Task

[Augustwise]

You can test the app here: https://node-auth-app-three.vercel.app/
The frontend has been deployed to Vercel, and the backend is hosted on my own Linux server.
I also used my domain superrobot.digital and Nginx to ensure the backend worked properly

For the first time ever, I tried using https://neon.com/ as a database (since it was built into Vercel). I think it’s a handy tool, but I’m not sure about the pricing—I need to look into that in more detail.

[mateacademy-ai-mentor]

Review Summary

I am requesting changes because there are two critical requirement violations that affect core functionality and access control. First, your backend routes for POST /register and POST /login in src/backend/src/routes/auth.routes.js are not protected by guestOnlyMiddleware, even though the specification requires registration and login to be available only to non‑authenticated users; this means authenticated users can still call these endpoints, which breaks that requirement. Second, there is no server-side logout endpoint at all, while the task explicitly requires a logout action that is only possible for authenticated users and results in redirecting back to the login page; you should add a route like POST /logout protected by authMiddleware that destroys any server session state (e.g., req.session.destroy(...)) and lets the frontend redirect to /login.

Aside from these, your implementation is strong: registration, activation, login checks for activation, password reset flows, profile updates, email-change confirmation/notification, and GitHub OAuth are all well structured and align with the task. As smaller improvements (not blockers), consider adding a guard in saveSession (in auth.controller.js) to handle missing req.session, validating required JWT and mail environment variables at startup, and optionally providing a dev/test mail transport so email flows don’t crash when SMTP credentials aren’t configured. Once you add guest-only protection to register/login and implement the protected logout endpoint, your solution will meet the critical checklist items and should be ready to pass.

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

The auth controller's methods assume guest-only vs authenticated access is enforced by route middlewares, but in auth.routes.js I see /register and /login are not using guestOnlyMiddleware here. Ensure these routes are protected so only non-authenticated users can call them, as required by the task: "Register... only non‑authenticated" and "Login... only non‑authenticated".

[mateacademy-ai-mentor]

activate redirects client to the frontend activation page; requirement: "The application must provide an activation page that is accessible only for non‑authenticated users." Ensure the frontend activation page enforces guest-only access (client-side hook exists) and that server-side route is accessible without auth — this code is fine but confirm frontend protects it. If activation page must be server-protected for guests only, add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

login returns a JWT but does not set any session state; this is fine if client stores token. Requirement: "If a user attempts to log in and is not active, the application must ask them to activate their email." The authService.login already checks activationToken and throws unauthorized with message about activation, so controller will propagate this — good. Just ensure client displays that message.

[mateacademy-ai-mentor]

requestPasswordReset and resetPassword are implemented and return appropriate messages. Ensure frontend password reset flow includes the Reset Password confirmation page with password and confirmation fields that must be equal — backend resetPassword only accepts token and password; front-end enforces confirmation equality, which meets requirement. No server changes required here.

[mateacademy-ai-mentor]

confirmEmailChange verifies token and redirects to client activation with flow=email-change. Requirement: "To change an email, the user should type the password, confirm the new email and notify the old email about the change." The user.service.requestEmailChange and confirmEmailChange handle this (sending confirmation and notification). Controller simply redirects after confirmation — good.

[mateacademy-ai-mentor]

GitHub OAuth flow saves state in express-session (req.session.githubAuth). app.js configures express-session and passport.initialize(), but I don't see passport.session() used — since authenticate is called with session:false and session data is stored manually in req.session, this is acceptable. However if you expect passport to restore session from serializeUser/deserializeUser add passport.session() and corresponding serialization. Currently the flow uses req.session and saveSession/destroySession helpers — works as implemented.

[mateacademy-ai-mentor]

githubAuthenticate uses passport.authenticate with state:true. passport-github2 will expect the OAuth flow state to be handled; because you persist intent in req.session and then call /auth/github which triggers OAuth redirect, ensure session cookie is set and sent during provider redirect/callback (express-session cookie settings are present). Note cookie.secure is tied to NODE_ENV; for dev ensure secure:false so session persists across redirects.

[mateacademy-ai-mentor]

githubCallback handles both link and authenticate flows, finalizes via finalizeGitHubAuthentication and redirects client with accessToken in URL. This meets optional Passport.js requirement. One note: buildClientRedirect sets params only when value truthy; if accessToken is an empty string (null in link flow) it won't add — expected. No change required here.

[mateacademy-ai-mentor]

The auth controller's GitHub start endpoints set req.session.githubAuth and call saveSession which uses req.session.save. However, in app.js you only call passport.initialize() and did not call passport.session(). If your flow relies on express-session (req.session) it's fine, but be aware Passport session middleware is separate. If you intended to use passport sessions for persistent login state, add app.use(passport.session()) after session middleware in app.js.

[mateacademy-ai-mentor]

activate and confirmEmailChange build a client redirect with an access token and redirect to the frontend activation page. This exposes an access token in the URL query string. While it works, consider returning the token in a POST response or using a short lived token (you already do) and documenting this behavior; ensure CLIENT handles storing it securely. (Not a functional bug but important security note.)

[mateacademy-ai-mentor]

In register, login, requestPasswordReset and resetPassword handlers you accept request body values without trimming (except handled later in services). Validation is performed in service layer, which is fine, but ensure frontend and backend validation align. No change required if services enforce validation (they do).

[mateacademy-ai-mentor]

authMiddleware expects an Authorization header with Bearer token. However many frontend requests use access token stored in localStorage and set Authorization header in api.request; this is consistent. Ensure any requests relying on cookie-based session authentication use appropriate middleware — currently API uses bearer JWT, not session auth.

[mateacademy-ai-mentor]

The errorMiddleware correctly serializes ApiError instances. Consider including stack trace in non-production environments for easier debugging, but not required by task.

[mateacademy-ai-mentor]

The middleware logs unexpected errors to stderr then sends generic 500 response. This behavior is appropriate; ensure sensitive error details are not leaked to clients (current code does not leak them).

[mateacademy-ai-mentor]

The error middleware returns ApiError errors property even when it's empty. That's fine. No functional issues found here.

[mateacademy-ai-mentor]

The task requires that registration and login be available only to non-authenticated users. In auth.routes.js the POST /register and POST /login routes are not protected by guestOnlyMiddleware. Add guestOnlyMiddleware to these routes so authenticated users cannot access them (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

The task requires logout that is only possible for authenticated users and redirects to login after logging out. I couldn't find any server-side logout route in the backend files. Consider adding a DELETE/POST /logout route protected by authMiddleware that destroys server session if used and returns 204; the frontend currently clears local token client-side but an explicit server endpoint is needed if using server sessions.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware rely solely on Authorization: Bearer header. The frontend stores access token in localStorage and sets Authorization header in requests — this is consistent. However, some GitHub flows depend on express-session cookies (req.session.githubAuth). Ensure CORS credentials and cookie settings (in app.js session cookie and cors) allow session cookie on OAuth redirects (cookie.secure tied to NODE_ENV and sameSite: 'lax' may block cross-site POSTs in some browsers). This is operational guidance to ensure GitHub link/auth flows work.

