@blackcode_sa/metaestetics-api 1.14.17 → 1.14.23

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blackcode_sa/metaestetics-api",
   "private": false,
-  "version": "1.14.17",
+  "version": "1.14.23",
   "description": "Firebase authentication service with anonymous upgrade support",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/src/admin/mailing/practitionerInvite/templates/invitation.template.ts

@@ -78,21 +78,10 @@ export const practitionerInvitationTemplate = `
       
       <p>This token will expire on <strong>{{expirationDate}}</strong>.</p>
       
-      <p><strong>You have two options to create your account:</strong></p>
-      
-      <p><strong>Option 1: Sign in with Google (Recommended)</strong></p>
-      <ol>
-        <li>Open the MetaEsthetics Doctor App</li>
-        <li>Click "Sign in with Google" on the login screen</li>
-        <li>Select your Google account (use the email address: {{practitionerEmail}})</li>
-        <li>You'll see an invitation to join {{clinicName}} - simply select it and join!</li>
-      </ol>
-      
-      <p><strong>Option 2: Use Email/Password with Token</strong></p>
+      <p>To create your account:</p>
       <ol>
         <li>Visit {{registrationUrl}}</li>
-        <li>Click "Claim Existing Profile with Token"</li>
-        <li>Enter your email ({{practitionerEmail}}) and create a password</li>
+        <li>Enter your email and create a password</li>
         <li>When prompted, enter the token above</li>
       </ol>
       

package/src/services/auth/auth.service.ts

@@ -35,7 +35,6 @@ import {
   Timestamp,
   runTransaction,
   Firestore,
-  serverTimestamp,
 } from 'firebase/firestore';
 import { FirebaseApp } from 'firebase/app';
 import { User, UserRole, USERS_COLLECTION } from '../../types';
@@ -91,91 +90,40 @@ export class AuthService extends BaseService {
   constructor(db: Firestore, auth: Auth, app: FirebaseApp, userService: UserService) {
     super(db, auth, app);
     this.userService = userService || new UserService(db, auth, app);
-    
-    // Initialize auth state change listener for debugging
-    // This helps track when auth.currentUser changes, which is critical for debugging
-    // the permission-denied issue during user document creation
-    onAuthStateChanged(this.auth, (user) => {
-      const timestamp = new Date().toISOString();
-      const stackTrace = new Error().stack?.split('\n').slice(2, 5).join('\n') || 'N/A';
-      console.log(`[AUTH STATE CHANGE] ${timestamp}`);
-      console.log(`[AUTH STATE CHANGE] User: ${user?.uid || 'NULL'} (email: ${user?.email || 'N/A'})`);
-      console.log(`[AUTH STATE CHANGE] auth.currentUser: ${this.auth.currentUser?.uid || 'NULL'}`);
-      console.log(`[AUTH STATE CHANGE] Stack trace (first 3 frames):\n${stackTrace}`);
-      console.log('[AUTH STATE CHANGE] ---');
-    });
-    
-    // Log initial auth state
-    console.log('[AUTH] AuthService initialized');
-    console.log('[AUTH] Initial auth.currentUser:', this.auth.currentUser?.uid || 'NULL');
   }
 
   /**
    * Waits for Firebase Auth state to settle after sign-in.
-   * 
-   * In React Native with AsyncStorage persistence, there's a critical issue:
-   * 1. signInWithCredential() sets auth.currentUser in memory immediately
-   * 2. But AsyncStorage persistence happens asynchronously
-   * 3. If AsyncStorage reads an old NULL value, it can OVERWRITE the current auth state
-   * 4. This causes auth.currentUser to become NULL even after it was set
-   * 
-   * This method uses onAuthStateChanged to wait for the auth state to be SET and STABLE.
-   * It ensures the auth state persists through AsyncStorage operations.
-   * 
-   * @param expectedUid - The UID we expect to see in auth.currentUser
-   * @param timeoutMs - Maximum time to wait (default 5 seconds)
-   * @returns Promise that resolves when auth state is ready and stable
+   * In React Native with AsyncStorage persistence, auth state may not be immediately available.
    */
   private async waitForAuthStateToSettle(expectedUid: string, timeoutMs: number = 5000): Promise<void> {
-    // If already correct, still wait a bit to ensure it's stable (not just set in memory)
     if (this.auth.currentUser?.uid === expectedUid) {
-      console.log('[AUTH] Auth state appears set, waiting for stability...');
-      // Wait a small amount to ensure AsyncStorage persistence completes
       await new Promise(resolve => setTimeout(resolve, 200));
-      // Check again after wait
       if (this.auth.currentUser?.uid === expectedUid) {
-        console.log('[AUTH] ✅ Auth state stable for:', expectedUid);
         return;
       }
     }
-
-    console.log('[AUTH] Waiting for auth state to settle for:', expectedUid);
-    console.log('[AUTH] Current auth.currentUser:', this.auth.currentUser?.uid || 'NULL');
     
     return new Promise((resolve, reject) => {
       const startTime = Date.now();
       let resolved = false;
       
