fix: improve session handling and user verification flow

- Add proper session saving in login endpoint with explicit save calls
- Update user verification flow to set proper role and activation state
- Standardize API endpoint naming for user operations
- Add verifiedAt timestamp to track when users complete verification
- Clean up console logs and improve logging messages
- Fix session userId storage to consistently use string format

The main changes focus on ensuring sessions are properly saved during login
and standardizing how we handle user verification and activation states.

Author: foyzulkarim

src/auth/localStrategy.js

@@ -8,6 +8,7 @@ const {
   updateById,
   findByVerificationToken,
   refreshVerificationToken,
+  completeEmailVerification,
 } = require('../domains/user/service');
 const { AppError } = require('../libraries/error-handling/AppError');
 const { sendVerificationEmail } = require('../libraries/email/emailService');
@@ -84,6 +85,9 @@ const registerUser = async ({ email, password }) => {
       isAdmin: false,
       verificationToken,
       verificationTokenExpiry,
+      isDeactivated: false, // we activate the user after email verification
+      role: 'Visitor',
+      roleId: null,
     };
 
     // Create the user
@@ -119,12 +123,7 @@ const verifyEmail = async (token) => {
     }
 
     // Update user as verified
-    await updateById(user._id, {
-      isVerified: true,
-      verificationToken: null,
-      verificationTokenExpiry: null,
-      updatedAt: new Date()
-    });
+    await completeEmailVerification(user._id);
 
     return { message: 'Email verified successfully' };
   } catch (error) {

src/domains/user/api.js

@@ -62,7 +62,7 @@ const routes = () => {
   );
 
   router.get(
-    '/detail/:id',
+    '/:id/detail',
     logRequest({}),
     validateRequest({ schema: idSchema, isParam: true }),
     async (req, res, next) => {
@@ -107,8 +107,9 @@ const routes = () => {
     return result;
   };
 
-  router.delete(
-    '/remove/:id',
+  // deactivateUser
+  router.put(
+    '/:id/deactivate',
     logRequest({}),
     isAuthorized,
     validateRequest({ schema: idSchema, isParam: true }),
@@ -131,8 +132,8 @@ const routes = () => {
   );
 
   // activateUser
-  router.post(
-    '/activate/:id',
+  router.put(
+    '/:id/activate',
     logRequest({}),
     isAuthorized,
     validateRequest({ schema: idSchema, isParam: true }),
@@ -150,7 +151,7 @@ const routes = () => {
 
   // update user's role only
   router.put(
-    '/update-role/:id',
+    '/:id/update-role',
     logRequest({}),
     isAuthorized,
     validateRequest({ schema: updateUserRoleSchema, isParam: false }),

src/domains/user/schema.js

@@ -99,6 +99,9 @@ const schema = new mongoose.Schema({
   verificationEmailSentAt: {
     type: Date,
   },
+  verifiedAt: {
+    type: Date,
+  },
 
   // Auth and status flags
   isDemo: {
@@ -145,7 +148,7 @@ const schema = new mongoose.Schema({
   role: {
     type: String,
     required: true,
-    default: 'visitor',
+    default: 'Visitor',
   },
   roleId: {
     type: mongoose.Schema.Types.ObjectId,

src/domains/user/service.js

@@ -298,6 +298,42 @@ const refreshVerificationToken = async (email) => {
   }
 };
 
+const completeEmailVerification = async (userId) => {
+  try {
+    const defaultRole = await Role.findOne({ name: 'Visitor' });
+    if (!defaultRole) {
+      throw new AppError('role-not-found', 'Default user role not found', 500);
+    }
+
+    const updateData = {
+      $unset: {
+        verificationToken: 1,
+        verificationTokenExpiry: 1,
+        isDemo: 1
+      },
+      $set: {
+        isVerified: true,
+        verifiedAt: new Date(),
+        role: 'Visitor',
+        roleId: defaultRole._id,
+        updatedAt: new Date(),
+        isDeactivated: false
+      }
+    };
+
+    const user = await Model.findByIdAndUpdate(userId, updateData, { new: true });
+    if (!user) {
+      throw new AppError('user-not-found', 'User not found', 404);
+    }
+
+    logger.info('completeEmailVerification(): User verification completed', { userId });
+    return user;
+  } catch (error) {
+    logger.error('completeEmailVerification(): Failed to complete verification', error);
+    throw error instanceof AppError ? error : new AppError('verification-failed', error.message, 400);
+  }
+};
+
 module.exports = {
   create,
   search,
@@ -315,4 +351,5 @@ module.exports = {
   findByVerificationToken,
   refreshVerificationToken,
   updateUserRole,
+  completeEmailVerification,
 };

