@blackcode_sa/metaestetics-api 1.15.16 → 1.15.17-staging.0

package/src/services/auth/auth.service.ts

@@ -1,1435 +1,1435 @@
-import {
-  Auth,
-  User as FirebaseUser,
-  signInWithEmailAndPassword,
-  createUserWithEmailAndPassword,
-  signInAnonymously as firebaseSignInAnonymously,
-  signOut as firebaseSignOut,
-  GoogleAuthProvider,
-  signInWithPopup,
-  signInWithRedirect,
-  getRedirectResult,
-  linkWithCredential,
-  EmailAuthProvider,
-  onAuthStateChanged,
-  sendPasswordResetEmail,
-  verifyPasswordResetCode,
-  confirmPasswordReset,
-  fetchSignInMethodsForEmail,
-  signInWithCredential,
-  OAuthProvider,
-} from 'firebase/auth';
-import {
-  getFirestore,
-  collection,
-  doc,
-  getDoc,
-  setDoc,
-  updateDoc,
-  deleteDoc,
-  query,
-  where,
-  getDocs,
-  orderBy,
-  limit,
-  startAfter,
-  Timestamp,
-  runTransaction,
-  Firestore,
-} from 'firebase/firestore';
-import { FirebaseApp } from 'firebase/app';
-import { User, UserRole, USERS_COLLECTION } from '../../types';
-import { z } from 'zod';
-import { emailSchema, passwordSchema, userRoleSchema } from '../../validations/schemas';
-import { AuthError, AUTH_ERRORS } from '../../errors/auth.errors';
-import { FirebaseErrorCode } from '../../errors/firebase.errors';
-import { FirebaseError } from '../../errors/firebase.errors';
-import { BaseService } from '../base.service';
-import { UserService } from '../user/user.service';
-import {
-  ClinicGroup,
-  AdminToken,
-  AdminTokenStatus,
-  CreateClinicGroupData,
-  CreateClinicAdminData,
-  ContactPerson,
-  ClinicAdminSignupData,
-  SubscriptionModel,
-  CLINIC_GROUPS_COLLECTION,
-  ClinicAdmin,
-} from '../../types/clinic';
-import { clinicAdminSignupSchema } from '../../validations/clinic.schema';
-import { ClinicGroupService } from '../clinic/clinic-group.service';
-import { ClinicAdminService } from '../clinic/clinic-admin.service';
-import { ClinicService } from '../clinic/clinic.service';
-import {
-  Practitioner,
-  CreatePractitionerData,
-  PractitionerStatus,
-  PractitionerBasicInfo,
-  PractitionerCertification,
-} from '../../types/practitioner';
-import { PractitionerService } from '../practitioner/practitioner.service';
-import { practitionerSignupSchema } from '../../validations/practitioner.schema';
-import { CertificationLevel } from '../../backoffice/types/static/certification.types';
-import { MediaService } from '../media/media.service';
-// Import utility functions
-import {
-  checkEmailExists,
-  cleanupFirebaseUser,
-  handleFirebaseError,
-  handleSignupError,
-  buildPractitionerData,
-  validatePractitionerProfileData,
-} from './utils';
-
-export class AuthService extends BaseService {
-  private googleProvider = new GoogleAuthProvider();
-  private userService: UserService;
-
-  constructor(db: Firestore, auth: Auth, app: FirebaseApp, userService: UserService) {
-    super(db, auth, app);
-    this.userService = userService || new UserService(db, auth, app);
-  }
-
-  /**
-   * Waits for Firebase Auth state to settle after sign-in.
-   * In React Native with AsyncStorage persistence, auth state may not be immediately available.
-   */
-  private async waitForAuthStateToSettle(expectedUid: string, timeoutMs: number = 5000): Promise<void> {
-    if (this.auth.currentUser?.uid === expectedUid) {
-      await new Promise(resolve => setTimeout(resolve, 200));
-      if (this.auth.currentUser?.uid === expectedUid) {
-        return;
-      }
-    }
-    
-    return new Promise((resolve, reject) => {
-      const startTime = Date.now();
-      let resolved = false;
-      
-      const unsubscribe = onAuthStateChanged(this.auth, (user) => {
-        if (resolved) return;
-        
-        const currentUid = user?.uid || null;
-        
-        if (currentUid === expectedUid) {
-          setTimeout(() => {
-            if (resolved) return;
-            
-            if (this.auth.currentUser?.uid === expectedUid) {
-              resolved = true;
-              unsubscribe();
-              clearTimeout(timeout);
-              resolve();
-            }
-          }, 300);
-        }
-      });
-      
-      const timeout = setTimeout(() => {
-        if (resolved) return;
-        resolved = true;
-        unsubscribe();
-        reject(new Error(`Timeout waiting for auth state to settle. Expected: ${expectedUid}, Got: ${this.auth.currentUser?.uid || 'NULL'}`));
-      }, timeoutMs);
-    });
-  }
-
-  /**
-   * Registruje novog korisnika sa email-om i lozinkom
-   */
-  async signUp(
-    email: string,
-    password: string,
-    initialRole: UserRole = UserRole.PATIENT,
-    options?: {
-      patientInviteToken?: string;
-    },
-  ): Promise<User> {
-    const { user: firebaseUser } = await createUserWithEmailAndPassword(this.auth, email, password);
-
-    return this.userService.createUser(firebaseUser, [initialRole], options);
-  }
-
-  /**
-   * Registers a new clinic admin user with email and password
-   * Can either create a new clinic group or join an existing one with a token
-   *
-   * @param data - Clinic admin signup data
-   * @returns Object containing the created user, clinic group, and clinic admin
-   */
-  async signUpClinicAdmin(data: ClinicAdminSignupData): Promise<{
-    user: User;
-    clinicGroup: ClinicGroup;
-    clinicAdmin: ClinicAdmin;
-  }> {
-    try {
-      console.log('[AUTH] Starting clinic admin signup process', {
-        email: data.email,
-      });
-
-      // Validate data
-      try {
-        await clinicAdminSignupSchema.parseAsync(data);
-        console.log('[AUTH] Clinic admin signup data validation passed');
-      } catch (validationError) {
-        console.error('[AUTH] Validation error in signUpClinicAdmin:', validationError);
-        throw validationError;
-      }
-
-      // Create Firebase user
-      console.log('[AUTH] Creating Firebase user');
-      let firebaseUser;
-      try {
-        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
-        firebaseUser = result.user;
-        console.log('[AUTH] Firebase user created successfully', {
-          uid: firebaseUser.uid,
-        });
-      } catch (firebaseError) {
-        console.error('[AUTH] Firebase user creation failed:', firebaseError);
-        throw handleFirebaseError(firebaseError);
-      }
-
-      // Create user with CLINIC_ADMIN role
-      console.log('[AUTH] Creating user with CLINIC_ADMIN role');
-      let user;
-      try {
-        user = await this.userService.createUser(firebaseUser, [UserRole.CLINIC_ADMIN], {
-          skipProfileCreation: true,
-        });
-        console.log('[AUTH] User with CLINIC_ADMIN role created successfully', {
-          userId: user.uid,
-        });
-      } catch (userCreationError) {
-        console.error('[AUTH] User creation failed:', userCreationError);
-        throw userCreationError;
-      }
-
-      // Create contact person object
-      const contactPerson: ContactPerson = {
-        firstName: data.firstName,
-        lastName: data.lastName,
-        title: data.title,
-        email: data.email,
-        phoneNumber: data.phoneNumber,
-      };
-      console.log('[AUTH] Contact person object created');
-
-      // Initialize services
-      console.log('[AUTH] Initializing clinic services');
-      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
-      const clinicGroupService = new ClinicGroupService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicAdminService,
-      );
-      const mediaService = new MediaService(this.db, this.auth, this.app);
-      const clinicService = new ClinicService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicGroupService,
-        clinicAdminService,
-        mediaService,
-      );
-
-      // Set services to resolve circular dependencies
-      clinicAdminService.setServices(clinicGroupService, clinicService);
-      console.log('[AUTH] Services initialized and circular dependencies resolved');
-
-      let clinicGroup: ClinicGroup | null = null;
-      let adminProfile: ClinicAdmin | null = null;
-
-      if (data.isCreatingNewGroup) {
-        console.log('[AUTH] Creating new clinic group flow');
-        // Create new clinic group
-        if (!data.clinicGroupData) {
-          console.error('[AUTH] Clinic group data is missing');
-          throw new Error('Clinic group data is required when creating a new group');
-        }
-
-        // First create the clinic admin without a group
-        console.log('[AUTH] Creating clinic admin first (without group)');
-        const createClinicAdminData: CreateClinicAdminData = {
-          userRef: firebaseUser.uid,
-          isGroupOwner: true,
-          clinicsManaged: [],
-          contactInfo: contactPerson,
-          roleTitle: data.title,
-          isActive: true,
-          // No clinicGroupId yet
-        };
-
-        try {
-          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
-          console.log('[AUTH] Clinic admin created successfully', {
-            adminId: adminProfile.id,
-          });
-        } catch (adminCreationError) {
-          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
-          throw adminCreationError;
-        }
-
-        // Update user document with admin profile reference
-        try {
-          console.log('[AUTH] Updating user with admin profile reference');
-          user = await this.userService.updateUser(firebaseUser.uid, {
-            adminProfile: adminProfile.id,
-          });
-          console.log('[AUTH] User updated with admin profile reference successfully');
-        } catch (userUpdateError) {
-          console.error('[AUTH] Failed to update user with admin profile:', userUpdateError);
-          throw userUpdateError;
-        }
-
-        // Then create clinic group
-        const createClinicGroupData: CreateClinicGroupData = {
-          name: data.clinicGroupData.name,
-          hqLocation: data.clinicGroupData.hqLocation,
-          contactInfo: data.clinicGroupData.contactInfo,
-          contactPerson: contactPerson,
-          ownerId: adminProfile.id, // Use admin profile ID, not user UID
-          isActive: true,
-          logo: data.clinicGroupData.logo || null,
-          subscriptionModel:
-            data.clinicGroupData.subscriptionModel || SubscriptionModel.NO_SUBSCRIPTION,
-          onboarding: {
-            completed: false,
-            step: 1,
-          },
-        };
-        console.log('[AUTH] Clinic group data prepared', {
-          groupName: createClinicGroupData.name,
-        });
-
-        // Create clinic group
-        try {
-          clinicGroup = await clinicGroupService.createClinicGroup(
-            createClinicGroupData,
-            adminProfile.id, // Use admin profile ID, not user UID
-            false, // This is not a default group since we're providing complete data
-          );
-          console.log('[AUTH] Clinic group created successfully', {
-            groupId: clinicGroup.id,
-          });
-
-          // Now update the admin with the group ID
-          console.log('[AUTH] Updating admin with clinic group ID');
-          await clinicAdminService.updateClinicAdmin(adminProfile.id, {
-            // Use admin profile ID, not user UID
-            clinicGroupId: clinicGroup.id,
-          });
-          console.log('[AUTH] Admin updated with clinic group ID successfully');
-
-          // Get the updated admin profile
-          adminProfile = await clinicAdminService.getClinicAdmin(adminProfile.id);
-        } catch (groupCreationError) {
-          console.error('[AUTH] Clinic group creation failed:', groupCreationError);
-          throw groupCreationError;
-        }
-      } else {
-        console.log('[AUTH] Joining existing clinic group flow');
-        // Join existing clinic group with token
-        if (!data.inviteToken) {
-          console.error('[AUTH] Invite token is missing');
-          throw new Error('Invite token is required when joining an existing group');
-        }
-        console.log('[AUTH] Invite token provided', {
-          token: data.inviteToken,
-        });
-
-        // Find the token in the database
-        console.log('[AUTH] Searching for token in clinic groups');
-        const groupsRef = collection(this.db, CLINIC_GROUPS_COLLECTION);
-        const q = query(groupsRef);
-        const querySnapshot = await getDocs(q);
-
-        let foundGroup: ClinicGroup | null = null;
-        let foundToken: AdminToken | null = null;
-
-        console.log('[AUTH] Found', querySnapshot.size, 'clinic groups to check');
-        for (const docSnapshot of querySnapshot.docs) {
-          const group = docSnapshot.data() as ClinicGroup;
-          console.log('[AUTH] Checking group', {
