@organizasyon/meeting-nanaman-app-backend 1.0.0

package/src/controllers/users/index.ts

@@ -0,0 +1,981 @@
+import { Response } from 'express'
+import UsersModel from '../../models/users'
+import EmployeesModel from '../../models/employees'
+import PasskeysModel from '../../models/passkeys'
+import { getEmailQueue } from '../../queues'
+import bcrypt from 'bcrypt'
+import jwt from 'jsonwebtoken'
+import crypto from 'crypto'
+import type { MulterRequest } from '../../types'
+
+class Users {
+  /**
+   * Register a new user
+   */
+  public async register(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      
+      const { email, password, first_name, last_name, role = 'employee', employee_id } = body
+
+      if (!email || !password || !first_name || !last_name) {
+        res.status(400).json({ message: 'email, password, first_name, and last_name are required' })
+        return
+      }
+
+      // Check if user already exists
+      const existingUser = await UsersModel.findOne({
+        email,
+        deleted_at: null
+      }).lean().exec()
+
+      if (existingUser) {
+        res.status(409).json({ message: 'User with this email already exists' })
+        return
+      }
+
+      // Validate employee_id if provided
+      if (employee_id) {
+        const employee = await EmployeesModel.findOne({
+          _id: employee_id,
+          deleted_at: null
+        }).lean().exec()
+
+        if (!employee) {
+          res.status(400).json({ message: 'Invalid employee_id' })
+          return
+        }
+      }
+
+      // Hash password
+      const hashedPassword = await bcrypt.hash(password, 10)
+
+      // Create user
+      const user = await UsersModel.create({
+        email: email.trim().toLowerCase(),
+        password: hashedPassword,
+        first_name: first_name.trim(),
+        middle_name: body.middle_name?.trim() || null,
+        last_name: last_name.trim(),
+        role,
+        employee_id: employee_id || null,
+        is_active: true,
+        created_at: Date.now(),
+        updated_at: Date.now()
+      })
+
+      // Remove password from response
+      const userResponse = {
+        id: user._id,
+        email: user.email,
+        first_name: user.first_name,
+        middle_name: user.middle_name,
+        last_name: user.last_name,
+        full_name: `${user.first_name} ${user.last_name}`,
+        role: user.role,
+        employee_id: user.employee_id,
+        is_active: user.is_active,
+        created_at: user.created_at
+      }
+
+      res.status(201).json({
+        message: 'User registered successfully',
+        user: userResponse
+      })
+    } catch (err) {
+      console.error('Register user error', err)
+      res.status(500).json({ message: 'Failed to register user', error: String(err) })
+    }
+  }
+
+  /**
+   * User login
+   */
+  public async login(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { email, password } = body
+
+      if (!email || !password) {
+        res.status(400).json({ message: 'email and password are required' })
+        return
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      })
+        .populate('employee_id', 'first_name last_name email position department')
+        .lean()
+        .exec()
+
+      if (!user) {
+        res.status(401).json({ message: 'Invalid credentials' })
+        return
+      }
+
+      // Verify password
+      const isPasswordValid = await bcrypt.compare(password, user.password as string)
+
+      if (!isPasswordValid) {
+        res.status(401).json({ message: 'Invalid credentials' })
+        return
+      }
+
+      // Generate JWT tokens
+      const jwtSecret = process.env.JWT_SECRET;
+      if (!jwtSecret) {
+        throw new Error('JWT_SECRET environment variable is required');
+      }
+      const jwtRefreshSecret = process.env.JWT_REFRESH_SECRET || jwtSecret;
+
+      const accessToken = jwt.sign(
+        {
+          userId: user._id,
+          email: user.email,
+          role: user.role
+        },
+        jwtSecret,
+        { expiresIn: '15m' } // Short-lived access token
+      );
+
+      const refreshToken = jwt.sign(
+        {
+          userId: user._id,
+          email: user.email,
+          role: user.role
+        },
+        jwtRefreshSecret,
+        { expiresIn: '7d' } // Long-lived refresh token
+      );
+
+      // Remove password from response
+      const userResponse = {
+        id: user._id,
+        email: user.email,
+        first_name: user.first_name,
+        middle_name: user.middle_name,
+        last_name: user.last_name,
+        full_name: `${user.first_name} ${user.last_name}`,
+        role: user.role,
+        employee_id: user.employee_id,
+        is_active: user.is_active
+      }
+
+      res.json({
+        message: 'Login successful',
+        accessToken,
+        refreshToken,
+        user: userResponse
+      })
+    } catch (err) {
+      console.error('Login error', err)
+      res.status(500).json({ message: 'Login failed', error: String(err) })
+    }
+  }
+
+  /**
+   * User logout
+   */
+  public async logout(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      // In a stateless JWT setup, logout is typically handled client-side
+      // by removing the token from storage. However, we can provide a response
+      // to confirm the logout action.
