fix

auth.service.ts

@@ -0,0 +1,145 @@
+import { Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';
+import { BehaviorSubject, Observable, of, throwError } from 'rxjs';
+import { catchError, tap } from 'rxjs/operators';
+import { Router } from '@angular/router';
+
+@Injectable({
+  providedIn: 'root'
+})
+export class AuthService {
+  private apiUrl = location.hostname.endsWith('hf.space')
+    ? 'https://majemaai-mj-learn-backend.hf.space'
+    : 'http://localhost:5000';
+
+  private loggedInSubject = new BehaviorSubject<boolean>(false);
+  public loggedIn$ = this.loggedInSubject.asObservable();
+  private refreshInterval: any;
+
+  constructor(private http: HttpClient, private router: Router) { }
+
+  // ? Updated to use /auth/login endpoint
+  login(username: string, password: string): Observable<any> {
+    return this.http.post(`${this.apiUrl}/auth/login`, { username, password }, { withCredentials: true });
+  }
+
+  setLoggedIn(status: boolean): void {
+    this.loggedInSubject.next(status);
+  }
+
+  isLoggedIn(): boolean {
+    return this.loggedInSubject.value;
+  }
+
+  // ? Updated to use /auth/refresh endpoint
+  startAutoRefresh(): void {
+    this.clearAutoRefresh(); // Clear any existing interval
+
+    this.refreshInterval = setInterval(() => {
+      console.log("?? Auto-refreshing token...");
+      this.http.post(`${this.apiUrl}/auth/refresh`, {}, { withCredentials: true }).subscribe(
+        response => {
+          console.log('? Auto-refresh successful');
+        },
+        error => {
+          console.error('? Auto-refresh failed:', error);
+          // Clear tokens manually (if needed)
+          this.clearTokens();
+
+          // Redirect to login
+          this.router.navigate(['/auth']);
+        }
+      );
+    }, 14 * 60 * 1000); // Every 14 minutes
+  }
+
+  clearAutoRefresh(): void {
+    if (this.refreshInterval) {
+      clearInterval(this.refreshInterval);
+      this.refreshInterval = null;
+    }
+  }
+
+  // ? Updated to use /auth/logout endpoint
+  logout(): Observable<any> {
+    console.log("?? Sending logout request with credentials");
+
+    return this.http.post(`${this.apiUrl}/auth/logout`, {}, { withCredentials: true }).pipe(
+      tap(response => {
+        console.log('?? Response from backend:', response);
+        this.clearTokens();
+        this.clearAutoRefresh();  // ? Stop auto-refresh
+        this.setLoggedIn(false);  // ? Reflect logout in UI
+      }),
+      catchError(error => {
+        console.error('? Error from backend:', error);
+        // Still ensure local state reflects logout
+        this.clearTokens();
+        this.clearAutoRefresh();
+        this.setLoggedIn(false);
+        return throwError(() => error);
+      })
+    );
+  }
+
+  clearTokens(): void {
+    document.cookie = 'access_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
+    document.cookie = 'refresh_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
+    this.clearAutoRefresh();  // ?
+  }
+
+  // ? Get access token (using cookies)
+  getAccessToken(): string | null {
+    const cookies = document.cookie.split('; ');
+    for (let cookie of cookies) {
+      if (cookie.startsWith('access_token=')) {
+        return cookie.split('=')[1];
+      }
+    }
+    return null;
+  }
+
+  // ? Save tokens (Not necessary, as tokens are managed via cookies)
+  saveTokens(accessToken: string, refreshToken: string): void {
+    // No need for this if you're using cookies, but if you want to persist in localStorage, use:
+    localStorage.setItem('access_token', accessToken);
+    localStorage.setItem('refresh_token', refreshToken);
+  }
+
+  // ? Updated to use /auth/check-auth endpoint
+  checkSession(): Observable<boolean> {
+    return this.http.get(`${this.apiUrl}/auth/check-auth`, { withCredentials: true }).pipe(
+      tap((res: any) => {
+        console.log('? Session valid:', res);
+        this.setLoggedIn(true);
+        this.startAutoRefresh();
+        return true; // ? Important!
+      }),
+      catchError((err) => {
+        if (err.status === 401) {
+          // Access token may be expired. Try refresh
+          console.warn('?? Access token expired. Trying to refresh...');
+
+          // ? Updated to use /auth/refresh endpoint
+          return this.http.post(`${this.apiUrl}/auth/refresh`, {}, { withCredentials: true }).pipe(
+            tap((refreshRes: any) => {
+              console.log("? Token refreshed during checkSession.");
+              //alert("? Token refreshed during checkSession.");
+              this.setLoggedIn(true);
+              this.startAutoRefresh();
+            }),
+            catchError((refreshErr) => {
+              console.error("? Refresh token failed during checkSession.", refreshErr);
+              this.setLoggedIn(false);
+              return of(false);
+            })
+          );
+        } else {
+          console.error("? Unknown error during checkSession", err);
+          this.setLoggedIn(false);
+          return of(false);
+        }
+      })
+    );
+  }
+}

auth/__init__.py

@@ -0,0 +1,25 @@
+"""
+Authentication module for MJ Learn Backend
+
+This module provides:
+- User authentication and authorization
+- JWT token management
+- Database models for user management
+- Security utilities
+"""
+
+from .models import User, BlacklistedToken, RefreshToken
+from .utils import token_required, anonymize_username
+from .database import get_db_connection, init_db
+from .routes import auth_bp
+
+__all__ = [
+    'User',
+    'BlacklistedToken', 
+    'RefreshToken',
+    'token_required',
+    'anonymize_username',
+    'get_db_connection',
+    'init_db',
+    'auth_bp'
+]

auth/database.py

@@ -0,0 +1,168 @@
+"""
+Database connection and initialization module
+
+Handles:
+- Database connection management
+- Table creation and initialization
+- Connection string configuration
+- Database diagnostics
+"""
+
+import os
+import pyodbc
+from threading import Lock
+from .models import get_table_definitions
+
+# Database configuration
+DB_SERVER = os.getenv("DB_SERVER", r"(localdb)\MSSQLLocalDB")
+DB_DATABASE = os.getenv("DB_DATABASE", "AuthenticationDB1")
+DB_DRIVER = os.getenv("DB_DRIVER", "ODBC Driver 17 for SQL Server")
+
+# Build connection string
+is_local = (
+    DB_SERVER.lower().startswith("localhost")
+    or DB_SERVER.startswith(".")
+    or DB_SERVER.lower().startswith("(localdb)")
+    or "\\" in DB_SERVER
+)
+
+if is_local:
+    # Windows local / LocalDB using modern ODBC driver
+    CONN_STR = (
+        f"DRIVER={{{DB_DRIVER}}};"
+        f"SERVER={DB_SERVER};"
+        f"DATABASE={DB_DATABASE};"
+        "Trusted_Connection=yes;"
+        "TrustServerCertificate=yes;"
+    )
+else:
+    # Remote SQL auth
+    CONN_STR = (
+        f"DRIVER={{{DB_DRIVER}}};"
+        f"SERVER={DB_SERVER};DATABASE={DB_DATABASE};"
+        f"UID={os.getenv('DB_USER')};PWD={os.getenv('DB_PASSWORD')};"
+        "Encrypt=yes;TrustServerCertificate=yes;"
+    )
+
+# Database initialization tracking
+_db_init_done = False
+_db_init_lock = Lock()
+
+
+def get_db_connection():
+    """
+    Create a database connection with short timeout
+    
+    Raises:
+        RuntimeError: If DB credentials are missing for remote connections
+        pyodbc.Error: If connection fails
+    """
+    if "Trusted_Connection=yes" not in CONN_STR:
+        if not os.getenv("DB_USER") or not os.getenv("DB_PASSWORD"):
+            raise RuntimeError("DB_USER/DB_PASSWORD are not set in the environment.")
+    return pyodbc.connect(CONN_STR, timeout=5)
+
+
+def init_db():
+    """
+    Create database tables if they do not exist
+    
+    Creates:
+    - Users table for authentication
+    - BlacklistedTokens table for token management  
+    - RefreshTokens table for refresh token storage
+    """
+    conn = get_db_connection()
+    cur = conn.cursor()
+    
+    # Get table definitions
+    tables = get_table_definitions()
+    
+    # Create each table
+    for table_name, sql in tables.items():
+        cur.execute(sql)
+    
+    conn.commit()
+    conn.close()
+
+
+def ensure_database_initialized():
+    """
+    Ensure database is initialized (thread-safe)
+    
+    Call this from Flask app startup to initialize database once.
+    Controlled by RUN_INIT_DB environment variable.
+    """
+    global _db_init_done
+    should_init = os.getenv("RUN_INIT_DB", "0") == "1"
+    
+    if should_init and not _db_init_done:
+        with _db_init_lock:
+            if not _db_init_done:
+                try:
+                    init_db()
+                    print("? Database initialized successfully")
+                    return True
+                except Exception as e:
+                    print(f"? Database initialization failed: {e}")
+                    raise
+                finally:
+                    _db_init_done = True
+    
+    return _db_init_done
+
+
+def get_database_info():
+    """
+    Get database diagnostic information (admin only)
+    
+    Returns safe diagnostic information without exposing credentials.
+    """
+    info = {}
+    
+    # Get available drivers
+    try:
+        info["drivers_found"] = pyodbc.drivers()
+    except Exception as e:
+        info["drivers_found_error"] = str(e)
+
+    # Safe database information
+    info["database_name"] = DB_DATABASE
+    info["server_type"] = "LocalDB" if is_local else "Remote"
+    
+    # Test connection
+    try:
+        conn = get_db_connection()
+        conn.close()
+        info["connection_status"] = "ok"
+    except Exception as e:
+        info["connection_status"] = "error"
+        info["error_type"] = type(e).__name__
+    
+    return info
+
+
+def test_database_connection():
+    """
+    Test database connection and return status
+    
+    Returns:
+        tuple: (success: bool, message: str)
+    """
+    try:
+        conn = get_db_connection()
+        
+        # Test basic query
+        cur = conn.cursor()
+        cur.execute("SELECT 1")
+        result = cur.fetchone()
+        
+        conn.close()
+        
+        if result and result[0] == 1:
+            return True, "Database connection successful"
+        else:
+            return False, "Database query failed"
+            
+    except Exception as e:
+        return False, f"Database connection failed: {str(e)}"