-            groupId: group.id,
-            groupName: group.name,
-          });
-
-          // Find the token in the group's tokens
-          const token = group.adminTokens.find(t => {
-            const isMatch =
-              t.token === data.inviteToken &&
-              t.status === AdminTokenStatus.ACTIVE &&
-              new Date(t.expiresAt.toDate()) > new Date();
-
-            console.log('[AUTH] Checking token', {
-              tokenId: t.id,
-              tokenMatch: t.token === data.inviteToken,
-              tokenStatus: t.status,
-              tokenActive: t.status === AdminTokenStatus.ACTIVE,
-              tokenExpiry: new Date(t.expiresAt.toDate()),
-              tokenExpired: new Date(t.expiresAt.toDate()) <= new Date(),
-              isMatch,
-            });
-
-            return isMatch;
-          });
-
-          if (token) {
-            foundGroup = group;
-            foundToken = token;
-            console.log('[AUTH] Found matching token in group', {
-              groupId: group.id,
-              tokenId: token.id,
-            });
-            break;
-          }
-        }
-
-        if (!foundGroup || !foundToken) {
-          console.error('[AUTH] No valid token found in any clinic group');
-          throw new Error('Invalid or expired invite token');
-        }
-
-        clinicGroup = foundGroup;
-
-        // Create clinic admin
-        console.log('[AUTH] Creating clinic admin');
-        const createClinicAdminData: CreateClinicAdminData = {
-          userRef: firebaseUser.uid,
-          clinicGroupId: foundGroup.id,
-          isGroupOwner: false,
-          clinicsManaged: [],
-          contactInfo: contactPerson,
-          roleTitle: data.title,
-          isActive: true,
-        };
-
-        try {
-          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
-          console.log('[AUTH] Clinic admin created successfully', {
-            adminId: adminProfile.id,
-          });
-        } catch (adminCreationError) {
-          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
-          throw adminCreationError;
-        }
-
-        // Mark token as used
-        try {
-          await clinicGroupService.verifyAndUseAdminToken(
-            foundGroup.id,
-            data.inviteToken,
-            firebaseUser.uid,
-          );
-          console.log('[AUTH] Token marked as used successfully');
-        } catch (tokenUseError) {
-          console.error('[AUTH] Failed to mark token as used:', tokenUseError);
-          throw tokenUseError;
-        }
-      }
-
-      console.log('[AUTH] Clinic admin signup completed successfully', {
-        userId: user.uid,
-        clinicGroupId: clinicGroup.id,
-        clinicAdminId: adminProfile?.id || 'unknown',
-      });
-
-      // Ensure we have all required data before returning
-      if (!clinicGroup || !adminProfile) {
-        throw new Error('Failed to create or retrieve clinic group or admin profile');
-      }
-
-      return {
-        user,
-        clinicGroup,
-        clinicAdmin: adminProfile,
-      };
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        console.error(
-          '[AUTH] Zod validation error in signUpClinicAdmin:',
-          JSON.stringify(error.errors, null, 2),
-        );
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
-        console.error('[AUTH] Email already in use:', data.email);
-        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
-      }
-
-      console.error('[AUTH] Unhandled error in signUpClinicAdmin:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Prijavljuje korisnika sa email-om i lozinkom
-   */
-  async signIn(email: string, password: string): Promise<User> {
-    const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
-
-    return this.userService.getOrCreateUser(firebaseUser);
-  }
-
-  /**
-   * Prijavljuje korisnika sa email-om i lozinkom samo za clinic_admin role
-   * @param email - Email korisnika
-   * @param password - Lozinka korisnika
-   * @returns Objekat koji sadrži korisnika, admin profil i grupu klinika
-   * @throws {AUTH_ERRORS.INVALID_ROLE} Ako korisnik nema clinic_admin rolu
-   * @throws {AUTH_ERRORS.NOT_FOUND} Ako admin profil nije pronađen
-   */
-  async signInClinicAdmin(
-    email: string,
-    password: string,
-  ): Promise<{
-    user: User;
-    clinicAdmin: ClinicAdmin;
-    clinicGroup: ClinicGroup;
-  }> {
-    try {
-      // Initialize required services
-      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
-      const clinicGroupService = new ClinicGroupService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicAdminService,
-      );
-      const mediaService = new MediaService(this.db, this.auth, this.app);
-      const clinicService = new ClinicService(
-        this.db,
-        this.auth,
-        this.app,
-        clinicGroupService,
-        clinicAdminService,
-        mediaService,
-      );
-
-      // Set services to resolve circular dependencies
-      clinicAdminService.setServices(clinicGroupService, clinicService);
-
-      // Sign in with email/password
-      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
-
-      // Get or create user
-      const user = await this.userService.getOrCreateUser(firebaseUser);
-
-      // Check if user has clinic_admin role
-      if (!user.roles?.includes(UserRole.CLINIC_ADMIN)) {
-        console.error('[AUTH] User is not a clinic admin:', user.uid);
-        // Sign out the user immediately for security
-        await this.auth.signOut();
-        throw AUTH_ERRORS.UNAUTHORIZED_ROLE;
-      }
-
-      // Check and get admin profile
-      if (!user.adminProfile) {
-        console.error('[AUTH] User has no admin profile:', user.uid);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      // Get clinic admin profile
-      const adminProfile = await clinicAdminService.getClinicAdmin(user.adminProfile);
-      if (!adminProfile) {
-        console.error('[AUTH] Admin profile not found:', user.adminProfile);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      // Get clinic group
-      const clinicGroup = await clinicGroupService.getClinicGroup(adminProfile.clinicGroupId);
-      if (!clinicGroup) {
-        console.error('[AUTH] Clinic group not found:', adminProfile.clinicGroupId);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      return {
-        user,
-        clinicAdmin: adminProfile,
-        clinicGroup,
-      };
-    } catch (error) {
-      console.error('[AUTH] Error in signInClinicAdmin:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Prijavljuje korisnika anonimno
-   */
-  async signInAnonymously(options?: { skipProfileCreation?: boolean }): Promise<User> {
-    const { user: firebaseUser } = await firebaseSignInAnonymously(this.auth);
-
-    if (options?.skipProfileCreation) {
-      return this.userService.getOrCreateUser(firebaseUser, UserRole.PATIENT, { skipProfileCreation: true });
-    }
-
-    return this.userService.getOrCreateUser(firebaseUser);
-  }
-
-  /**
-   * Odjavljuje trenutnog korisnika
-   */
-  async signOut(): Promise<void> {
-    await firebaseSignOut(this.auth);
-  }
-
-  /**
-   * Vraća trenutno prijavljenog korisnika
-   */
-  async getCurrentUser(): Promise<User | null> {
-    const firebaseUser = this.auth.currentUser;
-    if (!firebaseUser) return null;
-
-    return this.userService.getUserById(firebaseUser.uid);
-  }
-
-  /**
-   * Registruje callback za promene stanja autentifikacije
-   */
-  onAuthStateChange(callback: (user: FirebaseUser | null) => void): () => void {
-    return onAuthStateChanged(this.auth, callback);
-  }
-
-  async upgradeAnonymousUser(email: string, password: string): Promise<User> {
-    try {
-      await emailSchema.parseAsync(email);
-      await passwordSchema.parseAsync(password);
-
-      const currentUser = this.auth.currentUser;
-      if (!currentUser) {
-        throw AUTH_ERRORS.NOT_AUTHENTICATED;
-      }
-      if (!currentUser.isAnonymous) {
-        throw new AuthError('User is not anonymous', 'AUTH/NOT_ANONYMOUS_USER', 400);
-      }
-
-      const credential = EmailAuthProvider.credential(email, password);
-      await linkWithCredential(currentUser, credential);
-
-      return await this.userService.upgradeAnonymousUser(currentUser.uid, email);
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
-        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
-      }
-      throw error;
-    }
-  }
-
-  /**
-   * Šalje email za resetovanje lozinke korisniku
-   * @param email Email adresa korisnika
-   * @returns Promise koji se razrešava kada je email poslat
-   */
-  async sendPasswordResetEmail(email: string): Promise<void> {
-    try {
-      await emailSchema.parseAsync(email);
-
-      // Šaljemo email za resetovanje lozinke
-      await sendPasswordResetEmail(this.auth, email);
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-
-      const firebaseError = error as FirebaseError;
-      
-      // Handle specific Firebase errors
-      switch (firebaseError.code) {
-        case FirebaseErrorCode.USER_NOT_FOUND:
-          throw AUTH_ERRORS.USER_NOT_FOUND;
-        case FirebaseErrorCode.INVALID_EMAIL:
-          throw AUTH_ERRORS.INVALID_EMAIL;
-        case FirebaseErrorCode.TOO_MANY_REQUESTS:
-          throw AUTH_ERRORS.TOO_MANY_REQUESTS;
-        case FirebaseErrorCode.NETWORK_ERROR:
-          throw AUTH_ERRORS.NETWORK_ERROR;
-        case FirebaseErrorCode.OPERATION_NOT_ALLOWED:
-          throw AUTH_ERRORS.OPERATION_NOT_ALLOWED;
-        default:
-          // Re-throw unknown errors as-is
-          throw error;
-      }
-    }
-  }
-
-  /**
-   * Verifikuje kod za resetovanje lozinke iz email linka
-   * @param oobCode Kod iz URL-a za resetovanje lozinke
-   * @returns Promise koji se razrešava sa email adresom korisnika ako je kod validan
-   */
-  async verifyPasswordResetCode(oobCode: string): Promise<string> {
-    try {
-      // Verifikujemo kod i vraćamo email korisnika
-      return await verifyPasswordResetCode(this.auth, oobCode);
-    } catch (error) {
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
-        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
-      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
-        throw AUTH_ERRORS.INVALID_ACTION_CODE;
-      }
-
-      throw error;
-    }
-  }
-
-  /**
-   * Potvrđuje resetovanje lozinke i postavlja novu lozinku
-   * @param oobCode Kod iz URL-a za resetovanje lozinke
-   * @param newPassword Nova lozinka
-   * @returns Promise koji se razrešava kada je lozinka promenjena
-   */
-  async confirmPasswordReset(oobCode: string, newPassword: string): Promise<void> {
-    try {
-      await passwordSchema.parseAsync(newPassword);
-
-      // Potvrđujemo resetovanje lozinke i postavljamo novu lozinku
-      await confirmPasswordReset(this.auth, oobCode, newPassword);
-    } catch (error) {
-      if (error instanceof z.ZodError) {
-        throw AUTH_ERRORS.VALIDATION_ERROR;
-      }
-
-      const firebaseError = error as FirebaseError;
-      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
-        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
-      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
-        throw AUTH_ERRORS.INVALID_ACTION_CODE;
-      } else if (firebaseError.code === FirebaseErrorCode.WEAK_PASSWORD) {
-        throw AUTH_ERRORS.WEAK_PASSWORD;
-      }
-
-      throw error;
-    }
-  }
-
-  /**
-   * Registers a new practitioner user with email and password (ATOMIC VERSION)
-   * Uses Firestore transactions to ensure atomicity and proper rollback on failures
-   *
-   * @param data - Practitioner signup data containing either new profile details or token for claiming draft profile
-   * @returns Object containing the created user and practitioner profile
-   */
-  async signUpPractitioner(data: {
-    email: string;
-    password: string;
-    firstName?: string;
-    lastName?: string;
-    token?: string;
-    profileData?: Partial<CreatePractitionerData>;
-  }): Promise<{
-    user: User;
-    practitioner: Practitioner;
-  }> {
-    let firebaseUser: any = null;
-
-    try {
-      console.log('[AUTH] Starting atomic practitioner signup process', {
-        email: data.email,
-        hasToken: !!data.token,
-      });
-
-      // Step 1: Pre-validate all data before any mutations
-      await this.validateSignupData(data);
-
-      // Step 2: Create Firebase user (outside transaction - can't be easily rolled back)
-      console.log('[AUTH] Creating Firebase user');
-      try {
-        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
-        firebaseUser = result.user;
