alpe-temp 1.0.1 → 1.0.3

package/backend-project/package-lock.json

@@ -9,10 +9,12 @@
       "version": "1.0.0",
       "dependencies": {
         "bcryptjs": "^2.4.3",
+        "connect-mongo": "^6.0.0",
         "cors": "^2.8.5",
         "dotenv": "^16.4.5",
         "exceljs": "^4.4.0",
         "express": "^4.19.2",
+        "express-session": "^1.19.0",
         "helmet": "^7.1.0",
         "jsonwebtoken": "^9.0.2",
         "mongoose": "^8.5.0",
@@ -183,6 +185,18 @@
       "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
       "license": "MIT"
     },
+    "node_modules/asn1.js": {
+      "version": "5.4.1",
+      "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz",
+      "integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==",
+      "license": "MIT",
+      "dependencies": {
+        "bn.js": "^4.0.0",
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0",
+        "safer-buffer": "^2.1.0"
+      }
+    },
     "node_modules/async": {
       "version": "3.2.6",
       "resolved": "https://registry.npmjs.org/async/-/async-3.2.6.tgz",
@@ -273,6 +287,12 @@
       "integrity": "sha512-iD3898SR7sWVRHbiQv+sHUtHnMvC1o3nW5rAcqnq3uOn07DSAppZYUkIGslDz6gXC7HfunPe7YVBgoEJASPcHA==",
       "license": "MIT"
     },
+    "node_modules/bn.js": {
+      "version": "4.12.3",
+      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.3.tgz",
+      "integrity": "sha512-fGTi3gxV/23FTYdAoUtLYp6qySe2KE3teyZitipKNRuVYcBkoP/bB3guXN/XVKUe9mxCHXnc9C4ocyz8OmgN0g==",
+      "license": "MIT"
+    },
     "node_modules/body-parser": {
       "version": "1.20.5",
       "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
@@ -481,6 +501,46 @@
       "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
       "license": "MIT"
     },
+    "node_modules/connect-mongo": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/connect-mongo/-/connect-mongo-6.0.0.tgz",
+      "integrity": "sha512-mHxfnTiWk7ZtxmHdcrFBKlr7fCtgGoFpx/oe9jFW0yb2NinagsxEeuol78nUWMpnWyYK0nnuXMlU9wrgUjTE6g==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.3",
+        "kruptein": "3.0.8"
+      },
+      "engines": {
+        "node": ">=20.8.0"
+      },
+      "peerDependencies": {
+        "express-session": "^1.17.1",
+        "mongodb": ">=5.0.0"
+      }
+    },
+    "node_modules/connect-mongo/node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/connect-mongo/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
     "node_modules/content-disposition": {
       "version": "0.5.4",
       "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
@@ -818,6 +878,29 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/express-session": {
+      "version": "1.19.0",
+      "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.19.0.tgz",
+      "integrity": "sha512-0csaMkGq+vaiZTmSMMGkfdCOabYv192VbytFypcvI0MANrp+4i/7yEkJ0sbAEhycQjntaKGzYfjfXQyVb7BHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "cookie": "~0.7.2",
+        "cookie-signature": "~1.0.7",
+        "debug": "~2.6.9",
+        "depd": "~2.0.0",
+        "on-headers": "~1.1.0",
+        "parseurl": "~1.3.3",
+        "safe-buffer": "~5.2.1",
+        "uid-safe": "~2.1.5"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/fast-csv": {
       "version": "4.3.6",
       "resolved": "https://registry.npmjs.org/fast-csv/-/fast-csv-4.3.6.tgz",
@@ -1307,6 +1390,18 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/kruptein": {
+      "version": "3.0.8",
+      "resolved": "https://registry.npmjs.org/kruptein/-/kruptein-3.0.8.tgz",
+      "integrity": "sha512-0CyalFA0Cjp3jnziMp0u1uLZW2/ouhQ0mEMfYlroBXNe86na1RwAuwBcdRAegeWZNMfQy/G5fN47g/Axjtqrfw==",
+      "license": "MIT",
+      "dependencies": {
+        "asn1.js": "^5.4.1"
+      },
+      "engines": {
+        "node": ">8"
+      }
+    },
     "node_modules/lazystream": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/lazystream/-/lazystream-1.0.1.tgz",
@@ -1548,6 +1643,12 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/minimalistic-assert": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
+      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
+      "license": "ISC"
+    },
     "node_modules/minimatch": {
       "version": "3.1.5",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
@@ -1859,6 +1960,15 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/on-headers": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
+      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/once": {
       "version": "1.4.0",
       "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
@@ -1961,6 +2071,15 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/random-bytes": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
+      "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/range-parser": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
@@ -2384,6 +2503,18 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/uid-safe": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
+      "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
+      "license": "MIT",
+      "dependencies": {
+        "random-bytes": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
     "node_modules/undefsafe": {
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.5.tgz",

