solution#273
Conversation
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
The implementation has multiple critical import path errors that will cause runtime failures and block core functionality:
Critical Blockers:
-
Import path typo in
src/middlewares/auth.middleware.js- imports from'../services/jwt.service.js'but the actual file isjwt.services.js(with 's'). This will crash all authenticated routes withMODULE_NOT_FOUND. -
Import path typo in
src/index.js- importscookieParserfrom'cookieParser'instead of'cookie-parser'. This will crash the server on startup. -
Import path typo in
src/controller/auth.controller.js- imports from'jwt.service.js'instead of'jwt.services.js'. -
Function naming typo in
src/controller/auth.controller.jsline 144 - callsuserServices.normilizeUser(user)but the actual function inuser.services.jsis namednormalizeUser. This will cause a runtime error when registration or login succeeds. -
Missing
/profileroute - The requirements explicitly require a Profile page for authenticated users, butauth.router.jshas noGET /profileroute. Redirects in activation and login flows point to this non-existent endpoint. -
User routes lack authentication in
src/index.js- The/user/*routes are mounted withoutauthMiddleware, allowing unauthenticated access to user data endpoints.
These issues must be fixed before the application can run correctly.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Your implementation successfully covers all core requirements from the task: registration with validation and activation email, login with email activation check, logout with redirects, password reset flow, and profile page with name/password/email change capabilities. All authentication routes are properly protected with middleware, and 404 handling is in place. There are two functional improvements worth noting: 1. Profile response missing name: The normalizeUser function in src/services/user.services.js returns only { userId, email }, so the profile endpoint will display users without their name. Consider adding name: user.name to the returned object for complete profile data. 2. GET /user endpoint security: The user list endpoint returns full user objects including password hashes to any authenticated user. Consider removing this endpoint, restricting it to admin users, or returning only safe fields (excluding password). 3. Secure cookie flag: The refresh token cookie has secure: true, which may fail in development environments without HTTPS. Consider using secure: process.env.NODE_ENV === 'production' for local testing compatibility. These are improvements rather than blockers—your authentication system is functional and meets the task requirements. Great work resolving the import and routing issues from the previous review.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Footnotes
| import { authMiddleware } from './middlewares/auth.mildware.js'; | ||
|
|
||
| const app = express(); | ||
| const port = process.env.PORT || 3000; |
There was a problem hiding this comment.
The GET / endpoint returns ALL users without any context about which user is requesting. An authenticated user can see all other users' data. Consider removing this endpoint or restricting it to admin users only.
|
|
||
| const [, token] = authorization.split(' '); | ||
|
|
||
| if (!token) { | ||
| return res.sendStatus(401); | ||
| } | ||
|
|
||
| const userData = jwtService.verify(token); | ||
|
|
||
| if (!userData) { |
There was a problem hiding this comment.
The validation functions return error messages but lack early returns after the first check. If both conditions fail, only the first error is returned correctly, but adding explicit returns after each condition improves clarity.
|
|
||
| function normalizeUser(user) { | ||
| return { | ||
| userId: user.userId, | ||
| email: user.email, | ||
| }; |
There was a problem hiding this comment.
The normalizeUser function excludes the name field, returning only { userId, email }. Since this is used to generate the JWT payload and the getProfile endpoint returns req.user, the profile response will be missing the user's name. Consider including name in the normalized user object so authenticated users can view their profile data with their name.
2 participants
No description provided.