-      // Use onAuthStateChanged to wait for auth state to be SET
-      // This is more reliable than polling auth.currentUser
       const unsubscribe = onAuthStateChanged(this.auth, (user) => {
         if (resolved) return;
         
         const currentUid = user?.uid || null;
-        console.log('[AUTH] onAuthStateChanged fired:', currentUid || 'NULL');
         
         if (currentUid === expectedUid) {
-          // Auth state is set, but wait a bit more to ensure it's stable
-          // AsyncStorage might still be writing/reading
           setTimeout(() => {
             if (resolved) return;
             
-            // Final check - is it still set?
             if (this.auth.currentUser?.uid === expectedUid) {
               resolved = true;
               unsubscribe();
               clearTimeout(timeout);
-              const elapsed = Date.now() - startTime;
-              console.log(`[AUTH] ✅ Auth state settled and stable after ${elapsed}ms for:`, expectedUid);
               resolve();
-            } else {
-              console.warn('[AUTH] ⚠️ Auth state became NULL after being set, waiting more...');
             }
-          }, 300); // Wait 300ms for AsyncStorage to stabilize
-        } else if (currentUid === null && Date.now() - startTime > 1000) {
-          // Auth state became NULL after being set - this is the bug we're trying to fix
-          console.error('[AUTH] ❌ Auth state became NULL after being set!');
-          console.error('[AUTH] This indicates AsyncStorage persistence issue');
+          }, 300);
         }
       });
       
@@ -183,9 +131,6 @@ export class AuthService extends BaseService {
         if (resolved) return;
         resolved = true;
         unsubscribe();
-        console.error('[AUTH] ❌ Timeout waiting for auth state to settle');
-        console.error('[AUTH] Expected UID:', expectedUid);
-        console.error('[AUTH] Actual auth.currentUser:', this.auth.currentUser?.uid || 'NULL');
         reject(new Error(`Timeout waiting for auth state to settle. Expected: ${expectedUid}, Got: ${this.auth.currentUser?.uid || 'NULL'}`));
       }, timeoutMs);
     });
@@ -935,31 +880,16 @@ export class AuthService extends BaseService {
         throw new AuthError('No practitioner profiles selected to claim', 'AUTH/NO_PROFILES_SELECTED', 400);
       }
 
-      // Check auth state BEFORE sign-in
-      console.log('[AUTH] currentUser BEFORE sign-in:', this.auth.currentUser?.uid || 'NULL');
-
-      // Sign in with Google credential
-      console.log('[AUTH] Signing in with Google credential...');
       const credential = GoogleAuthProvider.credential(idToken);
       const result = await signInWithCredential(this.auth, credential);
       const firebaseUser = result.user;
-      
-      // Check auth state IMMEDIATELY AFTER sign-in
-      console.log('[AUTH] currentUser IMMEDIATELY AFTER sign-in:', this.auth.currentUser?.uid || 'NULL');
-      console.log('[AUTH] User returned from signInWithCredential:', firebaseUser.uid);
 
       const practitionerService = new PractitionerService(this.db, this.auth, this.app);
 
-      // Step 1: Get User document (should already exist from signUpPractitionerWithGoogle)
-      // The User document is created IMMEDIATELY after Google sign-in in signUpPractitionerWithGoogle
-      // This matches the token flow pattern - no delays between sign-in and User doc creation
       let user: User;
       try {
         user = await this.userService.getUserById(firebaseUser.uid);
-        console.log('[AUTH] User document found:', user.uid);
       } catch (userError) {
-        console.error('[AUTH] ❌ User document should already exist! It should have been created in signUpPractitionerWithGoogle.');
-        console.error('[AUTH] This indicates a bug - User doc creation failed in the initial Google sign-in flow.');
         throw new AuthError(
           'User account not properly initialized. Please try signing in again.',
           'AUTH/USER_NOT_INITIALIZED',
@@ -967,39 +897,27 @@ export class AuthService extends BaseService {
         );
       }
 