package/backend-project/package.json

@@ -10,13 +10,15 @@
   },
   "dependencies": {
     "bcryptjs": "^2.4.3",
+    "connect-mongo": "^6.0.0",
     "cors": "^2.8.5",
     "dotenv": "^16.4.5",
     "exceljs": "^4.4.0",
     "express": "^4.19.2",
-    "mongoose": "^8.5.0",
+    "express-session": "^1.19.0",
     "helmet": "^7.1.0",
     "jsonwebtoken": "^9.0.2",
+    "mongoose": "^8.5.0",
     "uuid": "^10.0.0"
   },
   "devDependencies": {

package/backend-project/src/app.js

@@ -1,39 +1,37 @@
-// ═══════════════════════════════════════════════════════════════════════════
-//  🚀  APP  —  Express application setup
-// ═══════════════════════════════════════════════════════════════════════════
-//
-//  WHAT THIS FILE DOES:
-//    - Creates the Express app
-//    - Adds middleware (security, CORS, JSON parsing)
-//    - Registers all API module routes
-//    - Exports the app for server.js to use
-//
-//  HOW TO ADD A NEW MODULE:
-//    1. Add its routes to src/config/app.config.js (registeredRoutes array)
-//    2. Add a use() line below (see the PATTERN section)
-//    3. Done! Your new API is live.
-//
-// ═══════════════════════════════════════════════════════════════════════════
-
 const express = require('express');
-const path    = require('path');
-const helmet  = require('helmet');
-const cors    = require('cors');
-const db      = require('./config/db');
-const cfg     = require('./config/app.config');
-
+const path = require('path');
+const helmet = require('helmet');
+const cors = require('cors');
+const session = require('express-session');
+const { MongoStore } = require('connect-mongo');
+const db = require('./config/db');
+const cfg = require('./config/app.config');
+const env = require('./config/env');
 const { errorHandler, notFoundHandler } = require('./middleware/error.middleware');
 
 const app = express();
 
-// ─── GLOBAL MIDDLEWARE (applied to every request) ────────────────────────────
-app.use(helmet());                    // security headers
-app.use(cors());                      // allow cross-origin requests
-app.use(express.json({ limit: '10mb' }));  // parse JSON bodies
+app.use(helmet({ contentSecurityPolicy: false }));
+app.use(cors({
+  origin: process.env.NODE_ENV === 'production' ? false : 'http://localhost:5173',
+  credentials: true,
+}));
+app.use(express.json({ limit: '10mb' }));
 app.use(express.urlencoded({ extended: true }));
 
-// ─── HEALTH CHECK ────────────────────────────────────────────────────────────
-//  Every scenario needs a health endpoint for deployment monitoring.
+app.use(session({
+  secret: env.SESSION_SECRET,
+  resave: false,
+  saveUninitialized: false,
+  store: MongoStore.create({ mongoUrl: env.MONGODB_URI, collectionName: 'sessions' }),
+  cookie: {
+    httpOnly: true,
+    secure: false,
+    sameSite: 'lax',
+    maxAge: 24 * 60 * 60 * 1000,
+  },
+}));
+
 app.get('/health', (_req, res) =>
   res.json({
     status: 'ok',
@@ -42,28 +40,12 @@ app.get('/health', (_req, res) =>
   })
 );
 