[mateacademy-ai-mentor]

The middleware correctly returns ApiError for ApiError instances and logs other errors. However, it exposes full error via process.stderr.write(${error}\n), which is fine for logs but ensure sensitive info isn't logged in production. (Informational)

[mateacademy-ai-mentor]

guestOnlyMiddleware inspects Authorization header to determine signed-in state. This approach works but relies solely on Authorization header; if the client uses cookie-based sessions, guestOnlyMiddleware won't detect them. Given the app uses JWT bearer tokens in API calls, this is acceptable. Consider documenting that guestOnly applies to Bearer-authenticated requests only.

[mateacademy-ai-mentor]

In guestOnlyMiddleware, the middleware calls next() in multiple branches and finally next(ApiError.badRequest(...)). Behavior is correct, but you may simplify flow for clarity. No functional change required.

[mateacademy-ai-mentor]

Apply guestOnlyMiddleware to POST /register so only non-authenticated users can register. Add it similarly to POST /login. Currently both routes are unprotected which violates requirement: "Register ... (only non authenticated)" and "Login ... (only non authenticated)".

[mateacademy-ai-mentor]

Consider adding a server-side logout route protected by authMiddleware (e.g., POST/DELETE /logout) that destroys server session and/or informs client. The task requires "Logout (only authenticated)" and redirect to login after logging out. Currently there's no backend logout endpoint; frontend clears localStorage but server session destroy may be needed if sessions are used for OAuth flows.

[mateacademy-ai-mentor]

Routes for password reset and activation are correctly protected with guestOnlyMiddleware where appropriate; ensure frontend flows use these (they do). No further route changes required beyond adding guestOnlyMiddleware to register/login.

[mateacademy-ai-mentor]

In auth.routes.js, POST /register and POST /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only for non‑authenticated users — add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add an authenticated endpoint (e.g., POST/DELETE /logout) protected by authMiddleware that destroys server session (if any) and responds so frontend can redirect to /login.

[mateacademy-ai-mentor]

guestOnlyMiddleware determines guest status by checking Authorization header for a Bearer token. This matches frontend API usage which sets Authorization when access token exists. Ensure all guest-only pages/routes (frontend) also use the client-side guest check so UX matches server constraints. (Informational)

[mateacademy-ai-mentor]

GitHub OAuth start endpoints save flow state to req.session.githubAuth. Ensure express-session cookie settings and CORS credentials (configured in app.js) allow the session cookie to be sent during OAuth provider redirects; otherwise session state may be lost on callback. Confirm cookie.secure and sameSite settings are appropriate for your deployment. (Operational)

[mateacademy-ai-mentor]

In auth.routes.js POST /register and POST /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only for non‑authenticated users. Add guestOnlyMiddleware to these routes, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register) and similarly for /login.

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout only for authenticated users and redirect to login after logging out. Implement a protected endpoint (e.g., POST or DELETE /logout) that uses authMiddleware and destroys server session (req.session.destroy) and/or informs client to clear token. Frontend should call it and then redirect to /login.

[mateacademy-ai-mentor]

In auth.routes.js POST /register and /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only to non‑authenticated users. Add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout be available only for authenticated users and redirect to login after logging out. Add a logout endpoint (protected by authMiddleware) that destroys session (if used) and/or advises frontend to clear token, then returns 204 or a JSON response. Frontend should call it and redirect to /login.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header (Bearer token). This matches the frontend which sets the header from localStorage, but the GitHub OAuth flows rely on express-session cookies. Ensure CORS and session cookie settings allow the session cookie across the OAuth redirect (sameSite, secure and credentials settings). This is operational guidance to avoid losing OAuth flow state.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without checking if req.session exists. Given express-session is configured this should be fine, but add a guard if (!req.session) return Promise.resolve(); for extra robustness.

[mateacademy-ai-mentor]

Activation and email-change redirects include the access token in the URL query string. This works with the frontend ActivationPage which reads and stores the token, but exposing tokens in query params can leak them via referer or browser history. You already issue short-lived tokens; consider documenting this behavior or switching to a fragment/hash or POST if stricter security is desired.

[mateacademy-ai-mentor]

POST /register and POST /login in auth.routes.js are not protected by guestOnlyMiddleware. The task requires registration and login to be available only to non‑authenticated users. Add guestOnlyMiddleware to these routes, e.g. authRouter.post('/register', guestOnlyMiddleware, authController.register) and similarly for /login.

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout (only authenticated) and redirect to login after logging out. Add a protected logout endpoint (e.g., POST or DELETE /logout) using authMiddleware that destroys the server session (if used) and returns success so the frontend can clear token and redirect to /login.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without checking if req.session exists. Express-session is configured so this is unlikely, but guarding if (!req.session) return Promise.resolve(); would make it more robust.

[mateacademy-ai-mentor]

Activation and email-change callbacks redirect to the frontend with an access token in the URL query. Frontend ActivationPage consumes this token. Note: exposing tokens in query strings can leak them via referer/history; you already issue short-lived tokens, but consider documenting this design or using a fragment/hash or POST if stricter protection is desired.

[mateacademy-ai-mentor]

In jwt.service.js, sign and verification functions use environment secrets (e.g., process.env.JWT_ACCESS_SECRET) without fallback to a default value. If these env vars are missing, jwt.sign will throw. Consider validating required secrets at startup or providing clearer errors. This is important because many flows depend on JWT operations (access, email-change, password-reset).

[mateacademy-ai-mentor]

In mail.service.js getTransport throws if MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development/tests this will break registration/password reset flows that send emails. Consider adding a noop transport or a clear error message indicating emails are disabled in non-production. (Informational but can block local testing)

[mateacademy-ai-mentor]

In socialAccount.service.removeByUserAndProvider you prevent removing the last sign-in method when user has no password. This enforces safety for social-account-only accounts — it matches requirements to require setting a password before removing only social sign-in. Good.

[mateacademy-ai-mentor]

POST /register is currently unprotected. The task requires registration be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.:
authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

POST /login is currently unprotected. The task requires login be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.:
authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout (only authenticated) and redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys the session (if any) and returns success so the frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

GitHub OAuth flows rely on express-session cookie persistence across provider redirects (req.session.githubAuth). Ensure CORS and session cookie settings allow the cookie on the OAuth callback (app.js sets credentials:true and session cookie sameSite:'lax' — verify this works in your deployment). If cookies are lost, OAuth flow may fallback to authenticate intent.

[mateacademy-ai-mentor]

auth.routes.js: POST /register and POST /login are not using guestOnlyMiddleware. The task requires registration and login to be available only for non‑authenticated users — add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

No logout route exists in auth.routes.js or controllers. The task requires logout only for authenticated users and redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without guarding for missing req.session. Express-session is configured, but for robustness consider adding if (!req.session) return Promise.resolve(); at start of saveSession to avoid potential runtime errors.