-      // Step 3: Claim the draft profiles
       let practitioner: Practitioner;
       if (practitionerIds.length === 1) {
-        console.log('[AUTH] Claiming single draft profile:', practitionerIds[0]);
         practitioner = await practitionerService.claimDraftProfileWithGoogle(
           practitionerIds[0],
           firebaseUser.uid
         );
       } else {
-        console.log('[AUTH] Claiming multiple draft profiles:', practitionerIds);
         practitioner = await practitionerService.claimMultipleDraftProfilesWithGoogle(
           practitionerIds,
           firebaseUser.uid
         );
       }
-      console.log('[AUTH] Draft profiles claimed:', practitioner.id);
 
-      // Step 4: Link practitioner to user
       if (!user.practitionerProfile || user.practitionerProfile !== practitioner.id) {
-        console.log('[AUTH] Linking practitioner to user');
         await this.userService.updateUser(firebaseUser.uid, {
           practitionerProfile: practitioner.id,
         });
       }
 
-      // Fetch updated user (with practitionerProfile reference)
       const updatedUser = await this.userService.getUserById(firebaseUser.uid);
 
-      console.log('[AUTH] Draft profiles claimed successfully', {
-        userId: updatedUser.uid,
-        practitionerId: practitioner.id,
-      });
-
       return {
         user: updatedUser,
         practitioner,
@@ -1180,13 +1098,6 @@ export class AuthService extends BaseService {
       const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
       console.log('[AUTH] Firebase user signed in:', firebaseUser.uid);
 
-      // CRITICAL: Wait for auth state to settle before making Firestore queries
-      // In React Native with AsyncStorage persistence, auth.currentUser can be NULL
-      // immediately after signInWithCredential due to async persistence race condition
-      console.log('[AUTH] Waiting for auth state to settle after sign-in...');
-      await this.waitForAuthStateToSettle(firebaseUser.uid);
-      console.log('[AUTH] ✅ Auth state settled, proceeding with Firestore queries');
-
       // 4) Load our domain user document.
       const existingUser = await this.userService.getUserById(firebaseUser.uid);
       if (existingUser) {
@@ -1252,69 +1163,37 @@ export class AuthService extends BaseService {
       }
 
       const normalizedEmail = email.toLowerCase().trim();
-      console.log('[AUTH] Extracted email from Google token:', normalizedEmail);
 
-      // Check if user already exists in Firebase Auth
       const methods = await fetchSignInMethodsForEmail(this.auth, normalizedEmail);
       const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
       const hasEmailMethod = methods.includes(EmailAuthProvider.EMAIL_PASSWORD_SIGN_IN_METHOD);
 
       const practitionerService = new PractitionerService(this.db, this.auth, this.app);
 
-      // Case 1: User exists with Google provider - sign in and check for practitioner profile
       if (hasGoogleMethod) {
-        console.log('[AUTH] User exists with Google provider, signing in');
         const credential = GoogleAuthProvider.credential(idToken);
         const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
         
-        // CRITICAL: Wait for auth state to settle before making Firestore queries
-        // In React Native with AsyncStorage persistence, auth.currentUser can be NULL
-        // immediately after signInWithCredential due to async persistence race condition
-        console.log('[AUTH] Waiting for auth state to settle after sign-in...');
         await this.waitForAuthStateToSettle(firebaseUser.uid);
-        console.log('[AUTH] ✅ Auth state settled, proceeding with Firestore queries');
         
         let existingUser: User | null = null;
         try {
           existingUser = await this.userService.getUserById(firebaseUser.uid);
-          console.log('[AUTH] User document found:', existingUser.uid);
         } catch (userError: any) {
-          // User document doesn't exist in Firestore
-          console.log('[AUTH] User document not found in Firestore, checking for draft profiles', {
-            errorCode: userError?.code,
-            errorMessage: userError?.message,
-            errorType: userError?.constructor?.name,
-            isAuthError: userError instanceof AuthError,
-          });
-          
-          // Check for draft profiles before signing out
-          // CRITICAL: Verify auth.currentUser is still set before Firestore query
-          // AsyncStorage persistence can cause it to become NULL even after being set
           if (!this.auth.currentUser || this.auth.currentUser.uid !== firebaseUser.uid) {
-            console.error('[AUTH] ❌ auth.currentUser became NULL before draft profile query!');
-            console.error('[AUTH] Expected UID:', firebaseUser.uid);
-            console.error('[AUTH] Actual auth.currentUser:', this.auth.currentUser?.uid || 'NULL');
-            console.log('[AUTH] Waiting for auth state to recover...');
-            // Try to wait for it to come back
+            const credential = GoogleAuthProvider.credential(idToken);
+            await signInWithCredential(this.auth, credential);
             await this.waitForAuthStateToSettle(firebaseUser.uid, 2000);
           }
           
           const practitionerService = new PractitionerService(this.db, this.auth, this.app);
           const draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
           