-// ╔═══════════════════════════════════════════════════════════════════════════╗
-// ║  📌  PATTERN: Register a new module                                    ║
-// ║                                                                         ║
-// ║  Step 1. In app.config.js, add to registeredRoutes:                     ║
-// ║    { name: 'products', routes: require('./modules/product/product.routes') } ║
-// ║                                                                         ║
-// ║  Step 2. Add one line below:                                           ║
-// ║    app.use('/api/products', require('./modules/product/product.routes'));    ║
-// ╚═══════════════════════════════════════════════════════════════════════════╝
-
-// ─── MODULE ROUTES ───────────────────────────────────────────────────────────
-//  Each line starts a new API group under /api/...
-//  The route file inside each module handles its own sub-routes.
-//
-app.use('/api/auth',        require('./modules/auth/auth.routes'));
-app.use('/api/excel',       require('./modules/excel/excel.routes'));
-app.use('/api/employees',   require('./modules/employee/employee.routes'));
+app.use('/api/auth', require('./modules/auth/auth.routes'));
+app.use('/api/employees', require('./modules/employee/employee.routes'));
 app.use('/api/departments', require('./modules/department/department.routes'));
-app.use('/api/salaries',    require('./modules/salary/salary.routes'));
-app.use('/api/reports',     require('./modules/reports/reports.routes'));
+app.use('/api/positions', require('./modules/position/position.routes'));
+app.use('/api/reports', require('./modules/reports/reports.routes'));
 
-// ─── FRONTEND SPA (serves built React app) ────────────────────────────────────
 const distPath = path.join(__dirname, '..', '..', 'frontend-project', 'dist');
 app.use(express.static(distPath));
 
@@ -72,13 +54,9 @@ app.get('*', (req, res, next) => {
   res.sendFile(path.join(distPath, 'index.html'));
 });
 
-// ─── ERROR HANDLING (must be last) ───────────────────────────────────────────
-//  These catch any errors from routes above.
-app.use(notFoundHandler);   // handles 404 - route not found
-app.use(errorHandler);      // handles 500 - server errors
+app.use(notFoundHandler);
+app.use(errorHandler);
 
-// ─── DATABASE CONNECTION ─────────────────────────────────────────────────────
-//  Called by server.js (not here) so the app is testable without a DB.
 app.connectDB = () => db.connect();
 
 module.exports = app;

package/backend-project/src/config/app.config.js

@@ -1,72 +1,24 @@
-// ═══════════════════════════════════════════════════════════════════════════
-//  ⚙️  APP CONFIG  —  One place to control the whole backend
-// ═══════════════════════════════════════════════════════════════════════════
-//
-//  WHAT THIS FILE DOES:
-//    - Loads environment variables from .env (via env.js)
-//    - Lists every registered module (so you can add/remove features)
-//    - Exports everything in one easy-to-find object
-//
-//  HOW TO ADD A NEW FEATURE (e.g. "Products"):
-//    1. Create folder:  src/modules/product/
-//    2. Copy files from src/modules/_example/  (rename to product.*)
-//    3. Import routes below in this file (see REGISTERED MODULES)
-//    4. Add route line in app.js (see instructions there)
-//
-// ═══════════════════════════════════════════════════════════════════════════
-
 const env = require('./env');
 
-// ─── SERVER SETTINGS ─────────────────────────────────────────────────────────
 const server = {
   PORT: env.PORT,
   NODE_ENV: env.NODE_ENV,
 };
 
-// ─── DATABASE ────────────────────────────────────────────────────────────────
 const database = {
   URI: env.MONGODB_URI,
 };
 
-// ─── JWT AUTHENTICATION ──────────────────────────────────────────────────────
-const jwt = {
-  SECRET: env.JWT_SECRET,
-  EXPIRES_IN: env.JWT_EXPIRES_IN,
-  REFRESH_SECRET: env.JWT_REFRESH_SECRET,
-  REFRESH_EXPIRES_IN: env.JWT_REFRESH_EXPIRES_IN,
-};
-
-// ─── BCRYPT ──────────────────────────────────────────────────────────────────
-const bcrypt = {
-  ROUNDS: env.BCRYPT_ROUNDS,
-};
-
-// ─── REGISTERED MODULES ──────────────────────────────────────────────────────
-//  🔵  To ADD a new module:
-//       1. Import its routes:  const productRoutes = require('../modules/product/product.routes');
-//       2. Add to the list:    { name: 'products', routes: productRoutes }
-//
-//  🔴  To REMOVE a module:
-//       Just delete its line from this array (and the import above).
-//
-//  Every module in this list automatically gets:
-//    - Route registration in app.js
-//    - Listed in the /health endpoint for debugging
-//
 const registeredRoutes = [
   { name: 'auth',        routes: require('../modules/auth/auth.routes') },
   { name: 'employees',   routes: require('../modules/employee/employee.routes') },
   { name: 'departments', routes: require('../modules/department/department.routes') },
-  { name: 'salaries',    routes: require('../modules/salary/salary.routes') },
+  { name: 'positions',   routes: require('../modules/position/position.routes') },
   { name: 'reports',     routes: require('../modules/reports/reports.routes') },
-  { name: 'excel',       routes: require('../modules/excel/excel.routes') },
 ];
 