[mateacademy-ai-mentor]

GitHub OAuth flows store intent in req.session.githubAuth. Ensure express-session cookie settings and CORS (credentials: true) permit the session cookie to be sent across OAuth redirects; otherwise session state may be lost on callback and flow will fallback. Verify sameSite/secure in production.

[mateacademy-ai-mentor]

jwt.service.js: signing functions use environment variables directly (e.g., process.env.JWT_ACCESS_SECRET). If these are undefined, jwt.sign will throw. Ensure required JWT secrets are set in env for production. Consider validating presence at startup or providing clearer errors.

[mateacademy-ai-mentor]

mail.service.js: getTransport throws if GMAIL_USER / GMAIL_APP_PASSWORD missing. For development/testing consider a noop/mock transport to avoid runtime failures when sending emails is not configured.

[mateacademy-ai-mentor]

guestOnlyMiddleware determines guest status solely from Authorization: Bearer header. This is consistent with frontend using bearer tokens. If you later support cookie/session auth for API calls, update this middleware to detect that too. For current app behavior no change required.

[mateacademy-ai-mentor]

socialAccount.model.js: indexes reference physical column names via field mappings (e.g., providerId, user_id). Ensure DB migrations/schema use the same column names so uniqueness indexes are applied correctly. This is informational — model is consistent as written.

[mateacademy-ai-mentor]

POST /register is currently unprotected. The task requires registration be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.:
authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

POST /login is currently unprotected. The task requires login be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.:
authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

auth.routes.js: POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only for non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

auth.routes.js: POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only for non‑authenticated users. Add guestOnlyMiddleware to this route as well: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

jwt.service.js: JWT signing functions rely on environment secrets (e.g., JWT_ACCESS_SECRET) and will throw if missing. To avoid runtime failures, validate required JWT secrets at startup or provide clearer errors. This impacts activation/login/password-reset flows which depend on JWTs.

[mateacademy-ai-mentor]

mail.service.js: getTransport throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development or tests this will break flows that send emails (registration, password reset). Consider providing a development/noop transport (or Ethereal) to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

POST /register is currently unprotected. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

POST /login is currently unprotected. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

The GitHub OAuth flow stores intent in req.session.githubAuth. Ensure express-session cookie and CORS settings allow the session cookie to be sent during provider redirect and callback (app.js sets credentials: true and session cookie sameSite:'lax'). If the session cookie is lost on callback, the OAuth flow may fallback to authenticate intent — verify this in integration tests.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets (e.g., JWT_ACCESS_SECRET). If these are missing jwt.sign will throw. Consider validating required JWT env vars at startup and providing clear errors to avoid runtime failures for token operations used across many flows.

[mateacademy-ai-mentor]

mail.service.js throws when MAIL or GMAIL env vars are missing, which will break registration/password-reset flows during development. Consider adding a development/noop transport or using a test SMTP provider to avoid runtime failures when email credentials are not configured.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /register so only non-authenticated users can register. For example: authRouter.post('/register', guestOnlyMiddleware, authController.register); This is required by the task.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /login so only non-authenticated users can log in. For example: authRouter.post('/login', guestOnlyMiddleware, authController.login); This is required by the task.

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and redirect to /login.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets such as JWT_ACCESS_SECRET. If these env vars are missing jwt.sign will throw. Validate required JWT secrets at startup or provide clear errors to avoid runtime failures in token operations (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js throws when mail credentials are missing (GMAIL_USER / GMAIL_APP_PASSWORD). During development/tests this will break flows that send emails. Consider adding a development/noop transport or using an Ethereal account for local testing to avoid runtime exceptions.

[mateacademy-ai-mentor]

Review Summary

I am requesting changes because a few checklist-level requirements are not yet enforced on the backend, even though the overall implementation is otherwise strong and feature-complete.

Critical issues that must be fixed (blockers):

1. Guest-only protection on auth routes: In src/backend/src/routes/auth.routes.js, the routes POST /register and POST /login (around lines 9–11) are currently unguarded. The task explicitly requires that registration and login be available only to non‑authenticated users, so you need to insert guestOnlyMiddleware before the controllers for both of these routes (e.g. authRouter.post('/register', guestOnlyMiddleware, authController.register)). Similarly, GET /activate/:hash (around line 38) must be available only to guests; wrap that route with guestOnlyMiddleware as well.
2. Missing server-side logout endpoint: The requirements state that logout must be available only for authenticated users and redirect to the login page after logging out, but there is no backend logout route. Add an authenticated endpoint such as POST /logout in auth.routes.js, protect it with authMiddleware, and in its controller destroy the server session (using your existing session helper or req.session.destroy) so the frontend can call it, then clear the token and navigate to /login.

Important to verify (may also be a blocker if incomplete):
3. Email-change initiation behavior: user.controller.changeEmail delegates to userService.requestEmailChange; per the checklist, this flow must (a) verify the current password, (b) create an email-change token with jwtService.signEmailChangeToken, (c) send a confirmation link to the new email using mailService.sendEmailChangeConfirmation, and (d) notify the old email using mailService.sendEmailChangeNotification. Please ensure this service method exists and performs all these steps; if it’s missing or partial, implement the missing pieces.

Everything else—registration, activation, login, password reset, profile updates, and GitHub OAuth—is very well structured and aligns closely with the requirements. Once you add the guest-only guards, the logout route, and confirm the email-change initiation logic, your solution will fully meet the task’s standards.

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

authMiddleware expects an Authorization header with Bearer token. However many frontend requests use access token stored in localStorage and set Authorization header in api.request; this is consistent. Ensure any requests relying on cookie-based session authentication use appropriate middleware — currently API uses bearer JWT, not session auth.

[mateacademy-ai-mentor]

The middleware correctly returns ApiError for ApiError instances and logs other errors. However, it exposes full error via process.stderr.write(${error}\n), which is fine for logs but ensure sensitive info isn't logged in production. (Informational)

[mateacademy-ai-mentor]

guestOnlyMiddleware inspects Authorization header to determine signed-in state. This approach works but relies solely on Authorization header; if the client uses cookie-based sessions, guestOnlyMiddleware won't detect them. Given the app uses JWT bearer tokens in API calls, this is acceptable. Consider documenting that guestOnly applies to Bearer-authenticated requests only.

[mateacademy-ai-mentor]

In guestOnlyMiddleware, the middleware calls next() in multiple branches and finally next(ApiError.badRequest(...)). Behavior is correct, but you may simplify flow for clarity. No functional change required.

[mateacademy-ai-mentor]

In auth.routes.js POST /register and /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only to non‑authenticated users. Add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout be available only for authenticated users and redirect to login after logging out. Add a logout endpoint (protected by authMiddleware) that destroys session (if used) and/or advises frontend to clear token, then returns 204 or a JSON response. Frontend should call it and redirect to /login.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header (Bearer token). This matches the frontend which sets the header from localStorage, but the GitHub OAuth flows rely on express-session cookies. Ensure CORS and session cookie settings allow the session cookie across the OAuth redirect (sameSite, secure and credentials settings). This is operational guidance to avoid losing OAuth flow state.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without checking if req.session exists. Given express-session is configured this should be fine, but add a guard if (!req.session) return Promise.resolve(); for extra robustness.

