ryan/chore
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 5 Releases Wiki Activity

Compare commits

base: ryan:1.0.4-rc1
Branches Tags
ryan:master ryan:next
ryan:v1.0.5 ryan:1.0.4 ryan:1.0.4-rc1 ryan:1.0.3
...
compare: ryan:v1.0.5
Branches Tags
ryan:next ryan:master
ryan:v1.0.5 ryan:1.0.4 ryan:1.0.4-rc1 ryan:1.0.3

49 Commits
1.0.4-rc1 ... v1.0.5

Author SHA1 Message Date
Ryan Kegel
3673119ae2 fix: update BASE_VERSION to remove release candidate suffix
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 1m30s
Details
2026-02-20 16:47:27 -05:00
Ryan Kegel
55e7dc7568 feat: remove hashed passwords feature spec and migrate to archive
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 2m6s
Details 
fix: update login token expiration to 62 days

chore: bump version to 1.0.5RC1

test: add isParentPersistent to LoginButton.spec.ts

refactor: rename Assign Tasks button to Assign Chores in ParentView.vue

refactor: rename Assign Tasks to Assign Chores in TaskAssignView.vue

feat: add stay in parent mode checkbox and badge in LoginButton.vue

test: enhance LoginButton.spec.ts with persistent mode tests

test: add authGuard.spec.ts for logoutParent and enforceParentExpiry

feat: implement parent mode expiry logic in auth.ts

test: add auth.expiry.spec.ts for parent mode expiry tests

chore: create template for feature specs
 2026-02-20 16:31:13 -05:00
ryan
ba909100a7 Merge pull request 'fix: add FRONTEND_URL to environment variables and create .env.example file' (#24) from master into next
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 2m9s
Details 
Reviewed-on: #24
 2026-02-20 13:18:10 -05:00
Ryan Kegel
8148bfac51 fix: add FRONTEND_URL to environment variables and create .env.example file
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 4m0s
Details
2026-02-20 13:07:55 -05:00
ryan
c43af7d43e Merge pull request 'master' (#23) from master into next
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 1m42s
Details 
Reviewed-on: #23
 2026-02-20 10:01:06 -05:00
Ryan Kegel
10216f49c9 fix: update service names and image paths to reflect new repository structure
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 2m7s
Details
2026-02-20 09:47:08 -05:00
Ryan Kegel
42d3567c22 fix: add condition to deploy test environment for 'next' branch
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 1m30s
Details
2026-02-19 17:09:09 -05:00
Ryan Kegel
be4a816a7c fix: update Docker image paths to reflect new structure
Some checks failed
Chore App Build, Test, and Push Docker Images / build-and-push (push) Failing after 1m51s
Details
2026-02-19 17:02:36 -05:00
Ryan Kegel
773840d88b fix: update Docker image names to reflect new structure
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 2m9s
Details
2026-02-19 16:52:00 -05:00
Ryan Kegel
075160941a fix: update Docker image paths to use new repository structure
Some checks failed
Chore App Build, Test, and Push Docker Images / build-and-push (push) Failing after 4m0s
Details
2026-02-19 16:40:01 -05:00
Ryan Kegel
d2fea646de fix: update Docker registry credentials to use Gitea secrets
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 2m0s
Details
2026-02-19 16:21:34 -05:00
Ryan Kegel
087aa07a74 Releasing 1.0.4 into test
All checks were successful
Chore App Build, Test, and Push Docker Images / build-and-push (push) Successful in 2m1s
Details 
-typo
 2026-02-19 15:13:43 -05:00
Ryan Kegel
8cb9199ab7 Releasing 1.0.4 into test
Some checks failed
Chore App Build, Test, and Push Docker Images / build-and-push (push) Has been cancelled
Details
2026-02-19 15:13:08 -05:00
Ryan Kegel
bbdabefd62 fixed frontent test errors
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 2m37s
Details
2026-02-19 14:59:28 -05:00
Ryan Kegel
a7ac179e1a fixed frontent test errors
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 1m47s
Details
2026-02-19 13:31:19 -05:00
Ryan Kegel
53236ab019 feat: add caching for frontend dependencies in build workflow
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 2m40s
Details
2026-02-19 12:55:05 -05:00
Ryan Kegel
8708a1a68f feat: add caching for frontend dependencies in build workflow
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 1m48s
Details
2026-02-19 12:42:16 -05:00
Ryan Kegel
8008f1d116 feat: add backend and frontend testing steps to build workflow
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 2m45s
Details
2026-02-19 12:34:33 -05:00
Ryan Kegel
c18d202ecc feat: update version to 1.0.4RC5, enhance notification handling and smooth scroll behavior
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 1m11s
Details
2026-02-19 11:00:14 -05:00
Ryan Kegel
725bf518ea Refactor and enhance various components and tests
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 1m23s
Details 
- Remove OverrideEditModal.spec.ts test file.
- Update ParentPinSetup.vue to handle Enter key for code and PIN inputs.
- Modify ChildEditView.vue to add maxlength for age input.
- Enhance ChildView.vue with reward confirmation and cancellation dialogs.
- Update ParentView.vue to handle pending rewards and confirm edits.
- Revise PendingRewardDialog.vue to accept a dynamic message prop.
