m

[SoraEmpty]

No description provided.

[mateacademy-ai-mentor]

Review Summary

This implementation has several critical blockers that prevent the application from functioning correctly. Broken route definitions in authRoutes.ts export routers directly instead of mounting them to a single router, which will crash the app on import. Registration ignores the 'name' field entirely—only email and password are extracted from req.body, but the task requires registering with name, email, and password. Login uses GET method (router.get('/login')) when POST is required to receive credentials in the request body. Password change functionality is completely missing from the ProfileController despite being explicitly required for the profile page. Email change doesn't notify the old email address as specified in the requirements. Additionally, there's a missing return statement in resetPasswordConfirmation after password/confirmation mismatch check, allowing execution to continue with invalid data. These issues must be addressed before the implementation can be approved.

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

The 'name' field from req.body is missing in registration. The requirements specify registering with 'name, email and password'.

[mateacademy-ai-mentor]

The User model requires 'name' field but doesn't set allowNull: false, which is inconsistent. The name field should be properly validated at model level.

[mateacademy-ai-mentor]

The auth middleware returns a redirect to '/login' instead of returning a 401 status code for unauthenticated users. The requirements specify that profile and other authenticated pages should be restricted.

[mateacademy-ai-mentor]

When email is changed, there's no notification sent to the old email address as required by the task. The requirements state: 'notify the old email about the change'.

[mateacademy-ai-mentor]

The password change endpoint (with old password, new password and confirmation) is completely missing from the ProfileController. The requirements specify this is required for the profile page.

[mateacademy-ai-mentor]

Routes are defined incorrectly - each route is exported directly without being added to the router. This is an anti-pattern that breaks the router structure. Routes should use router.post(...) format, not direct exports.

[mateacademy-ai-mentor]

The middleware only checks for session existence but doesn't verify if the user is actually active (isActive flag). Non-active users should be handled appropriately.

[mateacademy-ai-mentor]

Mixing CommonJS require() with ES6 export syntax. Use consistent module syntax throughout.

[mateacademy-ai-mentor]

Registration doesn't capture 'name' from req.body - the task requires registering with name, email and password. Currently only email and password are extracted.

[mateacademy-ai-mentor]

The register function only extracts email and password from req.body, but the task requires registration with name, email, and password. The name field is missing and not being saved to the database.

[mateacademy-ai-mentor]

The login route is defined with GET method, but login requires receiving email and password in the request body. GET requests cannot have a body, so the credentials will never be received. This should be POST.

[mateacademy-ai-mentor]

The authMiddleware returns res.status(401).redirect('/login'). A redirect response should have status 302, not 401. Browsers/clients may not properly handle a 401 with a redirect. Either use res.redirect(302, '/login') or return a 401 JSON response without redirect.

[mateacademy-ai-mentor]

When password !== confirmation, the function continues execution without returning. It should have return res.status(400).json({...}) to stop processing and return an error response.

[mateacademy-ai-mentor]

The changeEmail function doesn't send a notification to the old email address when the email is changed. The task specifically requires: 'notify the old email about the change'.

[mateacademy-ai-mentor]

The database.js file uses CommonJS require syntax but exports with ES6 export. This mixing will cause a syntax error. Use either module.exports or convert entirely to ES6 imports.

[mateacademy-ai-mentor]

No route protects unauthenticated users from accessing authenticated-only pages. Routes for login, register, forgot-password should redirect to profile if user is already authenticated. Currently, any user can access these routes.

[mateacademy-ai-mentor]

The registration function only captures email and password from req.body, but the task requires registering with name, email, and password. The name field is missing.

[mateacademy-ai-mentor]

The name field is not being passed to User.create(). The task requires registration with name, email, and password. This will cause registration to fail or create users without names.

[mateacademy-ai-mentor]

Routes are exported directly without being added to the router - this is incorrect. Each line like export const authRouter = router.post(...) creates a new mini-router but doesn't attach it to the main router. The pattern should be: router.post('/register', register) followed by export default router or export { router }.

[mateacademy-ai-mentor]

The login route is defined with GET method, but login requires receiving email and password in the request body. GET requests cannot send a body, so credentials will never be received. Change to router.post('/login', login).

[mateacademy-ai-mentor]

No route exists for changing password in the profile. The task requires: 'It allows to change a password (require an old one, new password and confirmation)'. A route like router.put('/profile/password', isAuthenticated, changePassword) is needed, along with the corresponding controller function.

[mateacademy-ai-mentor]

Routes for non-authenticated users (/register, /login, /forgot-password) should check if the user is already logged in and redirect to profile. Currently, any user can access these routes even when authenticated.

[mateacademy-ai-mentor]

The middleware only checks if session exists but doesn't verify if the user is actually active. The task requires checking user activation status before allowing access to authenticated pages.

[mateacademy-ai-mentor]

The login route is defined with GET method, but credentials need to be sent in the request body which requires POST method.

[mateacademy-ai-mentor]

The User model email field lacks validation constraints. Should include allowNull: false and validate email format properly.