auth/models.py

@@ -0,0 +1,177 @@
+"""
+Database models and schemas for authentication system
+
+Contains:
+- User model with role-based access
+- Token blacklist model
+- Refresh token model  
+- Database table definitions
+"""
+
+import pyodbc
+from typing import Optional, Dict, Any
+
+
+class User:
+    """User model for authentication and authorization"""
+    
+    def __init__(self, username: str, password_hash: str, role: str = 'user', user_id: int = None):
+        self.id = user_id
+        self.username = username
+        self.password_hash = password_hash
+        self.role = role
+    
+    @staticmethod
+    def find_by_username(conn: pyodbc.Connection, username: str) -> Optional['User']:
+        """Find user by username"""
+        cur = conn.cursor()
+        cur.execute("SELECT id, username, password_hash, role FROM Users WHERE username = ?", (username,))
+        row = cur.fetchone()
+        if row:
+            return User(
+                user_id=row[0],
+                username=row[1], 
+                password_hash=row[2],
+                role=row[3]
+            )
+        return None
+    
+    @staticmethod
+    def create_user(conn: pyodbc.Connection, username: str, password_hash: str, role: str = 'user') -> bool:
+        """Create a new user"""
+        try:
+            cur = conn.cursor()
+            cur.execute(
+                "INSERT INTO Users (username, password_hash, role) VALUES (?, ?, ?)",
+                (username, password_hash, role)
+            )
+            conn.commit()
+            return True
+        except pyodbc.IntegrityError:
+            return False
+    
+    @staticmethod
+    def get_all_users(conn: pyodbc.Connection) -> list:
+        """Get all users (admin only)"""
+        cur = conn.cursor()
+        cur.execute("SELECT id, username, role FROM Users ORDER BY id")
+        users = []
+        for row in cur.fetchall():
+            users.append({
+                "id": row[0],
+                "username": row[1], 
+                "role": row[2]
+            })
+        return users
+    
+    @staticmethod
+    def promote_to_admin(conn: pyodbc.Connection, username: str) -> bool:
+        """Promote user to admin role"""
+        cur = conn.cursor()
+        cur.execute("UPDATE Users SET role = 'admin' WHERE username = ?", (username,))
+        conn.commit()
+        return cur.rowcount > 0
+    
+    @staticmethod
+    def user_count(conn: pyodbc.Connection) -> int:
+        """Get total user count"""
+        cur = conn.cursor()
+        cur.execute("SELECT COUNT(*) FROM Users")
+        return cur.fetchone()[0]
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert user to dictionary (safe for JSON)"""
+        return {
+            "id": self.id,
+            "username": self.username,
+            "role": self.role
+            # Note: Never include password_hash in dict
+        }
+
+
+class BlacklistedToken:
+    """Model for blacklisted JWT tokens"""
+    
+    @staticmethod
+    def is_blacklisted(conn: pyodbc.Connection, token: str) -> bool:
+        """Check if token is blacklisted"""
+        cur = conn.cursor()
+        cur.execute("SELECT token FROM BlacklistedTokens WHERE token = ?", (token,))
+        return cur.fetchone() is not None
+    
+    @staticmethod 
+    def add_to_blacklist(conn: pyodbc.Connection, token: str) -> bool:
+        """Add token to blacklist"""
+        cur = conn.cursor()
+        # Check if already blacklisted
+        cur.execute("SELECT token FROM BlacklistedTokens WHERE token = ?", (token,))
+        if cur.fetchone():
+            return True  # Already blacklisted
+        
+        cur.execute("INSERT INTO BlacklistedTokens (token) VALUES (?)", (token,))
+        conn.commit()
+        return True
+
+
+class RefreshToken:
+    """Model for refresh token management"""
+    
+    @staticmethod
+    def find_by_token(conn: pyodbc.Connection, token: str) -> Optional[str]:
+        """Find username by refresh token"""
+        cur = conn.cursor()
+        cur.execute("SELECT username FROM RefreshTokens WHERE token = ?", (token,))
+        row = cur.fetchone()
+        return row[0] if row else None
+    
+    @staticmethod
+    def create_token(conn: pyodbc.Connection, username: str, token: str) -> bool:
+        """Store refresh token"""
+        cur = conn.cursor()
+        cur.execute("INSERT INTO RefreshTokens (username, token) VALUES (?, ?)", (username, token))
+        conn.commit()
+        return True
+    
+    @staticmethod
+    def delete_user_tokens(conn: pyodbc.Connection, username: str) -> bool:
+        """Delete all refresh tokens for user"""
+        cur = conn.cursor()
+        cur.execute("DELETE FROM RefreshTokens WHERE username = ?", (username,))
+        conn.commit()
+        return True
+
+
+# Database table creation SQL
+def get_table_definitions():
+    """Get SQL statements for creating authentication tables"""
+    return {
+        'users': """
+            IF OBJECT_ID('Users', 'U') IS NULL
+            CREATE TABLE Users (
+                id INT IDENTITY(1,1) PRIMARY KEY,
+                username NVARCHAR(100) UNIQUE NOT NULL,
+                password_hash NVARCHAR(500) NOT NULL,
+                role NVARCHAR(50) DEFAULT 'user'
+            )
+        """,
+        
+        'blacklisted_tokens': """
+            IF OBJECT_ID('BlacklistedTokens', 'U') IS NULL
+            CREATE TABLE BlacklistedTokens (
+                id INT IDENTITY(1,1) PRIMARY KEY,
+                token NVARCHAR(1000) UNIQUE NOT NULL,
+                created_at DATETIME DEFAULT GETDATE()
+            )
+        """,
+        
+        'refresh_tokens': """
+            IF OBJECT_ID('RefreshTokens', 'U') IS NULL
+            CREATE TABLE RefreshTokens (
+                id INT IDENTITY(1,1) PRIMARY KEY,
+                username NVARCHAR(100) NOT NULL,
+                token NVARCHAR(1000) UNIQUE NOT NULL,
+                created_at DATETIME DEFAULT GETDATE(),
+                FOREIGN KEY (username) REFERENCES Users(username) ON DELETE CASCADE
+            )
+        """
+    }

