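const router = require('express').Router();
const crypto = require('crypto');
const User = require('../models/User');
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
const { OAuth2Client } = require('google-auth-library');
const verify = require('../utils/verifyToken');

const client = new OAuth2Client(process.env.GOOGLE_CLIENT_ID);

// ---- Tunables -----------------------------------------------------------------
const BCRYPT_ROUNDS = 10;
const OTP_LENGTH = 6;
const OTP_TTL_MS = 10 * 60 * 1000;   // an OTP is accepted for 10 minutes
const OTP_MAX_ATTEMPTS = 5;          // wrong guesses before the OTP is discarded
const MIN_PASSWORD_LENGTH = 8;
const REFERRAL_CODE_LENGTH = 6;
const REFERRAL_ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
// Tokens used to be signed without any expiry, i.e. they were valid forever and
// "logout" could never invalidate them. Override with JWT_EXPIRES_IN if needed.
const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
// Approximates the usual VPA shape (<handle>@<bank>); confirm against the
// payment provider's own validation rules before relying on it for payouts.
const UPI_ID_PATTERN = /^[a-zA-Z0-9._-]{2,256}@[a-zA-Z]{2,64}$/;
// Single generic message so /login cannot be used to enumerate accounts.
const LOGIN_FAILED = "Invalid email or password";

// In-memory OTP store: email -> { otp, expiresAt, attempts }.
// Single-process only. Behind a load balancer /signup/verify may land on a
// node that never issued the OTP; move this to Redis (or similar) for that.
const otpStore = new Map();

// Hash compared against when the email is unknown, so a login attempt for a
// non-existent account costs the same bcrypt work as one for a real account
// and response timing does not reveal whether the address is registered.
const dummyHashPromise = bcrypt.hash(crypto.randomBytes(16).toString('hex'), BCRYPT_ROUNDS);

/**
 * Returns the trimmed email when `value` is a plausible email string, else null.
 * The type check matters: Mongoose happily accepts `{ "$gt": "" }` as a query
 * value, so an object in `req.body.email` would otherwise reach findOne().
 * Case is deliberately left untouched: existing records may be mixed-case.
 */
function normalizeEmail(value) {
  if (typeof value !== 'string') return null;
  const email = value.trim();
  // Deliberately loose; full address validation belongs to the mail sender.
  if (email.length < 3 || email.length > 254 || !email.includes('@')) return null;
  return email;
}

/** Drops expired OTP entries so abandoned signups cannot grow the map forever. */
function pruneExpiredOtps(now = Date.now()) {
  for (const [email, entry] of otpStore) {
    if (entry.expiresAt <= now) otpStore.delete(email);
  }
}

/**
 * Produces a random numeric OTP of OTP_LENGTH digits (zero-padded).
 * A fixed code can be supplied via OTP_FIXED_CODE for local/manual testing,
 * but only outside production: the previous hard-coded "111111" let anyone
 * register any email address without ever receiving mail.
 */
function generateOtp() {
  const fixed = process.env.OTP_FIXED_CODE;
  if (fixed && process.env.NODE_ENV !== 'production') return fixed;
  return String(crypto.randomInt(0, 10 ** OTP_LENGTH)).padStart(OTP_LENGTH, '0');
}

/**
 * Builds a REFERRAL_CODE_LENGTH-character upper-case alphanumeric referral code
 * from a CSPRNG. Math.random() is predictable and its base-36 string could be
 * shorter than six characters. Uniqueness is not checked here; the User model
 * should enforce it if referral_code must be unique.
 */
function generateReferralCode() {
  let code = '';
  for (let i = 0; i < REFERRAL_CODE_LENGTH; i += 1) {
    code += REFERRAL_ALPHABET[crypto.randomInt(0, REFERRAL_ALPHABET.length)];
  }
  return code;
}

/** Length-guarded constant-time string comparison for secrets such as OTPs. */
function constantTimeEqual(expected, supplied) {
  const a = Buffer.from(String(expected));
  const b = Buffer.from(String(supplied));
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

/** Signs the session JWT. Throws if JWT_SECRET is unset (surfaces as a 500). */
function issueToken(user) {
  return jwt.sign(
    { _id: user._id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: JWT_EXPIRES_IN }
  );
}

/** Body returned by every route that establishes a session. */
function sessionResponse(user) {
  return { token: issueToken(user), name: user.name, upi: user.upi_id };
}

// 1. INITIATE SIGNUP (Send OTP)
// Expects { email }. Issues a single-use OTP bound to that address.
router.post('/signup/initiate', async (req, res) => {
  try {
    const body = req.body || {};
    const email = normalizeEmail(body.email);
    if (!email) return res.status(400).send("Invalid email");

    const userExists = await User.findOne({ email });
    // NOTE(review): this reply reveals whether an address is registered.
    // Kept for the existing UX; if account enumeration matters for this
    // product, answer with the same "OTP sent" message and skip the OTP.
    if (userExists) return res.status(400).send("Email already registered. Please Login.");

    pruneExpiredOtps();
    const otp = generateOtp();
    otpStore.set(email, { otp, expiresAt: Date.now() + OTP_TTL_MS, attempts: 0 });

    // TODO: hand `otp` to the mail sender; nothing in this file delivers it.
    // Do not log the OTP value, even at debug level.
    res.send({ message: "OTP sent to email" });
  } catch (err) {
    console.error('signup/initiate failed:', err);
    res.status(500).send("Server Error");
  }
});

// 2. VERIFY OTP & CREATE ACCOUNT
// Expects { name, email, password, referral_code?, otp, termsAccepted }.
router.post('/signup/verify', async (req, res) => {
  try {
    const body = req.body || {};
    const { name, password, referral_code, otp, termsAccepted } = body;
    const email = normalizeEmail(body.email);

    if (!termsAccepted) return res.status(400).send("You must accept Terms & Conditions");
    if (!email || typeof otp !== 'string') return res.status(400).send("Invalid or Expired OTP");
    if (typeof name !== 'string' || name.trim() === '') return res.status(400).send("Name is required");
    // bcrypt silently truncates at 72 bytes; a floor keeps trivially short
    // passwords out. Checked before the OTP so a weak password does not burn it.
    if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
      return res.status(400).send(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
    }

    // Validate OTP: must exist, be unexpired, match in constant time, and is
    // discarded after OTP_MAX_ATTEMPTS wrong guesses (6 digits are trivially
    // brute-forced otherwise). Rate limiting the route itself is still advisable.
    const entry = otpStore.get(email);
    if (!entry || entry.expiresAt <= Date.now()) {
      otpStore.delete(email);
      return res.status(400).send("Invalid or Expired OTP");
    }
    if (!constantTimeEqual(entry.otp, otp)) {
      entry.attempts += 1;
      if (entry.attempts >= OTP_MAX_ATTEMPTS) otpStore.delete(email);
      return res.status(400).send("Invalid or Expired OTP");
    }
    // Single use: consume before the (slow) hash + save so a concurrent
    // request with the same OTP cannot reuse it.
    otpStore.delete(email);

    // Re-check existence: the account may have been created between
    // /signup/initiate and now (or /signup/initiate may have been skipped).
    if (await User.findOne({ email })) {
      return res.status(400).send("Email already registered. Please Login.");
    }

    const salt = await bcrypt.genSalt(BCRYPT_ROUNDS);
    const hashedPassword = await bcrypt.hash(password, salt);

    // Only a string referral code is stored; anything else becomes null.
    const referredBy =
      typeof referral_code === 'string' && referral_code.trim() !== '' ? referral_code.trim() : null;

    // Fields are listed explicitly so client-supplied `role` etc. never reach the model.
    const user = new User({
      name: name.trim(),
      email,
      password: hashedPassword,
      referral_code: generateReferralCode(),
      referred_by: referredBy,
      // NOTE(review): this marks KYC complete on mere terms acceptance; if
      // kyc_status gates payouts elsewhere, that is a real KYC check bypass.
      kyc_status: true,
    });
    await user.save();

    // Auto login
    res.send(sessionResponse(user));
  } catch (err) {
    console.error('signup/verify failed:', err);
    res.status(500).send("Signup Failed");
  }
});

// 3. LOGIN (Email + Password only)
// Expects { email, password }. Unknown email and wrong password get the same
// reply and the same bcrypt cost, so neither the message nor the timing says
// which one failed.
router.post('/login', async (req, res) => {
  try {
    const body = req.body || {};
    const email = normalizeEmail(body.email);
    const { password } = body;
    if (!email || typeof password !== 'string') return res.status(400).send(LOGIN_FAILED);

    const user = await User.findOne({ email });
    const hashToCheck = user ? user.password : await dummyHashPromise;
    const validPass = await bcrypt.compare(password, hashToCheck);
    if (!user || !validPass) return res.status(400).send(LOGIN_FAILED);

    res.send(sessionResponse(user));
  } catch (err) {
    console.error('login failed:', err);
    res.status(500).send("Login Failed");
  }
});

// 4. GOOGLE AUTH (Smart Handling)
// Expects { token (Google ID token), referral_code?, termsAccepted? }.
// Logs in the user whose email matches the token, registering one if needed.
router.post('/google', async (req, res) => {
  try {
    const body = req.body || {};
    const { token, referral_code, termsAccepted } = body;
    if (typeof token !== 'string' || token === '') return res.status(400).send("Google Auth Failed");

    const ticket = await client.verifyIdToken({
      idToken: token,
      audience: process.env.GOOGLE_CLIENT_ID,
    });
    const payload = ticket.getPayload();
    const { name, email, email_verified: emailVerified } = payload;

    // The account is looked up by email alone, so an address Google has not
    // verified must not be trusted: it could map onto someone else's account.
    if (typeof email !== 'string' || emailVerified !== true) {
      return res.status(400).send("Google Auth Failed");
    }

    let user = await User.findOne({ email });

    // IF NEW USER: Require Consent
    if (!user) {
      if (!termsAccepted) return res.status(400).send("Please tick the Terms & Conditions box to Register.");

      // Google-only accounts still get a password hash so the password login
      // path cannot be used against them with an empty/guessable credential;
      // 32 CSPRNG bytes are not guessable (Math.random() was).
      const unusablePassword = crypto.randomBytes(32).toString('hex');
      const salt = await bcrypt.genSalt(BCRYPT_ROUNDS);
      const hashedPassword = await bcrypt.hash(unusablePassword, salt);

      const referredBy =
        typeof referral_code === 'string' && referral_code.trim() !== '' ? referral_code.trim() : null;

      // payload.sub (Google's stable user id) is not persisted because the User
      // schema is not visible here; storing it would allow linking by id
      // rather than by email.
      user = new User({
        name,
        email,
        password: hashedPassword,
        referral_code: generateReferralCode(),
        referred_by: referredBy,
        kyc_status: true, // see note in /signup/verify
      });
      await user.save();
    }

    res.send(sessionResponse(user));
  } catch (err) {
    // Token verification failures land here; the reply stays generic on purpose.
    console.error('google auth failed:', err);
    res.status(400).send("Google Auth Failed");
  }
});

// 5. LOGOUT
// JWTs are stateless: nothing is revoked server-side and the token remains
// valid until JWT_EXPIRES_IN elapses. The client must discard it. True
// logout would need a server-side deny-list keyed by a token id.
router.post('/logout', (req, res) => {
  res.send({ message: "Logged Out" });
});

// GET CURRENT USER DETAILS (Protected)
router.get('/me', verify, async (req, res) => {
  try {
    // Exclude the password hash from the response.
    const user = await User.findById(req.user._id).select('-password');
    if (!user) return res.status(404).send("User not found");
    res.json(user);
  } catch (err) {
    console.error('/me failed:', err);
    res.status(500).send("Server Error");
  }
});

// UPDATE UPI ID (Protected)
// Expects { upi_id }. Changes the payout destination, so consider requiring
// re-authentication (password or OTP) here: a stolen session token is enough
// to redirect funds otherwise.
router.post('/update-upi', verify, async (req, res) => {
  try {
    const body = req.body || {};
    const upiId = typeof body.upi_id === 'string' ? body.upi_id.trim() : '';
    // The type check is needed: `.includes` on a non-string threw out of an
    // uncaught async handler before, leaving the request hanging.
    if (!UPI_ID_PATTERN.test(upiId)) return res.status(400).send("Invalid UPI ID");

    const updated = await User.findByIdAndUpdate(
      req.user._id,
      { upi_id: upiId },
      { runValidators: true }
    );
    if (!updated) return res.status(404).send("User not found");
    res.send("UPI updated");
  } catch (err) {
    console.error('update-upi failed:', err);
    res.status(500).send("Server Error");
  }
});

module.exports = router;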