-        console.log('[AUTH] Firebase user created successfully', {
-          uid: firebaseUser.uid,
-        });
-      } catch (firebaseError) {
-        console.error('[AUTH] Firebase user creation failed:', firebaseError);
-        throw handleFirebaseError(firebaseError);
-      }
-
-      // Step 3: Execute all database operations in a single transaction
-      console.log('[AUTH] Starting Firestore transaction');
-      const transactionResult = await runTransaction(this.db, async transaction => {
-        console.log('[AUTH] Transaction started - creating user and practitioner');
-
-        // Initialize services
-        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-
-        // Create user document using existing method (not in transaction for now)
-        console.log('[AUTH] Creating user document');
-        const user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
-          skipProfileCreation: true,
-        });
-
-        let practitioner: Practitioner;
-
-        // Handle practitioner profile creation/claiming
-        if (data.token) {
-          console.log('[AUTH] Claiming existing practitioner profile with token');
-          const claimedPractitioner = await practitionerService.validateTokenAndClaimProfile(
-            data.token,
-            firebaseUser.uid,
-          );
-          if (!claimedPractitioner) {
-            throw new Error('Invalid or expired invitation token');
-          }
-          practitioner = claimedPractitioner;
-        } else {
-          // Check if a draft profile exists for this email
-          console.log('[AUTH] Checking for existing draft practitioner profile', {
-            email: data.email,
-          });
-          const draftPractitioner = await practitionerService.findDraftPractitionerByEmail(
-            data.email
-          );
-
-          if (draftPractitioner) {
-            console.log('[AUTH] Draft practitioner profile found', {
-              practitionerId: draftPractitioner.id,
-              email: data.email,
-              clinics: draftPractitioner.clinics,
-            });
-            
-            // Extract clinic names from clinicsInfo (should be populated when draft is created)
-            let clinicNames: string[] = [];
-            if (draftPractitioner.clinicsInfo && draftPractitioner.clinicsInfo.length > 0) {
-              clinicNames = draftPractitioner.clinicsInfo
-                .map((clinic) => clinic.name)
-                .filter((name): name is string => !!name);
-            } else if (draftPractitioner.clinics && draftPractitioner.clinics.length > 0) {
-              // Fallback: fetch clinic names if clinicsInfo is missing
-              console.log('[AUTH] clinicsInfo missing, fetching clinic names from clinic IDs');
-              const clinicService = practitionerService.getClinicService();
-              const clinicNamePromises = draftPractitioner.clinics.map(async (clinicId) => {
-                try {
-                  const clinic = await clinicService.getClinic(clinicId);
-                  return clinic?.name || null;
-                } catch (error) {
-                  console.error(`[AUTH] Error fetching clinic ${clinicId}:`, error);
-                  return null;
-                }
-              });
-              const names = await Promise.all(clinicNamePromises);
-              clinicNames = names.filter((name): name is string => !!name);
-            }
-            
-            // Cleanup Firebase user since we're not creating a profile
-            await cleanupFirebaseUser(firebaseUser);
-            
-            // Throw error with clinic information
-            throw new AuthError(
-              AUTH_ERRORS.DRAFT_PROFILE_EXISTS.message,
-              AUTH_ERRORS.DRAFT_PROFILE_EXISTS.code,
-              AUTH_ERRORS.DRAFT_PROFILE_EXISTS.status,
-              {
-                clinicNames,
-                clinics: draftPractitioner.clinics,
-                clinicsInfo: draftPractitioner.clinicsInfo,
-              }
-            );
-          }
-
-          console.log('[AUTH] No draft profile found, creating new practitioner profile');
-          const practitionerData = buildPractitionerData(data, firebaseUser.uid);
-          practitioner = await practitionerService.createPractitioner(practitionerData);
-        }
-
-        // Link practitioner to user
-        console.log('[AUTH] Linking practitioner to user');
-        await this.userService.updateUser(firebaseUser.uid, {
-          practitionerProfile: practitioner.id,
-        });
-
-        console.log('[AUTH] Transaction operations completed successfully');
-        return { user, practitioner };
-      });
-
-      console.log('[AUTH] Atomic practitioner signup completed successfully', {
-        userId: transactionResult.user.uid,
-        practitionerId: transactionResult.practitioner.id,
-      });
-
-      return transactionResult;
-    } catch (error) {
-      console.error('[AUTH] Atomic signup failed, initiating cleanup...', error);
-
-      // Cleanup Firebase user if transaction failed
-      if (firebaseUser) {
-        await cleanupFirebaseUser(firebaseUser);
-      }
-
-      throw handleSignupError(error);
-    }
-  }
-
-  /**
-   * Claims draft practitioner profiles after Google Sign-In.
-   * Uses the current authenticated user (from initial Google Sign-In).
-   * 
-   * @param idToken - The Google ID token (used to re-authenticate if needed)
-   * @param practitionerIds - Array of draft practitioner profile IDs to claim
-   * @returns Object containing user and claimed practitioner
-   */
-  async claimDraftProfilesWithGoogle(
-    idToken: string,
-    practitionerIds: string[]
-  ): Promise<{
-    user: User;
-    practitioner: Practitioner;
-  }> {
-    try {
-      console.log('[AUTH] Starting claim draft profiles with Google', {
-        practitionerIdsCount: practitionerIds.length,
-        practitionerIds,
-      });
-
-      if (practitionerIds.length === 0) {
-        throw new AuthError('No practitioner profiles selected to claim', 'AUTH/NO_PROFILES_SELECTED', 400);
-      }
-
-      const credential = GoogleAuthProvider.credential(idToken);
-      const result = await signInWithCredential(this.auth, credential);
-      const firebaseUser = result.user;
-
-      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-
-      let user: User;
-      try {
-        user = await this.userService.getUserById(firebaseUser.uid);
-      } catch (userError) {
-        throw new AuthError(
-          'User account not properly initialized. Please try signing in again.',
-          'AUTH/USER_NOT_INITIALIZED',
-          500,
-        );
-      }
-
-      let practitioner: Practitioner;
-      if (practitionerIds.length === 1) {
-        practitioner = await practitionerService.claimDraftProfileWithGoogle(
-          practitionerIds[0],
-          firebaseUser.uid
-        );
-      } else {
-        practitioner = await practitionerService.claimMultipleDraftProfilesWithGoogle(
-          practitionerIds,
-          firebaseUser.uid
-        );
-      }
-
-      if (!user.practitionerProfile || user.practitionerProfile !== practitioner.id) {
-        await this.userService.updateUser(firebaseUser.uid, {
-          practitionerProfile: practitioner.id,
-        });
-      }
-
-      const updatedUser = await this.userService.getUserById(firebaseUser.uid);
-
-      return {
-        user: updatedUser,
-        practitioner,
-      };
-    } catch (error: any) {
-      console.error('[AUTH] Error claiming draft profiles with Google:', error);
-      throw handleSignupError(error);
-    }
-  }
-
-  /**
-   * Pre-validate all signup data before any mutations
-   * Prevents partial creation by catching issues early
-   */
-  private async validateSignupData(data: {
-    email: string;
-    password: string;
-    firstName?: string;
-    lastName?: string;
-    token?: string;
-    profileData?: Partial<CreatePractitionerData>;
-  }): Promise<void> {
-    console.log('[AUTH] Pre-validating signup data');
-
-    try {
-      // 1. Schema validation
-      await practitionerSignupSchema.parseAsync(data);
-      console.log('[AUTH] Schema validation passed');
-
-      // 2. Check if email already exists (before creating Firebase user)
-      const emailExists = await checkEmailExists(this.auth, data.email);
-      if (emailExists) {
-        console.log('[AUTH] Email already exists:', data.email);
-        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
-      }
-      console.log('[AUTH] Email availability confirmed');
-
-      // 3. Validate token if provided
-      if (data.token) {
-        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-        const isValidToken = await practitionerService.validateToken(data.token);
-        if (!isValidToken) {
-          console.log('[AUTH] Invalid token provided:', data.token);
-          throw new Error('Invalid or expired invitation token');
-        }
-        console.log('[AUTH] Token validation passed');
-      }
-
-      // 4. Validate profile data structure if provided
-      if (data.profileData) {
-        await validatePractitionerProfileData(data.profileData);
-        console.log('[AUTH] Profile data validation passed');
-      }
-
-      console.log('[AUTH] All pre-validation checks passed');
-    } catch (error) {
-      console.error('[AUTH] Pre-validation failed:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Signs in a user with email and password specifically for practitioner role
-   * @param email - User's email
-   * @param password - User's password
-   * @returns Object containing the user and practitioner profile
-   * @throws {AUTH_ERRORS.INVALID_ROLE} If user doesn't have practitioner role
-   * @throws {AUTH_ERRORS.NOT_FOUND} If practitioner profile is not found
-   */
-  async signInPractitioner(
-    email: string,
-    password: string,
-  ): Promise<{
-    user: User;
-    practitioner: Practitioner;
-  }> {
-    try {
-      console.log('[AUTH] Starting practitioner signin process', {
-        email: email,
-      });
-
-      // Initialize required service
-      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-
-      // Sign in with email/password
-      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
-
-      // Get or create user
-      const user = await this.userService.getOrCreateUser(firebaseUser);
-      console.log('[AUTH] User retrieved', { uid: user.uid });
-
-      // Check if user has practitioner role
-      if (!user.roles?.includes(UserRole.PRACTITIONER)) {
-        console.error('[AUTH] User is not a practitioner:', user.uid);
-        throw AUTH_ERRORS.INVALID_ROLE;
-      }
-
-      // Check and get practitioner profile
-      if (!user.practitionerProfile) {
-        console.error('[AUTH] User has no practitioner profile:', user.uid);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      // Get practitioner profile
-      const practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
-      if (!practitioner) {
-        console.error('[AUTH] Practitioner profile not found:', user.practitionerProfile);
-        throw AUTH_ERRORS.NOT_FOUND;
-      }
-
-      console.log('[AUTH] Practitioner signin completed successfully', {
-        userId: user.uid,
-        practitionerId: practitioner.id,
-      });
-
-      return {
-        user,
-        practitioner,
-      };
-    } catch (error) {
-      console.error('[AUTH] Error in signInPractitioner:', error);
-      throw error;
-    }
-  }
-
-  /**
-   * Signs in a user with a Google ID token from a mobile client.
-   * If the user does not exist, a new user is created.
-   * @param idToken - The Google ID token obtained from the mobile app.
-   * @param initialRole - The role to assign to the user if they are being created.
-   * @returns The signed-in or newly created user.
-   */
-  async signInWithGoogleIdToken(
-    idToken: string,
-    initialRole: UserRole = UserRole.PATIENT,
-  ): Promise<User> {
-    try {
-      console.log('[AUTH] Signing in with Google ID Token');
-
-      // Sign in with Google credential — auto-creates Firebase Auth user if needed.
-      const credential = GoogleAuthProvider.credential(idToken);
-      const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
-      console.log('[AUTH] Firebase user signed in:', firebaseUser.uid);
-
-      // Load or create domain user document
-      return await this.userService.getOrCreateUser(firebaseUser, UserRole.PATIENT);
-    } catch (error) {
-      console.error('[AUTH] Error in signInWithGoogleIdToken:', error);
-      throw handleFirebaseError(error);
-    }
-  }
-
-  /**
-   * Signs up or signs in a practitioner with Google authentication.