[mateacademy-ai-mentor]

Activation and email-change redirects include the access token in the URL query string. This works with the frontend ActivationPage which reads and stores the token, but exposing tokens in query params can leak them via referer or browser history. You already issue short-lived tokens; consider documenting this behavior or switching to a fragment/hash or POST if stricter security is desired.

[mateacademy-ai-mentor]

auth.routes.js: POST /register and POST /login are not using guestOnlyMiddleware. The task requires registration and login to be available only for non‑authenticated users — add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

No logout route exists in auth.routes.js or controllers. The task requires logout only for authenticated users and redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without guarding for missing req.session. Express-session is configured, but for robustness consider adding if (!req.session) return Promise.resolve(); at start of saveSession to avoid potential runtime errors.

[mateacademy-ai-mentor]

GitHub OAuth flows store intent in req.session.githubAuth. Ensure express-session cookie settings and CORS (credentials: true) permit the session cookie to be sent across OAuth redirects; otherwise session state may be lost on callback and flow will fallback. Verify sameSite/secure in production.

[mateacademy-ai-mentor]

jwt.service.js: signing functions use environment variables directly (e.g., process.env.JWT_ACCESS_SECRET). If these are undefined, jwt.sign will throw. Ensure required JWT secrets are set in env for production. Consider validating presence at startup or providing clearer errors.

[mateacademy-ai-mentor]

mail.service.js: getTransport throws if GMAIL_USER / GMAIL_APP_PASSWORD missing. For development/testing consider a noop/mock transport to avoid runtime failures when sending emails is not configured.

[mateacademy-ai-mentor]

guestOnlyMiddleware determines guest status solely from Authorization: Bearer header. This is consistent with frontend using bearer tokens. If you later support cookie/session auth for API calls, update this middleware to detect that too. For current app behavior no change required.

[mateacademy-ai-mentor]

socialAccount.model.js: indexes reference physical column names via field mappings (e.g., providerId, user_id). Ensure DB migrations/schema use the same column names so uniqueness indexes are applied correctly. This is informational — model is consistent as written.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /register so only non-authenticated users can register. For example: authRouter.post('/register', guestOnlyMiddleware, authController.register); This is required by the task.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /login so only non-authenticated users can log in. For example: authRouter.post('/login', guestOnlyMiddleware, authController.login); This is required by the task.

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and redirect to /login.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets such as JWT_ACCESS_SECRET. If these env vars are missing jwt.sign will throw. Validate required JWT secrets at startup or provide clear errors to avoid runtime failures in token operations (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js throws when mail credentials are missing (GMAIL_USER / GMAIL_APP_PASSWORD). During development/tests this will break flows that send emails. Consider adding a development/noop transport or using an Ethereal account for local testing to avoid runtime exceptions.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect Authorization Bearer header (JWT). This matches frontend api.ts that sets the header. If you later support cookie/session auth for API calls, update these middlewares accordingly. No change required now.

[mateacademy-ai-mentor]

In auth.routes.js, POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non-authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In auth.routes.js, POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non-authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets (e.g., JWT_ACCESS_SECRET). If these are missing, jwt.sign will throw at runtime. Consider validating required JWT env vars at startup and providing clear error messages to avoid runtime failures across flows that depend on JWTs (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js: getTransport throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development or tests this will break email-dependent flows (registration, password reset). Consider adding a development/noop transport (or Ethereal) to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header for a Bearer token, which matches the frontend api.ts behavior. If you later support cookie/session-based API auth, update these middlewares accordingly. (No change required now.)

[mateacademy-ai-mentor]

auth.routes.js: POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

auth.routes.js: POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

Review Summary

I am requesting changes because a few checklist-level requirements are not yet enforced on the backend, even though the overall implementation is otherwise strong and feature-complete.

Critical issues that must be fixed (blockers):

1. Guest-only protection on auth routes: In src/backend/src/routes/auth.routes.js, the routes POST /register and POST /login (around lines 9–11) are currently unguarded. The task explicitly requires that registration and login be available only to non‑authenticated users, so you need to insert guestOnlyMiddleware before the controllers for both of these routes (e.g. authRouter.post('/register', guestOnlyMiddleware, authController.register)). Similarly, GET /activate/:hash (around line 38) must be available only to guests; wrap that route with guestOnlyMiddleware as well.
2. Missing server-side logout endpoint: The requirements state that logout must be available only for authenticated users and redirect to the login page after logging out, but there is no backend logout route. Add an authenticated endpoint such as POST /logout in auth.routes.js, protect it with authMiddleware, and in its controller destroy the server session (using your existing session helper or req.session.destroy) so the frontend can call it, then clear the token and navigate to /login.

Important to verify (may also be a blocker if incomplete):
3. Email-change initiation behavior: user.controller.changeEmail delegates to userService.requestEmailChange; per the checklist, this flow must (a) verify the current password, (b) create an email-change token with jwtService.signEmailChangeToken, (c) send a confirmation link to the new email using mailService.sendEmailChangeConfirmation, and (d) notify the old email using mailService.sendEmailChangeNotification. Please ensure this service method exists and performs all these steps; if it’s missing or partial, implement the missing pieces.

Everything else—registration, activation, login, password reset, profile updates, and GitHub OAuth—is very well structured and aligns closely with the requirements. Once you add the guest-only guards, the logout route, and confirm the email-change initiation logic, your solution will fully meet the task’s standards.

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

authMiddleware expects an Authorization header with Bearer token. However many frontend requests use access token stored in localStorage and set Authorization header in api.request; this is consistent. Ensure any requests relying on cookie-based session authentication use appropriate middleware — currently API uses bearer JWT, not session auth.

[mateacademy-ai-mentor]

The middleware correctly returns ApiError for ApiError instances and logs other errors. However, it exposes full error via process.stderr.write(${error}\n), which is fine for logs but ensure sensitive info isn't logged in production. (Informational)

[mateacademy-ai-mentor]

guestOnlyMiddleware inspects Authorization header to determine signed-in state. This approach works but relies solely on Authorization header; if the client uses cookie-based sessions, guestOnlyMiddleware won't detect them. Given the app uses JWT bearer tokens in API calls, this is acceptable. Consider documenting that guestOnly applies to Bearer-authenticated requests only.

[mateacademy-ai-mentor]

In guestOnlyMiddleware, the middleware calls next() in multiple branches and finally next(ApiError.badRequest(...)). Behavior is correct, but you may simplify flow for clarity. No functional change required.