src/libraries/email/emailService.js

@@ -9,7 +9,6 @@ sgMail.setApiKey(config.SENDGRID_API_KEY);
 
 // Debug mode configuration
 const isDebugMode = process.env.EMAIL_DEBUG === 'true';
-console.log('isDebugMode', isDebugMode, 'process.env.NODE_ENV', process.env.NODE_ENV, 'process.env.EMAIL_DEBUG', process.env.EMAIL_DEBUG);
 const debugDir = path.join(__dirname, 'debug');
 
 // Ensure debug directory exists

src/server.js

@@ -65,8 +65,8 @@ const handleAuthCallback = (strategy) => {
                 `${config.CLIENT_HOST}/login?error=failed-to-authenticate`
               );
             }
-
-            req.session.userId = trimmedUser._id;
+            logger.info('saving session for user', { user: trimmedUser });
+            req.session.userId = trimmedUser._id.toString();
             req.session.sessionId = req.sessionID;
             req.session.save((err) => {
               if (err) {
@@ -132,12 +132,10 @@ const createExpressApp = () => {
   // Update serialization
   passport.serializeUser(async function (user, done) {
     const trimmedUser = createTrimmedUser(user);
-    console.log('serializeUser', trimmedUser);
     done(null, trimmedUser);
   });
 
   passport.deserializeUser(function (trimmedUser, done) {
-    console.log('deserializeUser', trimmedUser);
     done(null, trimmedUser);
   });
 
@@ -217,9 +215,9 @@ const createExpressApp = () => {
       res.json(result);
     } catch (err) {
       if (err instanceof AppError) {
-        return res.status(err.statusCode || 400).json({ 
+        return res.status(err.statusCode || 400).json({
           message: err.message,
-          code: err.name 
+          code: err.name
         });
       }
       next(err);
@@ -248,9 +246,28 @@ const createExpressApp = () => {
         }
 
         const trimmedUser = createTrimmedUser(user);
-        return res.json({
-          message: 'Login successful',
-          user: trimmedUser,
+        // Save session data
+        req.session.userId = trimmedUser._id.toString();
+        req.session.sessionId = req.sessionID;
+
+        logger.info('saving session for user', { user: trimmedUser });
+
+        // Explicitly save the session
+        req.session.save((err) => {
+          if (err) {
+            logger.error('Failed to save session', err);
+            return next(err);
+          }
+
+          logger.info('Session saved successfully', {
+            sessionId: req.sessionID,
+            userId: trimmedUser._id
+          });
+
+          return res.json({
+            message: 'Login successful',
+            user: trimmedUser,
+          });
         });
       });
     })(req, res, next);
@@ -259,7 +276,8 @@ const createExpressApp = () => {
   expressApp.get('/api/logout', async (req, res, next) => {
     const username = req.user?.username;
     const userId = req.user?._id;
-
+    console.log('req.session', req.session);
+    console.log('req.session.userId', req.session.userId);
     req.logout(async function (err) {
       // Passport.js logout function
       if (err) {
@@ -299,7 +317,7 @@ const createExpressApp = () => {
   expressApp.post('/api/resend-verification', async (req, res, next) => {
     try {
       const { email } = req.body;
-      
+      logger.info('resend-verification', { email });
       if (!email) {
         return res.status(400).json({ message: 'Email is required' });
       }
@@ -308,9 +326,9 @@ const createExpressApp = () => {
       res.json(result);
     } catch (err) {
       if (err instanceof AppError) {
-        return res.status(err.statusCode || 400).json({ 
+        return res.status(err.statusCode || 400).json({
           message: err.message,
-          code: err.name 
+          code: err.name
         });
       }
       next(err);