+      res.json({
+        message: 'Logout successful',
+        success: true
+      })
+    } catch (err) {
+      console.error('Logout error', err)
+      res.status(500).json({ message: 'Logout failed', error: String(err) })
+    }
+  }
+
+  /**
+   * Get user profile
+   */
+  public async getProfile(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      // Get user ID from JWT token (assuming middleware has authenticated the user)
+      const userId = (req as any).user?.userId
+      console.log('Get profile for userId:', userId)
+
+      if (!userId) {
+        console.log('No userId in request')
+        res.status(401).json({ message: 'Unauthorized' })
+        return
+      }
+
+      const user = await UsersModel.findOne({
+        _id: userId,
+        deleted_at: null
+      })
+        .select('-password -__v')
+        .populate('employee_id', 'first_name last_name middle_name email position department contact_number address')
+        .lean()
+        .exec()
+
+      console.log('User found:', !!user)
+      if (!user) {
+        console.log('User not found for id:', userId)
+        res.status(404).json({ message: 'User not found' })
+        return
+      }
+
+      const response = {
+        message: 'Profile retrieved successfully',
+        user
+      }
+      console.log('Sending response:', response)
+      res.json(response)
+    } catch (err) {
+      console.error('Get profile error', err)
+      res.status(500).json({ message: 'Failed to retrieve profile', error: String(err) })
+    }
+  }
+
+  /**
+   * Get all users
+   */
+  public async getAll(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const users = await UsersModel.find({ deleted_at: null })
+        .select('-password -__v')
+        .populate('employee_id', 'first_name last_name email position department')
+        .sort({ created_at: -1 })
+        .lean()
+        .exec()
+
+      res.json({
+        message: 'Users retrieved successfully',
+        count: users.length,
+        users
+      })
+    } catch (err) {
+      console.error('Get users error', err)
+      res.status(500).json({ message: 'Failed to retrieve users', error: String(err) })
+    }
+  }
+
+  /**
+   * Get user by ID
+   */
+  public async getById(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const { id } = req.params
+      
+      if (!id) {
+        res.status(400).json({ message: 'User ID is required' })
+        return
+      }
+
+      const user = await UsersModel.findOne({ 
+        _id: id, 
+        deleted_at: null 
+      })
+        .select('-password -__v')
+        .populate('employee_id', 'first_name last_name email position department')
+        .lean()
+        .exec()
+
+      if (!user) {
+        res.status(404).json({ message: 'User not found' })
+        return
+      }
+
+      res.json({
+        message: 'User retrieved successfully',
+        user
+      })
+    } catch (err) {
+      console.error('Get user error', err)
+      res.status(500).json({ message: 'Failed to retrieve user', error: String(err) })
+    }
+  }
+
+  /**
+   * Update user
+   */
+  public async update(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const { id } = req.params
+      const body = req.body || {}
+      
+      if (!id) {
+        res.status(400).json({ message: 'User ID is required' })
+        return
+      }
+
+      const updateData: any = {
+        updated_at: Date.now()
+      }
+
+      // Only update provided fields (excluding password)
+      const allowedFields = ['email', 'first_name', 'middle_name', 'last_name', 'role', 'employee_id', 'is_active']
+      for (const field of allowedFields) {
+        if (body[field] !== undefined) {
+          updateData[field] = body[field]
+        }
+      }
+
+      // Validate employee_id if provided
+      if (updateData.employee_id) {
+        const employee = await EmployeesModel.findOne({
+          _id: updateData.employee_id,
+          deleted_at: null
+        }).lean().exec()
+
+        if (!employee) {
+          res.status(400).json({ message: 'Invalid employee_id' })
+          return
+        }
+      }
+
+      const user = await UsersModel.findOneAndUpdate(
+        { _id: id, deleted_at: null },
+        updateData,