[mateacademy-ai-mentor]

In auth.routes.js POST /register and /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only to non‑authenticated users. Add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout be available only for authenticated users and redirect to login after logging out. Add a logout endpoint (protected by authMiddleware) that destroys session (if used) and/or advises frontend to clear token, then returns 204 or a JSON response. Frontend should call it and redirect to /login.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header (Bearer token). This matches the frontend which sets the header from localStorage, but the GitHub OAuth flows rely on express-session cookies. Ensure CORS and session cookie settings allow the session cookie across the OAuth redirect (sameSite, secure and credentials settings). This is operational guidance to avoid losing OAuth flow state.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without checking if req.session exists. Given express-session is configured this should be fine, but add a guard if (!req.session) return Promise.resolve(); for extra robustness.

[mateacademy-ai-mentor]

Activation and email-change redirects include the access token in the URL query string. This works with the frontend ActivationPage which reads and stores the token, but exposing tokens in query params can leak them via referer or browser history. You already issue short-lived tokens; consider documenting this behavior or switching to a fragment/hash or POST if stricter security is desired.

[mateacademy-ai-mentor]

auth.routes.js: POST /register and POST /login are not using guestOnlyMiddleware. The task requires registration and login to be available only for non‑authenticated users — add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

No logout route exists in auth.routes.js or controllers. The task requires logout only for authenticated users and redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without guarding for missing req.session. Express-session is configured, but for robustness consider adding if (!req.session) return Promise.resolve(); at start of saveSession to avoid potential runtime errors.

[mateacademy-ai-mentor]

GitHub OAuth flows store intent in req.session.githubAuth. Ensure express-session cookie settings and CORS (credentials: true) permit the session cookie to be sent across OAuth redirects; otherwise session state may be lost on callback and flow will fallback. Verify sameSite/secure in production.

[mateacademy-ai-mentor]

jwt.service.js: signing functions use environment variables directly (e.g., process.env.JWT_ACCESS_SECRET). If these are undefined, jwt.sign will throw. Ensure required JWT secrets are set in env for production. Consider validating presence at startup or providing clearer errors.

[mateacademy-ai-mentor]

mail.service.js: getTransport throws if GMAIL_USER / GMAIL_APP_PASSWORD missing. For development/testing consider a noop/mock transport to avoid runtime failures when sending emails is not configured.

[mateacademy-ai-mentor]

guestOnlyMiddleware determines guest status solely from Authorization: Bearer header. This is consistent with frontend using bearer tokens. If you later support cookie/session auth for API calls, update this middleware to detect that too. For current app behavior no change required.

[mateacademy-ai-mentor]

socialAccount.model.js: indexes reference physical column names via field mappings (e.g., providerId, user_id). Ensure DB migrations/schema use the same column names so uniqueness indexes are applied correctly. This is informational — model is consistent as written.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /register so only non-authenticated users can register. For example: authRouter.post('/register', guestOnlyMiddleware, authController.register); This is required by the task.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /login so only non-authenticated users can log in. For example: authRouter.post('/login', guestOnlyMiddleware, authController.login); This is required by the task.

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and redirect to /login.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets such as JWT_ACCESS_SECRET. If these env vars are missing jwt.sign will throw. Validate required JWT secrets at startup or provide clear errors to avoid runtime failures in token operations (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js throws when mail credentials are missing (GMAIL_USER / GMAIL_APP_PASSWORD). During development/tests this will break flows that send emails. Consider adding a development/noop transport or using an Ethereal account for local testing to avoid runtime exceptions.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect Authorization Bearer header (JWT). This matches frontend api.ts that sets the header. If you later support cookie/session auth for API calls, update these middlewares accordingly. No change required now.

[mateacademy-ai-mentor]

In auth.routes.js, POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non-authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In auth.routes.js, POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non-authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets (e.g., JWT_ACCESS_SECRET). If these are missing, jwt.sign will throw at runtime. Consider validating required JWT env vars at startup and providing clear error messages to avoid runtime failures across flows that depend on JWTs (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js: getTransport throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development or tests this will break email-dependent flows (registration, password reset). Consider adding a development/noop transport (or Ethereal) to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header for a Bearer token, which matches the frontend api.ts behavior. If you later support cookie/session-based API auth, update these middlewares accordingly. (No change required now.)

[mateacademy-ai-mentor]

auth.routes.js: POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

auth.routes.js: POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

There is no server-side logout route in the backend. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys the server session (if any) and returns success so the frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets (e.g., JWT_ACCESS_SECRET). If these are missing, jwt.sign will throw. Consider validating required JWT env vars at startup and providing clear errors to avoid runtime failures in flows that depend on JWTs (activation, password-reset, email-change).

[mateacademy-ai-mentor]

mail.service.js: getTransport throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development/tests this will break email-dependent flows (registration, password reset). Consider adding a development/noop transport (or Ethereal) to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /register route is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /login route is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

src/backend/src/services/jwt.service.js relies on environment JWT secrets (e.g., JWT_ACCESS_SECRET). If these env vars are missing jwt.sign will throw. Consider validating required JWT env vars at startup and providing clear errors to avoid runtime failures in flows that use tokens (activation, password-reset, email-change).

[mateacademy-ai-mentor]

src/backend/src/services/mail.service.js throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development/tests this will break registration/password-reset flows that send emails. Consider adding a development/noop transport (or Ethereal) or handling missing creds gracefully in non-production to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /register route is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /login route is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

Password reset endpoints (/password-reset and /password-reset/confirm) are correctly using guestOnlyMiddleware in auth.routes.js, but ensure the activation and register/login routes use the same middleware for consistency with requirements.

[mateacademy-ai-mentor]

In passport.js lines 6-9: The isGithubAuthEnabled function checks process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET but returns Boolean(...,). The trailing comma is harmless in JS but the overall check is fine. No action required.

[mateacademy-ai-mentor]

Register and login routes are unprotected. According to the task, these must be available only to non-authenticated users. In src/backend/src/routes/auth.routes.js add guestOnlyMiddleware to POST /register and POST /login so only guests can access them.

[mateacademy-ai-mentor]

The activation endpoint GET /activate/:hash should be available only to non-authenticated users as per the requirements. In src/backend/src/routes/auth.routes.js wrap the /activate/:hash route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

The app initializes passport with passport.initialize() but does not call passport.session(). You store GitHub flow state in req.session and use passport.authenticate with session:false, so this may be fine. If you intend to use Passport session deserialization later, consider adding app.use(passport.session()) in src/backend/src/app.js.

[mateacademy-ai-mentor]

UserController.changeEmail (src/backend/src/controllers/user.controller.js) calls userService.requestEmailChange. Ensure the implementation of userService.requestEmailChange validates the current password, creates an email-change token (using jwtService.signEmailChangeToken), sends confirmation to the new email (mailService.sendEmailChangeConfirmation) and notifies the old email (mailService.sendEmailChangeNotification). This is required by the checklist item for changing email.

[mateacademy-ai-mentor]

There is no logout endpoint in the provided auth routes. The requirements state "The application must allow a user to log out (only authenticated) and redirect to login after logging out." Add an authenticated POST /logout route (use authMiddleware) that destroys the session (use the existing destroySession logic) and responds so the client can redirect to /login.