-   * Checks for existing practitioner account or draft profiles.
-   * 
-   * @param idToken - The Google ID token obtained from the mobile app
-   * @returns Object containing user, practitioner (if exists), and draft profiles (if any)
-   */
-  async signUpPractitionerWithGoogle(
-    idToken: string
-  ): Promise<{
-    user: User | null;
-    practitioner: Practitioner | null;
-    draftProfiles: Practitioner[];
-  }> {
-    try {
-      console.log('[AUTH] Starting practitioner Google Sign-In/Sign-Up');
-
-      // Extract email from Google ID token
-      let email: string | undefined;
-      try {
-        const payloadBase64 = idToken.split('.')[1];
-        const payloadJson = globalThis.atob
-          ? globalThis.atob(payloadBase64)
-          : Buffer.from(payloadBase64, 'base64').toString('utf8');
-        const payload = JSON.parse(payloadJson);
-        email = payload.email as string | undefined;
-      } catch (decodeError) {
-        console.error('[AUTH] Failed to decode email from Google ID token:', decodeError);
-        throw new AuthError(
-          'Unable to read email from Google token. Please try again.',
-          'AUTH/INVALID_GOOGLE_TOKEN',
-          400,
-        );
-      }
-
-      if (!email) {
-        throw new AuthError(
-          'Unable to read email from Google token. Please try again.',
-          'AUTH/INVALID_GOOGLE_TOKEN',
-          400,
-        );
-      }
-
-      const normalizedEmail = email.toLowerCase().trim();
-
-      const methods = await fetchSignInMethodsForEmail(this.auth, normalizedEmail);
-      const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
-      const hasEmailMethod = methods.includes(EmailAuthProvider.EMAIL_PASSWORD_SIGN_IN_METHOD);
-
-      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-
-      if (hasGoogleMethod) {
-        const credential = GoogleAuthProvider.credential(idToken);
-        const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
-        
-        await this.waitForAuthStateToSettle(firebaseUser.uid);
-        
-        let existingUser: User | null = null;
-        try {
-          existingUser = await this.userService.getUserById(firebaseUser.uid);
-        } catch (userError: any) {
-          if (!this.auth.currentUser || this.auth.currentUser.uid !== firebaseUser.uid) {
-            const credential = GoogleAuthProvider.credential(idToken);
-            await signInWithCredential(this.auth, credential);
-            await this.waitForAuthStateToSettle(firebaseUser.uid, 2000);
-          }
-          
-          const practitionerService = new PractitionerService(this.db, this.auth, this.app);
-          const draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
-          
-          if (draftProfiles.length === 0) {
-            try {
-              await firebaseSignOut(this.auth);
-            } catch (signOutError) {
-              console.warn('[AUTH] Error signing out:', signOutError);
-            }
-            throw new AuthError(
-              'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
-              'AUTH/NO_DRAFT_PROFILES',
-              404,
-            );
-          }
-          
-          try {
-            const newUser = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
-              skipProfileCreation: true,
-            });
-            
-            return {
-              user: newUser,
-              practitioner: null,
-              draftProfiles: draftProfiles,
-            };
-          } catch (createUserError: any) {
-            try {
-              await firebaseSignOut(this.auth);
-            } catch (signOutError) {
-              console.warn('[AUTH] Error signing out:', signOutError);
-            }
-            throw createUserError;
-          }
-        }
-        
-        // User document exists - check for practitioner profile and draft profiles
-        if (!existingUser) {
-          await firebaseSignOut(this.auth);
-          throw new AuthError(
-            'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
-            'AUTH/NO_DRAFT_PROFILES',
-            404,
-          );
-        }
-
-        // Check if user has practitioner profile
-        let practitioner: Practitioner | null = null;
-        if (existingUser.practitionerProfile) {
-          practitioner = await practitionerService.getPractitioner(existingUser.practitionerProfile);
-        }
-
-        // Check for any new draft profiles
-        const draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
-
-        return {
-          user: existingUser,
-          practitioner,
-          draftProfiles,
-        };
-      }
-
-      if (hasEmailMethod && !hasGoogleMethod) {
-        throw new AuthError(
-          'An account with this email already exists. Please sign in with your email and password, then link your Google account in settings.',
-          'AUTH/EMAIL_ALREADY_EXISTS',
-          409,
-        );
-      }
-
-      const credential = GoogleAuthProvider.credential(idToken);
-      
-      let firebaseUser: FirebaseUser;
-      try {
-        const result = await signInWithCredential(this.auth, credential);
-        firebaseUser = result.user;
-      } catch (error: any) {
-        // If sign-in fails because email already exists with different provider
-        if (error.code === 'auth/account-exists-with-different-credential') {
-          throw new AuthError(
-            'An account with this email already exists. Please sign in with your email and password, then link your Google account in settings.',
-            'AUTH/EMAIL_ALREADY_EXISTS',
-            409,
-          );
-        }
-        throw error;
-      }
-
-      await this.waitForAuthStateToSettle(firebaseUser.uid);
-
-      let existingUser: User | null = null;
-      try {
-        const existingUserDoc = await this.userService.getUserById(firebaseUser.uid);
-        if (existingUserDoc) {
-          existingUser = existingUserDoc;
-        }
-      } catch (error) {
-        // Continue with new user creation
-      }
-
-      let draftProfiles: Practitioner[] = [];
-      try {
-        draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
-      } catch (draftCheckError: any) {
-        try {
-          await firebaseSignOut(this.auth);
-        } catch (signOutError) {
-          console.warn('[AUTH] Error signing out:', signOutError);
-        }
-        throw new AuthError(
-          'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
-          'AUTH/NO_DRAFT_PROFILES',
-          404,
-        );
-      }
-
-      let user: User;
-      if (existingUser) {
-        user = existingUser;
-      } else {
-        if (draftProfiles.length === 0) {
-          try {
-            await firebaseSignOut(this.auth);
-          } catch (signOutError) {
-            console.warn('[AUTH] Error signing out:', signOutError);
-          }
-          throw new AuthError(
-            'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
-            'AUTH/NO_DRAFT_PROFILES',
-            404,
-          );
-        }
-        
-        user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
-          skipProfileCreation: true,
-        });
-      }
-
-      let practitioner: Practitioner | null = null;
-      if (user.practitionerProfile) {
-        practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
-      }
-
-      return {
-        user,
-        practitioner,
-        draftProfiles,
-      };
-    } catch (error: any) {
-      if (error instanceof AuthError) {
-        throw error;
-      }
-      
-      const errorMessage = error?.message || error?.toString() || '';
-      if (errorMessage.includes('NO_DRAFT_PROFILES') || errorMessage.includes('clinic invitation')) {
-        throw new AuthError(
-          'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
-          'AUTH/NO_DRAFT_PROFILES',
-          404,
-        );
-      }
-      
-      const wrappedError = handleFirebaseError(error);
-      
-      if (wrappedError.message.includes('permissions') || wrappedError.message.includes('Account creation failed')) {
-        throw new AuthError(
-          'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
-          'AUTH/NO_DRAFT_PROFILES',
-          404,
-        );
-      }
-      
-      throw wrappedError;
-    }
-  }
-
-  /**
-   * Links a Google account to the currently signed-in user using an ID token.
-   * This is used to upgrade an anonymous user or to allow an existing user
-   * to sign in with Google in the future.
-   * @param idToken - The Google ID token obtained from the mobile app.
-   * @returns The updated user profile.
-   */
-  async linkGoogleAccount(idToken: string): Promise<User> {
-    try {
-      console.log('[AUTH] Linking Google account with ID Token');
-      const currentUser = this.auth.currentUser;
-      if (!currentUser) {
-        throw AUTH_ERRORS.NOT_AUTHENTICATED;
-      }
-
-      const wasAnonymous = currentUser.isAnonymous;
-      console.log(`[AUTH] Current user is ${wasAnonymous ? 'anonymous' : 'not anonymous'}`);
-
-      const credential = GoogleAuthProvider.credential(idToken);
-      const userCredential = await linkWithCredential(currentUser, credential);
-      const linkedFirebaseUser = userCredential.user;
-      console.log('[AUTH] Google account linked successfully to user:', linkedFirebaseUser.uid);
-
-      if (wasAnonymous) {
-        console.log('[AUTH] Upgrading anonymous user profile');
-        return await this.userService.upgradeAnonymousUser(
-          linkedFirebaseUser.uid,
-          linkedFirebaseUser.email!,
-        );
-      }
-
-      // If the user was not anonymous, just return their updated profile
-      return (await this.userService.getUserById(linkedFirebaseUser.uid))!;
-    } catch (error) {
-      console.error('[AUTH] Error in linkGoogleAccount:', error);
-      throw handleFirebaseError(error);
-    }
-  }
-
-  /**
-   * Signs in or registers a user with an Apple ID token.
-   * If the user does not exist, a new user is created.
-   */
-  async signInWithAppleIdToken(
-    idToken: string,
-    rawNonce: string,
-    appleUserInfo?: { fullName?: { givenName?: string; familyName?: string }; email?: string },
-  ): Promise<User> {
-    try {
-      console.log('[AUTH] Signing in with Apple ID Token');
-
-      // Build Apple OAuth credential
-      const provider = new OAuthProvider('apple.com');
-      const credential = provider.credential({ idToken, rawNonce });
-
-      // Sign in to Firebase — auto-creates Firebase Auth user if needed
-      const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
-      console.log('[AUTH] Firebase user signed in via Apple:', firebaseUser.uid);
-
-      // Load or create domain user document
-      return await this.userService.getOrCreateUser(firebaseUser, UserRole.PATIENT);
-    } catch (error) {
-      console.error('[AUTH] Error in signInWithAppleIdToken:', error);
-      throw handleFirebaseError(error);
-    }
-  }
-
-  /**
-   * Link an Apple account to the current user (anonymous → full account upgrade).
-   * Mirrors linkGoogleAccount.