+        { new: true, runValidators: true }
+      )
+        .select('-password -__v')
+        .populate('employee_id', 'first_name last_name email position department')
+        .lean()
+        .exec()
+
+      if (!user) {
+        res.status(404).json({ message: 'User not found' })
+        return
+      }
+
+      res.json({
+        message: 'User updated successfully',
+        user
+      })
+    } catch (err) {
+      console.error('Update user error', err)
+      res.status(500).json({ message: 'Failed to update user', error: String(err) })
+    }
+  }
+
+  /**
+    * Soft delete user
+    */
+   public async delete(req: MulterRequest, res: Response): Promise<void> {
+     try {
+       const { id } = req.params
+
+       if (!id) {
+         res.status(400).json({ message: 'User ID is required' })
+         return
+       }
+
+       const user = await UsersModel.findOneAndUpdate(
+         { _id: id, deleted_at: null },
+         { deleted_at: Date.now() },
+         { new: true }
+       )
+         .lean()
+         .exec()
+
+       if (!user) {
+         res.status(404).json({ message: 'User not found' })
+         return
+       }
+
+ res.json({
+           message: 'User deleted successfully',
+           user: {
+             id: user._id,
+             email: user.email
+           }
+         })
+     } catch (err) {
+       console.error('Delete user error', err)
+       res.status(500).json({ message: 'Failed to delete user', error: String(err) })
+     }
+   }
+
+  /**
+   * Forgot password - send reset email
+   */
+  public async forgotPassword(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { email } = body
+
+      if (!email) {
+        res.status(400).json({ message: 'Email is required' })
+        return
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec() as any
+
+      if (!user) {
+        res.status(404).json({ message: 'User with this email not found' })
+        return
+      }
+
+      // Generate reset token
+      const resetToken = crypto.randomBytes(32).toString('hex')
+      const resetTokenExpiry = Date.now() + (60 * 60 * 1000) // 1 hour
+
+      // Update user with reset token
+      await UsersModel.updateOne(
+        { _id: user._id },
+        {
+          reset_token: resetToken,
+          reset_token_expires: resetTokenExpiry,
+          updated_at: Date.now()
+        }
+      )
+
+      // Add to email queue
+      await getEmailQueue().add('send-email', {
+        type: 'password_reset',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          reset_token: resetToken,
+          name: user.full_name || `${user.first_name} ${user.last_name}`
+        }
+      })
+
+      res.json({
+        message: 'Password reset email sent successfully',
+        success: true
+      })
+    } catch (err) {
+      console.error('Forgot password error', err)
+      res.status(500).json({ message: 'Failed to send password reset email', error: String(err) })
+    }
+  }
+
+  /**
+   * Change password
+   */
+  public async changePassword(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { current_password, new_password } = body
+
+      if (!current_password || !new_password) {
+        res.status(400).json({ message: 'Current password and new password are required' })
+        return
+      }
+
+      // Get user ID from JWT token
+      const userId = (req as any).user?.userId
+      if (!userId) {
+        res.status(401).json({ message: 'Unauthorized' })
+        return
+      }
+
+      // Find user
+      const user = await UsersModel.findOne({
+        _id: userId,
+        deleted_at: null,
+        is_active: true
+      }).exec()
+
+      if (!user) {
+        res.status(404).json({ message: 'User not found' })
+        return
+      }
+
+      // Verify current password
+      const isCurrentPasswordValid = await bcrypt.compare(current_password, user.password as string)
+      if (!isCurrentPasswordValid) {
+        res.status(400).json({ message: 'Current password is incorrect' })
+        return
+      }
+
+      // Hash new password
+      const hashedNewPassword = await bcrypt.hash(new_password, 10)
+
+      // Update password
+      await UsersModel.updateOne(
+        { _id: userId },
+        {
+          password: hashedNewPassword,