[mateacademy-ai-mentor]

The controller relies on userService.requestEmailChange to implement the email-change initiation (require current password, send confirmation to new email, notify old email). Ensure that user.service.requestEmailChange exists and performs these steps; otherwise this violates the requirement: "To change an email on the Profile page, the user should type the password, confirm the new email and notify the old email about the change."

[mateacademy-ai-mentor]

me, changePassword, changeName, changeEmail and removeGithubAccount all forward errors via next(error). Ensure authMiddleware protects these routes (it is applied in user.routes.js) so they are available only to authenticated users as required.

[mateacademy-ai-mentor]

auth.routes.js: POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non-authenticated users — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

auth.routes.js: POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non-authenticated users — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

auth.routes.js: GET /activate/:hash is currently public. The task requires the activation page to be available only to non-authenticated users — wrap this route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

user.controller.js: changeEmail delegates to userService.requestEmailChange. Ensure that userService.requestEmailChange validates the provided password, generates an email-change confirmation token, sends the confirmation to the new email, and notifies the old email (mailService.sendEmailChangeConfirmation and sendEmailChangeNotification). If missing, implement these steps to satisfy the checklist.

[mateacademy-ai-mentor]

app.js: passport.initialize() is used but passport.session() is not mounted. Since you use express-session to store githubAuth state and use passport.authenticate with session:false, this may be intentional. If you require Passport session deserialization later, add app.use(passport.session()). Verify intended behavior for GitHub link/auth flows.

[mateacademy-ai-mentor]

Per the task, registration must be available only to non-authenticated users. In src/backend/src/routes/auth.routes.js the POST /register route is not protected by guestOnlyMiddleware — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

Per the task, login must be available only to non-authenticated users. In src/backend/src/routes/auth.routes.js the POST /login route is not protected by guestOnlyMiddleware — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

POST /register must be available only to non-authenticated users per the task. In src/backend/src/routes/auth.routes.js the route at line 10 registers '/register' without guestOnlyMiddleware. Add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

POST /login must be available only to non-authenticated users per the task. In src/backend/src/routes/auth.routes.js the route at line 11 registers '/login' without guestOnlyMiddleware. Add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

In auth.routes.js lines 9-11 the POST /register and POST /login routes are unguarded. The task requires these be available only to non-authenticated users — add guestOnlyMiddleware to both routes.

[mateacademy-ai-mentor]

In auth.routes.js line 38 the GET /activate/:hash route is public. The task requires the activation page to be available only to non-authenticated users — wrap this route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

There is no logout endpoint in the provided auth routes. The task requires a logout action available only to authenticated users and redirect to login after logging out. Add an authenticated route (e.g. POST /logout) that calls session destroy (use the destroySession helper or req.session.destroy) and returns success so the client can redirect.

[mateacademy-ai-mentor]

Review Summary

I am requesting changes because a few checklist-level requirements are not yet enforced on the backend, even though the overall implementation is otherwise strong and feature-complete.

Critical issues that must be fixed (blockers):

1. Guest-only protection on auth routes: In src/backend/src/routes/auth.routes.js, the routes POST /register and POST /login (around lines 9–11) are currently unguarded. The task explicitly requires that registration and login be available only to non‑authenticated users, so you need to insert guestOnlyMiddleware before the controllers for both of these routes (e.g. authRouter.post('/register', guestOnlyMiddleware, authController.register)). Similarly, GET /activate/:hash (around line 38) must be available only to guests; wrap that route with guestOnlyMiddleware as well.
2. Missing server-side logout endpoint: The requirements state that logout must be available only for authenticated users and redirect to the login page after logging out, but there is no backend logout route. Add an authenticated endpoint such as POST /logout in auth.routes.js, protect it with authMiddleware, and in its controller destroy the server session (using your existing session helper or req.session.destroy) so the frontend can call it, then clear the token and navigate to /login.

Important to verify (may also be a blocker if incomplete):
3. Email-change initiation behavior: user.controller.changeEmail delegates to userService.requestEmailChange; per the checklist, this flow must (a) verify the current password, (b) create an email-change token with jwtService.signEmailChangeToken, (c) send a confirmation link to the new email using mailService.sendEmailChangeConfirmation, and (d) notify the old email using mailService.sendEmailChangeNotification. Please ensure this service method exists and performs all these steps; if it’s missing or partial, implement the missing pieces.

Everything else—registration, activation, login, password reset, profile updates, and GitHub OAuth—is very well structured and aligns closely with the requirements. Once you add the guest-only guards, the logout route, and confirm the email-change initiation logic, your solution will fully meet the task’s standards.

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

authMiddleware expects an Authorization header with Bearer token. However many frontend requests use access token stored in localStorage and set Authorization header in api.request; this is consistent. Ensure any requests relying on cookie-based session authentication use appropriate middleware — currently API uses bearer JWT, not session auth.

[mateacademy-ai-mentor]

The middleware correctly returns ApiError for ApiError instances and logs other errors. However, it exposes full error via process.stderr.write(${error}\n), which is fine for logs but ensure sensitive info isn't logged in production. (Informational)

[mateacademy-ai-mentor]

guestOnlyMiddleware inspects Authorization header to determine signed-in state. This approach works but relies solely on Authorization header; if the client uses cookie-based sessions, guestOnlyMiddleware won't detect them. Given the app uses JWT bearer tokens in API calls, this is acceptable. Consider documenting that guestOnly applies to Bearer-authenticated requests only.

[mateacademy-ai-mentor]

In guestOnlyMiddleware, the middleware calls next() in multiple branches and finally next(ApiError.badRequest(...)). Behavior is correct, but you may simplify flow for clarity. No functional change required.

[mateacademy-ai-mentor]

In auth.routes.js POST /register and /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only to non‑authenticated users. Add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout be available only for authenticated users and redirect to login after logging out. Add a logout endpoint (protected by authMiddleware) that destroys session (if used) and/or advises frontend to clear token, then returns 204 or a JSON response. Frontend should call it and redirect to /login.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header (Bearer token). This matches the frontend which sets the header from localStorage, but the GitHub OAuth flows rely on express-session cookies. Ensure CORS and session cookie settings allow the session cookie across the OAuth redirect (sameSite, secure and credentials settings). This is operational guidance to avoid losing OAuth flow state.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without checking if req.session exists. Given express-session is configured this should be fine, but add a guard if (!req.session) return Promise.resolve(); for extra robustness.

[mateacademy-ai-mentor]

Activation and email-change redirects include the access token in the URL query string. This works with the frontend ActivationPage which reads and stores the token, but exposing tokens in query params can leak them via referer or browser history. You already issue short-lived tokens; consider documenting this behavior or switching to a fragment/hash or POST if stricter security is desired.

[mateacademy-ai-mentor]

auth.routes.js: POST /register and POST /login are not using guestOnlyMiddleware. The task requires registration and login to be available only for non‑authenticated users — add guestOnlyMiddleware to these routes (e.g., authRouter.post('/register', guestOnlyMiddleware, authController.register)).