-// ─── EXPORT EVERYTHING ───────────────────────────────────────────────────────
 module.exports = {
   server,
   database,
-  jwt,
-  bcrypt,
   registeredRoutes,
 };

package/backend-project/src/config/env.js

@@ -3,17 +3,9 @@ require('dotenv').config();
 const env = {
   PORT: process.env.PORT || 3000,
   NODE_ENV: process.env.NODE_ENV || 'development',
-
-  MONGODB_URI: process.env.MONGODB_URI || 'mongodb://127.0.0.1:27017/auth_db',
-
-  JWT_SECRET: process.env.JWT_SECRET || 'change-this-secret-in-production',
-  JWT_EXPIRES_IN: process.env.JWT_EXPIRES_IN || '7d',
-  JWT_REFRESH_SECRET: process.env.JWT_REFRESH_SECRET || 'change-this-refresh-secret',
-  JWT_REFRESH_EXPIRES_IN: process.env.JWT_REFRESH_EXPIRES_IN || '30d',
-
+  MONGODB_URI: process.env.MONGODB_URI || 'mongodb://127.0.0.1:27017/HRMS',
+  SESSION_SECRET: process.env.SESSION_SECRET || 'hrms-session-secret-change-in-production',
   BCRYPT_ROUNDS: parseInt(process.env.BCRYPT_ROUNDS || '12', 10),
-
-  EXCEL_OUTPUT_DIR: process.env.EXCEL_OUTPUT_DIR || './exports',
 };
 
 module.exports = env;

package/backend-project/src/middleware/auth.middleware.js

@@ -1,33 +1,10 @@
-const { verifyAccessToken } = require('../utils/token');
 const res_ = require('../utils/response');
 
-/**
- * authenticate — verifies the Bearer token and attaches `req.user`.
- */
 const authenticate = (req, res, next) => {
-  const header = req.headers.authorization || '';
-  const token = header.startsWith('Bearer ') ? header.slice(7) : null;
-
-  if (!token) return res_.unauthorized(res, 'No token provided');
-
-  try {
-    req.user = verifyAccessToken(token);
-    return next();
-  } catch (err) {
-    const message = err.name === 'TokenExpiredError' ? 'Token expired' : 'Invalid token';
-    return res_.unauthorized(res, message);
-  }
-};
-
-/**
- * authorize — gates a route to specific roles.
- * Usage: router.delete('/admin', authenticate, authorize('admin'), handler)
- */
-const authorize = (...roles) => (req, res, next) => {
-  if (!roles.includes(req.user?.role)) {
-    return res_.forbidden(res, 'Insufficient permissions');
+  if (!req.session || !req.session.userId) {
+    return res_.unauthorized(res, 'Please log in first');
   }
   return next();
 };
 
-module.exports = { authenticate, authorize };
+module.exports = { authenticate };

package/backend-project/src/modules/auth/auth.controller.js

@@ -2,10 +2,10 @@ const AuthService = require('./auth.service');
 const res_ = require('../../utils/response');
 
 const AuthController = {
-  async signup(req, res) {
+  async register(req, res) {
     try {
-      const result = await AuthService.signup(req.body);
-      return res_.created(res, result, 'Account created successfully');
+      const user = await AuthService.createUser(req.body);
+      return res_.created(res, user, 'User account created');
     } catch (err) {
       return res_.error(res, err.message, err.statusCode || 500);
     }
@@ -13,17 +13,10 @@ const AuthController = {
 
