feat: update guest user handling to require email verification and adjust status flags

middleware/guestRestriction.js

@@ -22,6 +22,8 @@ const GUEST_ALLOWED_PREFIXES = [
   '/refresh',
   '/coffee/active',
   '/tax/vat-rates',
+  '/send-verification-email',
+  '/verify-email-code',
 ];
 
 function guestRestriction(req, res, next) {
@@ -31,8 +33,10 @@ function guestRestriction(req, res, next) {
   }
 
   const urlPath = req.originalUrl.split('?')[0];
+  // Strip /api prefix if present (routes are mounted at /api but prefixes listed without it)
+  const normalizedPath = urlPath.startsWith('/api/') ? urlPath.slice(4) : urlPath;
 
-  const isAllowed = GUEST_ALLOWED_PREFIXES.some((prefix) => urlPath.startsWith(prefix));
+  const isAllowed = GUEST_ALLOWED_PREFIXES.some((prefix) => normalizedPath.startsWith(prefix));
 
   if (isAllowed) {
     return next();

services/status/UserStatusService.js

@@ -58,23 +58,26 @@ class UserStatusService {
       const status = await repo.getStatusByUserId(userId);
       if (!status) return null;
 
-      // Guest users are always fully onboarded — skip quickaction flow
+      // Guest users: check if email verification is still needed
       if (status.status === 'active') {
-        // Check if this is a guest user
         const conn = unitOfWork.connection;
         const [userRows] = await conn.query('SELECT role FROM users WHERE id = ? LIMIT 1', [userId]);
         if (userRows?.[0]?.role === 'guest') {
-          const allCompleteSteps = [
-            { key: 'email_verified', label: 'Email Verified', completed: true },
+          // For guests, only email_verified matters — other steps are auto-completed
+          const emailVerified = !!status.email_verified;
+          const guestSteps = [
+            { key: 'email_verified', label: 'Email Verified', completed: emailVerified },
             { key: 'profile_completed', label: 'Profile Completed', completed: true },
             { key: 'documents_uploaded', label: 'Documents Uploaded', completed: true },
             { key: 'contract_signed', label: 'Contract Signed', completed: true },
           ];
+          const completedCount = guestSteps.filter(s => s.completed).length;
           return {
             status: 'active',
-            steps: allCompleteSteps,
-            completedSteps: allCompleteSteps.map(s => s.label),
-            progressPercent: 100,
+            isGuest: true,
+            steps: guestSteps,
+            completedSteps: guestSteps.filter(s => s.completed).map(s => s.label),
+            progressPercent: Math.round((completedCount / guestSteps.length) * 100),
           };
         }
       }

services/user/guest/GuestUserService.js

@@ -48,9 +48,10 @@ class GuestUserService {
       // Initialize user status as active (skip full registration flow for guests)
       await UserStatusService.initializeUserStatus(userId, 'personal', unitOfWork, 'active');
 
-      // Mark ALL status flags as completed for guests — they skip the entire quickaction flow
+      // Mark non-email status flags as completed for guests — they skip ID upload, profile, and contract
+      // email_verified stays FALSE so guests must verify their email on first login
       await conn.query(
-        `UPDATE user_status SET email_verified = TRUE, profile_completed = TRUE, documents_uploaded = TRUE, contract_signed = TRUE, registration_completed = TRUE, is_admin_verified = TRUE WHERE user_id = ?`,
+        `UPDATE user_status SET email_verified = FALSE, profile_completed = TRUE, documents_uploaded = TRUE, contract_signed = TRUE, registration_completed = TRUE, is_admin_verified = TRUE WHERE user_id = ?`,
         [userId]
       );