-          console.log('[AUTH] Draft profiles check result:', {
-            email: normalizedEmail,
-            draftProfilesCount: draftProfiles.length,
-            draftProfileIds: draftProfiles.map(p => p.id),
-          });
-          
           if (draftProfiles.length === 0) {
-            // No draft profiles - sign out and throw error
-            console.log('[AUTH] No draft profiles found, signing out and throwing error');
             try {
               await firebaseSignOut(this.auth);
             } catch (signOutError) {
-              console.warn('[AUTH] Error signing out Firebase user (non-critical):', signOutError);
+              console.warn('[AUTH] Error signing out:', signOutError);
             }
             throw new AuthError(
               'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
@@ -1323,35 +1202,21 @@ export class AuthService extends BaseService {
             );
           }
           
-          // Draft profiles exist - CREATE USER DOCUMENT IMMEDIATELY (like token flow)
-          // This matches the token flow pattern: create User doc right after sign-in, before any delays
-          console.log('[AUTH] Draft profiles found, creating User document IMMEDIATELY after sign-in');
-          console.log('[AUTH] auth.currentUser at User creation time:', this.auth.currentUser?.uid || 'NULL');
-          
           try {
-            // Create User document immediately (same pattern as token flow)
             const newUser = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
               skipProfileCreation: true,
             });
-            console.log('[AUTH] ✅ User document created successfully:', newUser.uid);
             
-            // Return user + draft profiles (user doc already exists, just need to claim profiles)
             return {
               user: newUser,
               practitioner: null,
               draftProfiles: draftProfiles,
             };
           } catch (createUserError: any) {
-            console.error('[AUTH] ❌ Failed to create User document:', {
-              errorCode: createUserError?.code,
-              errorMessage: createUserError?.message,
-              uid: firebaseUser.uid,
-            });
-            // Sign out on failure
             try {
               await firebaseSignOut(this.auth);
             } catch (signOutError) {
-              console.warn('[AUTH] Error signing out Firebase user (non-critical):', signOutError);
+              console.warn('[AUTH] Error signing out:', signOutError);
             }
             throw createUserError;
           }
@@ -1383,11 +1248,7 @@ export class AuthService extends BaseService {
         };
       }
 
-      // Case 2: User exists with email/password - need to link Google provider
-      // Firebase doesn't allow linking without being signed in first
-      // So we need to ask user to sign in with email/password first, then link
       if (hasEmailMethod && !hasGoogleMethod) {
-        console.log('[AUTH] User exists with email/password only');
         throw new AuthError(
           'An account with this email already exists. Please sign in with your email and password, then link your Google account in settings.',
           'AUTH/EMAIL_ALREADY_EXISTS',
@@ -1395,8 +1256,6 @@ export class AuthService extends BaseService {
         );
       }
 
-      // Case 3: New user - sign in with Google and check for draft profiles
-      console.log('[AUTH] Signing in with Google credential');
       const credential = GoogleAuthProvider.credential(idToken);
       
       let firebaseUser: FirebaseUser;
@@ -1415,39 +1274,26 @@ export class AuthService extends BaseService {
         throw error;
       }
 
-      // CRITICAL: Wait for auth state to settle before making Firestore queries
-      // In React Native with AsyncStorage persistence, auth.currentUser can be NULL
-      // immediately after signInWithCredential due to async persistence race condition
-      console.log('[AUTH] Waiting for auth state to settle after sign-in...');
       await this.waitForAuthStateToSettle(firebaseUser.uid);
-      console.log('[AUTH] ✅ Auth state settled, proceeding with Firestore queries');
 
-      // Check for existing User document (in case user had email/password account that was just linked)
       let existingUser: User | null = null;
       try {
         const existingUserDoc = await this.userService.getUserById(firebaseUser.uid);
         if (existingUserDoc) {
           existingUser = existingUserDoc;
-          console.log('[AUTH] Found existing User document');
         }
       } catch (error) {
-        console.error('[AUTH] Error checking for existing user:', error);
         // Continue with new user creation
       }
 