auth/routes.py

@@ -0,0 +1,346 @@
+"""
+Authentication routes and endpoints
+
+Contains all authentication-related Flask routes:
+- User registration and login
+- Token refresh and logout  
+- Admin user management
+- Database diagnostics
+"""
+
+import os
+import datetime
+import bcrypt
+import jwt
+import pyodbc
+from flask import Blueprint, request, jsonify, make_response, current_app
+
+from .database import get_db_connection
+from .models import User, BlacklistedToken, RefreshToken
+from .utils import (
+    token_required, 
+    anonymize_username, 
+    add_cookie, 
+    validate_user_input,
+    is_admin_user,
+    log_security_event
+)
+
+# Create authentication blueprint
+auth_bp = Blueprint('auth', __name__)
+
+
+@auth_bp.route("/dashboard")
+@token_required
+def dashboard(username):
+    """Protected dashboard endpoint"""
+    return jsonify({"message": f"Welcome {username} to your dashboard!"})
+
+
+@auth_bp.route("/login", methods=["POST"])
+def login():
+    """User login endpoint"""
+    data = request.json or {}
+    username = data.get('username', '').strip()
+    password = data.get('password', '')
+
+    # Input validation
+    is_valid, error_msg = validate_user_input(username, password)
+    if not is_valid:
+        return jsonify({"message": error_msg}), 400
+    
+    # Normalize username to prevent case sensitivity issues
+    username = username.lower()
+
+    try:
+        conn = get_db_connection()
+        user = User.find_by_username(conn, username)
+        conn.close()
+    except Exception as e:
+        current_app.logger.exception("DB access error on login: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+    if not user:
+        log_security_event("failed_login", username, request.remote_addr, "user_not_found")
+        return jsonify({"message": "Invalid credentials"}), 401
+
+    if not bcrypt.checkpw(password.encode('utf-8'), user.password_hash.encode('utf-8')):
+        log_security_event("failed_login", username, request.remote_addr, "wrong_password")
+        return jsonify({"message": "Invalid credentials"}), 401
+
+    # Successful login
+    log_security_event("successful_login", username, request.remote_addr)
+
+    # Generate tokens
+    access_token = jwt.encode(
+        {'username': username, 'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=15)},
+        current_app.config['SECRET_KEY'],
+        algorithm="HS256"
+    )
+    refresh_token = jwt.encode(
+        {'username': username, 'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=7)},
+        current_app.config['SECRET_KEY'],
+        algorithm="HS256"
+    )
+
+    # Store refresh token
+    try:
+        conn = get_db_connection()
+        RefreshToken.create_token(conn, username, refresh_token)
+        conn.close()
+    except Exception as e:
+        current_app.logger.exception("DB write error on login: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+    resp = make_response(jsonify({"message": "Login successful"}))
+    add_cookie(resp, 'access_token', access_token, 900)                 # 15 min
+    add_cookie(resp, 'refresh_token', refresh_token, 7*24*60*60)       # 7 days
+    return resp
+
+
+@auth_bp.route("/refresh", methods=["POST"])
+def refresh():
+    """Token refresh endpoint"""
+    refresh_token = request.cookies.get("refresh_token")
+    if not refresh_token:
+        return jsonify({'message': 'Refresh token is missing'}), 400
+
+    try:
+        payload = jwt.decode(refresh_token, current_app.config['SECRET_KEY'], algorithms=["HS256"])
+    except jwt.ExpiredSignatureError:
+        return jsonify({'message': 'Refresh token has expired'}), 401
+    except jwt.InvalidTokenError:
+        return jsonify({'message': 'Invalid refresh token'}), 401
+
+    try:
+        conn = get_db_connection()
+        username = RefreshToken.find_by_token(conn, refresh_token)
+        conn.close()
+    except Exception as e:
+        current_app.logger.exception("DB access error on refresh: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+    if not username:
+        return jsonify({'message': 'Invalid refresh token'}), 401
+
+    # Generate new access token
+    new_access = jwt.encode(
+        {'username': username, 'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=15)},
+        current_app.config['SECRET_KEY'],
+        algorithm="HS256"
+    )
+
+    resp = make_response(jsonify({'access_token': new_access}))
+    add_cookie(resp, 'access_token', new_access, 900)
+    return resp
+
+
+@auth_bp.route("/logout", methods=["POST"])
+@token_required
+def logout(username):
+    """User logout endpoint"""
+    token = request.cookies.get('access_token')
+    if not token:
+        return jsonify({"message": "Invalid token format"}), 401
+
+    try:
+        conn = get_db_connection()
+        
+        # Add to blacklist
+        BlacklistedToken.add_to_blacklist(conn, token)
+        
+        # Delete refresh tokens
+        RefreshToken.delete_user_tokens(conn, username)
+        
+        conn.close()
+        
+        log_security_event("logout", username, request.remote_addr)
+        
+    except Exception as e:
+        current_app.logger.exception("DB write error on logout: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+    resp = make_response(jsonify({"message": "Logged out successfully!"}))
+    resp.delete_cookie('access_token', path='/')
+    resp.delete_cookie('refresh_token', path='/')
+    return resp
+
+
+@auth_bp.route("/check-auth", methods=["GET"])
+@token_required
+def check_auth(username):
+    """Check authentication status"""
+    return jsonify({"message": "Authenticated", "username": username}), 200
+
+
+@auth_bp.route("/signup", methods=["POST"])
+def signup():
+    """User registration endpoint"""
+    data = request.json or {}
+    username = data.get('username', '').strip()
+    password = data.get('password', '')
+    
+    # Input validation
+    is_valid, error_msg = validate_user_input(username, password)
+    if not is_valid:
+        return jsonify({"message": error_msg}), 400
+    
+    # Normalize username (prevent duplicates like "Admin" and "admin")
+    username = username.lower()
+    
+    try:
+        conn = get_db_connection()
+        
+        # Check if username already exists
+        if User.find_by_username(conn, username):
+            conn.close()
+            return jsonify({"message": "Username already exists"}), 409
+        
+        # Hash password
+        password_hash = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
+        
+        # Create new user
+        if User.create_user(conn, username, password_hash.decode('utf-8')):
+            conn.close()
+            log_security_event("user_registered", username, request.remote_addr)
+            return jsonify({"message": "User registered successfully"}), 201
+        else:
+            conn.close()
+            return jsonify({"message": "Username already exists"}), 409
+        
+    except Exception as e:
+        current_app.logger.exception("DB error on signup: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+
+@auth_bp.route("/admin/promote-user", methods=["POST"])
+@token_required
+def promote_user(username):
+    """Promote a user to admin role - ADMIN ONLY"""
+    try:
+        conn = get_db_connection()
+        
+        # Check if current user is admin
+        if not is_admin_user(conn, username):
+            conn.close()
+            log_security_event("unauthorized_access", username, request.remote_addr, "promote-user")
+            return jsonify({"message": "Unauthorized - Admin access required"}), 403
+        
+        # Get target username from request
+        data = request.json or {}
+        target_user = data.get('username', '').strip().lower()
+        
+        if not target_user:
+            conn.close()
+            return jsonify({"message": "Username is required"}), 400
+        
+        # Check if target user exists
+        target_user_obj = User.find_by_username(conn, target_user)
+        if not target_user_obj:
+            conn.close()
+            return jsonify({"message": "User not found"}), 404
+        
+        if target_user_obj.role == 'admin':
+            conn.close()
+            return jsonify({"message": "User is already an admin"}), 400
+        
+        # Promote user to admin
+        if User.promote_to_admin(conn, target_user):
+            conn.close()
+            log_security_event("user_promoted", username, request.remote_addr, f"promoted {target_user}")
+            return jsonify({"message": f"User {target_user} promoted to admin successfully"}), 200
+        else:
+            conn.close()
+            return jsonify({"message": "Failed to promote user"}), 500
+        
+    except Exception as e:
+        current_app.logger.exception("DB error in promote-user: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+
+@auth_bp.route("/admin/users", methods=["GET"])
+@token_required
+def list_users(username):
+    """List all users - ADMIN ONLY"""
+    try:
+        conn = get_db_connection()
+        
+        # Check if current user is admin
+        if not is_admin_user(conn, username):
+            conn.close()
+            log_security_event("unauthorized_access", username, request.remote_addr, "list-users")
+            return jsonify({"message": "Unauthorized - Admin access required"}), 403
+        
+        # Get all users
+        users = User.get_all_users(conn)
+        conn.close()
+        
+        log_security_event("admin_action", username, request.remote_addr, "viewed_user_list")
+        return jsonify({"users": users, "total": len(users)}), 200
+        
+    except Exception as e:
+        current_app.logger.exception("DB error in list-users: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+
+@auth_bp.route("/admin/create-first-admin", methods=["POST"])
+def create_first_admin():
+    """Create the first admin user - ONLY if no users exist"""
+    try:
+        conn = get_db_connection()
+        
+        # Check if any users exist
+        if User.user_count(conn) > 0:
+            conn.close()
+            return jsonify({"message": "Users already exist. Cannot create first admin."}), 409
+        
+        # Create first admin user
+        username = "admin"
+        password = "admin123"  # Should be changed immediately
+        
+        # Hash password
+        password_hash = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
+        
+        # Create admin user
+        if User.create_user(conn, username, password_hash.decode('utf-8'), 'admin'):
+            conn.close()
+            log_security_event("first_admin_created", "system", request.remote_addr)
+            return jsonify({
+                "message": "First admin user created successfully",
+                "username": "admin",
+                "password": "admin123",
+                "warning": "CHANGE THE PASSWORD IMMEDIATELY!"
+            }), 201
+        else:
+            conn.close()
+            return jsonify({"message": "Failed to create admin user"}), 500
+        
+    except Exception as e:
+        current_app.logger.exception("DB error creating first admin: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+
+@auth_bp.route("/db/diag", methods=["GET"])
+@token_required
+def db_diag(username):
+    """Database diagnostics - ADMIN ONLY"""
+    try:
+        conn = get_db_connection()
+        
+        # Security: Only allow admin users to access diagnostic information
+        if not is_admin_user(conn, username):
+            conn.close()
+            log_security_event("unauthorized_access", username, request.remote_addr, "db-diag")
+            return jsonify({"message": "Unauthorized - Admin access required"}), 403
+        
+        conn.close()
+    except Exception as e:
+        current_app.logger.exception("DB access error in db_diag: %s", e)
+        return jsonify({"message": "Database is unavailable"}), 503
+
+    # Proceed with diagnostics for admin users only
+    from .database import get_database_info
+    info = get_database_info()
+    
+    log_security_event("admin_action", username, request.remote_addr, "accessed_db_diagnostics")
+    return jsonify(info), 200