-   */
-  async linkAppleAccount(idToken: string, rawNonce: string): Promise<User> {
-    try {
-      console.log('[AUTH] Linking Apple account with ID Token');
-      const currentUser = this.auth.currentUser;
-      if (!currentUser) {
-        throw AUTH_ERRORS.NOT_AUTHENTICATED;
-      }
-
-      const wasAnonymous = currentUser.isAnonymous;
-      console.log(`[AUTH] Current user is ${wasAnonymous ? 'anonymous' : 'not anonymous'}`);
-
-      const provider = new OAuthProvider('apple.com');
-      const credential = provider.credential({ idToken, rawNonce });
-      const userCredential = await linkWithCredential(currentUser, credential);
-      const linkedFirebaseUser = userCredential.user;
-      console.log('[AUTH] Apple account linked successfully to user:', linkedFirebaseUser.uid);
-
-      if (wasAnonymous) {
-        console.log('[AUTH] Upgrading anonymous user profile');
-        const email = linkedFirebaseUser.email || '';
-        return await this.userService.upgradeAnonymousUser(
-          linkedFirebaseUser.uid,
-          email,
-        );
-      }
-
-      return (await this.userService.getUserById(linkedFirebaseUser.uid))!;
-    } catch (error) {
-      console.error('[AUTH] Error in linkAppleAccount:', error);
-      throw handleFirebaseError(error);
-    }
-  }
-}
+import {
+  Auth,
+  User as FirebaseUser,
+  signInWithEmailAndPassword,
+  createUserWithEmailAndPassword,
+  signInAnonymously as firebaseSignInAnonymously,
+  signOut as firebaseSignOut,
+  GoogleAuthProvider,
+  signInWithPopup,
+  signInWithRedirect,
+  getRedirectResult,
+  linkWithCredential,
+  EmailAuthProvider,
+  onAuthStateChanged,
+  sendPasswordResetEmail,
+  verifyPasswordResetCode,
+  confirmPasswordReset,
+  fetchSignInMethodsForEmail,
+  signInWithCredential,
+  OAuthProvider,
+} from 'firebase/auth';
+import {
+  getFirestore,
+  collection,
+  doc,
+  getDoc,
+  setDoc,
+  updateDoc,
+  deleteDoc,
+  query,
+  where,
+  getDocs,
+  orderBy,
+  limit,
+  startAfter,
+  Timestamp,
+  runTransaction,
+  Firestore,
+} from 'firebase/firestore';
+import { FirebaseApp } from 'firebase/app';
+import { User, UserRole, USERS_COLLECTION } from '../../types';
+import { z } from 'zod';
+import { emailSchema, passwordSchema, userRoleSchema } from '../../validations/schemas';
+import { AuthError, AUTH_ERRORS } from '../../errors/auth.errors';
+import { FirebaseErrorCode } from '../../errors/firebase.errors';
+import { FirebaseError } from '../../errors/firebase.errors';
+import { BaseService } from '../base.service';
+import { UserService } from '../user/user.service';
+import {
+  ClinicGroup,
+  AdminToken,
+  AdminTokenStatus,
+  CreateClinicGroupData,
+  CreateClinicAdminData,
+  ContactPerson,
+  ClinicAdminSignupData,
+  SubscriptionModel,
+  CLINIC_GROUPS_COLLECTION,
+  ClinicAdmin,
+} from '../../types/clinic';
+import { clinicAdminSignupSchema } from '../../validations/clinic.schema';
+import { ClinicGroupService } from '../clinic/clinic-group.service';
+import { ClinicAdminService } from '../clinic/clinic-admin.service';
+import { ClinicService } from '../clinic/clinic.service';
+import {
+  Practitioner,
+  CreatePractitionerData,
+  PractitionerStatus,
+  PractitionerBasicInfo,
+  PractitionerCertification,
+} from '../../types/practitioner';
+import { PractitionerService } from '../practitioner/practitioner.service';
+import { practitionerSignupSchema } from '../../validations/practitioner.schema';
+import { CertificationLevel } from '../../backoffice/types/static/certification.types';
+import { MediaService } from '../media/media.service';
+// Import utility functions
+import {
+  checkEmailExists,
+  cleanupFirebaseUser,
+  handleFirebaseError,
+  handleSignupError,
+  buildPractitionerData,
+  validatePractitionerProfileData,
+} from './utils';
+
+export class AuthService extends BaseService {
+  private googleProvider = new GoogleAuthProvider();
+  private userService: UserService;
+
+  constructor(db: Firestore, auth: Auth, app: FirebaseApp, userService: UserService) {
+    super(db, auth, app);
+    this.userService = userService || new UserService(db, auth, app);
+  }
+
+  /**
+   * Waits for Firebase Auth state to settle after sign-in.
+   * In React Native with AsyncStorage persistence, auth state may not be immediately available.
+   */
+  private async waitForAuthStateToSettle(expectedUid: string, timeoutMs: number = 5000): Promise<void> {
+    if (this.auth.currentUser?.uid === expectedUid) {
+      await new Promise(resolve => setTimeout(resolve, 200));
+      if (this.auth.currentUser?.uid === expectedUid) {
+        return;
+      }
+    }
+    
+    return new Promise((resolve, reject) => {
+      const startTime = Date.now();
+      let resolved = false;
+      
+      const unsubscribe = onAuthStateChanged(this.auth, (user) => {
+        if (resolved) return;
+        
+        const currentUid = user?.uid || null;
+        
+        if (currentUid === expectedUid) {
+          setTimeout(() => {
+            if (resolved) return;
+            
+            if (this.auth.currentUser?.uid === expectedUid) {
+              resolved = true;
+              unsubscribe();
+              clearTimeout(timeout);
+              resolve();
+            }
+          }, 300);
+        }
+      });
+      
+      const timeout = setTimeout(() => {
+        if (resolved) return;
+        resolved = true;
+        unsubscribe();
+        reject(new Error(`Timeout waiting for auth state to settle. Expected: ${expectedUid}, Got: ${this.auth.currentUser?.uid || 'NULL'}`));
+      }, timeoutMs);
+    });
+  }
+
+  /**
+   * Registruje novog korisnika sa email-om i lozinkom
+   */
+  async signUp(
+    email: string,
+    password: string,
+    initialRole: UserRole = UserRole.PATIENT,
+    options?: {
+      patientInviteToken?: string;
+    },
+  ): Promise<User> {
+    const { user: firebaseUser } = await createUserWithEmailAndPassword(this.auth, email, password);
+
+    return this.userService.createUser(firebaseUser, [initialRole], options);
+  }
+
+  /**
+   * Registers a new clinic admin user with email and password
+   * Can either create a new clinic group or join an existing one with a token
+   *
+   * @param data - Clinic admin signup data
+   * @returns Object containing the created user, clinic group, and clinic admin
+   */
+  async signUpClinicAdmin(data: ClinicAdminSignupData): Promise<{
+    user: User;
+    clinicGroup: ClinicGroup;
+    clinicAdmin: ClinicAdmin;
+  }> {
+    try {
+      console.log('[AUTH] Starting clinic admin signup process', {
+        email: data.email,
+      });
+
+      // Validate data
+      try {
+        await clinicAdminSignupSchema.parseAsync(data);
+        console.log('[AUTH] Clinic admin signup data validation passed');
+      } catch (validationError) {
+        console.error('[AUTH] Validation error in signUpClinicAdmin:', validationError);
+        throw validationError;
+      }
+
+      // Create Firebase user
+      console.log('[AUTH] Creating Firebase user');
+      let firebaseUser;
+      try {
+        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
+        firebaseUser = result.user;
+        console.log('[AUTH] Firebase user created successfully', {
+          uid: firebaseUser.uid,
+        });
+      } catch (firebaseError) {
+        console.error('[AUTH] Firebase user creation failed:', firebaseError);
+        throw handleFirebaseError(firebaseError);
+      }
+
+      // Create user with CLINIC_ADMIN role
+      console.log('[AUTH] Creating user with CLINIC_ADMIN role');
+      let user;
+      try {
+        user = await this.userService.createUser(firebaseUser, [UserRole.CLINIC_ADMIN], {
+          skipProfileCreation: true,
+        });
+        console.log('[AUTH] User with CLINIC_ADMIN role created successfully', {
+          userId: user.uid,
+        });
+      } catch (userCreationError) {
+        console.error('[AUTH] User creation failed:', userCreationError);
+        throw userCreationError;
+      }
+
+      // Create contact person object
+      const contactPerson: ContactPerson = {
+        firstName: data.firstName,
+        lastName: data.lastName,
+        title: data.title,
+        email: data.email,
+        phoneNumber: data.phoneNumber,
+      };
+      console.log('[AUTH] Contact person object created');
+
+      // Initialize services
+      console.log('[AUTH] Initializing clinic services');
+      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
+      const clinicGroupService = new ClinicGroupService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicAdminService,
+      );
+      const mediaService = new MediaService(this.db, this.auth, this.app);
+      const clinicService = new ClinicService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicGroupService,
+        clinicAdminService,
+        mediaService,
+      );
+
+      // Set services to resolve circular dependencies
+      clinicAdminService.setServices(clinicGroupService, clinicService);
+      console.log('[AUTH] Services initialized and circular dependencies resolved');
+
+      let clinicGroup: ClinicGroup | null = null;
+      let adminProfile: ClinicAdmin | null = null;
+
+      if (data.isCreatingNewGroup) {
+        console.log('[AUTH] Creating new clinic group flow');
+        // Create new clinic group
+        if (!data.clinicGroupData) {
+          console.error('[AUTH] Clinic group data is missing');
+          throw new Error('Clinic group data is required when creating a new group');
+        }
+
+        // First create the clinic admin without a group
+        console.log('[AUTH] Creating clinic admin first (without group)');
+        const createClinicAdminData: CreateClinicAdminData = {
+          userRef: firebaseUser.uid,
+          isGroupOwner: true,
+          clinicsManaged: [],
+          contactInfo: contactPerson,
+          roleTitle: data.title,
+          isActive: true,
+          // No clinicGroupId yet
+        };
+
+        try {
+          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
+          console.log('[AUTH] Clinic admin created successfully', {
+            adminId: adminProfile.id,
+          });
+        } catch (adminCreationError) {
+          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
+          throw adminCreationError;
+        }
+
+        // Update user document with admin profile reference
+        try {
+          console.log('[AUTH] Updating user with admin profile reference');
+          user = await this.userService.updateUser(firebaseUser.uid, {
+            adminProfile: adminProfile.id,
+          });
+          console.log('[AUTH] User updated with admin profile reference successfully');
+        } catch (userUpdateError) {
+          console.error('[AUTH] Failed to update user with admin profile:', userUpdateError);
+          throw userUpdateError;
+        }
+
+        // Then create clinic group
+        const createClinicGroupData: CreateClinicGroupData = {
+          name: data.clinicGroupData.name,
+          hqLocation: data.clinicGroupData.hqLocation,
+          contactInfo: data.clinicGroupData.contactInfo,
+          contactPerson: contactPerson,
+          ownerId: adminProfile.id, // Use admin profile ID, not user UID
+          isActive: true,
+          logo: data.clinicGroupData.logo || null,
+          subscriptionModel:
+            data.clinicGroupData.subscriptionModel || SubscriptionModel.NO_SUBSCRIPTION,
+          onboarding: {
+            completed: false,
+            step: 1,
+          },
+        };
+        console.log('[AUTH] Clinic group data prepared', {
+          groupName: createClinicGroupData.name,
+        });
+
+        // Create clinic group
+        try {
+          clinicGroup = await clinicGroupService.createClinicGroup(
+            createClinicGroupData,
+            adminProfile.id, // Use admin profile ID, not user UID
+            false, // This is not a default group since we're providing complete data
+          );
+          console.log('[AUTH] Clinic group created successfully', {
+            groupId: clinicGroup.id,
+          });
+
+          // Now update the admin with the group ID
+          console.log('[AUTH] Updating admin with clinic group ID');
+          await clinicAdminService.updateClinicAdmin(adminProfile.id, {
+            // Use admin profile ID, not user UID
+            clinicGroupId: clinicGroup.id,
+          });
+          console.log('[AUTH] Admin updated with clinic group ID successfully');
+
+          // Get the updated admin profile
+          adminProfile = await clinicAdminService.getClinicAdmin(adminProfile.id);
+        } catch (groupCreationError) {
+          console.error('[AUTH] Clinic group creation failed:', groupCreationError);
+          throw groupCreationError;
+        }
+      } else {
+        console.log('[AUTH] Joining existing clinic group flow');
+        // Join existing clinic group with token
+        if (!data.inviteToken) {
+          console.error('[AUTH] Invite token is missing');
+          throw new Error('Invite token is required when joining an existing group');