-      // Check for draft profiles
-      console.log('[AUTH] Checking for draft profiles');
       let draftProfiles: Practitioner[] = [];
       try {
         draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
-        console.log('[AUTH] Draft profiles check complete', { count: draftProfiles.length });
       } catch (draftCheckError: any) {
-        console.error('[AUTH] Error checking draft profiles:', draftCheckError);
-        // If checking draft profiles fails, sign out and throw appropriate error
         try {
           await firebaseSignOut(this.auth);
         } catch (signOutError) {
-          console.warn('[AUTH] Error signing out Firebase user (non-critical):', signOutError);
+          console.warn('[AUTH] Error signing out:', signOutError);
         }
         throw new AuthError(
           'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
@@ -1458,72 +1304,43 @@ export class AuthService extends BaseService {
 
       let user: User;
       if (existingUser) {
-        // User exists - use existing account
         user = existingUser;
-        console.log('[AUTH] Using existing user account');
       } else {
-        // For new users: Only create account if there are draft profiles OR if user already has a practitioner profile
-        // Since doctors can only join via clinic invitation, we should not create accounts without invitations
         if (draftProfiles.length === 0) {
-          console.log('[AUTH] No draft profiles found, signing out and throwing error');
-          // Sign out the Firebase user since we're not creating an account
-          // Wrap in try-catch to handle any sign-out errors gracefully
           try {
             await firebaseSignOut(this.auth);
           } catch (signOutError) {
-            console.warn('[AUTH] Error signing out Firebase user (non-critical):', signOutError);
-            // Continue anyway - the important part is we're not creating the account
+            console.warn('[AUTH] Error signing out:', signOutError);
           }
-          const noDraftError = new AuthError(
+          throw new AuthError(
             'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
             'AUTH/NO_DRAFT_PROFILES',
             404,
           );
-          console.log('[AUTH] Throwing NO_DRAFT_PROFILES error:', noDraftError.code);
-          throw noDraftError;
         }
         
-        // Create new user document only if draft profiles exist
         user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
           skipProfileCreation: true,
         });
-        console.log('[AUTH] Created new user account with draft profiles available');
       }
 
-      // Check if user already has practitioner profile
       let practitioner: Practitioner | null = null;
       if (user.practitionerProfile) {
         practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
       }
 
-      console.log('[AUTH] Google Sign-In complete', {
-        userId: user.uid,
-        hasPractitioner: !!practitioner,
-        draftProfilesCount: draftProfiles.length,
-      });
-
       return {
         user,
         practitioner,
         draftProfiles,
       };
     } catch (error: any) {
-      console.error('[AUTH] Error in signUpPractitionerWithGoogle:', error);
-      console.error('[AUTH] Error type:', error?.constructor?.name);
-      console.error('[AUTH] Error instanceof AuthError:', error instanceof AuthError);
-      console.error('[AUTH] Error code:', error?.code);
-      console.error('[AUTH] Error message:', error?.message);
-      
-      // Preserve AuthError instances (like NO_DRAFT_PROFILES) without wrapping
       if (error instanceof AuthError) {
-        console.log('[AUTH] Preserving AuthError:', error.code);
         throw error;
       }
       
-      // Check if error message contains NO_DRAFT_PROFILES before wrapping
       const errorMessage = error?.message || error?.toString() || '';
       if (errorMessage.includes('NO_DRAFT_PROFILES') || errorMessage.includes('clinic invitation')) {
-        console.log('[AUTH] Detected clinic invitation error in message, converting to AuthError');
         throw new AuthError(
           'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
           'AUTH/NO_DRAFT_PROFILES',
@@ -1531,14 +1348,9 @@ export class AuthService extends BaseService {
         );
       }
       
-      // For other errors, wrap them but preserve the original message if it's helpful
       const wrappedError = handleFirebaseError(error);
-      console.log('[AUTH] Wrapped error:', wrappedError.message);
       
-      // If the wrapped error message is generic, try to preserve more context
       if (wrappedError.message.includes('permissions') || wrappedError.message.includes('Account creation failed')) {
-        // This might be a permissions error during sign-out or user creation
-        // If we got here and there were no draft profiles, it's likely the same issue
         throw new AuthError(
           'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
           'AUTH/NO_DRAFT_PROFILES',

package/src/services/practitioner/practitioner.service.ts

@@ -483,6 +483,34 @@ export class PractitionerService extends BaseService {
         throw new Error("Practitioner is not associated with this clinic");
       }
 
