
@hunterShierman
Contributor

📝 Implement User Registration and Login

Description

Implements complete user registration and login functionality for admin users, interviewers, and candidates as outlined in issue #98.

Changes Made

New Features

Invite Code System

  • Created Invite model for managing registration invites
  • Admins can generate invite codes for new admin/interviewer registrations
  • Invite codes can be locked to specific emails
  • Invite codes expire after a configurable number of days (default 7)
  • Candidates can register without an invite code

Email Verification

  • Added POST /api/auth/verify-email endpoint
  • Added POST /api/auth/resend-verification endpoint
  • Users must verify email before logging in
  • Added sendVerificationCode method to EmailService
  • Added isEmailVerified, emailVerificationCode, and emailVerificationCodeExpiry fields to User model

Login Security

  • Added loginRateLimiter middleware
  • Account locks for 15 minutes after 5 failed login attempts
  • Added failedLoginAttempts and lockUntil fields to User model
  • Failed attempts reset on successful login

Modified Files

| File | Changes |
|---|---|
| models/Invite.ts | New file - Invite model for registration codes |
| models/user.ts | Added isEmailVerified, emailVerificationCode, emailVerificationCodeExpiry, failedLoginAttempts, lockUntil fields |
| routes/authRoutes.ts | Updated /register with invite code support, added email verification check to /login, added /verify-email, /resend-verification, /invite endpoints |
| middleware/authMiddleware.ts | Added loginRateLimiter middleware |
| utils/email.ts | Added sendVerificationCode method |

API Endpoints

| Method | Endpoint | Description | Access |
|---|---|---|---|
| POST | /api/auth/register | Register new user (invite code required for admin/interviewer) | Public |
| POST | /api/auth/login | Login with email/password | Public |
| POST | /api/auth/verify-email | Verify email with 6-digit code | Public |
| POST | /api/auth/resend-verification | Resend verification code | Public |
| POST | /api/auth/invite | Create invite code | Admin only |
| POST | /api/auth/refresh-token | Refresh access token | Public |
| POST | /api/auth/logout | Logout and revoke tokens | Authenticated |

Acceptance Criteria

  • Admins can register with email and password
  • Users of all roles can log in securely
  • JWT tokens are generated and stored securely
  • Email verification is working correctly
  • Input validation prevents invalid data
  • Rate limiting prevents brute force attacks
  • All auth endpoints follow security best practices

Testing

To test the flow:

  1. Register a candidate:
     POST /api/auth/register
     { "name": "Test User", "email": "test@example.com", "password": "password123" }
  2. Verify email:
     POST /api/auth/verify-email
     { "email": "test@example.com", "code": "123456" }
  3. Login:
     POST /api/auth/login
     { "email": "test@example.com", "password": "password123" }
  4. Create admin invite (requires admin auth):
     POST /api/auth/invite
     { "role": "admin", "email": "newadmin@example.com" }

Related Issues

Ref #98

- Add invite code system for admin/interviewer registration
- Implement email verification flow (verify-email, resend-verification)
- Add login rate limiting with account locking after 5 failed attempts
- Create Invite model for managing registration invites
- Add emailVerificationCode fields to User model
- Add failedLoginAttempts and lockUntil fields for brute force protection
- Update EmailService with sendVerificationCode method

Ref #98
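The lockout rule described in this PR (lock for 15 minutes after 5 failed attempts, counter reset on successful login) written out as an added example; this is not the PR's own code. The User fields failedLoginAttempts and lockUntil come from the PR, while the LockoutState shape, the attemptLogin signature and the injectable `now` clock are assumptions made for the example.

```typescript
// Constants as stated in the PR: 5 failed attempts, 15-minute lock.
const MAX_FAILED_ATTEMPTS = 5;
const LOCK_DURATION_MS = 15 * 60 * 1000;

// Assumed shape for the two User fields the PR adds (failedLoginAttempts, lockUntil).
interface LockoutState {
  failedLoginAttempts: number;
  lockUntil: Date | null;
}

type LoginOutcome =
  | { status: "ok" }
  | { status: "invalid"; attemptsRemaining: number }
  | { status: "locked"; retryAfterMs: number };

// passwordMatches stands in for the real credential check (e.g. a bcrypt compare);
// `now` is injectable so the 15-minute window can be exercised without waiting.
function attemptLogin(user: LockoutState, passwordMatches: boolean, now: Date = new Date()): LoginOutcome {
  // An active lock is checked before the password, so a locked account answers
  // identically for right and wrong passwords and reveals nothing about the credential.
  if (user.lockUntil !== null) {
    const remaining = user.lockUntil.getTime() - now.getTime();
    if (remaining > 0) return { status: "locked", retryAfterMs: remaining };
    user.lockUntil = null;           // lock expired: open a fresh counting window
    user.failedLoginAttempts = 0;
  }
  if (passwordMatches) {
    user.failedLoginAttempts = 0;    // successful login resets the counter
    return { status: "ok" };
  }
  user.failedLoginAttempts += 1;
  if (user.failedLoginAttempts >= MAX_FAILED_ATTEMPTS) {
    user.lockUntil = new Date(now.getTime() + LOCK_DURATION_MS);
    return { status: "locked", retryAfterMs: LOCK_DURATION_MS };
  }
  return { status: "invalid", attemptsRemaining: MAX_FAILED_ATTEMPTS - user.failedLoginAttempts };
}

// Constructed walk-through: five wrong passwords, a correct one a minute later
// (still locked), then the same correct password once the 15 minutes are up.
function demo(): string[] {
  const user: LockoutState = { failedLoginAttempts: 0, lockUntil: null };
  const t0 = new Date("2026-01-22T10:00:00Z");
  const log: string[] = [];
  for (let i = 0; i < MAX_FAILED_ATTEMPTS; i++) log.push(attemptLogin(user, false, t0).status);
  log.push(attemptLogin(user, true, new Date(t0.getTime() + 60_000)).status);
  log.push(attemptLogin(user, true, new Date(t0.getTime() + LOCK_DURATION_MS)).status);
  return log;
}
```

Persisting the updated counter and lockUntil back to the User document after each call is what makes the lock hold across requests and server instances; an in-memory counter alone would not.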
@hunterShierman hunterShierman linked an issue Jan 22, 2026 that may be closed by this pull request
Member

@Flapjacck Flapjacck left a comment


LGTM

@Flapjacck Flapjacck merged commit 69452d1 into main Jan 25, 2026
1 check passed

Successfully merging this pull request may close these issues.

📝 Implement user registration and login

3 participants