // Check if user has practitioner role
+      if (!user.roles?.includes(UserRole.PRACTITIONER)) {
+        console.error('[AUTH] User is not a practitioner:', user.uid);
+        throw AUTH_ERRORS.INVALID_ROLE;
+      }
+
+      // Check and get practitioner profile
+      if (!user.practitionerProfile) {
+        console.error('[AUTH] User has no practitioner profile:', user.uid);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      // Get practitioner profile
+      const practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
+      if (!practitioner) {
+        console.error('[AUTH] Practitioner profile not found:', user.practitionerProfile);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      console.log('[AUTH] Practitioner signin completed successfully', {
+        userId: user.uid,
+        practitionerId: practitioner.id,
+      });
+
+      return {
+        user,
+        practitioner,
+      };
+    } catch (error) {
+      console.error('[AUTH] Error in signInPractitioner:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Signs in a user with a Google ID token from a mobile client.
+   * If the user does not exist, a new user is created.
+   * @param idToken - The Google ID token obtained from the mobile app.
+   * @param initialRole - The role to assign to the user if they are being created.
+   * @returns The signed-in or newly created user.
+   */
+  async signInWithGoogleIdToken(
+    idToken: string,
+    initialRole: UserRole = UserRole.PATIENT,
+  ): Promise<User> {
+    try {
+      console.log('[AUTH] Signing in with Google ID Token');
+
+      // 1) Extract the email claim from the raw JWT so we can check Auth records *before* sign-in
+      let email: string | undefined;
+      try {
+        const payloadBase64 = idToken.split('.')[1];
+        const payloadJson = globalThis.atob
+          ? globalThis.atob(payloadBase64)
+          : Buffer.from(payloadBase64, 'base64').toString('utf8');
+        const payload = JSON.parse(payloadJson);
+        email = payload.email as string | undefined;
+      } catch (decodeError) {
+        console.warn('[AUTH] Failed to decode email from Google ID token:', decodeError);
+      }
+
+      if (!email) {
+        throw new AuthError(
+          'Unable to read email from Google token. Please try again or use another sign-in method.',
+          'AUTH/INVALID_GOOGLE_TOKEN',
+          400,
+        );
+      }
+
+      // 2) Check if this email already has a Google credential in Firebase Auth.
+      //    If not, abort early so we *never* create an unwanted Auth user.
+      const methods = await fetchSignInMethodsForEmail(this.auth, email);
+      console.log('[AUTH] Fetch sign in methods for email:', email, methods);
+      const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
+      console.log('[AUTH] Has Google method:', hasGoogleMethod);
+      if (!hasGoogleMethod) {
+        console.log('[AUTH] No existing Google credential for email, aborting login:', email);
+        throw new AuthError(
+          'No account found for this Google user. Please complete registration first.',
+          'AUTH/USER_NOT_FOUND',
+          404,
+        );
+      }
+
+      // 3) Safe to sign-in – we know the credential belongs to an existing Auth account.
+      const credential = GoogleAuthProvider.credential(idToken);
+      const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
+      console.log('[AUTH] Firebase user signed in:', firebaseUser.uid);
+
+      // 4) Load our domain user document.
+      const existingUser = await this.userService.getUserById(firebaseUser.uid);
+      if (existingUser) {
+        console.log('[AUTH] Existing user found, returning profile:', existingUser.uid);
+        return existingUser;
+      }
+
+      // 5) If no profile exists we sign out immediately and error – but crucially no phantom user was created.
+      console.log('[AUTH] No existing MetaEstetics user for Google account – signing out.');
+      await firebaseSignOut(this.auth);
+      throw new AuthError(
+        'No account found. Please complete registration by starting with "Get Started".',
+        'AUTH/USER_NOT_FOUND',
+        404,
+      );
+    } catch (error) {
+      console.error('[AUTH] Error in signInWithGoogleIdToken:', error);
+      throw handleFirebaseError(error);
+    }
+  }
+
+  /**
+   * Links a Google account to the currently signed-in user using an ID token.
+   * This is used to upgrade an anonymous user or to allow an existing user
+   * to sign in with Google in the future.
+   * @param idToken - The Google ID token obtained from the mobile app.
+   * @returns The updated user profile.
+   */
+  async linkGoogleAccount(idToken: string): Promise<User> {
+    try {
+      console.log('[AUTH] Linking Google account with ID Token');
+      const currentUser = this.auth.currentUser;
+      if (!currentUser) {
+        throw AUTH_ERRORS.NOT_AUTHENTICATED;
+      }
+
+      const wasAnonymous = currentUser.isAnonymous;
+      console.log(`[AUTH] Current user is ${wasAnonymous ? 'anonymous' : 'not anonymous'}`);
+
+      const credential = GoogleAuthProvider.credential(idToken);
+      const userCredential = await linkWithCredential(currentUser, credential);
+      const linkedFirebaseUser = userCredential.user;
+      console.log('[AUTH] Google account linked successfully to user:', linkedFirebaseUser.uid);
+
+      if (wasAnonymous) {
+        console.log('[AUTH] Upgrading anonymous user profile');
+        return await this.userService.upgradeAnonymousUser(
+          linkedFirebaseUser.uid,
+          linkedFirebaseUser.email!,
+        );
+      }
+
+      // If the user was not anonymous, just return their updated profile
+      return (await this.userService.getUserById(linkedFirebaseUser.uid))!;
+    } catch (error) {
+      console.error('[AUTH] Error in linkGoogleAccount:', error);
+      throw handleFirebaseError(error);
+    }
+  }
+}