feat: email/password auth + QR-based developer profile sharing (#Dev-…#537
amritbej wants to merge 4 commits into
…Card)
## Summary
Implements full user authentication and dynamic QR-based developer profile
sharing for the DevCard platform.
## What's new
### Backend
- **Password auth** — `POST /auth/signup` and `POST /auth/login` using
Node.js built-in `crypto.scrypt` (zero new dependencies)
- **Zod validation** — email normalised to lowercase, username regex
`[A-Za-z0-9_-]{3,50}`, password min 8 chars
- **Atomic signup** — user + default Card created in a single Prisma
transaction; existing OAuth users unaffected (nullable `password_hash`)
- **Security** — `passwordHash` stripped from every API response
- **Migration** — `20260611120000_password_auth` adds nullable
`password_hash` column
- **Unit tests** — 4 tests: signup, login, duplicate-email 409,
wrong-password 401 (all pass)
### Frontend (SvelteKit)
- **`/signup`** — real-time username format hint, password strength bar
(Weak/Fair/Strong), red/green field borders, spinner on submit
- **`/login`** — friendly 'Email or password is incorrect' message
- **`/dashboard`** — JWT-authenticated page: edit display name, username,
bio, role, company, accent colour; add/edit/delete platform links (GitHub,
LinkedIn, Twitter/X, etc.); live QR code preview; one-click copy URL
- **Landing page** — Log in / Create card CTAs in nav
- **Public profile** (`/u/:username`) — display name now pure white with
accent-colour glow, @username handle shown, role badge and bio lifted
- **Vite dev proxy** — `/auth` and `/api` forwarded to backend; browser
uses relative URLs so no CORS issues
- **Bug fix** — `devcard/[id]/+page.server.ts`: catch variable was shadowing
the imported SvelteKit `error` helper
- **Bug fix** — Svelte 5 reactivity: `$derived` for profile/error props
- **Bug fix** — `apiClient.ts` extracts `details.fieldErrors` from zod
responses so users see exact field messages instead of 'Validation failed'
- **Bug fix** — signup submit was immediately returning because `canSubmit`
included `!loading`; fixed by separating `formValid` from loading state
## Test plan
- All 4 backend auth unit tests pass (`pnpm --filter @devcard/backend test`)
- `svelte-check` — 0 errors
- Manual E2E: signup → login → add links → public profile → QR code all work
Closes: email-auth, profile-management, QR-sharing
Someone is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel. A member of the Team first needs to authorize it.

Hi @amritbej, Thanks for opening this pull request. This PR has been automatically classified based on the files modified.
Applied Labels
Primary Review Area
Reviewer
@Harxhit has been identified as the primary reviewer for this pull request. If you have any questions regarding the affected area or implementation details, feel free to reach out to the assigned reviewer. Thank you for your contribution!

CI — Checks Failed
Backend — FAIL
Mobile — SKIP
Web — FAIL
Last updated:
…profile-sharing
# Conflicts:
#   apps/backend/src/routes/auth.ts
#   apps/web/src/lib/apiClient.ts
#   apps/web/src/routes/+page.svelte
#   apps/web/src/routes/devcard/[id]/+page.server.ts
#   apps/web/src/routes/u/[username]/+page.svelte
#   apps/web/vite.config.ts
@Harxhit, please review the PR.

These changes are not supposed to be for web. Closing this PR.

@ShantKhatri,

Should I resubmit as a backend-only PR (auth routes, password hashing, migration, tests with no frontend code)? Or should frontend work be tackled—separate PR or different tech stack? What to do??

Just BE changes with approval from @Harxhit. As we are expecting any feature of related to this issue in web.
## Summary
Implements email/password authentication and dynamic QR-based developer profile sharing for the DevCard platform. Users can sign up, log in, manage their social profile links from a dashboard, and share all their developer profiles through a single generated QR code that points to a public profile page.
Closes #117
## Type of Change
## What Changed
### Backend
- `apps/backend/prisma/schema.prisma` — added nullable `password_hash` field to `User` model
- `apps/backend/prisma/migrations/20260611120000_password_auth/migration.sql` — migration to add the column
- `apps/backend/src/utils/password.ts` — scrypt-based hash/verify using Node.js built-in `crypto` (zero new deps)
- `apps/backend/src/routes/auth.ts` — `POST /auth/signup` and `POST /auth/login` with zod schema validation; signup atomically creates `User` + default `Card` in one Prisma transaction
- `apps/backend/src/utils/validators.ts` — `signupSchema` and `loginSchema` (email lowercased, username regex, password min 8 chars)
- `apps/backend/src/services/profileService.ts` — strips `passwordHash` from all profile API responses
- `apps/backend/src/__tests__/auth.test.ts` — 4 unit tests: signup, login, duplicate email → 409, wrong password → 401
### Frontend (SvelteKit)
- `apps/web/vite.config.ts` — Vite dev proxy: `/auth` and `/api` forwarded to backend, eliminating all CORS issues in development
- `apps/web/src/lib/apiClient.ts` — browser uses relative URLs (through proxy); extracts `details.fieldErrors` from zod error responses so users see e.g. `"password: must be at least 8 characters"` not `"Validation failed"`
- `apps/web/src/lib/auth.ts` — `signup()`, `login()`, `logout()` helpers, localStorage JWT store
- `apps/web/src/routes/signup/+page.svelte` — signup form with real-time username hint (blur), password strength bar (Weak/Fair/Strong), red/green field borders, loading spinner, `formValid` guard decoupled from `loading` state
- `apps/web/src/routes/login/+page.svelte` — login form with friendly error message, loading spinner
- `apps/web/src/routes/dashboard/+page.svelte` — JWT-authenticated profile editor: display name, username, bio, role, company, accent colour; add/edit/delete platform links (GitHub, LinkedIn, Twitter/X, etc.); live QR code `<img>` preview; one-click copy of public URL
- `apps/web/src/routes/+page.svelte` — added Log in / Create card links to landing nav
- `apps/web/src/routes/u/[username]/+page.svelte` — display name now pure white (`#ffffff`) with accent-colour `text-shadow` glow; `@username` handle shown below name; role badge and bio text lifted to proper contrast
## How to Test
- `docker start devcard-postgres devcard-redis`
- `cd apps/backend && DATABASE_URL="..." npx prisma migrate deploy`
- `pnpm --filter @devcard/backend dev` → runs on `http://localhost:3000`
- `pnpm --filter @devcard/web dev` → runs on `http://localhost:5173`
- `http://localhost:5173/signup` → create an account (username: letters/numbers/`_`/`-` only, password: min 8 chars)
- `/dashboard` → add GitHub, LinkedIn, Twitter links; set bio and accent colour
- `/u/<username>` public profile showing all links
- `/login`, log back in → redirected to dashboard
- `pnpm --filter @devcard/backend test` → 4/4 pass
- `pnpm --filter @devcard/web check` → 0 errors
## Checklist
- `pnpm -r run lint` passes).
- `pnpm --filter @devcard/web check` → 0 errors).
- `pnpm --filter @devcard/backend test` → 4/4 pass).
- `console.log` or debug statements left in the code.
- `password_hash` is nullable so existing OAuth users are unaffected.)
## Screenshots / Recordings
## Additional Context
- `crypto.scrypt`
- `password_hash` column is nullable; existing GitHub/Google OAuth users have `null` and are unaffected
- `PUBLIC_API_URL` env var should be set)
- `localStorage` — a future improvement would be to move to `httpOnly` cookies for better XSS protection
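
An added example, not the PR's `apps/backend/src/utils/password.ts`: one way to write the scrypt hash/verify the description refers to, with a login path that fails closed for OAuth-only users whose `password_hash` is `null` and never returns the hash. The cost parameters, the `$`-separated storage format, the `login` helper and the in-memory `Map` standing in for the `User` table are assumptions made for illustration.

```javascript
// Added example: not the PR's apps/backend/src/utils/password.ts.
const { randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// Assumed cost parameters (the PR does not state its own); stored in each hash
// string so they can be raised later without invalidating old rows.
const PARAMS = { N: 16384, r: 8, p: 1, keyLen: 32 };
const MAXMEM = 64 * 1024 * 1024; // hard ceiling on scrypt memory, also on verify

function hashPassword(password) {
  const salt = randomBytes(16); // fresh random salt per password
  const { N, r, p, keyLen } = PARAMS;
  const key = scryptSync(password, salt, keyLen, { N, r, p, maxmem: MAXMEM });
  return ['scrypt', N, r, p, salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyPassword(password, stored) {
  // OAuth-only users have password_hash = NULL: fail closed instead of throwing.
  if (typeof password !== 'string' || typeof stored !== 'string') return false;
  const parts = stored.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (salt.length === 0 || expected.length === 0) return false;
  try {
    const actual = scryptSync(password, salt, expected.length, { N, r, p, maxmem: MAXMEM });
    return timingSafeEqual(actual, expected); // constant-time comparison
  } catch {
    return false; // corrupted or out-of-range parameters in the stored row
  }
}

// Constructed throwaway hash so unknown emails still cost one scrypt run.
const DUMMY_HASH = hashPassword(randomBytes(16).toString('hex'));

// Hypothetical login helper; `users` is a Map standing in for the User table.
function login(users, email, password) {
  const user = users.get(email.toLowerCase());
  const ok = verifyPassword(password, (user && user.passwordHash) || DUMMY_HASH);
  if (!user || !user.passwordHash || !ok) {
    return { status: 401, body: { error: 'Email or password is incorrect' } };
  }
  const { passwordHash, ...safeUser } = user; // never return the hash
  return { status: 200, body: { user: safeUser } };
}
```

Unknown email, OAuth-only account and wrong password all return the same 401 after one scrypt computation, so neither the response body nor its timing tells a caller which case occurred.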