auth/utils.py

@@ -0,0 +1,156 @@
+"""
+Authentication utilities and security functions
+
+Contains:
+- JWT token validation decorator
+- Security helpers
+- Username anonymization for logging
+- Cookie management utilities
+"""
+
+import os
+import jwt
+import hashlib
+from functools import wraps
+from flask import request, jsonify, current_app, make_response
+from .database import get_db_connection
+from .models import BlacklistedToken
+
+
+def anonymize_username(username):
+    """Create anonymous hash for logging while preserving uniqueness"""
+    if not username:
+        return "anonymous"
+    return hashlib.sha256(f"user_{username}_salt".encode()).hexdigest()[:12]
+
+
+def token_required(f):
+    """
+    JWT token validation decorator
+    
+    Validates access token from cookies and checks blacklist.
+    Returns username to the decorated function.
+    """
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        token = request.cookies.get('access_token')
+        if not token:
+            return jsonify({"message": "Token is missing"}), 401
+
+        try:
+            # Check blacklist
+            conn = get_db_connection()
+            if BlacklistedToken.is_blacklisted(conn, token):
+                conn.close()
+                return jsonify({"message": "Token has been revoked. Please log in again."}), 401
+            conn.close()
+
+            # Decode and validate token
+            data = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=["HS256"])
+            return f(data['username'], *args, **kwargs)
+
+        except jwt.ExpiredSignatureError:
+            return jsonify({"message": "Token has expired"}), 401
+        except jwt.InvalidTokenError:
+            return jsonify({"message": "Invalid token"}), 401
+        except Exception as e:
+            current_app.logger.exception("Auth error: %s", e)
+            return jsonify({"message": "Server error"}), 500
+    return decorated
+
+
+def extract_username_from_request(req) -> str | None:
+    """
+    Extract username from various sources in request
+    
+    Checks in order:
+    1. X-User header
+    2. Request body JSON
+    3. JWT cookie
+    """
+    # 1) Header
+    hdr = req.headers.get("X-User")
+    if hdr:
+        return hdr
+
+    # 2) Body
+    data = req.get_json(silent=True) or {}
+    if data.get("username"):
+        return data.get("username")
+
+    # 3) JWT cookie
+    token = req.cookies.get("access_token")
+    if token:
+        try:
+            payload = jwt.decode(token, current_app.config["SECRET_KEY"], algorithms=["HS256"])
+            return payload.get("username")
+        except jwt.ExpiredSignatureError:
+            return None
+        except jwt.InvalidTokenError:
+            return None
+
+    return None
+
+
+def add_cookie(resp, name: str, value: str, max_age: int):
+    """
+    Add secure cookie to response
+    
+    In prod: Secure + SameSite=None + Partitioned (works with third-party cookie protections).
+    In dev: SameSite=Lax, not Secure.
+    """
+    IS_PROD = os.getenv("ENV", "dev").lower() == "prod"
+    
+    if IS_PROD:
+        resp.headers.add(
+            "Set-Cookie",
+            f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=None; Partitioned"
+        )
+    else:
+        resp.set_cookie(name, value, httponly=True, secure=False, samesite="Lax", max_age=max_age, path="/")
+
+
+def validate_user_input(username: str, password: str) -> tuple[bool, str]:
+    """
+    Validate user input for signup/login
+    
+    Returns: (is_valid, error_message)
+    """
+    if not username or not password:
+        return False, "Username and password are required"
+    
+    if len(username) < 3 or len(username) > 50:
+        return False, "Username must be 3-50 characters"
+    
+    if len(password) < 8:
+        return False, "Password must be at least 8 characters"
+    
+    # Additional validation can be added here
+    # - Special character requirements
+    # - Username format validation
+    # - Password complexity checks
+    
+    return True, ""
+
+
+def is_admin_user(conn, username: str) -> bool:
+    """Check if user has admin role"""
+    from .models import User
+    user = User.find_by_username(conn, username)
+    return user is not None and user.role == 'admin'
+
+
+def log_security_event(event_type: str, username: str, ip_address: str, details: str = ""):
+    """
+    Log security events with anonymized usernames
+    
+    Args:
+        event_type: Type of security event (login, logout, failed_login, etc.)
+        username: Username (will be anonymized)
+        ip_address: Request IP address
+        details: Additional details about the event
+    """
+    user_hash = anonymize_username(username)
+    current_app.logger.info(
+        f"Security Event [{event_type}]: user_hash={user_hash}, ip={ip_address}, details={details}"
+    )

chroma_db/cc71e05b-734e-41ed-99a2-95d0f26626eb/data_level0.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d3c9fd302f000d7790aa403c2d0d8fec363fe46f30b07d53020b6e33b22435a9
+size 1676000

chroma_db/cc71e05b-734e-41ed-99a2-95d0f26626eb/header.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e87a1dc8bcae6f2c4bea6d5dd5005454d4dace8637dae29bff3c037ea771411e
+size 100

chroma_db/cc71e05b-734e-41ed-99a2-95d0f26626eb/length.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc19b1997119425765295aeab72d76faa6927d4f83985d328c26f20468d6cc76
+size 4000

requirements.txt

@@ -43,7 +43,7 @@ pytesseract==0.3.10
 Pillow==10.4.0
 
 # Misc
-pysqlite3-binary==0.5.3.post1
+
 tiktoken==0.11.0
 torchcodec
 phonemizer

sign-up.service.ts

@@ -0,0 +1,17 @@
+import { Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';  // Import HttpClient for API calls
+import { Observable } from 'rxjs';  // Import Observable for async handling
+
+@Injectable({ providedIn: 'root' })
+export class SignUpService {
+  private apiUrl = location.hostname.endsWith('hf.space')
+    ? 'https://majemaai-mj-learn-backend.hf.space'
+    : 'http://localhost:5000';
+
+  constructor(private http: HttpClient) { }
+
+  // ? Updated to use /auth/signup endpoint
+  signUp(payload: any): Observable<any> {
+    return this.http.post(`${this.apiUrl}/auth/signup`, payload);
+  }
+}

src/app/auth/auth.service.ts

@@ -0,0 +1,145 @@
+import { Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';
+import { BehaviorSubject, Observable, of, throwError } from 'rxjs';
+import { catchError, tap } from 'rxjs/operators';
+import { Router } from '@angular/router';
+
+@Injectable({
+  providedIn: 'root'
+})
+export class AuthService {
+  private apiUrl = location.hostname.endsWith('hf.space')
+    ? 'https://majemaai-mj-learn-backend.hf.space'
+    : 'http://localhost:5000';
+
+  private loggedInSubject = new BehaviorSubject<boolean>(false);
+  public loggedIn$ = this.loggedInSubject.asObservable();
+  private refreshInterval: any;
+
+  constructor(private http: HttpClient, private router: Router) { }
+
+  // ? Updated to use /auth/login endpoint
+  login(username: string, password: string): Observable<any> {
+    return this.http.post(`${this.apiUrl}/auth/login`, { username, password }, { withCredentials: true });
+  }
+
+  setLoggedIn(status: boolean): void {
+    this.loggedInSubject.next(status);
+  }
+
+  isLoggedIn(): boolean {
+    return this.loggedInSubject.value;
+  }
+
+  // ? Updated to use /auth/refresh endpoint
+  startAutoRefresh(): void {
+    this.clearAutoRefresh(); // Clear any existing interval
+
+    this.refreshInterval = setInterval(() => {
+      console.log("?? Auto-refreshing token...");
+      this.http.post(`${this.apiUrl}/auth/refresh`, {}, { withCredentials: true }).subscribe(
+        response => {
+          console.log('? Auto-refresh successful');
+        },
+        error => {
+          console.error('? Auto-refresh failed:', error);
+          // Clear tokens manually (if needed)
+          this.clearTokens();
+
+          // Redirect to login
+          this.router.navigate(['/auth']);
+        }
+      );
+    }, 14 * 60 * 1000); // Every 14 minutes
+  }
+
+  clearAutoRefresh(): void {
+    if (this.refreshInterval) {
+      clearInterval(this.refreshInterval);
+      this.refreshInterval = null;
+    }
+  }
+
+  // ? Updated to use /auth/logout endpoint
+  logout(): Observable<any> {
+    console.log("?? Sending logout request with credentials");
+
+    return this.http.post(`${this.apiUrl}/auth/logout`, {}, { withCredentials: true }).pipe(
+      tap(response => {
+        console.log('?? Response from backend:', response);
+        this.clearTokens();
+        this.clearAutoRefresh();  // ? Stop auto-refresh
+        this.setLoggedIn(false);  // ? Reflect logout in UI
+      }),
+      catchError(error => {
+        console.error('? Error from backend:', error);
+        // Still ensure local state reflects logout
+        this.clearTokens();
+        this.clearAutoRefresh();
+        this.setLoggedIn(false);
+        return throwError(() => error);
+      })
+    );
+  }
+
+  clearTokens(): void {
+    document.cookie = 'access_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
+    document.cookie = 'refresh_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
+    this.clearAutoRefresh();  // ?
+  }
+
+  // ? Get access token (using cookies)
+  getAccessToken(): string | null {
+    const cookies = document.cookie.split('; ');
+    for (let cookie of cookies) {
+      if (cookie.startsWith('access_token=')) {
+        return cookie.split('=')[1];
+      }
+    }
+    return null;
+  }
+
+  // ? Save tokens (Not necessary, as tokens are managed via cookies)
+  saveTokens(accessToken: string, refreshToken: string): void {
+    // No need for this if you're using cookies, but if you want to persist in localStorage, use:
+    localStorage.setItem('access_token', accessToken);
+    localStorage.setItem('refresh_token', refreshToken);
+  }
+
+  // ? Updated to use /auth/check-auth endpoint
+  checkSession(): Observable<boolean> {
+    return this.http.get(`${this.apiUrl}/auth/check-auth`, { withCredentials: true }).pipe(
+      tap((res: any) => {
+        console.log('? Session valid:', res);
+        this.setLoggedIn(true);
+        this.startAutoRefresh();
+        return true; // ? Important!
+      }),
+      catchError((err) => {
+        if (err.status === 401) {
+          // Access token may be expired. Try refresh
+          console.warn('?? Access token expired. Trying to refresh...');
+
+          // ? Updated to use /auth/refresh endpoint
+          return this.http.post(`${this.apiUrl}/auth/refresh`, {}, { withCredentials: true }).pipe(
+            tap((refreshRes: any) => {
+              console.log("? Token refreshed during checkSession.");
+              //alert("? Token refreshed during checkSession.");
+              this.setLoggedIn(true);
+              this.startAutoRefresh();
+            }),
+            catchError((refreshErr) => {
+              console.error("? Refresh token failed during checkSession.", refreshErr);
+              this.setLoggedIn(false);
+              return of(false);
+            })
+          );
+        } else {
+          console.error("? Unknown error during checkSession", err);
+          this.setLoggedIn(false);
+          return of(false);
+        }
+      })
+    );
+  }
+}

