feat: update guest user handling to require email verification and adjust status flags

2026-03-15 01:10:35 +01:00 · 2026-03-15 01:10:35 +01:00 · 61043e6dc8
commit 61043e6dc8
parent 729ac2d4da
3 changed files with 18 additions and 10 deletions
--- a/middleware/guestRestriction.js
+++ b/middleware/guestRestriction.js
@ -22,6 +22,8 @@ const GUEST_ALLOWED_PREFIXES = [
  '/refresh',
  '/coffee/active',
  '/tax/vat-rates',
  '/send-verification-email',
  '/verify-email-code',
 ];
 function guestRestriction(req, res, next) {
@ -31,8 +33,10 @@ function guestRestriction(req, res, next) {
  }
  const urlPath = req.originalUrl.split('?')[0];
  // Strip /api prefix if present (routes are mounted at /api but prefixes listed without it)
  const normalizedPath = urlPath.startsWith('/api/') ? urlPath.slice(4) : urlPath;
-  const isAllowed = GUEST_ALLOWED_PREFIXES.some((prefix) => urlPath.startsWith(prefix));
+  const isAllowed = GUEST_ALLOWED_PREFIXES.some((prefix) => normalizedPath.startsWith(prefix));
  if (isAllowed) {
    return next();
--- a/services/status/UserStatusService.js
+++ b/services/status/UserStatusService.js
@ -58,23 +58,26 @@ class UserStatusService {
      const status = await repo.getStatusByUserId(userId);
      if (!status) return null;
-      // Guest users are always fully onboarded — skip quickaction flow
+      // Guest users: check if email verification is still needed
      if (status.status === 'active') {
        // Check if this is a guest user
        const conn = unitOfWork.connection;
        const [userRows] = await conn.query('SELECT role FROM users WHERE id = ? LIMIT 1', [userId]);
        if (userRows?.[0]?.role === 'guest') {
-          const allCompleteSteps = [
+          // For guests, only email_verified matters — other steps are auto-completed
-            { key: 'email_verified', label: 'Email Verified', completed: true },
+          const emailVerified = !!status.email_verified;
          const guestSteps = [
            { key: 'email_verified', label: 'Email Verified', completed: emailVerified },
            { key: 'profile_completed', label: 'Profile Completed', completed: true },
            { key: 'documents_uploaded', label: 'Documents Uploaded', completed: true },
            { key: 'contract_signed', label: 'Contract Signed', completed: true },
          ];
          const completedCount = guestSteps.filter(s => s.completed).length;
          return {
            status: 'active',
-            steps: allCompleteSteps,
+            isGuest: true,
-            completedSteps: allCompleteSteps.map(s => s.label),
+            steps: guestSteps,
-            progressPercent: 100,
+            completedSteps: guestSteps.filter(s => s.completed).map(s => s.label),
            progressPercent: Math.round((completedCount / guestSteps.length) * 100),
          };
        }
      }
--- a/services/user/guest/GuestUserService.js
+++ b/services/user/guest/GuestUserService.js
@ -48,9 +48,10 @@ class GuestUserService {
      // Initialize user status as active (skip full registration flow for guests)
      await UserStatusService.initializeUserStatus(userId, 'personal', unitOfWork, 'active');
-      // Mark ALL status flags as completed for guests — they skip the entire quickaction flow
+      // Mark non-email status flags as completed for guests — they skip ID upload, profile, and contract
      // email_verified stays FALSE so guests must verify their email on first login
      await conn.query(
-        `UPDATE user_status SET email_verified = TRUE, profile_completed = TRUE, documents_uploaded = TRUE, contract_signed = TRUE, registration_completed = TRUE, is_admin_verified = TRUE WHERE user_id = ?`,
+        `UPDATE user_status SET email_verified = FALSE, profile_completed = TRUE, documents_uploaded = TRUE, contract_signed = TRUE, registration_completed = TRUE, is_admin_verified = TRUE WHERE user_id = ?`,
        [userId]
      );