+      // Security check: Verify that the clinic belongs to the clinic group of the user creating the token
+      // createdBy can be either clinicGroupId or clinicId
+      let expectedClinicGroupId: string | null = null;
+      
+      // First, check if createdBy matches the clinic's clinicGroupId directly
+      if (clinic.clinicGroupId === createdBy) {
+        // createdBy is the clinicGroupId, which matches - this is valid
+        expectedClinicGroupId = createdBy;
+      } else {
+        // createdBy might be a clinicId, check if that clinic belongs to the same group
+        try {
+          const creatorClinic = await this.getClinicService().getClinic(createdBy);
+          if (creatorClinic && creatorClinic.clinicGroupId === clinic.clinicGroupId) {
+            // Both clinics belong to the same group - valid
+            expectedClinicGroupId = clinic.clinicGroupId;
+          } else {
+            throw new Error("Clinic does not belong to your clinic group");
+          }
+        } catch (error: any) {
+          // If createdBy is not a valid clinicId, or clinics don't match, reject
+          if (error.message === "Clinic does not belong to your clinic group") {
+            throw error;
+          }
+          // If getClinic fails, createdBy might be a clinicGroupId that doesn't match
+          throw new Error("Clinic does not belong to your clinic group");
+        }
+      }
+
       // Default expiration is 7 days from now if not specified
       const expiration =
         validatedData.expiresAt ||
@@ -522,21 +550,29 @@ export class PractitionerService extends BaseService {
   /**
    * Gets active tokens for a practitioner
    * @param practitionerId ID of the practitioner
+   * @param clinicId Optional clinic ID to filter tokens by. If provided, only returns tokens for this clinic.
    * @returns Array of active tokens
    */
   async getPractitionerActiveTokens(
-    practitionerId: string
+    practitionerId: string,
+    clinicId?: string
   ): Promise<PractitionerToken[]> {
     const tokensRef = collection(
       this.db,
       `${PRACTITIONERS_COLLECTION}/${practitionerId}/${REGISTER_TOKENS_COLLECTION}`
     );
 
-    const q = query(
-      tokensRef,
+    const conditions = [
       where("status", "==", PractitionerTokenStatus.ACTIVE),
       where("expiresAt", ">", Timestamp.now())
-    );
+    ];
+
+    // Filter by clinic if provided
+    if (clinicId) {
+      conditions.push(where("clinicId", "==", clinicId));
+    }
+
+    const q = query(tokensRef, ...conditions);
 
     const querySnapshot = await getDocs(q);
     return querySnapshot.docs.map((doc) => doc.data() as PractitionerToken);
@@ -628,6 +664,45 @@ export class PractitionerService extends BaseService {
     });
   }
 
+  /**
+   * Revokes a token by setting its status to REVOKED
+   * @param tokenId ID of the token
+   * @param practitionerId ID of the practitioner
+   * @param clinicId ID of the clinic that owns the token. Used to verify ownership before revoking.
+   * @throws Error if token doesn't exist or doesn't belong to the specified clinic
+   */
+  async revokeToken(
+    tokenId: string,
+    practitionerId: string,
+    clinicId: string
+  ): Promise<void> {
+    const tokenRef = doc(
+      this.db,
+      `${PRACTITIONERS_COLLECTION}/${practitionerId}/${REGISTER_TOKENS_COLLECTION}/${tokenId}`
+    );
+
+    // First, verify the token exists and belongs to the clinic
+    const tokenDoc = await getDoc(tokenRef);
+    if (!tokenDoc.exists()) {
+      throw new Error("Token not found");
+    }
+
+    const tokenData = tokenDoc.data() as PractitionerToken;
+    if (tokenData.clinicId !== clinicId) {
+      throw new Error("Token does not belong to the specified clinic");
+    }
+
+    // Only revoke if token is still active
+    if (tokenData.status !== PractitionerTokenStatus.ACTIVE) {
+      throw new Error("Token is not active and cannot be revoked");
+    }
+
+    await updateDoc(tokenRef, {
+      status: PractitionerTokenStatus.REVOKED,
+      updatedAt: serverTimestamp(),
+    });
+  }
+
   /**
    * Dohvata zdravstvenog radnika po ID-u
    */