[mateacademy-ai-mentor]

No logout route exists in auth.routes.js or controllers. The task requires logout only for authenticated users and redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

saveSession in auth.controller.js calls req.session.save without guarding for missing req.session. Express-session is configured, but for robustness consider adding if (!req.session) return Promise.resolve(); at start of saveSession to avoid potential runtime errors.

[mateacademy-ai-mentor]

GitHub OAuth flows store intent in req.session.githubAuth. Ensure express-session cookie settings and CORS (credentials: true) permit the session cookie to be sent across OAuth redirects; otherwise session state may be lost on callback and flow will fallback. Verify sameSite/secure in production.

[mateacademy-ai-mentor]

jwt.service.js: signing functions use environment variables directly (e.g., process.env.JWT_ACCESS_SECRET). If these are undefined, jwt.sign will throw. Ensure required JWT secrets are set in env for production. Consider validating presence at startup or providing clearer errors.

[mateacademy-ai-mentor]

mail.service.js: getTransport throws if GMAIL_USER / GMAIL_APP_PASSWORD missing. For development/testing consider a noop/mock transport to avoid runtime failures when sending emails is not configured.

[mateacademy-ai-mentor]

guestOnlyMiddleware determines guest status solely from Authorization: Bearer header. This is consistent with frontend using bearer tokens. If you later support cookie/session auth for API calls, update this middleware to detect that too. For current app behavior no change required.

[mateacademy-ai-mentor]

socialAccount.model.js: indexes reference physical column names via field mappings (e.g., providerId, user_id). Ensure DB migrations/schema use the same column names so uniqueness indexes are applied correctly. This is informational — model is consistent as written.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /register so only non-authenticated users can register. For example: authRouter.post('/register', guestOnlyMiddleware, authController.register); This is required by the task.

[mateacademy-ai-mentor]

Add guestOnlyMiddleware to POST /login so only non-authenticated users can log in. For example: authRouter.post('/login', guestOnlyMiddleware, authController.login); This is required by the task.

[mateacademy-ai-mentor]

There is no server-side logout route. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys server session (if used) and returns success so frontend can clear token and redirect to /login.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets such as JWT_ACCESS_SECRET. If these env vars are missing jwt.sign will throw. Validate required JWT secrets at startup or provide clear errors to avoid runtime failures in token operations (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js throws when mail credentials are missing (GMAIL_USER / GMAIL_APP_PASSWORD). During development/tests this will break flows that send emails. Consider adding a development/noop transport or using an Ethereal account for local testing to avoid runtime exceptions.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect Authorization Bearer header (JWT). This matches frontend api.ts that sets the header. If you later support cookie/session auth for API calls, update these middlewares accordingly. No change required now.

[mateacademy-ai-mentor]

In auth.routes.js, POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non-authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In auth.routes.js, POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non-authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets (e.g., JWT_ACCESS_SECRET). If these are missing, jwt.sign will throw at runtime. Consider validating required JWT env vars at startup and providing clear error messages to avoid runtime failures across flows that depend on JWTs (activation, reset, email-change).

[mateacademy-ai-mentor]

mail.service.js: getTransport throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development or tests this will break email-dependent flows (registration, password reset). Consider adding a development/noop transport (or Ethereal) to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

guestOnlyMiddleware and authMiddleware inspect only the Authorization header for a Bearer token, which matches the frontend api.ts behavior. If you later support cookie/session-based API auth, update these middlewares accordingly. (No change required now.)

[mateacademy-ai-mentor]

auth.routes.js: POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

auth.routes.js: POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

There is no server-side logout route in the backend. The task requires logout to be available only for authenticated users and to redirect to login after logging out. Add a protected logout endpoint (use authMiddleware) that destroys the server session (if any) and returns success so the frontend can clear token and navigate to /login.

[mateacademy-ai-mentor]

jwt.service.js relies on environment secrets (e.g., JWT_ACCESS_SECRET). If these are missing, jwt.sign will throw. Consider validating required JWT env vars at startup and providing clear errors to avoid runtime failures in flows that depend on JWTs (activation, password-reset, email-change).

[mateacademy-ai-mentor]

mail.service.js: getTransport throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development/tests this will break email-dependent flows (registration, password reset). Consider adding a development/noop transport (or Ethereal) to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /register route is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /login route is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

src/backend/src/services/jwt.service.js relies on environment JWT secrets (e.g., JWT_ACCESS_SECRET). If these env vars are missing jwt.sign will throw. Consider validating required JWT env vars at startup and providing clear errors to avoid runtime failures in flows that use tokens (activation, password-reset, email-change).

[mateacademy-ai-mentor]

src/backend/src/services/mail.service.js throws when MAIL_FROM_ADDRESS/GMAIL_USER or GMAIL_APP_PASSWORD are missing. During development/tests this will break registration/password-reset flows that send emails. Consider adding a development/noop transport (or Ethereal) or handling missing creds gracefully in non-production to allow testing without real SMTP credentials.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /register route is not protected by guestOnlyMiddleware. The task requires registration to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/register', guestOnlyMiddleware, authController.register);

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js the POST /login route is not protected by guestOnlyMiddleware. The task requires login to be available only to non‑authenticated users. Add guestOnlyMiddleware to this route, e.g.: authRouter.post('/login', guestOnlyMiddleware, authController.login);

[mateacademy-ai-mentor]

Password reset endpoints (/password-reset and /password-reset/confirm) are correctly using guestOnlyMiddleware in auth.routes.js, but ensure the activation and register/login routes use the same middleware for consistency with requirements.

[mateacademy-ai-mentor]

In passport.js lines 6-9: The isGithubAuthEnabled function checks process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET but returns Boolean(...,). The trailing comma is harmless in JS but the overall check is fine. No action required.

[mateacademy-ai-mentor]

Register and login routes are unprotected. According to the task, these must be available only to non-authenticated users. In src/backend/src/routes/auth.routes.js add guestOnlyMiddleware to POST /register and POST /login so only guests can access them.

[mateacademy-ai-mentor]

The activation endpoint GET /activate/:hash should be available only to non-authenticated users as per the requirements. In src/backend/src/routes/auth.routes.js wrap the /activate/:hash route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

The app initializes passport with passport.initialize() but does not call passport.session(). You store GitHub flow state in req.session and use passport.authenticate with session:false, so this may be fine. If you intend to use Passport session deserialization later, consider adding app.use(passport.session()) in src/backend/src/app.js.

[mateacademy-ai-mentor]

UserController.changeEmail (src/backend/src/controllers/user.controller.js) calls userService.requestEmailChange. Ensure the implementation of userService.requestEmailChange validates the current password, creates an email-change token (using jwtService.signEmailChangeToken), sends confirmation to the new email (mailService.sendEmailChangeConfirmation) and notifies the old email (mailService.sendEmailChangeNotification). This is required by the checklist item for changing email.