+          updated_at: Date.now()
+        }
+      )
+
+      // Add to email queue
+      await getEmailQueue().add('send-email', {
+        type: 'password_changed',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          name: `${user.first_name} ${user.middle_name ? user.middle_name + ' ' : ''}${user.last_name}`
+        }
+      })
+
+      res.json({
+        message: 'Password changed successfully',
+        success: true
+      })
+    } catch (err) {
+      console.error('Change password error', err)
+      res.status(500).json({ message: 'Failed to change password', error: String(err) })
+    }
+  }
+
+  /**
+   * Start passkey registration challenge
+   */
+  public async registerPasskey(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { user_id, email } = body
+
+      if (!user_id || !email) {
+        res.status(400).json({ message: 'User ID and email are required' })
+        return
+      }
+
+      // Find user
+      const user = await UsersModel.findOne({
+        _id: user_id,
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec()
+
+      if (!user) {
+        res.status(404).json({ message: 'User not found' })
+        return
+      }
+
+      // Generate WebAuthn challenge
+      const challenge = crypto.randomBytes(32)
+      const deviceId = crypto.randomBytes(16).toString('hex')
+
+      res.json({
+        challenge: challenge.toString('base64'),
+        device_id: deviceId,
+        device_name: `Device ${new Date().toLocaleDateString()}`
+      })
+    } catch (err) {
+      console.error('Register passkey challenge error', err)
+      res.status(500).json({ message: 'Failed to start registration', error: String(err) })
+    }
+  }
+
+  /**
+   * Complete passkey registration
+   */
+  public async completePasskeyRegistration(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { user_id, credential_id, device_id, name, public_key } = body
+
+      if (!user_id || !credential_id || !device_id || !name || !public_key) {
+        res.status(400).json({ message: 'All fields are required' })
+        return
+      }
+
+      // Check if passkey already exists
+      const existingPasskey = await PasskeysModel.findOne({
+        credential_id,
+        deleted_at: null
+      }).lean().exec()
+
+      if (existingPasskey) {
+        res.status(409).json({ message: 'Passkey already registered' })
+        return
+      }
+
+      // Get user info for email
+      const user = await UsersModel.findOne({ _id: user_id }).lean().exec()
+      if (!user) {
+        res.status(404).json({ message: 'User not found' })
+        return
+      }
+
+      // Create new passkey
+      await PasskeysModel.create({
+        user_id,
+        credential_id,
+        device_id,
+        name,
+        public_key,
+        created_at: Date.now(),
+        updated_at: Date.now()
+      })
+
+      // Add to email queue
+      await getEmailQueue().add('send-email', {
+        type: 'passkey',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          name: `${user.first_name} ${user.middle_name ? user.middle_name + ' ' : ''}${user.last_name}`,
+          device_name: name
+        }
+      })
+
+      res.json({
+        message: 'Passkey registered successfully',
+        success: true,
+        device_id,
+        device_name: name
+      })
+    } catch (err) {
+      console.error('Complete passkey registration error', err)
+      res.status(500).json({ message: 'Failed to register passkey', error: String(err) })
+    }
+  }
+
+  /**
+   * Get user passkeys
+   */
+  public async getPasskeys(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const { user_id } = req.params 
+      
+      if (!user_id) {
+        res.status(400).json({ message: 'User ID is required' })
+        return
+      }
+
+      const passkeys = await PasskeysModel.find({
+        user_id,
+        deleted_at: null,
+        is_active: true
+      })
+        .select('-__v')
+        .sort({ created_at: -1 })
+        .lean()
+        .exec()
+
+      res.json({
+        message: 'Passkeys retrieved successfully',
+        passkeys
+      })
+    } catch (err) {
+      console.error('Get passkeys error', err)
+      res.status(500).json({ message: 'Failed to retrieve passkeys', error: String(err) })