+        }
+        console.log('[AUTH] Invite token provided', {
+          token: data.inviteToken,
+        });
+
+        // Find the token in the database
+        console.log('[AUTH] Searching for token in clinic groups');
+        const groupsRef = collection(this.db, CLINIC_GROUPS_COLLECTION);
+        const q = query(groupsRef);
+        const querySnapshot = await getDocs(q);
+
+        let foundGroup: ClinicGroup | null = null;
+        let foundToken: AdminToken | null = null;
+
+        console.log('[AUTH] Found', querySnapshot.size, 'clinic groups to check');
+        for (const docSnapshot of querySnapshot.docs) {
+          const group = docSnapshot.data() as ClinicGroup;
+          console.log('[AUTH] Checking group', {
+            groupId: group.id,
+            groupName: group.name,
+          });
+
+          // Find the token in the group's tokens
+          const token = group.adminTokens.find(t => {
+            const isMatch =
+              t.token === data.inviteToken &&
+              t.status === AdminTokenStatus.ACTIVE &&
+              new Date(t.expiresAt.toDate()) > new Date();
+
+            console.log('[AUTH] Checking token', {
+              tokenId: t.id,
+              tokenMatch: t.token === data.inviteToken,
+              tokenStatus: t.status,
+              tokenActive: t.status === AdminTokenStatus.ACTIVE,
+              tokenExpiry: new Date(t.expiresAt.toDate()),
+              tokenExpired: new Date(t.expiresAt.toDate()) <= new Date(),
+              isMatch,
+            });
+
+            return isMatch;
+          });
+
+          if (token) {
+            foundGroup = group;
+            foundToken = token;
+            console.log('[AUTH] Found matching token in group', {
+              groupId: group.id,
+              tokenId: token.id,
+            });
+            break;
+          }
+        }
+
+        if (!foundGroup || !foundToken) {
+          console.error('[AUTH] No valid token found in any clinic group');
+          throw new Error('Invalid or expired invite token');
+        }
+
+        clinicGroup = foundGroup;
+
+        // Create clinic admin
+        console.log('[AUTH] Creating clinic admin');
+        const createClinicAdminData: CreateClinicAdminData = {
+          userRef: firebaseUser.uid,
+          clinicGroupId: foundGroup.id,
+          isGroupOwner: false,
+          clinicsManaged: [],
+          contactInfo: contactPerson,
+          roleTitle: data.title,
+          isActive: true,
+        };
+
+        try {
+          adminProfile = await clinicAdminService.createClinicAdmin(createClinicAdminData);
+          console.log('[AUTH] Clinic admin created successfully', {
+            adminId: adminProfile.id,
+          });
+        } catch (adminCreationError) {
+          console.error('[AUTH] Clinic admin creation failed:', adminCreationError);
+          throw adminCreationError;
+        }
+
+        // Mark token as used
+        try {
+          await clinicGroupService.verifyAndUseAdminToken(
+            foundGroup.id,
+            data.inviteToken,
+            firebaseUser.uid,
+          );
+          console.log('[AUTH] Token marked as used successfully');
+        } catch (tokenUseError) {
+          console.error('[AUTH] Failed to mark token as used:', tokenUseError);
+          throw tokenUseError;
+        }
+      }
+
+      console.log('[AUTH] Clinic admin signup completed successfully', {
+        userId: user.uid,
+        clinicGroupId: clinicGroup.id,
+        clinicAdminId: adminProfile?.id || 'unknown',
+      });
+
+      // Ensure we have all required data before returning
+      if (!clinicGroup || !adminProfile) {
+        throw new Error('Failed to create or retrieve clinic group or admin profile');
+      }
+
+      return {
+        user,
+        clinicGroup,
+        clinicAdmin: adminProfile,
+      };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        console.error(
+          '[AUTH] Zod validation error in signUpClinicAdmin:',
+          JSON.stringify(error.errors, null, 2),
+        );
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
+        console.error('[AUTH] Email already in use:', data.email);
+        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
+      }
+
+      console.error('[AUTH] Unhandled error in signUpClinicAdmin:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Prijavljuje korisnika sa email-om i lozinkom
+   */
+  async signIn(email: string, password: string): Promise<User> {
+    const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
+
+    return this.userService.getOrCreateUser(firebaseUser);
+  }
+
+  /**
+   * Prijavljuje korisnika sa email-om i lozinkom samo za clinic_admin role
+   * @param email - Email korisnika
+   * @param password - Lozinka korisnika
+   * @returns Objekat koji sadrži korisnika, admin profil i grupu klinika
+   * @throws {AUTH_ERRORS.INVALID_ROLE} Ako korisnik nema clinic_admin rolu
+   * @throws {AUTH_ERRORS.NOT_FOUND} Ako admin profil nije pronađen
+   */
+  async signInClinicAdmin(
+    email: string,
+    password: string,
+  ): Promise<{
+    user: User;
+    clinicAdmin: ClinicAdmin;
+    clinicGroup: ClinicGroup;
+  }> {
+    try {
+      // Initialize required services
+      const clinicAdminService = new ClinicAdminService(this.db, this.auth, this.app);
+      const clinicGroupService = new ClinicGroupService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicAdminService,
+      );
+      const mediaService = new MediaService(this.db, this.auth, this.app);
+      const clinicService = new ClinicService(
+        this.db,
+        this.auth,
+        this.app,
+        clinicGroupService,
+        clinicAdminService,
+        mediaService,
+      );
+
+      // Set services to resolve circular dependencies
+      clinicAdminService.setServices(clinicGroupService, clinicService);
+
+      // Sign in with email/password
+      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
+
+      // Get or create user
+      const user = await this.userService.getOrCreateUser(firebaseUser);
+
+      // Check if user has clinic_admin role
+      if (!user.roles?.includes(UserRole.CLINIC_ADMIN)) {
+        console.error('[AUTH] User is not a clinic admin:', user.uid);
+        // Sign out the user immediately for security
+        await this.auth.signOut();
+        throw AUTH_ERRORS.UNAUTHORIZED_ROLE;
+      }
+
+      // Check and get admin profile
+      if (!user.adminProfile) {
+        console.error('[AUTH] User has no admin profile:', user.uid);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      // Get clinic admin profile
+      const adminProfile = await clinicAdminService.getClinicAdmin(user.adminProfile);
+      if (!adminProfile) {
+        console.error('[AUTH] Admin profile not found:', user.adminProfile);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      // Get clinic group
+      const clinicGroup = await clinicGroupService.getClinicGroup(adminProfile.clinicGroupId);
+      if (!clinicGroup) {
+        console.error('[AUTH] Clinic group not found:', adminProfile.clinicGroupId);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      return {
+        user,
+        clinicAdmin: adminProfile,
+        clinicGroup,
+      };
+    } catch (error) {
+      console.error('[AUTH] Error in signInClinicAdmin:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Prijavljuje korisnika anonimno
+   */
+  async signInAnonymously(options?: { skipProfileCreation?: boolean }): Promise<User> {
+    const { user: firebaseUser } = await firebaseSignInAnonymously(this.auth);
+
+    if (options?.skipProfileCreation) {
+      return this.userService.getOrCreateUser(firebaseUser, UserRole.PATIENT, { skipProfileCreation: true });
+    }
+
+    return this.userService.getOrCreateUser(firebaseUser);
+  }
+
+  /**
+   * Odjavljuje trenutnog korisnika
+   */
+  async signOut(): Promise<void> {
+    await firebaseSignOut(this.auth);
+  }
+
+  /**
+   * Vraća trenutno prijavljenog korisnika
+   */
+  async getCurrentUser(): Promise<User | null> {
+    const firebaseUser = this.auth.currentUser;
+    if (!firebaseUser) return null;
+
+    return this.userService.getUserById(firebaseUser.uid);
+  }
+
+  /**
+   * Registruje callback za promene stanja autentifikacije
+   */
+  onAuthStateChange(callback: (user: FirebaseUser | null) => void): () => void {
+    return onAuthStateChanged(this.auth, callback);
+  }
+
+  async upgradeAnonymousUser(email: string, password: string): Promise<User> {
+    try {
+      await emailSchema.parseAsync(email);
+      await passwordSchema.parseAsync(password);
+
+      const currentUser = this.auth.currentUser;
+      if (!currentUser) {
+        throw AUTH_ERRORS.NOT_AUTHENTICATED;
+      }
+      if (!currentUser.isAnonymous) {
+        throw new AuthError('User is not anonymous', 'AUTH/NOT_ANONYMOUS_USER', 400);
+      }
+
+      const credential = EmailAuthProvider.credential(email, password);
+      await linkWithCredential(currentUser, credential);
+
+      return await this.userService.upgradeAnonymousUser(currentUser.uid, email);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EMAIL_ALREADY_IN_USE) {
+        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Šalje email za resetovanje lozinke korisniku
+   * @param email Email adresa korisnika
+   * @returns Promise koji se razrešava kada je email poslat
+   */
+  async sendPasswordResetEmail(email: string): Promise<void> {
+    try {
+      await emailSchema.parseAsync(email);
+
+      // Šaljemo email za resetovanje lozinke
+      await sendPasswordResetEmail(this.auth, email);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+
+      const firebaseError = error as FirebaseError;
+      
+      // Handle specific Firebase errors
+      switch (firebaseError.code) {
+        case FirebaseErrorCode.USER_NOT_FOUND:
+          throw AUTH_ERRORS.USER_NOT_FOUND;
+        case FirebaseErrorCode.INVALID_EMAIL:
+          throw AUTH_ERRORS.INVALID_EMAIL;
+        case FirebaseErrorCode.TOO_MANY_REQUESTS:
+          throw AUTH_ERRORS.TOO_MANY_REQUESTS;
+        case FirebaseErrorCode.NETWORK_ERROR:
+          throw AUTH_ERRORS.NETWORK_ERROR;
+        case FirebaseErrorCode.OPERATION_NOT_ALLOWED:
+          throw AUTH_ERRORS.OPERATION_NOT_ALLOWED;
+        default:
+          // Re-throw unknown errors as-is
+          throw error;
+      }
+    }
+  }
+
+  /**
+   * Verifikuje kod za resetovanje lozinke iz email linka
+   * @param oobCode Kod iz URL-a za resetovanje lozinke
+   * @returns Promise koji se razrešava sa email adresom korisnika ako je kod validan
+   */
+  async verifyPasswordResetCode(oobCode: string): Promise<string> {
+    try {
+      // Verifikujemo kod i vraćamo email korisnika
+      return await verifyPasswordResetCode(this.auth, oobCode);
+    } catch (error) {
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
+        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
+      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
+        throw AUTH_ERRORS.INVALID_ACTION_CODE;
+      }
+
+      throw error;
+    }
+  }
+
+  /**
+   * Potvrđuje resetovanje lozinke i postavlja novu lozinku
+   * @param oobCode Kod iz URL-a za resetovanje lozinke
+   * @param newPassword Nova lozinka
+   * @returns Promise koji se razrešava kada je lozinka promenjena
+   */
+  async confirmPasswordReset(oobCode: string, newPassword: string): Promise<void> {
+    try {
+      await passwordSchema.parseAsync(newPassword);
+
+      // Potvrđujemo resetovanje lozinke i postavljamo novu lozinku
+      await confirmPasswordReset(this.auth, oobCode, newPassword);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw AUTH_ERRORS.VALIDATION_ERROR;
+      }
+
+      const firebaseError = error as FirebaseError;
+      if (firebaseError.code === FirebaseErrorCode.EXPIRED_ACTION_CODE) {
+        throw AUTH_ERRORS.EXPIRED_ACTION_CODE;
+      } else if (firebaseError.code === FirebaseErrorCode.INVALID_ACTION_CODE) {
+        throw AUTH_ERRORS.INVALID_ACTION_CODE;
+      } else if (firebaseError.code === FirebaseErrorCode.WEAK_PASSWORD) {
+        throw AUTH_ERRORS.WEAK_PASSWORD;
+      }
+
+      throw error;
+    }
+  }
+
+  /**
+   * Registers a new practitioner user with email and password (ATOMIC VERSION)
+   * Uses Firestore transactions to ensure atomicity and proper rollback on failures
+   *
+   * @param data - Practitioner signup data containing either new profile details or token for claiming draft profile
+   * @returns Object containing the created user and practitioner profile
+   */
+  async signUpPractitioner(data: {
+    email: string;
+    password: string;
+    firstName?: string;
+    lastName?: string;
+    token?: string;
+    profileData?: Partial<CreatePractitionerData>;
+  }): Promise<{
+    user: User;
+    practitioner: Practitioner;
+  }> {
+    let firebaseUser: any = null;
+
+    try {
+      console.log('[AUTH] Starting atomic practitioner signup process', {
+        email: data.email,
+        hasToken: !!data.token,
+      });
+