src/app/sign-up/sign-up.service.ts

@@ -0,0 +1,17 @@
+import { Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';  // Import HttpClient for API calls
+import { Observable } from 'rxjs';  // Import Observable for async handling
+
+@Injectable({ providedIn: 'root' })
+export class SignUpService {
+  private apiUrl = location.hostname.endsWith('hf.space')
+    ? 'https://majemaai-mj-learn-backend.hf.space'
+    : 'http://localhost:5000';
+
+  constructor(private http: HttpClient) { }
+
+  // ? Updated to use /auth/signup endpoint
+  signUp(payload: any): Observable<any> {
+    return this.http.post(`${this.apiUrl}/auth/signup`, payload);
+  }
+}

verification.py

@@ -1,749 +1,169 @@
-# --- load .env FIRST ---
+"""
+MJ Learn Backend - Main Flask Application
+
+A clean, professional Flask application with modular authentication.
+
+Main Features:
+- JWT-based authentication system
+- Role-based access control (admin/user)
+- Secure token management with blacklisting
+- CORS configuration for cross-origin requests
+- Modular blueprint architecture
+- Environment-based configuration
+"""
+
 import os
 from dotenv import load_dotenv
-import requests
-import hashlib  # Added for secure logging
-from werkzeug.utils import secure_filename
-BASEDIR = os.path.abspath(os.path.dirname(__file__))
-load_dotenv(os.path.join(BASEDIR, ".env"))  # loads DB_USER, DB_PASSWORD, RUN_INIT_DB
-import socket
 import logging
-from threading import Lock
-from functools import wraps
-import datetime
-import bcrypt
-import jwt
-import pyodbc
-from flask import Flask, request, jsonify, make_response, current_app
+from flask import Flask, request
 from flask_cors import CORS
 
-# ------------------------------------------------------------------------------
-# Security Helper Functions
-# ------------------------------------------------------------------------------
-def anonymize_username(username):
-    """Create anonymous hash for logging while preserving uniqueness"""
-    if not username:
-        return "anonymous"
-    return hashlib.sha256(f"user_{username}_salt".encode()).hexdigest()[:12]
-
-# ------------------------------------------------------------------------------
-# App, ENV, CORS
-# ------------------------------------------------------------------------------
-app = Flask(__name__)
-
-# FIXED: Move SECRET_KEY to environment variable
-app.config['SECRET_KEY'] = os.getenv('SECRET_KEY')
-if not app.config['SECRET_KEY']:
-    raise RuntimeError("SECRET_KEY must be set in environment variables!")
-
-IS_PROD = os.getenv("ENV", "dev").lower() == "prod"
-_origins = os.getenv("ALLOWED_ORIGINS", "http://localhost:4200")
-ALLOWED_ORIGINS = [o.strip() for o in _origins.split(",") if o.strip()]
-# CORS(app, supports_credentials=True, origins=ALLOWED_ORIGINS)
-# Allow both localhost forms by default if env not set
-_default_origins = "http://localhost:4200,http://127.0.0.1:4200"
-_origins = os.getenv("ALLOWED_ORIGINS", _default_origins)
-ALLOWED_ORIGINS = [o.strip() for o in _origins.split(",") if o.strip()]
-
-CORS(
-    app,
-    resources={r"/*": {"origins": ALLOWED_ORIGINS}},
-    supports_credentials=True,
-    allow_headers=["Content-Type", "Authorization", "X-Requested-With", "X-User"],
-    expose_headers=["Set-Cookie"],
-    methods=["GET", "POST", "OPTIONS"]  # FIXED: Separated "POST, OPTIONS" into individual strings
-)
-
-
-def extract_username_from_request(req) -> str | None:
-    # 1) Header
-    hdr = req.headers.get("X-User")
-    if hdr:
-        return hdr
-
-    # 2) Body
-    data = req.get_json(silent=True) or {}
-    if data.get("username"):
-        return data.get("username")
+# Load environment variables first
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+load_dotenv(os.path.join(BASEDIR, ".env"))
 
-    # 3) JWT cookie from verification.py
-    token = req.cookies.get("access_token")
-    if token:
-        try:
-            payload = jwt.decode(token, current_app.config["SECRET_KEY"], algorithms=["HS256"])
-            return payload.get("username")
-        except jwt.ExpiredSignatureError:
-            return None
-        except jwt.InvalidTokenError:
-            return None
+# Import authentication module
+from auth import auth_bp
+from auth.database import ensure_database_initialized
 
-    return None
 
+def create_app():
+    """Application factory pattern for Flask app creation"""
+    app = Flask(__name__)
     