   async login(req, res) {
     try {
-      const result = await AuthService.login(req.body);
-      return res_.success(res, result, 'Login successful');
-    } catch (err) {
-      return res_.error(res, err.message, err.statusCode || 500);
-    }
-  },
-
-  async refresh(req, res) {
-    try {
-      const result = await AuthService.refresh(req.body.refreshToken);
-      return res_.success(res, result, 'Tokens refreshed');
+      const user = await AuthService.login(req.body);
+      req.session.userId = user.id;
+      req.session.userName = user.userName;
+      return res_.success(res, { user }, 'Login successful');
     } catch (err) {
       return res_.error(res, err.message, err.statusCode || 500);
     }
@@ -31,16 +24,19 @@ const AuthController = {
 
   async me(req, res) {
     try {
-      const user = await AuthService.me(req.user.id);
-      return res_.success(res, user);
+      const user = await AuthService.me(req.session.userId);
+      return res_.success(res, { user });
     } catch (err) {
       return res_.error(res, err.message, err.statusCode || 500);
     }
   },
 
-  logout(_req, res) {
-    // JWT logout is client-side. Add a token blocklist here for server-side invalidation.
-    return res_.success(res, null, 'Logged out successfully');
+  async logout(req, res) {
+    req.session.destroy((err) => {
+      if (err) return res_.error(res, 'Logout failed', 500);
+      res.clearCookie('connect.sid');
+      return res_.success(res, null, 'Logged out successfully');
+    });
   },
 };
 

package/backend-project/src/modules/auth/auth.routes.js

@@ -4,13 +4,9 @@ const { authenticate } = require('../../middleware/auth.middleware');
 
 const router = Router();
 
-// Public routes
-router.post('/signup',  AuthController.signup);
-router.post('/login',   AuthController.login);
-router.post('/refresh', AuthController.refresh);
-
-// Protected routes
-router.get('/me',      authenticate, AuthController.me);
-router.post('/logout', authenticate, AuthController.logout);
+router.post('/register', AuthController.register);
+router.post('/login',    AuthController.login);
+router.get('/me',        authenticate, AuthController.me);
+router.post('/logout',   authenticate, AuthController.logout);
 
 module.exports = router;

package/backend-project/src/modules/auth/auth.service.js

@@ -1,7 +1,6 @@
 const bcrypt = require('bcryptjs');
 const User = require('./user.model');
 const env = require('../../config/env');
-const { generateTokens, verifyRefreshToken } = require('../../utils/token');
 
 const fail = (message, statusCode) => {
   const err = new Error(message);
@@ -10,45 +9,24 @@ const fail = (message, statusCode) => {
 };
 
 const AuthService = {
-  async signup({ name, email, password }) {
-    const existing = await User.findOne({ email: email.toLowerCase() });
-    if (existing) fail('Email is already registered', 409);
-
+  async createUser({ userName, password }) {
+    const existing = await User.findOne({ userName });
+    if (existing) fail('Username is already taken', 409);
     const hashed = await bcrypt.hash(password, env.BCRYPT_ROUNDS);
-    const user = await User.create({ name, email, password: hashed });
-    const tokens = generateTokens(user.toSafeObject());
-
-    return { user: user.toSafeObject(), ...tokens };
+    const user = await User.create({ userName, password: hashed });
+    return user.toSafeObject();
   },
 
-  async login({ email, password }) {
-    const user = await User.findOne({ email: email.toLowerCase() });
+  async login({ userName, password }) {
+    const user = await User.findOne({ userName }).populate('employee');
     if (!user) fail('Invalid credentials', 401);
-
     const valid = await bcrypt.compare(password, user.password);
     if (!valid) fail('Invalid credentials', 401);
-
-    const tokens = generateTokens(user.toSafeObject());
-    return { user: user.toSafeObject(), ...tokens };
-  },
-
-  async refresh(refreshToken) {
-    let payload;
-    try {
-      payload = verifyRefreshToken(refreshToken);
-    } catch {
-      fail('Invalid or expired refresh token', 401);
-    }
-
-    const user = await User.findById(payload.id);
-    if (!user) fail('User not found', 401);
-
-    const tokens = generateTokens(user.toSafeObject());
-    return { user: user.toSafeObject(), ...tokens };
+    return user.toSafeObject();
   },
 
   async me(userId) {
-    const user = await User.findById(userId);
+    const user = await User.findById(userId).populate('employee');
     if (!user) fail('User not found', 404);
     return user.toSafeObject();
   },