[mateacademy-ai-mentor]

The User model password field lacks validation constraints. Should include allowNull: false since it's required for authentication.

[mateacademy-ai-mentor]

The User model lacks a changePasswordToken or similar field to track password change requests separately from resetPasswordToken.

[mateacademy-ai-mentor]

The register function only extracts email and password from req.body, but the task requires registration with name, email, and password. The name field is missing and not being saved to the database.

[mateacademy-ai-mentor]

The authMiddleware returns res.status(401).redirect('/login'). A redirect response should have status 302, not 401. Browsers/clients may not properly handle a 401 with a redirect. Either use res.redirect(302, '/login') or return a 401 JSON response without redirect.

[mateacademy-ai-mentor]

The database.js file uses CommonJS require syntax but exports with ES6 export. This mixing will cause a syntax error. Use either module.exports or convert entirely to ES6 imports.

[mateacademy-ai-mentor]

Review Summary

The implementation has made good progress fixing several previous issues, but one critical feature remains completely missing from the Profile page: password change functionality. The task explicitly requires that users can change their password by providing their old password, a new password, and a confirmation. Currently, ProfileController.js only implements resetName and changeEmail functions with no route or handler for password changes. Critical issues include missing password change endpoint and route, which must be implemented to meet requirements.

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

The Profile page requirements specify: 'It allows to change a password (require an old one, new password and confirmation)'. This functionality is not implemented anywhere in the file - there's only resetName and changeEmail functions.

[mateacademy-ai-mentor]

The resetPasswordExpires field is set to a new Date() but never cleared after successful password reset. After nullifying resetPasswordToken, you should also set resetPasswordExpires to null to properly clean up.

[mateacademy-ai-mentor]

The route for password change is missing. The task requires a password change feature on the Profile page that accepts old password, new password, and confirmation. Add: router.put('/profile/password', isAuthenticated, changePassword);

[mateacademy-ai-mentor]

Empty catch block silently swallows all errors. If database query fails during authentication check, the error is ignored and next() is called, potentially allowing unauthenticated requests to proceed.

[mateacademy-ai-mentor]

Missing password change route. The Profile page requires a password change endpoint (with old password, new password, and confirmation). Add a route like: router.put('/profile/password', isAuthenticated, changePassword);

[mateacademy-ai-mentor]

Review Summary

I am approving your implementation with some important issues to address.

What you did well: Your authentication system is well-structured with proper password validation, email activation flow, protected routes, and most profile management features working correctly. The code organization and middleware usage show good understanding of Express patterns.

Critical issues to fix:

1. Password change verification is inverted in src/controllers/ProfileController.js - The requirements explicitly state password change must require "old password, new password and confirmation," but your passwordChange function:

   • Doesn't receive oldPassword from req.body at all
   • Compares newPassword against the current password instead of verifying the old one first

   The fix requires:

   • Add oldPassword to destructuring: const { oldPassword, newPassword, confirmation } = req.body;
   • Use bcrypt.compare(oldPassword, user.password) to verify identity before allowing the change

2. Empty catch block at line 117 will cause hanging requests on errors - add a proper error response like res.status(500).json({ message: 'Помилка при зміні пароля' });

Minor improvement: The resetPasswordConfirmation function doesn't validate password strength (the regex used in registration), which could allow weak passwords during reset flow.

These are standard security patterns for password changes - verifying the old password proves identity before allowing modifications. Keep up the good work on the overall architecture!

---

✨ Please rate this review in the Platform's notification center¹. I will be grateful for your feedback! ✨

Important

Fix the issues, commit the changes, and then re-request my review using the Re-request review button² in the Reviewers tab.

Tip

If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag³.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.

Caution

Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.

Footnotes

1. Rate AI review example ↩

2. Re-request AI review example ↩

3. Add AI review comments example ↩

[mateacademy-ai-mentor]

The requirements state that changing password must require an 'old one' (old password), but this function doesn't verify the submitted old password. It only checks if the new password differs from the current one. You should receive 'oldPassword' from req.body and verify it with bcrypt.compare() before allowing the password change.

[mateacademy-ai-mentor]

The catch block is empty - if an error occurs, no response will be sent to the client, causing a hanging request. Add proper error handling like: catch (error) { res.status(500).json({ message: 'Помилка при зміні пароля' }); }

[mateacademy-ai-mentor]

The oldPassword field is missing from the destructured request body. According to requirements, password change requires 'old password, new password and confirmation'. Add oldPassword to the destructuring on line 82.

[mateacademy-ai-mentor]

The comparison logic here is checking if newPassword equals user.password - this prevents password reuse but doesn't verify the old password as required. The requirements state 'require an old one' meaning you must verify the current password first before allowing the change. Consider comparing the oldPassword with the user's current password instead.

[mateacademy-ai-mentor]

Empty catch block on line 117 will silently swallow errors. Consider adding error logging or returning a proper error response.

[brespect]

Good progress, but you need to pass all tests and build before requesting the review

[Anton-Kuchmasov]

Good job!

Don't push .env as well as any other secrets/envs in Github repo again