-@app.after_request
-def add_cors_headers(resp):
-    origin = request.headers.get("Origin")
-    if origin and origin in ALLOWED_ORIGINS:
-        # echo the origin, never '*', when using credentials
-        resp.headers["Access-Control-Allow-Origin"] = origin
-        resp.headers["Vary"] = "Origin"
-        resp.headers["Access-Control-Allow-Credentials"] = "true"
-        resp.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Requested-With, X-User"
-        resp.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
-    return resp
-
-
-@app.before_request
-def handle_options_early():
-    if request.method == "OPTIONS":
-        resp = app.make_default_options_response()
+    # Security configuration
+    app.config['SECRET_KEY'] = os.getenv('SECRET_KEY')
+    if not app.config['SECRET_KEY']:
+        raise RuntimeError("SECRET_KEY must be set in environment variables!")
+    
+    # Environment configuration
+    IS_PROD = os.getenv("ENV", "dev").lower() == "prod"
+    
+    # CORS configuration
+    _default_origins = "http://localhost:4200,http://127.0.0.1:4200"
+    _origins = os.getenv("ALLOWED_ORIGINS", _default_origins)
+    ALLOWED_ORIGINS = [o.strip() for o in _origins.split(",") if o.strip()]
+    
+    CORS(
+        app,
+        resources={r"/*": {"origins": ALLOWED_ORIGINS}},
+        supports_credentials=True,
+        allow_headers=["Content-Type", "Authorization", "X-Requested-With", "X-User"],
+        expose_headers=["Set-Cookie"],
+        methods=["GET", "POST", "OPTIONS"]
+    )
+    
+    # API configuration for blueprints
+    app.config["COHERE_API_KEY"] = os.getenv("COHERE_API_KEY", "")
+    
+    # CORS handlers
+    @app.after_request
+    def add_cors_headers(resp):
         origin = request.headers.get("Origin")
         if origin and origin in ALLOWED_ORIGINS:
             resp.headers["Access-Control-Allow-Origin"] = origin
+            resp.headers["Vary"] = "Origin"
             resp.headers["Access-Control-Allow-Credentials"] = "true"
-        # Mirror browser's requested headers/methods
-        req_headers = request.headers.get("Access-Control-Request-Headers", "Content-Type, Authorization, X-Requested-With, X-User")
-        req_method = request.headers.get("Access-Control-Request-Method", "POST")
-        resp.headers["Access-Control-Allow-Headers"] = req_headers
-        resp.headers["Access-Control-Allow-Methods"] = req_method
+            resp.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Requested-With, X-User"
+            resp.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
         return resp
-        
-
-logging.basicConfig(level=logging.INFO)
-
-# NEW: API keys / shared config for blueprints (read from HF Secrets/ENV)
-app.config["COHERE_API_KEY"] = os.getenv("COHERE_API_KEY", "")
-
-# ------------------------------------------------------------------------------
-# SQL Server configuration
-# ------------------------------------------------------------------------------
-# DB_SERVER = "pykara-sqlserver.cb60o04yk948.ap-south-1.rds.amazonaws.com,1433"
-# DB_DATABASE = "AuthenticationDB1"
-
-DB_SERVER   = os.getenv("DB_SERVER", r"(localdb)\MSSQLLocalDB")
-DB_DATABASE = os.getenv("DB_DATABASE", "AuthenticationDB1")
-DB_DRIVER   = os.getenv("DB_DRIVER", "ODBC Driver 17 for SQL Server")  # 17 in your image
-
-
-# Build connection string (FIXED)
-is_local = (
-    DB_SERVER.lower().startswith("localhost")
-    or DB_SERVER.startswith(".")
-    or DB_SERVER.lower().startswith("(localdb)")
-    or "\\" in DB_SERVER
-)
-
-if is_local:
-    # Windows local / LocalDB using modern ODBC driver
-    CONN_STR = (
-        f"DRIVER={{{DB_DRIVER}}};"
-        f"SERVER={DB_SERVER};"
-        f"DATABASE={DB_DATABASE};"
-        "Trusted_Connection=yes;"
-        "TrustServerCertificate=yes;"
-    )
-else:
-    # Remote SQL auth
-    CONN_STR = (
-        f"DRIVER={{{DB_DRIVER}}};"
-        f"SERVER={DB_SERVER};DATABASE={DB_DATABASE};"
-        f"UID={os.getenv('DB_USER')};PWD={os.getenv('DB_PASSWORD')};"
-        "Encrypt=yes;TrustServerCertificate=yes;"
-    )
-
-
-def get_db_connection():
-    """Create a short-timeout connection. Fail clearly if secrets are missing."""
-    if "Trusted_Connection=yes" not in CONN_STR:
-        if not os.getenv("DB_USER") or not os.getenv("DB_PASSWORD"):
-            raise RuntimeError("DB_USER/DB_PASSWORD are not set in the environment.")
-    return pyodbc.connect(CONN_STR, timeout=5)
-
-# ------------------------------------------------------------------------------
-# Auth utilities
-# ------------------------------------------------------------------------------
-def token_required(f):
-    @wraps(f)
-    def decorated(*args, **kwargs):
-        token = request.cookies.get('access_token')
-        if not token:
-            return jsonify({"message": "Token is missing"}), 401
-
-        try:
-            # Check blacklist
-            conn = get_db_connection()
-            cur = conn.cursor()
-            cur.execute("SELECT token FROM BlacklistedTokens WHERE token = ?", (token,))
-            if cur.fetchone():
-                conn.close()
-                return jsonify({"message": "Token has been revoked. Please log in again."}), 401
-            conn.close()
-
-            data = jwt.decode(token, app.config['SECRET_KEY'], algorithms=["HS256"])
-            return f(data['username'], *args, **kwargs)
-
-        except jwt.ExpiredSignatureError:
-            return jsonify({"message": "Token has expired"}), 401
-        except jwt.InvalidTokenError:
-            return jsonify({"message": "Invalid token"}), 401
-        except Exception as e:
-            app.logger.exception("Auth error: %s", e)
-            return jsonify({"message": "Server error"}), 500
-    return decorated
-
-@app.get("/db/diag")
-@token_required
-def db_diag(username):
-    """Database diagnostics - ADMIN ONLY"""
-    # Security: Only allow admin users to access diagnostic information
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("SELECT role FROM Users WHERE username = ?", (username,))
-        row = cur.fetchone()
-        
-        if not row or row[0] != 'admin':
-            conn.close()
-            user_hash = anonymize_username(username)
-            app.logger.warning(f"Unauthorized db/diag access attempt by user_hash: {user_hash} from IP: {request.remote_addr}")
-            return jsonify({"message": "Unauthorized - Admin access required"}), 403
-        
-        conn.close()
-    except Exception as e:
-        app.logger.exception("DB access error in db_diag: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-    # Proceed with diagnostics for admin users only
-    info = {}
-    try:
-        info["drivers_found"] = pyodbc.drivers()
-    except Exception as e:
-        info["drivers_found_error"] = str(e)
-
-    # Only show minimal, safe information
-    info["database_name"] = DB_DATABASE  # Safe to show database name to admin
-    info["server_type"] = "LocalDB" if is_local else "Remote"  # General info only
-    
-    # Test connection without exposing sensitive details
-    try:
-        conn = get_db_connection()
-        conn.close()
-        info["connection_status"] = "ok"
-    except Exception as e:
-        info["connection_status"] = "error"
-        info["error_type"] = type(e).__name__  # General error type only
-
-    # Security logging (ANONYMIZED)
-    user_hash = anonymize_username(username)
-    app.logger.info(f"Admin user_hash: {user_hash} accessed database diagnostics from IP: {request.remote_addr}")
-    
-    return jsonify(info), 200
-
-def init_db():
-    """Create tables if they do not exist."""
-    conn = get_db_connection()
-    cur = conn.cursor()
-
-    cur.execute("""
-        IF OBJECT_ID('Users', 'U') IS NULL
-        CREATE TABLE Users (
-            id INT IDENTITY(1,1) PRIMARY KEY,
-            username NVARCHAR(100) UNIQUE NOT NULL,
-            password_hash NVARCHAR(500) NOT NULL,
-            role NVARCHAR(50) DEFAULT 'user'
-        )
-    """)
-
-    cur.execute("""
-        IF OBJECT_ID('BlacklistedTokens', 'U') IS NULL
-        CREATE TABLE BlacklistedTokens (
-            id INT IDENTITY(1,1) PRIMARY KEY,
-            token NVARCHAR(1000) UNIQUE NOT NULL,
-            created_at DATETIME DEFAULT GETDATE()
-        )
-    """)
-
-    cur.execute("""
-        IF OBJECT_ID('RefreshTokens', 'U') IS NULL
-        CREATE TABLE RefreshTokens (
-            id INT IDENTITY(1,1) PRIMARY KEY,
-            username NVARCHAR(100) NOT NULL,
-            token NVARCHAR(1000) UNIQUE NOT NULL,
-            created_at DATETIME DEFAULT GETDATE(),
-            FOREIGN KEY (username) REFERENCES Users(username) ON DELETE CASCADE
-        )
-    """)
-
-    conn.commit()
-    conn.close()
-
-# ------------------------------------------------------------------------------
-# One-time DB initialisation (Flask 3.x safe)
-# ------------------------------------------------------------------------------
-_db_init_done = False
-_db_init_lock = Lock()
-_should_init = os.getenv("RUN_INIT_DB", "0") == "1"
-
-@app.before_request
-def maybe_init_db():
-    global _db_init_done
-    if _should_init and not _db_init_done:
-        with _db_init_lock:
-            if not _db_init_done:
-                try:
-                    init_db()
-                    app.logger.info("Database initialised.")
-                except Exception as e:
-                    app.logger.exception("DB init failed: %s", e)
-                finally:
-                    _db_init_done = True
-
-# ------------------------------------------------------------------------------
-# Cookie helpers
-# ------------------------------------------------------------------------------
-def add_cookie(resp, name: str, value: str, max_age: int):
-    """
-    In prod: Secure + SameSite=None + Partitioned (works with third-party cookie protections).
-    In dev:  SameSite=Lax, not Secure.
-    """
-    if IS_PROD:
-        resp.headers.add(
-            "Set-Cookie",
-            f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=None; Partitioned"
-        )
-    else:
-        resp.set_cookie(name, value, httponly=True, secure=False, samesite="Lax", max_age=max_age, path="/")
-
-# ------------------------------------------------------------------------------
-# Health
-# ------------------------------------------------------------------------------
-@app.get("/")
-def health():
-    return {"status": "ok"}, 200
-
-# ------------------------------------------------------------------------------
-# Routes (verification/auth only)
-# ----------------------------------------------------------------------------
-@app.get("/dashboard")
-@token_required
-def dashboard(username):
-    return jsonify({"message": f"Welcome {username} to your dashboard!"})
-
-@app.post("/login")
-def login():
-    data = request.json or {}
-    username = data.get('username', '').strip()
-    password = data.get('password', '')
-
-    # ADDED: Input validation
-    if not username or not password:
-        return jsonify({"message": "Username and password are required"}), 400
     