+      // Step 1: Pre-validate all data before any mutations
+      await this.validateSignupData(data);
+
+      // Step 2: Create Firebase user (outside transaction - can't be easily rolled back)
+      console.log('[AUTH] Creating Firebase user');
+      try {
+        const result = await createUserWithEmailAndPassword(this.auth, data.email, data.password);
+        firebaseUser = result.user;
+        console.log('[AUTH] Firebase user created successfully', {
+          uid: firebaseUser.uid,
+        });
+      } catch (firebaseError) {
+        console.error('[AUTH] Firebase user creation failed:', firebaseError);
+        throw handleFirebaseError(firebaseError);
+      }
+
+      // Step 3: Execute all database operations in a single transaction
+      console.log('[AUTH] Starting Firestore transaction');
+      const transactionResult = await runTransaction(this.db, async transaction => {
+        console.log('[AUTH] Transaction started - creating user and practitioner');
+
+        // Initialize services
+        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+
+        // Create user document using existing method (not in transaction for now)
+        console.log('[AUTH] Creating user document');
+        const user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
+          skipProfileCreation: true,
+        });
+
+        let practitioner: Practitioner;
+
+        // Handle practitioner profile creation/claiming
+        if (data.token) {
+          console.log('[AUTH] Claiming existing practitioner profile with token');
+          const claimedPractitioner = await practitionerService.validateTokenAndClaimProfile(
+            data.token,
+            firebaseUser.uid,
+          );
+          if (!claimedPractitioner) {
+            throw new Error('Invalid or expired invitation token');
+          }
+          practitioner = claimedPractitioner;
+        } else {
+          // Check if a draft profile exists for this email
+          console.log('[AUTH] Checking for existing draft practitioner profile', {
+            email: data.email,
+          });
+          const draftPractitioner = await practitionerService.findDraftPractitionerByEmail(
+            data.email
+          );
+
+          if (draftPractitioner) {
+            console.log('[AUTH] Draft practitioner profile found', {
+              practitionerId: draftPractitioner.id,
+              email: data.email,
+              clinics: draftPractitioner.clinics,
+            });
+            
+            // Extract clinic names from clinicsInfo (should be populated when draft is created)
+            let clinicNames: string[] = [];
+            if (draftPractitioner.clinicsInfo && draftPractitioner.clinicsInfo.length > 0) {
+              clinicNames = draftPractitioner.clinicsInfo
+                .map((clinic) => clinic.name)
+                .filter((name): name is string => !!name);
+            } else if (draftPractitioner.clinics && draftPractitioner.clinics.length > 0) {
+              // Fallback: fetch clinic names if clinicsInfo is missing
+              console.log('[AUTH] clinicsInfo missing, fetching clinic names from clinic IDs');
+              const clinicService = practitionerService.getClinicService();
+              const clinicNamePromises = draftPractitioner.clinics.map(async (clinicId) => {
+                try {
+                  const clinic = await clinicService.getClinic(clinicId);
+                  return clinic?.name || null;
+                } catch (error) {
+                  console.error(`[AUTH] Error fetching clinic ${clinicId}:`, error);
+                  return null;
+                }
+              });
+              const names = await Promise.all(clinicNamePromises);
+              clinicNames = names.filter((name): name is string => !!name);
+            }
+            
+            // Cleanup Firebase user since we're not creating a profile
+            await cleanupFirebaseUser(firebaseUser);
+            
+            // Throw error with clinic information
+            throw new AuthError(
+              AUTH_ERRORS.DRAFT_PROFILE_EXISTS.message,
+              AUTH_ERRORS.DRAFT_PROFILE_EXISTS.code,
+              AUTH_ERRORS.DRAFT_PROFILE_EXISTS.status,
+              {
+                clinicNames,
+                clinics: draftPractitioner.clinics,
+                clinicsInfo: draftPractitioner.clinicsInfo,
+              }
+            );
+          }
+
+          console.log('[AUTH] No draft profile found, creating new practitioner profile');
+          const practitionerData = buildPractitionerData(data, firebaseUser.uid);
+          practitioner = await practitionerService.createPractitioner(practitionerData);
+        }
+
+        // Link practitioner to user
+        console.log('[AUTH] Linking practitioner to user');
+        await this.userService.updateUser(firebaseUser.uid, {
+          practitionerProfile: practitioner.id,
+        });
+
+        console.log('[AUTH] Transaction operations completed successfully');
+        return { user, practitioner };
+      });
+
+      console.log('[AUTH] Atomic practitioner signup completed successfully', {
+        userId: transactionResult.user.uid,
+        practitionerId: transactionResult.practitioner.id,
+      });
+
+      return transactionResult;
+    } catch (error) {
+      console.error('[AUTH] Atomic signup failed, initiating cleanup...', error);
+
+      // Cleanup Firebase user if transaction failed
+      if (firebaseUser) {
+        await cleanupFirebaseUser(firebaseUser);
+      }
+
+      throw handleSignupError(error);
+    }
+  }
+
+  /**
+   * Claims draft practitioner profiles after Google Sign-In.
+   * Uses the current authenticated user (from initial Google Sign-In).
+   * 
+   * @param idToken - The Google ID token (used to re-authenticate if needed)
+   * @param practitionerIds - Array of draft practitioner profile IDs to claim
+   * @returns Object containing user and claimed practitioner
+   */
+  async claimDraftProfilesWithGoogle(
+    idToken: string,
+    practitionerIds: string[]
+  ): Promise<{
+    user: User;
+    practitioner: Practitioner;
+  }> {
+    try {
+      console.log('[AUTH] Starting claim draft profiles with Google', {
+        practitionerIdsCount: practitionerIds.length,
+        practitionerIds,
+      });
+
+      if (practitionerIds.length === 0) {
+        throw new AuthError('No practitioner profiles selected to claim', 'AUTH/NO_PROFILES_SELECTED', 400);
+      }
+
+      const credential = GoogleAuthProvider.credential(idToken);
+      const result = await signInWithCredential(this.auth, credential);
+      const firebaseUser = result.user;
+
+      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+
+      let user: User;
+      try {
+        user = await this.userService.getUserById(firebaseUser.uid);
+      } catch (userError) {
+        throw new AuthError(
+          'User account not properly initialized. Please try signing in again.',
+          'AUTH/USER_NOT_INITIALIZED',
+          500,
+        );
+      }
+
+      let practitioner: Practitioner;
+      if (practitionerIds.length === 1) {
+        practitioner = await practitionerService.claimDraftProfileWithGoogle(
+          practitionerIds[0],
+          firebaseUser.uid
+        );
+      } else {
+        practitioner = await practitionerService.claimMultipleDraftProfilesWithGoogle(
+          practitionerIds,
+          firebaseUser.uid
+        );
+      }
+
+      if (!user.practitionerProfile || user.practitionerProfile !== practitioner.id) {
+        await this.userService.updateUser(firebaseUser.uid, {
+          practitionerProfile: practitioner.id,
+        });
+      }
+
+      const updatedUser = await this.userService.getUserById(firebaseUser.uid);
+
+      return {
+        user: updatedUser,
+        practitioner,
+      };
+    } catch (error: any) {
+      console.error('[AUTH] Error claiming draft profiles with Google:', error);
+      throw handleSignupError(error);
+    }
+  }
+
+  /**
+   * Pre-validate all signup data before any mutations
+   * Prevents partial creation by catching issues early
+   */
+  private async validateSignupData(data: {
+    email: string;
+    password: string;
+    firstName?: string;
+    lastName?: string;
+    token?: string;
+    profileData?: Partial<CreatePractitionerData>;
+  }): Promise<void> {
+    console.log('[AUTH] Pre-validating signup data');
+
+    try {
+      // 1. Schema validation
+      await practitionerSignupSchema.parseAsync(data);
+      console.log('[AUTH] Schema validation passed');
+
+      // 2. Check if email already exists (before creating Firebase user)
+      const emailExists = await checkEmailExists(this.auth, data.email);
+      if (emailExists) {
+        console.log('[AUTH] Email already exists:', data.email);
+        throw AUTH_ERRORS.EMAIL_ALREADY_EXISTS;
+      }
+      console.log('[AUTH] Email availability confirmed');
+
+      // 3. Validate token if provided
+      if (data.token) {
+        const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+        const isValidToken = await practitionerService.validateToken(data.token);
+        if (!isValidToken) {
+          console.log('[AUTH] Invalid token provided:', data.token);
+          throw new Error('Invalid or expired invitation token');
+        }
+        console.log('[AUTH] Token validation passed');
+      }
+
+      // 4. Validate profile data structure if provided
+      if (data.profileData) {
+        await validatePractitionerProfileData(data.profileData);
+        console.log('[AUTH] Profile data validation passed');
+      }
+
+      console.log('[AUTH] All pre-validation checks passed');
+    } catch (error) {
+      console.error('[AUTH] Pre-validation failed:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Signs in a user with email and password specifically for practitioner role
+   * @param email - User's email
+   * @param password - User's password
+   * @returns Object containing the user and practitioner profile
+   * @throws {AUTH_ERRORS.INVALID_ROLE} If user doesn't have practitioner role
+   * @throws {AUTH_ERRORS.NOT_FOUND} If practitioner profile is not found
+   */
+  async signInPractitioner(
+    email: string,
+    password: string,
+  ): Promise<{
+    user: User;
+    practitioner: Practitioner;
+  }> {
+    try {
+      console.log('[AUTH] Starting practitioner signin process', {
+        email: email,
+      });
+
+      // Initialize required service
+      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+
+      // Sign in with email/password
+      const { user: firebaseUser } = await signInWithEmailAndPassword(this.auth, email, password);
+
+      // Get or create user
+      const user = await this.userService.getOrCreateUser(firebaseUser);
+      console.log('[AUTH] User retrieved', { uid: user.uid });
+
+      // Check if user has practitioner role
+      if (!user.roles?.includes(UserRole.PRACTITIONER)) {
+        console.error('[AUTH] User is not a practitioner:', user.uid);
+        throw AUTH_ERRORS.INVALID_ROLE;
+      }
+
+      // Check and get practitioner profile
+      if (!user.practitionerProfile) {
+        console.error('[AUTH] User has no practitioner profile:', user.uid);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      // Get practitioner profile
+      const practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
+      if (!practitioner) {
+        console.error('[AUTH] Practitioner profile not found:', user.practitionerProfile);
+        throw AUTH_ERRORS.NOT_FOUND;
+      }
+
+      console.log('[AUTH] Practitioner signin completed successfully', {
+        userId: user.uid,
+        practitionerId: practitioner.id,
+      });
+
+      return {
+        user,
+        practitioner,
+      };
+    } catch (error) {
+      console.error('[AUTH] Error in signInPractitioner:', error);
+      throw error;
+    }
+  }
+
+  /**
+   * Signs in a user with a Google ID token from a mobile client.
+   * If the user does not exist, a new user is created.
+   * @param idToken - The Google ID token obtained from the mobile app.
+   * @param initialRole - The role to assign to the user if they are being created.
+   * @returns The signed-in or newly created user.
+   */
+  async signInWithGoogleIdToken(
+    idToken: string,
+    initialRole: UserRole = UserRole.PATIENT,
+  ): Promise<User> {
+    try {
+      console.log('[AUTH] Signing in with Google ID Token');
+
+      // Sign in with Google credential — auto-creates Firebase Auth user if needed.
+      const credential = GoogleAuthProvider.credential(idToken);
+      const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
+      console.log('[AUTH] Firebase user signed in:', firebaseUser.uid);
+
+      // Load or create domain user document
+      return await this.userService.getOrCreateUser(firebaseUser, UserRole.PATIENT);
+    } catch (error) {
+      console.error('[AUTH] Error in signInWithGoogleIdToken:', error);
+      throw handleFirebaseError(error);
+    }
+  }
+
+  /**
+   * Signs up or signs in a practitioner with Google authentication.