+    }
+  }
+
+  /**
+   * Search users by email
+   */
+  public async searchUsers(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const query = req.query.q as string;
+
+      if (!query || query.trim().length < 2) {
+        res.json({
+          message: 'Search query must be at least 2 characters',
+          users: []
+        });
+        return;
+      }
+
+      const searchTerm = query.trim().toLowerCase();
+
+      const users = await UsersModel.find({
+        deleted_at: null,
+        is_active: true,
+        $or: [
+          { email: { $regex: searchTerm, $options: 'i' } },
+          { first_name: { $regex: searchTerm, $options: 'i' } },
+          { last_name: { $regex: searchTerm, $options: 'i' } }
+        ]
+      })
+        .select('-password -__v')
+        .limit(10)
+        .lean()
+        .exec();
+
+      res.json({
+        message: 'Users retrieved successfully',
+        users,
+        count: users.length
+      });
+    } catch (err) {
+      console.error('Search users error', err);
+      res.status(500).json({ message: 'Failed to search users', error: String(err) });
+    }
+  }
+
+  /**
+   * Start passkey authentication challenge
+   */
+  public async authenticatePasskey(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { email, device_id } = body
+
+      if (!email || !device_id) {
+        res.status(400).json({ message: 'Email and device ID are required' })
+        return
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec()
+
+      if (!user) {
+        res.status(401).json({ message: 'Invalid credentials' })
+        return
+      }
+
+      // Find the latest active passkey for this user and device
+      const passkey = await PasskeysModel.findOne({
+        user_id: user._id,
+        device_id,
+        is_active: true,
+        deleted_at: null
+      })
+        .sort({ created_at: -1 })
+        .lean()
+        .exec()
+
+      if (!passkey) {
+        res.status(401).json({ message: 'No passkey found for this device' })
+        return
+      }
+
+      // Generate WebAuthn challenge
+      const challenge = crypto.randomBytes(32)
+
+      res.json({
+        challenge: challenge.toString('base64'),
+        user_id: user._id,
+        credential_id: passkey.credential_id
+      })
+    } catch (err) {
+      console.error('Passkey authentication challenge error', err)
+      res.status(500).json({ message: 'Failed to start authentication', error: String(err) })
+    }
+  }
+
+  /**
+   * Validate reset token
+   */
+  public async validateResetToken(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { token } = body
+
+      if (!token) {
+        res.status(400).json({ message: 'Token is required' })
+        return
+      }
+
+      // Find user with valid reset token
+      const user = await UsersModel.findOne({
+        reset_token: token,
+        reset_token_expires: { $gt: Date.now() },
+        deleted_at: null,
+        is_active: true
+      }).lean().exec()
+
+      if (!user) {
+        res.status(400).json({ message: 'Invalid or expired token' })
+        return
+      }
+
+      res.json({
+        message: 'Token is valid',
+        valid: true
+      })
+    } catch (err) {
+      console.error('Validate reset token error', err)
+      res.status(500).json({ message: 'Failed to validate token', error: String(err) })
+    }
+  }
+
+  /**
+   * Reset password with token
+   */
+  public async resetPassword(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { token, new_password } = body
+
+      if (!token || !new_password) {
+        res.status(400).json({ message: 'Token and new password are required' })
+        return
+      }
+
+      // Find user with valid reset token
+      const user = await UsersModel.findOne({
+        reset_token: token,
+        reset_token_expires: { $gt: Date.now() },
+        deleted_at: null,
+        is_active: true
+      }).exec()
+
+      if (!user) {
+        res.status(400).json({ message: 'Invalid or expired token' })
+        return
+      }
+
+      // Hash new password
+      const hashedPassword = await bcrypt.hash(new_password, 10)
+
+      // Update password and clear reset token
+      await UsersModel.updateOne(