-    if len(username) < 3 or len(username) > 50:
-        return jsonify({"message": "Invalid username format"}), 400
+    @app.before_request
+    def handle_options_early():
+        if request.method == "OPTIONS":
+            resp = app.make_default_options_response()
+            origin = request.headers.get("Origin")
+            if origin and origin in ALLOWED_ORIGINS:
+                resp.headers["Access-Control-Allow-Origin"] = origin
+                resp.headers["Access-Control-Allow-Credentials"] = "true"
+            # Mirror browser's requested headers/methods
+            req_headers = request.headers.get("Access-Control-Request-Headers", "Content-Type, Authorization, X-Requested-With, X-User")
+            req_method = request.headers.get("Access-Control-Request-Method", "POST")
+            resp.headers["Access-Control-Allow-Headers"] = req_headers
+            resp.headers["Access-Control-Allow-Methods"] = req_method
+            return resp
     
-    # ADDED: Normalize username to prevent case sensitivity issues
-    username = username.lower()
-
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("SELECT password_hash FROM Users WHERE username = ?", (username,))
-        row = cur.fetchone()
-        conn.close()
-    except Exception as e:
-        app.logger.exception("DB access error on login: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-    if not row:
-        # ADDED: Security logging for failed login attempts (ANONYMIZED)
-        user_hash = anonymize_username(username)
-        app.logger.warning(f"Failed login attempt for user_hash: {user_hash} from IP: {request.remote_addr}")
-        return jsonify({"message": "Invalid credentials"}), 401
-
-    stored_hash = row[0]
-    if not bcrypt.checkpw(password.encode('utf-8'), stored_hash.encode('utf-8')):
-        # ADDED: Security logging for wrong password (ANONYMIZED)
-        user_hash = anonymize_username(username)
-        app.logger.warning(f"Failed login (wrong password) for user_hash: {user_hash} from IP: {request.remote_addr}")
-        return jsonify({"message": "Invalid credentials"}), 401
-
-    # ADDED: Security logging for successful login (ANONYMIZED)
-    user_hash = anonymize_username(username)
-    app.logger.info(f"Successful login for user_hash: {user_hash} from IP: {request.remote_addr}")
-
-    access_token = jwt.encode(
-        {'username': username, 'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=15)},
-        app.config['SECRET_KEY'],
-        algorithm="HS256"
-    )
-    refresh_token = jwt.encode(
-        {'username': username, 'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=7)},
-        app.config['SECRET_KEY'],
-        algorithm="HS256"
-    )
-
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("INSERT INTO RefreshTokens (username, token) VALUES (?, ?)", (username, refresh_token))
-        conn.commit()
-        conn.close()
-    except Exception as e:
-        app.logger.exception("DB write error on login: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-    resp = make_response(jsonify({"message": "Login successful"}))
-    add_cookie(resp, 'access_token', access_token, 900)                 # 15 min
-    add_cookie(resp, 'refresh_token', refresh_token, 7*24*60*60)       # 7 days
-    return resp
-
-@app.post("/refresh")
-def refresh():
-    refresh_token = request.cookies.get("refresh_token")
-    if not refresh_token:
-        return jsonify({'message': 'Refresh token is missing'}), 400
-
-    try:
-        payload = jwt.decode(refresh_token, app.config['SECRET_KEY'], algorithms=["HS256"])
-    except jwt.ExpiredSignatureError:
-        return jsonify({'message': 'Refresh token has expired'}), 401
-    except jwt.InvalidTokenError:
-        return jsonify({'message': 'Invalid refresh token'}), 401
-
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("SELECT username FROM RefreshTokens WHERE token = ?", (refresh_token,))
-        row = cur.fetchone()
-        conn.close()
-    except Exception as e:
-        app.logger.exception("DB access error on refresh: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-    if not row:
-        return jsonify({'message': 'Invalid refresh token'}), 401
-
-    username = row[0]
-    # FIXED: Use updated datetime format
-    new_access = jwt.encode(
-        {'username': username, 'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=15)},
-        app.config['SECRET_KEY'],
-        algorithm="HS256"
-    )
-
-    resp = make_response(jsonify({'access_token': new_access}))
-    add_cookie(resp, 'access_token', new_access, 900)
-    return resp
-
-@app.post("/logout")
-@token_required
-def logout(username):  # Use this username from decorator!
-    token = request.cookies.get('access_token')
-    if not token:
-        return jsonify({"message": "Invalid token format"}), 401
-
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        
-        # Add to blacklist
-        cur.execute("SELECT token FROM BlacklistedTokens WHERE token = ?", (token,))
-        if not cur.fetchone():
-            cur.execute("INSERT INTO BlacklistedTokens (token) VALUES (?", (token,))
-        
-        # Delete refresh tokens (use username from decorator)
-        cur.execute("DELETE FROM RefreshTokens WHERE username = ?", (username,))
-        conn.commit()
-        conn.close()
-        
-        # ADDED: Security logging for logout (ANONYMIZED)
-        user_hash = anonymize_username(username)
-        app.logger.info(f"User logged out: user_hash: {user_hash} from IP: {request.remote_addr}")
-        
-    except Exception as e:
-        app.logger.exception("DB write error on logout: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-    resp = make_response(jsonify({"message": "Logged out successfully!"}))
-    resp.delete_cookie('access_token', path='/')
-    resp.delete_cookie('refresh_token', path='/')
-    return resp
-
-@app.get("/check-auth")
-@token_required
-def check_auth(username):
-    return jsonify({"message": "Authenticated", "username": username}), 200
-
-@app.post("/signup")
-def signup():
-    """Register a new user"""
-    data = request.json or {}
-    username = data.get('username', '').strip()
-    password = data.get('password', '')
+    # Initialize database before first request (Flask 3.x compatible)
+    @app.before_request
+    def maybe_initialize_database():
+        if not hasattr(app, '_db_initialized'):
+            try:
+                ensure_database_initialized()
+                app._db_initialized = True
+            except Exception as e:
+                app.logger.exception("Database initialization failed: %s", e)
     
-    # INPUT VALIDATION
-    if not username or not password:
-        return jsonify({"message": "Username and password are required"}), 400
+    # Health check endpoint
+    @app.route("/")
+    def health():
+        return {"status": "ok", "service": "MJ Learn Backend"}, 200
     
-    if len(username) < 3 or len(username) > 50:
-        return jsonify({"message": "Username must be 3-50 characters"}), 400
+    # Register authentication blueprint
+    app.register_blueprint(auth_bp, url_prefix="/auth")
     
-    if len(password) < 8:
-        return jsonify({"message": "Password must be at least 8 characters"}), 400
+    # Register other feature blueprints
+    register_feature_blueprints(app)
     
-    # Normalize username (prevent duplicates like "Admin" and "admin")
-    username = username.lower()
+    return app
+
+
+def register_feature_blueprints(app):
+    """Register feature blueprints with error handling"""
+    blueprints = [
+        ("chat", "movie_bp", "/media"),
+        ("ragg.app", "rag_bp", "/rag"),
+        ("pron", "pron_bp", "/pron"),
+        ("pronvideo", "pronvideo_bp", "/pronvideo"),
+        ("pronragg", "pronragg_bp", "/pronragg"),
+        ("pronragupgrade", "pronragupgrade_bp", "/pronragupgrade"),
+        ("ragg.ingest_trigger", "ingest_trigger_bp", "/rag"),
+    ]
     