+   * Checks for existing practitioner account or draft profiles.
+   * 
+   * @param idToken - The Google ID token obtained from the mobile app
+   * @returns Object containing user, practitioner (if exists), and draft profiles (if any)
+   */
+  async signUpPractitionerWithGoogle(
+    idToken: string
+  ): Promise<{
+    user: User | null;
+    practitioner: Practitioner | null;
+    draftProfiles: Practitioner[];
+  }> {
+    try {
+      console.log('[AUTH] Starting practitioner Google Sign-In/Sign-Up');
+
+      // Extract email from Google ID token
+      let email: string | undefined;
+      try {
+        const payloadBase64 = idToken.split('.')[1];
+        const payloadJson = globalThis.atob
+          ? globalThis.atob(payloadBase64)
+          : Buffer.from(payloadBase64, 'base64').toString('utf8');
+        const payload = JSON.parse(payloadJson);
+        email = payload.email as string | undefined;
+      } catch (decodeError) {
+        console.error('[AUTH] Failed to decode email from Google ID token:', decodeError);
+        throw new AuthError(
+          'Unable to read email from Google token. Please try again.',
+          'AUTH/INVALID_GOOGLE_TOKEN',
+          400,
+        );
+      }
+
+      if (!email) {
+        throw new AuthError(
+          'Unable to read email from Google token. Please try again.',
+          'AUTH/INVALID_GOOGLE_TOKEN',
+          400,
+        );
+      }
+
+      const normalizedEmail = email.toLowerCase().trim();
+
+      const methods = await fetchSignInMethodsForEmail(this.auth, normalizedEmail);
+      const hasGoogleMethod = methods.includes(GoogleAuthProvider.GOOGLE_SIGN_IN_METHOD);
+      const hasEmailMethod = methods.includes(EmailAuthProvider.EMAIL_PASSWORD_SIGN_IN_METHOD);
+
+      const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+
+      if (hasGoogleMethod) {
+        const credential = GoogleAuthProvider.credential(idToken);
+        const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
+        
+        await this.waitForAuthStateToSettle(firebaseUser.uid);
+        
+        let existingUser: User | null = null;
+        try {
+          existingUser = await this.userService.getUserById(firebaseUser.uid);
+        } catch (userError: any) {
+          if (!this.auth.currentUser || this.auth.currentUser.uid !== firebaseUser.uid) {
+            const credential = GoogleAuthProvider.credential(idToken);
+            await signInWithCredential(this.auth, credential);
+            await this.waitForAuthStateToSettle(firebaseUser.uid, 2000);
+          }
+          
+          const practitionerService = new PractitionerService(this.db, this.auth, this.app);
+          const draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
+          
+          if (draftProfiles.length === 0) {
+            try {
+              await firebaseSignOut(this.auth);
+            } catch (signOutError) {
+              console.warn('[AUTH] Error signing out:', signOutError);
+            }
+            throw new AuthError(
+              'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
+              'AUTH/NO_DRAFT_PROFILES',
+              404,
+            );
+          }
+          
+          try {
+            const newUser = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
+              skipProfileCreation: true,
+            });
+            
+            return {
+              user: newUser,
+              practitioner: null,
+              draftProfiles: draftProfiles,
+            };
+          } catch (createUserError: any) {
+            try {
+              await firebaseSignOut(this.auth);
+            } catch (signOutError) {
+              console.warn('[AUTH] Error signing out:', signOutError);
+            }
+            throw createUserError;
+          }
+        }
+        
+        // User document exists - check for practitioner profile and draft profiles
+        if (!existingUser) {
+          await firebaseSignOut(this.auth);
+          throw new AuthError(
+            'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
+            'AUTH/NO_DRAFT_PROFILES',
+            404,
+          );
+        }
+
+        // Check if user has practitioner profile
+        let practitioner: Practitioner | null = null;
+        if (existingUser.practitionerProfile) {
+          practitioner = await practitionerService.getPractitioner(existingUser.practitionerProfile);
+        }
+
+        // Check for any new draft profiles
+        const draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
+
+        return {
+          user: existingUser,
+          practitioner,
+          draftProfiles,
+        };
+      }
+
+      if (hasEmailMethod && !hasGoogleMethod) {
+        throw new AuthError(
+          'An account with this email already exists. Please sign in with your email and password, then link your Google account in settings.',
+          'AUTH/EMAIL_ALREADY_EXISTS',
+          409,
+        );
+      }
+
+      const credential = GoogleAuthProvider.credential(idToken);
+      
+      let firebaseUser: FirebaseUser;
+      try {
+        const result = await signInWithCredential(this.auth, credential);
+        firebaseUser = result.user;
+      } catch (error: any) {
+        // If sign-in fails because email already exists with different provider
+        if (error.code === 'auth/account-exists-with-different-credential') {
+          throw new AuthError(
+            'An account with this email already exists. Please sign in with your email and password, then link your Google account in settings.',
+            'AUTH/EMAIL_ALREADY_EXISTS',
+            409,
+          );
+        }
+        throw error;
+      }
+
+      await this.waitForAuthStateToSettle(firebaseUser.uid);
+
+      let existingUser: User | null = null;
+      try {
+        const existingUserDoc = await this.userService.getUserById(firebaseUser.uid);
+        if (existingUserDoc) {
+          existingUser = existingUserDoc;
+        }
+      } catch (error) {
+        // Continue with new user creation
+      }
+
+      let draftProfiles: Practitioner[] = [];
+      try {
+        draftProfiles = await practitionerService.getDraftProfilesByEmail(normalizedEmail);
+      } catch (draftCheckError: any) {
+        try {
+          await firebaseSignOut(this.auth);
+        } catch (signOutError) {
+          console.warn('[AUTH] Error signing out:', signOutError);
+        }
+        throw new AuthError(
+          'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
+          'AUTH/NO_DRAFT_PROFILES',
+          404,
+        );
+      }
+
+      let user: User;
+      if (existingUser) {
+        user = existingUser;
+      } else {
+        if (draftProfiles.length === 0) {
+          try {
+            await firebaseSignOut(this.auth);
+          } catch (signOutError) {
+            console.warn('[AUTH] Error signing out:', signOutError);
+          }
+          throw new AuthError(
+            'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
+            'AUTH/NO_DRAFT_PROFILES',
+            404,
+          );
+        }
+        
+        user = await this.userService.createUser(firebaseUser, [UserRole.PRACTITIONER], {
+          skipProfileCreation: true,
+        });
+      }
+
+      let practitioner: Practitioner | null = null;
+      if (user.practitionerProfile) {
+        practitioner = await practitionerService.getPractitioner(user.practitionerProfile);
+      }
+
+      return {
+        user,
+        practitioner,
+        draftProfiles,
+      };
+    } catch (error: any) {
+      if (error instanceof AuthError) {
+        throw error;
+      }
+      
+      const errorMessage = error?.message || error?.toString() || '';
+      if (errorMessage.includes('NO_DRAFT_PROFILES') || errorMessage.includes('clinic invitation')) {
+        throw new AuthError(
+          'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
+          'AUTH/NO_DRAFT_PROFILES',
+          404,
+        );
+      }
+      
+      const wrappedError = handleFirebaseError(error);
+      
+      if (wrappedError.message.includes('permissions') || wrappedError.message.includes('Account creation failed')) {
+        throw new AuthError(
+          'No clinic invitation found for this email. Please contact your clinic administrator to receive an invitation, or use the token provided by your clinic.',
+          'AUTH/NO_DRAFT_PROFILES',
+          404,
+        );
+      }
+      
+      throw wrappedError;
+    }
+  }
+
+  /**
+   * Links a Google account to the currently signed-in user using an ID token.
+   * This is used to upgrade an anonymous user or to allow an existing user
+   * to sign in with Google in the future.
+   * @param idToken - The Google ID token obtained from the mobile app.
+   * @returns The updated user profile.
+   */
+  async linkGoogleAccount(idToken: string): Promise<User> {
+    try {
+      console.log('[AUTH] Linking Google account with ID Token');
+      const currentUser = this.auth.currentUser;
+      if (!currentUser) {
+        throw AUTH_ERRORS.NOT_AUTHENTICATED;
+      }
+
+      const wasAnonymous = currentUser.isAnonymous;
+      console.log(`[AUTH] Current user is ${wasAnonymous ? 'anonymous' : 'not anonymous'}`);
+
+      const credential = GoogleAuthProvider.credential(idToken);
+      const userCredential = await linkWithCredential(currentUser, credential);
+      const linkedFirebaseUser = userCredential.user;
+      console.log('[AUTH] Google account linked successfully to user:', linkedFirebaseUser.uid);
+
+      if (wasAnonymous) {
+        console.log('[AUTH] Upgrading anonymous user profile');
+        return await this.userService.upgradeAnonymousUser(
+          linkedFirebaseUser.uid,
+          linkedFirebaseUser.email!,
+        );
+      }
+
+      // If the user was not anonymous, just return their updated profile
+      return (await this.userService.getUserById(linkedFirebaseUser.uid))!;
+    } catch (error) {
+      console.error('[AUTH] Error in linkGoogleAccount:', error);
+      throw handleFirebaseError(error);
+    }
+  }
+
+  /**
+   * Signs in or registers a user with an Apple ID token.
+   * If the user does not exist, a new user is created.
+   */
+  async signInWithAppleIdToken(
+    idToken: string,
+    rawNonce: string,
+    appleUserInfo?: { fullName?: { givenName?: string; familyName?: string }; email?: string },
+  ): Promise<User> {
+    try {
+      console.log('[AUTH] Signing in with Apple ID Token');
+
+      // Build Apple OAuth credential
+      const provider = new OAuthProvider('apple.com');
+      const credential = provider.credential({ idToken, rawNonce });
+
+      // Sign in to Firebase — auto-creates Firebase Auth user if needed
+      const { user: firebaseUser } = await signInWithCredential(this.auth, credential);
+      console.log('[AUTH] Firebase user signed in via Apple:', firebaseUser.uid);
+
+      // Load or create domain user document
+      return await this.userService.getOrCreateUser(firebaseUser, UserRole.PATIENT);
+    } catch (error) {
+      console.error('[AUTH] Error in signInWithAppleIdToken:', error);
+      throw handleFirebaseError(error);
+    }
+  }
+
+  /**
+   * Link an Apple account to the current user (anonymous → full account upgrade).
+   * Mirrors linkGoogleAccount.
+   */
+  async linkAppleAccount(idToken: string, rawNonce: string): Promise<User> {
+    try {
+      console.log('[AUTH] Linking Apple account with ID Token');
+      const currentUser = this.auth.currentUser;
+      if (!currentUser) {
+        throw AUTH_ERRORS.NOT_AUTHENTICATED;
+      }
+
+      const wasAnonymous = currentUser.isAnonymous;
+      console.log(`[AUTH] Current user is ${wasAnonymous ? 'anonymous' : 'not anonymous'}`);
+
+      const provider = new OAuthProvider('apple.com');
+      const credential = provider.credential({ idToken, rawNonce });
+      const userCredential = await linkWithCredential(currentUser, credential);
+      const linkedFirebaseUser = userCredential.user;
+      console.log('[AUTH] Apple account linked successfully to user:', linkedFirebaseUser.uid);
+
+      if (wasAnonymous) {
+        console.log('[AUTH] Upgrading anonymous user profile');
+        const email = linkedFirebaseUser.email || '';
+        return await this.userService.upgradeAnonymousUser(
+          linkedFirebaseUser.uid,
+          email,
+        );
+      }
+
+      return (await this.userService.getUserById(linkedFirebaseUser.uid))!;
+    } catch (error) {
+      console.error('[AUTH] Error in linkAppleAccount:', error);
+      throw handleFirebaseError(error);
+    }
+  }
+}