+        { _id: user._id },
+        {
+          password: hashedPassword,
+          reset_token: null,
+          reset_token_expires: null,
+          updated_at: Date.now()
+        }
+      )
+
+      // Add to email queue for password changed notification
+      await getEmailQueue().add('send-email', {
+        type: 'password_changed',
+        data: {
+          user_id: user._id,
+          email: user.email,
+          name: `${user.first_name} ${user.middle_name ? user.middle_name + ' ' : ''}${user.last_name}`
+        }
+      })
+
+      res.json({
+        message: 'Password reset successfully',
+        success: true
+      })
+    } catch (err) {
+      console.error('Reset password error', err)
+      res.status(500).json({ message: 'Failed to reset password', error: String(err) })
+    }
+  }
+
+  /**
+   * Complete passkey authentication
+   */
+  public async verifyPasskey(req: MulterRequest & { body?: Record<string, any> }, res: Response): Promise<void> {
+    try {
+      const body = req.body || {}
+      const { email, device_id, credential_id, authenticator_data, client_data_json, signature } = body
+
+      if (!email || !device_id || !credential_id || !authenticator_data || !client_data_json || !signature) {
+        res.status(400).json({ message: 'All authentication data is required' })
+        return
+      }
+
+      // Find user by email
+      const user = await UsersModel.findOne({
+        email: email.trim().toLowerCase(),
+        deleted_at: null,
+        is_active: true
+      }).lean().exec()
+
+      if (!user) {
+        res.status(401).json({ message: 'Invalid credentials' })
+        return
+      }
+
+      // Find the passkey
+      const passkey = await PasskeysModel.findOne({
+        user_id: user._id,
+        credential_id,
+        device_id,
+        is_active: true,
+        deleted_at: null
+      }).lean().exec()
+
+      if (!passkey) {
+        res.status(401).json({ message: 'Invalid passkey' })
+        return
+      }
+
+      // TODO: Implement WebAuthn signature verification
+      // For now, we'll trust the client-side verification and proceed
+
+      // Update last used timestamp
+      await PasskeysModel.updateOne(
+        { _id: passkey._id },
+        { last_used_at: Date.now(), updated_at: Date.now() }
+      )
+
+      // Generate JWT token
+      const jwtSecret = process.env.JWT_SECRET
+      if (!jwtSecret) {
+        throw new Error('JWT_SECRET environment variable is required')
+      }
+
+      const token = jwt.sign(
+        {
+          userId: user._id,
+          email: user.email,
+          role: user.role
+        },
+        jwtSecret,
+        { expiresIn: '24h' }
+      )
+
+      res.json({
+        message: 'Passkey authentication successful',
+        token,
+        user: {
+          id: user._id,
+          email: user.email,
+          first_name: user.first_name,
+          middle_name: user.middle_name,
+          last_name: user.last_name,
+          full_name: `${user.first_name} ${user.last_name}`,
+          role: user.role,
+          employee_id: user.employee_id,
+          is_active: user.is_active
+        }
+      })
+    } catch (err) {
+      console.error('Passkey verification error', err)
+      res.status(500).json({ message: 'Passkey authentication failed', error: String(err) })
+    }
+  }
+
+  /**
+   * Delete passkey
+   */
+  public async deletePasskey(req: MulterRequest, res: Response): Promise<void> {
+    try {
+      const { passkeyId } = req.params
+
+      if (!passkeyId) {
+        res.status(400).json({ message: 'Passkey ID is required' })
+        return
+      }
+
+      const passkey = await PasskeysModel.findOneAndUpdate(
+        { _id: passkeyId, deleted_at: null },
+        { deleted_at: Date.now() },
+        { new: true }
+      ).lean().exec()
+
+      if (!passkey) {
+        res.status(404).json({ message: 'Passkey not found' })
+        return
+      }
+
+      res.json({
+        message: 'Passkey deleted successfully',
+        success: true
+      })
+    } catch (err) {
+      console.error('Delete passkey error', err)
+      res.status(500).json({ message: 'Failed to delete passkey', error: String(err) })
+    }
+  }
+}
+
+export default Users;