-    # Check if username already exists
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("SELECT username FROM Users WHERE username = ?", (username,))
-        if cur.fetchone():
-            conn.close()
-            return jsonify({"message": "Username already exists"}), 409
-        
-        # Hash password
-        password_hash = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
-        
-        # Insert new user
-        cur.execute(
-            "INSERT INTO Users (username, password_hash, role) VALUES (?, ?, ?)",
-            (username, password_hash.decode('utf-8'), 'user')
-        )
-        conn.commit()
-        conn.close()
-        
-        # ADDED: Security logging for new user registration (ANONYMIZED)
-        user_hash = anonymize_username(username)
-        app.logger.info(f"New user registered: user_hash: {user_hash} from IP: {request.remote_addr}")
-        
-        return jsonify({"message": "User registered successfully"}), 201
-        
-    except pyodbc.IntegrityError:
-        return jsonify({"message": "Username already exists"}), 409
-    except Exception as e:
-        app.logger.exception("DB error on signup: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-@app.post("/admin/promote-user")
-@token_required
-def promote_user(username):
-    """Promote a user to admin role - ADMIN ONLY"""
-    # Check if current user is admin
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("SELECT role FROM Users WHERE username = ?", (username,))
-        row = cur.fetchone()
-        
-        if not row or row[0] != 'admin':
-            conn.close()
-            user_hash = anonymize_username(username)
-            app.logger.warning(f"Unauthorized promote-user attempt by user_hash: {user_hash} from IP: {request.remote_addr}")
-            return jsonify({"message": "Unauthorized - Admin access required"}), 403
-        
-        # Get target username from request
-        data = request.json or {}
-        target_user = data.get('username', '').strip().lower()
-        
-        if not target_user:
-            conn.close()
-            return jsonify({"message": "Username is required"}), 400
-        
-        # Check if target user exists
-        cur.execute("SELECT role FROM Users WHERE username = ?", (target_user,))
-        target_row = cur.fetchone()
-        
-        if not target_row:
-            conn.close()
-            return jsonify({"message": "User not found"}), 404
-        
-        if target_row[0] == 'admin':
-            conn.close()
-            return jsonify({"message": "User is already an admin"}), 400
-        
-        # Promote user to admin
-        cur.execute("UPDATE Users SET role = 'admin' WHERE username = ?", (target_user,))
-        conn.commit()
-        conn.close()
-        
-        # Security logging
-        admin_hash = anonymize_username(username)
-        target_hash = anonymize_username(target_user)
-        app.logger.info(f"Admin {admin_hash} promoted user {target_hash} to admin from IP: {request.remote_addr}")
-        
-        return jsonify({"message": f"User {target_user} promoted to admin successfully"}), 200
-        
-    except Exception as e:
-        app.logger.exception("DB error in promote-user: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-@app.get("/admin/users")
-@token_required
-def list_users(username):
-    """List all users - ADMIN ONLY"""
-    # Check if current user is admin
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        cur.execute("SELECT role FROM Users WHERE username = ?", (username,))
-        row = cur.fetchone()
-        
-        if not row or row[0] != 'admin':
-            conn.close()
-            user_hash = anonymize_username(username)
-            app.logger.warning(f"Unauthorized list-users attempt by user_hash: {user_hash} from IP: {request.remote_addr}")
-            return jsonify({"message": "Unauthorized - Admin access required"}), 403
-        
-        # Get all users
-        cur.execute("SELECT id, username, role FROM Users ORDER BY id")
-        users = []
-        for row in cur.fetchall():
-            users.append({
-                "id": row[0],
-                "username": row[1],
-                "role": row[2]
-            })
-        
-        conn.close()
-        
-        # Security logging
-        admin_hash = anonymize_username(username)
-        app.logger.info(f"Admin {admin_hash} viewed user list from IP: {request.remote_addr}")
-        
-        return jsonify({"users": users, "total": len(users)}), 200
-        
-    except Exception as e:
-        app.logger.exception("DB error in list-users: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-
-@app.post("/admin/create-first-admin")
-def create_first_admin():
-    """Create the first admin user - ONLY if no users exist"""
-    try:
-        conn = get_db_connection()
-        cur = conn.cursor()
-        
-        # Check if any users exist
-        cur.execute("SELECT COUNT(*) FROM Users")
-        user_count = cur.fetchone()[0]
-        
-        if user_count > 0:
-            conn.close()
-            return jsonify({"message": "Users already exist. Cannot create first admin."}), 409
-        
-        # Create first admin user
-        username = "admin"
-        password = "admin123"  # Change this!
-        
-        # Hash password
-        password_hash = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
-        
-        # Insert admin user
-        cur.execute(
-            "INSERT INTO Users (username, password_hash, role) VALUES (?, ?, ?)",
-            (username, password_hash.decode('utf-8'), 'admin')
-        )
-        conn.commit()
-        conn.close()
-        
-        # Security logging
-        app.logger.info(f"First admin user created from IP: {request.remote_addr}")
-        
-        return jsonify({
-            "message": "First admin user created successfully",
-            "username": "admin",
-            "password": "admin123",
-            "warning": "CHANGE THE PASSWORD IMMEDIATELY!"
-        }), 201
-        
-    except Exception as e:
-        app.logger.exception("DB error creating first admin: %s", e)
-        return jsonify({"message": "Database is unavailable"}), 503
-# ----------------------------------------------------------------------------
-# Register Blueprint: grammar (and later media) lives in other files
-# ----------------------------------------------------------------------------
-try:
-    from chat import movie_bp
-    app.register_blueprint(movie_bp, url_prefix="/media")
-    print("✅ Registered movie_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import movie_bp: {e}")
-
-try:
-    from ragg.app import rag_bp 
-    app.register_blueprint(rag_bp, url_prefix="/rag")
-    print("✅ Registered rag_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import rag_bp: {e}")
-
-try:
-    from pron import pron_bp
-    app.register_blueprint(pron_bp, url_prefix="/pron")
-    print("✅ Registered pron_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import pron_bp: {e}")
+    for module_name, blueprint_name, url_prefix in blueprints:
+        try:
+            module = __import__(module_name, fromlist=[blueprint_name])
+            blueprint = getattr(module, blueprint_name)
+            app.register_blueprint(blueprint, url_prefix=url_prefix)
+            print(f"? Registered {blueprint_name}")
+        except ImportError as e:
+            print(f"?? Could not import {blueprint_name}: {e}")
+        except AttributeError as e:
+            print(f"?? Blueprint {blueprint_name} not found in {module_name}: {e}")
 
-try:
-    from pronvideo import pronvideo_bp
-    app.register_blueprint(pronvideo_bp, url_prefix="/pronvideo")
-    print("✅ Registered pronvideo_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import pronvideo_bp: {e}")
 
-try:
-    from pronragg import pronragg_bp
-    app.register_blueprint(pronragg_bp, url_prefix="/pronragg")
-    print("✅ Registered pronragg_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import pronragg_bp: {e}")
+# Create Flask app instance
+app = create_app()
 
-try:
-    from pronragupgrade import pronragupgrade_bp
-    app.register_blueprint(pronragupgrade_bp, url_prefix="/pronragupgrade")
-    print("✅ Registered pronragupgrade_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import pronragupgrade_bp: {e}")
+# Configure logging
+logging.basicConfig(level=logging.INFO)
 
-try:
-    from ragg.ingest_trigger import ingest_trigger_bp
-    app.register_blueprint(ingest_trigger_bp, url_prefix="/rag")
-    print("✅ Registered ingest_trigger_bp")
-except ImportError as e:
-    print(f"⚠️ Could not import ingest_trigger_bp: {e}")
 
-# ----------------------------------------------------------------------------
-# Local run (Gunicorn will import `verification:app` on Spaces)
-# ----------------------------------------------------------------------------
 if __name__ == '__main__':
-    print("🚀 Starting Flask Authentication Server...")
-    print(f"✅ SECRET_KEY loaded: {bool(app.config.get('SECRET_KEY'))}")
-    print(f"✅ Database: {DB_DATABASE} on {DB_SERVER}")
-    print(f"✅ CORS Origins: {ALLOWED_ORIGINS}")
-    print("=" * 50)
+    print("?? Starting MJ Learn Backend...")
+    print(f"? SECRET_KEY loaded: {bool(app.config.get('SECRET_KEY'))}")
+    print(f"? Environment: {os.getenv('ENV', 'development')}")
+    print("=" * 60)
     
     port = int(os.getenv("PORT", "5000"))
-    print(f"🌐 Server starting on http://localhost:{port}")
-    print("📍 Available endpoints:")
-    print("   GET  /           - Health check")
-    print("   POST /signup     - User registration")
-    print("   POST /login      - User login")
-    print("   POST /refresh    - Token refresh")
-    print("   POST /logout     - User logout")
-    print("   GET  /dashboard  - Protected endpoint")
-    print("   GET  /check-auth - Auth status check")
-    print("   GET  /db/diag    - Database diagnostics (ADMIN ONLY)")
-    print("   📋 Admin Management:")
-    print("   GET  /admin/users          - List all users (ADMIN ONLY)")
-    print("   POST /admin/promote-user   - Promote user to admin (ADMIN ONLY)")  
-    print("   POST /admin/create-first-admin - Create first admin (if no users exist)")
-    print("=" * 50)
+    print(f"?? Server starting on http://localhost:{port}")
+    print("?? Available endpoints:")
+    print("   GET  /                    - Health check")
+    print("   ?? Authentication:")
+    print("   POST /auth/signup         - User registration")
+    print("   POST /auth/login          - User login")
+    print("   POST /auth/refresh        - Token refresh")
+    print("   POST /auth/logout         - User logout")
+    print("   GET  /auth/dashboard      - Protected endpoint")
+    print("   GET  /auth/check-auth     - Auth status check")
+    print("   GET  /auth/db/diag        - Database diagnostics (ADMIN)")
+    print("   ?? Admin Management:")
+    print("   GET  /auth/admin/users          - List all users (ADMIN)")
+    print("   POST /auth/admin/promote-user   - Promote user to admin (ADMIN)")  
+    print("   POST /auth/admin/create-first-admin - Create first admin")
+    print("=" * 60)
     
     try:
         app.run(host="0.0.0.0", port=port, debug=True)
     except Exception as e:
-        print(f"❌ Failed to start server: {e}")
-        raise
-
+        print(f"? Failed to start server: {e}")
+        raise