Update: Update Backend Auth Module for Signup Flow (Model, Controller, Validator, Types)

[youneedgreg]

• Added signup schema fields [firstName], [birthPlace], [location], optional [portfolioUrl], [bio], and role enum enforcement with timestamps and unique email in src/api/v1/user/user.model.ts; aligned typings with role union and timestamps plus Request user typing update in src/api/v1/user/user.type.ts and types/express.d.ts.
• Centralized role/password/bio config and messages (e.g., AllowedUserRoles, PasswordConfig) in src/api/v1/user/user.constant.ts and expanded Zod signup validation for required fields, password strength, URL and bio length checks in src/api/v1/user/user.validator.ts.
• Hardened auth logic: duplicate-email guard with 409 responses and 400s for validation errors in src/api/v1/user/user.controller.ts; bcrypt-based hashing with legacy argon2 fallback, sanitized user responses (hide password/api keys), and reusable sanitization in src/api/v1/user/user.utils.ts; createUser defaults for optional fields in src/api/v1/user/user.service.ts.
• Exposed the required POST /api/v1/auth/signup (and matching login alias) while keeping existing user routes in src/api/v1/user/user.routes.ts; adjusted signup tests to the new payload/endpoint and duplicate-email status in src/api/v1/user/test/user.test.ts.
• Added bcrypt runtime and types in [package.json:30-50]
• Closes Update Backend Auth Module for Signup Flow (Model, Controller, Validator, Types) #35

[gemini-code-assist]

Summary of Changes

Hello @youneedgreg, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a comprehensive overhaul of the backend authentication module, primarily focusing on the user signup and login processes. The changes aim to enhance data integrity, security, and API usability by expanding user profile fields, strengthening password management, implementing detailed input validation, and providing clearer error responses. The update also centralizes configuration for user-related settings and introduces new, more intuitive authentication endpoints.

Highlights

• Enhanced User Registration: The user registration flow has been significantly updated to include new required fields such as 'firstName', 'birthPlace', and 'location', along with optional fields like 'portfolioUrl' and 'bio'. The system now enforces role enums and includes timestamps for user records.
• Improved Authentication Security: Password hashing has been upgraded to use bcrypt, with argon2 retained as a fallback for backward compatibility during password verification. Sensitive user data, including passwords and API keys, is now consistently sanitized before being returned in responses.
• Robust Validation and Error Handling: Comprehensive Zod validation has been implemented for signup, covering new required fields, password strength, URL formats, and bio length. The API now returns specific 409 (Conflict) for duplicate email registrations and 400 (Bad Request) for validation errors.
• Centralized Configuration and New Endpoints: User-related constants, including allowed roles, password policies, and bio length limits, have been centralized. New API endpoints '/auth/signup' and '/auth/login' have been introduced as aliases for the existing user registration and login routes, respectively.
• Type and Test Updates: The 'IUser' interface and 'Request' user typing have been updated to reflect the new user model fields and partial user data handling. Corresponding unit tests for user registration have been adjusted to match the new payload, endpoint, and expected duplicate email status code.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly enhances the user signup flow by adding new user fields, strengthening validation with Zod, and improving security by migrating to bcrypt for password hashing. The introduction of a sanitizeUser utility is a great step towards centralizing logic and preventing data leaks.

My review focuses on ensuring the new changes integrate correctly with existing code. I've identified a critical issue where a change to the findById utility breaks other parts of the application. I've also pointed out some opportunities for code cleanup and clarification on a potential behavior change in the API response. Overall, these are solid improvements, and addressing the feedback will make the implementation more robust.

[gemini-code-assist]

Changing findById to return a sanitized user breaks existing functionality. For example, the getApiKey controller method calls findById and then accesses user.apikey. However, the new sanitizeUser function you've introduced explicitly deletes the apikey property. This will cause the getApiKey method to always fail by incorrectly throwing an API_KEY_NOT_FOUND error.

Additionally, the type assertion as IUser | null is incorrect because sanitizeUser returns a Partial<IUser>, hiding the issue from the TypeScript compiler.

A safer approach is to keep findById as a utility for fetching the complete user document and call sanitizeUser explicitly where needed (e.g., in the profile controller after fetching the user).

Suggested change

	return this.sanitizeUser(user) as IUser | null
	return user

[gemini-code-assist]

This if (!userObj) check is unreachable. The sanitizeUser function returns null only when its input user is null. However, there's a check on line 47 that throws an error if user is null. Therefore, user will always be a valid user object when sanitizeUser is called on line 65, and userObj will never be null. You can safely remove this redundant check to improve code clarity.

[gemini-code-assist]

The new sanitizeUser function is a great refactor to centralize sanitization logic. However, I noticed a change in behavior compared to the previous implementation. The old sanitization logic (e.g., in findUserByEmail) explicitly removed createdAt and updatedAt fields from the user object. The new sanitizeUser function does not.

Was it intentional to start exposing these timestamp fields in API responses? If not, you might want to add them to the list of deleted properties for consistency with the previous behavior.

[abhishek-nexgen-dev]

@youneedgreg