[mateacademy-ai-mentor]

There is no logout endpoint in the provided auth routes. The requirements state "The application must allow a user to log out (only authenticated) and redirect to login after logging out." Add an authenticated POST /logout route (use authMiddleware) that destroys the session (use the existing destroySession logic) and responds so the client can redirect to /login.

[mateacademy-ai-mentor]

The controller relies on userService.requestEmailChange to implement the email-change initiation (require current password, send confirmation to new email, notify old email). Ensure that user.service.requestEmailChange exists and performs these steps; otherwise this violates the requirement: "To change an email on the Profile page, the user should type the password, confirm the new email and notify the old email about the change."

[mateacademy-ai-mentor]

me, changePassword, changeName, changeEmail and removeGithubAccount all forward errors via next(error). Ensure authMiddleware protects these routes (it is applied in user.routes.js) so they are available only to authenticated users as required.

[mateacademy-ai-mentor]

auth.routes.js: POST /register is not protected by guestOnlyMiddleware. The task requires registration to be available only to non-authenticated users — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

auth.routes.js: POST /login is not protected by guestOnlyMiddleware. The task requires login to be available only to non-authenticated users — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

auth.routes.js: GET /activate/:hash is currently public. The task requires the activation page to be available only to non-authenticated users — wrap this route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

user.controller.js: changeEmail delegates to userService.requestEmailChange. Ensure that userService.requestEmailChange validates the provided password, generates an email-change confirmation token, sends the confirmation to the new email, and notifies the old email (mailService.sendEmailChangeConfirmation and sendEmailChangeNotification). If missing, implement these steps to satisfy the checklist.

[mateacademy-ai-mentor]

app.js: passport.initialize() is used but passport.session() is not mounted. Since you use express-session to store githubAuth state and use passport.authenticate with session:false, this may be intentional. If you require Passport session deserialization later, add app.use(passport.session()). Verify intended behavior for GitHub link/auth flows.

[mateacademy-ai-mentor]

Per the task, registration must be available only to non-authenticated users. In src/backend/src/routes/auth.routes.js the POST /register route is not protected by guestOnlyMiddleware — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

Per the task, login must be available only to non-authenticated users. In src/backend/src/routes/auth.routes.js the POST /login route is not protected by guestOnlyMiddleware — add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

POST /register must be available only to non-authenticated users per the task. In src/backend/src/routes/auth.routes.js the route at line 10 registers '/register' without guestOnlyMiddleware. Add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

POST /login must be available only to non-authenticated users per the task. In src/backend/src/routes/auth.routes.js the route at line 11 registers '/login' without guestOnlyMiddleware. Add guestOnlyMiddleware to this route.

[mateacademy-ai-mentor]

In auth.routes.js lines 9-11 the POST /register and POST /login routes are unguarded. The task requires these be available only to non-authenticated users — add guestOnlyMiddleware to both routes.

[mateacademy-ai-mentor]

In auth.routes.js line 38 the GET /activate/:hash route is public. The task requires the activation page to be available only to non-authenticated users — wrap this route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

There is no logout endpoint in the provided auth routes. The task requires a logout action available only to authenticated users and redirect to login after logging out. Add an authenticated route (e.g. POST /logout) that calls session destroy (use the destroySession helper or req.session.destroy) and returns success so the client can redirect.

[mateacademy-ai-mentor]

In app.js line 38 you call passport.initialize() but not passport.session(). You store GitHub flow state in req.session and use passport.authenticate with session:false, so this may be intentional. If you plan to use Passport session deserialization later, add app.use(passport.session()). Otherwise confirm current behavior is intentional for GitHub flows.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js lines 9-11: POST /register and POST /login are registered without guestOnlyMiddleware. The task requires registration and login to be available only to non-authenticated users — add guestOnlyMiddleware to both routes.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js lines 9-11: POST /register and POST /login are not using guestOnlyMiddleware. The task explicitly requires these to be available only to non-authenticated users — add guestOnlyMiddleware to both routes.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js line 38: GET /activate/:hash is currently public. The activation page must be available only to non-authenticated users per the requirements — wrap this route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

There is no logout route in the provided auth routes. The task requires a logout action available only to authenticated users and redirect to login after logging out. Add an authenticated route (e.g. POST /logout) protected by authMiddleware that destroys the server session (use req.session.destroy or a destroySession helper) and returns success so the client can redirect to /login.

[mateacademy-ai-mentor]

In src/backend/src/controllers/user.controller.js lines 44-56: changeEmail delegates to userService.requestEmailChange. The checklist requires that changing email: requires typing the password, confirms the new email (confirmation link to new email), and notifies the old email. Ensure userService.requestEmailChange verifies the current password, creates/signs an email-change token (jwtService.signEmailChangeToken), sends confirmation to the new email (mailService.sendEmailChangeConfirmation), and sends notification to the old email (mailService.sendEmailChangeNotification). If absent or incomplete, implement it.

[mateacademy-ai-mentor]

In src/backend/src/app.js line 38: passport.initialize() is used but passport.session() is not mounted. You store GitHub flow state in req.session and use passport.authenticate with session:false, so this may be intentional. If you expect Passport to manage persistent sessions later, add app.use(passport.session()). Otherwise confirm current behavior is deliberate.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js lines 9-11: POST /register and POST /login are not protected by guestOnlyMiddleware. The task requires registration and login to be available only to non-authenticated users — add guestOnlyMiddleware to both routes.

[mateacademy-ai-mentor]

In src/backend/src/routes/auth.routes.js line 38: GET /activate/:hash is currently public. The task requires the activation page to be available only to non-authenticated users — wrap this route with guestOnlyMiddleware.

[mateacademy-ai-mentor]

There is no logout endpoint in the provided routes. The task requires an authenticated logout action that redirects to the login page. Add a protected route (e.g. POST /logout) using authMiddleware that destroys the session (use destroySession or req.session.destroy) and returns success so the client can redirect to /login.

[mateacademy-ai-mentor]

Sorry, the pull request review was unsuccessful for the following reasons:

Warning

Too many changes in the pull request. Please make sure that you have added only the necessary changes to the pull request.
_{[CODE: TMC]}

If the issue is within your control, please address it.
The next review attempt will automatically launch in about 1 hour.
If you believe this is an error or need assistance, please contact the support team.

[mateacademy-ai-mentor]

Sorry, the pull request review was unsuccessful for the following reasons:

Warning

Too many changes in the pull request. Please make sure that you have added only the necessary changes to the pull request.
_{[CODE: TMC]}

If the issue is within your control, please address it.
The next review attempt will automatically launch in about 1 hour.
If you believe this is an error or need assistance, please contact the support team.

[mateacademy-ai-mentor]

Sorry, the pull request review was unsuccessful for the following reasons:

Warning

Too many changes in the pull request. Please make sure that you have added only the necessary changes to the pull request.
_{[CODE: TMC]}

If the issue is within your control, please address it.
The next review attempt will automatically launch in about 1 hour.
If you believe this is an error or need assistance, please contact the support team.

[brespect]

Lgtm 🚀