upfynai-code 2.5.1 → 2.6.0

package/server/routes/auth.js

@@ -100,47 +100,23 @@ router.post('/login', (req, res, next) => {
   next();
 }, async (req, res) => {
   try {
-    const { username, password, firstName, lastName, phone } = req.body;
+    const { username, password } = req.body;
 
     if (!username || !password) {
-      return res.status(400).json({ error: 'Email and password are required' });
+      return res.status(400).json({ error: 'Identifier and password are required' });
     }
 
     const user = await userDb.getUserByUsername(username.trim());
     if (!user) {
-      return res.status(401).json({ error: 'Invalid email or password' });
+      return res.status(401).json({ error: 'Invalid credentials' });
     }
 
     const isValidPassword = await bcrypt.compare(password, user.password_hash);
     if (!isValidPassword) {
-      return res.status(401).json({ error: 'Invalid email or password' });
+      return res.status(401).json({ error: 'Invalid credentials' });
     }
 
-    // Update name/phone if provided and different from stored values
-    const fName = (firstName || '').trim().slice(0, 50);
-    const lName = (lastName || '').trim().slice(0, 50);
-    const ph = (phone || '').trim().slice(0, 20);
-    const updates = [];
-    const args = [];
-    if (fName && fName !== user.first_name) { updates.push('first_name = ?'); args.push(fName); }
-    if (lName && lName !== user.last_name) { updates.push('last_name = ?'); args.push(lName); }
-    if (ph && ph !== user.phone) { updates.push('phone = ?'); args.push(ph); }
-    if (fName && lName && `${fName} ${lName}` !== user.username) {
-      updates.push('username = ?');
-      args.push(`${fName} ${lName}`);
-    } else if (fName && !lName && fName !== user.username && !user.last_name) {
-      updates.push('username = ?');
-      args.push(fName);
-    }
-    if (updates.length > 0) {
-      try {
-        args.push(user.id);
-        await db.execute({ sql: `UPDATE users SET ${updates.join(', ')} WHERE id = ?`, args });
-      } catch { /* non-critical profile update */ }
-    }
-
-    // Re-fetch user to get updated fields
-    const updatedUser = updates.length > 0 ? (await userDb.getUserById(user.id)) || user : user;
+    const updatedUser = user;
 
     // Generate token + set cookie
     const token = generateToken(updatedUser);
@@ -254,6 +230,33 @@ router.get('/connect-token', authenticateToken, async (req, res) => {
   }
 });
 
+// Update profile — phone only (email and other sensitive fields are read-only)
+router.patch('/profile', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const { phone } = req.body;
+
+    if (phone === undefined) {
+      return res.status(400).json({ error: 'No fields to update' });
+    }
+
+    const trimmed = (phone || '').trim().slice(0, 20);
+    if (trimmed && !/^[+]?[\d\s()-]{7,20}$/.test(trimmed)) {
+      return res.status(400).json({ error: 'Invalid phone format' });
+    }
+
+    await db.execute({ sql: 'UPDATE users SET phone = ? WHERE id = ?', args: [trimmed || null, userId] });
+
+    const updated = await userDb.getUserById(userId);
+    res.json({
+      success: true,
+      user: { phone: updated?.phone || null }
+    });
+  } catch (error) {
+    res.status(500).json({ error: 'Failed to update profile' });
+  }
+});
+
 // Logout — clear the session cookie
 router.post('/logout', authenticateToken, (req, res) => {
   clearSessionCookie(res);