- Expand ChildView.spec.ts to cover reward dialog interactions.
- Add tests for ParentView.vue to validate pending reward handling.
- Update UserProfile.vue to simplify button styles.
- Adjust RewardView.vue to improve delete confirmation handling.
- Modify ChildrenListView.vue to clarify child creation instructions.
- Refactor EntityEditForm.vue to improve input handling and focus management.
- Enhance ItemList.vue to support item selection.
- Update LoginButton.vue to focus PIN input on error.
- Change ScrollingList.vue empty state color for better visibility.
- Remove capture attribute from ImagePicker.vue file input.
- Update router/index.ts to redirect logged-in users from auth routes.
- Add authGuard.spec.ts to test router authentication logic.
 2026-02-19 09:57:59 -05:00
Ryan Kegel
31ea76f013 feat: enhance child edit and view components with improved form handling and validation
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 1m4s
Details 
- Added `requireDirty` prop to `EntityEditForm` for dirty state management.
- Updated `ChildEditView` to handle initial data loading and image selection more robustly.
- Refactored `ChildView` to remove unused reward dialog logic and prevent API calls in child mode.
- Improved type definitions for form fields and initial data in `ChildEditView`.
- Enhanced error handling in form submissions across components.
- Implemented cross-tab logout synchronization on password reset in the auth store.
- Added tests for login and entity edit form functionalities to ensure proper behavior.
- Introduced global fetch interceptor for handling unauthorized responses.
- Documented password reset flow and its implications on session management.
 2026-02-17 17:18:03 -05:00
Ryan Kegel
5e22e5e0ee Refactor authentication routes to use '/auth' prefix in API calls
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 38s
Details
2026-02-17 10:38:40 -05:00
Ryan Kegel
7e7a2ef49e Implement account deletion handling and improve user feedback
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Has been cancelled
Details 
- Added checks for accounts marked for deletion in signup, verification, and password reset processes.
- Updated reward and task listing to sort user-created items first.
- Enhanced user API to clear verification and reset tokens when marking accounts for deletion.
- Introduced tests for marked accounts to ensure proper handling in various scenarios.
- Updated profile and reward edit components to reflect changes in validation and data handling.
 2026-02-17 10:38:26 -05:00
Ryan Kegel
3e1715e487 added universal launcher
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 44s
Details
2026-02-16 16:20:04 -05:00
Ryan Kegel
11e7fda997 wip 2026-02-16 16:17:17 -05:00
Ryan Kegel
09d42b14c5 wip 2026-02-16 16:04:44 -05:00
Ryan Kegel
3848be32e8 Merge branch 'next' of https://git.ryankegel.com/ryan/chore into next
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 47s
Details
2026-02-16 15:37:17 -05:00
Ryan Kegel
1aff366fd8 - removed test_data
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 1m36s
Details
2026-02-16 15:33:56 -05:00
Ryan Kegel
0ab40f85a4 wip 2026-02-16 15:29:33 -05:00
Ryan Kegel
22889caab4 wip 2026-02-16 15:13:22 -05:00
Ryan Kegel
b538782c09 Merge remote-tracking branch 'origin/wip-sync' into next 2026-02-16 15:02:51 -05:00
Ryan Kegel
7a827b14ef wip 2026-02-16 15:00:52 -05:00
Ryan Kegel
9238d7e3a5 wip 2026-02-15 22:51:51 -05:00
Ryan Kegel
c17838241a WIP Sync 2026-02-14 17:00:43 -05:00
Ryan Kegel
d183e0a4b6 - First round of fixes for RC1
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 2m18s
Details
2026-02-13 16:43:57 -05:00
Ryan Kegel
b25ebaaec0 -test environment
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 57s
Details
2026-02-12 16:17:07 -05:00
Ryan Kegel
ae5b40512c -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 30s
Details
2026-02-12 16:15:14 -05:00
Ryan Kegel
92635a356c -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 45s
Details
2026-02-12 16:12:52 -05:00
Ryan Kegel
235269bdb6 -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 29s
Details
2026-02-11 23:11:54 -05:00
Ryan Kegel
5d4b0ec2c9 -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 22s
Details
2026-02-11 22:55:28 -05:00
Ryan Kegel
a21cb60aeb -test environment
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 1m38s
Details
2026-02-11 21:36:45 -05:00
Ryan Kegel
e604870e26 -test environment
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 2m7s
Details
2026-02-11 17:08:23 -05:00
Ryan Kegel
c3e35258a1 -test environment
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 52s
Details
2026-02-11 17:00:45 -05:00
Ryan Kegel
d2a56e36c7 -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 8s
Details
2026-02-11 16:58:32 -05:00
Ryan Kegel
3bfca4e2b0 -test environment
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 1m59s
Details
2026-02-11 16:01:35 -05:00
Ryan Kegel
f5d68aec4a -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 25s
Details
2026-02-11 15:24:14 -05:00
Ryan Kegel
38c637cc67 updated requirements
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 48s
Details
2026-02-11 15:16:24 -05:00
Ryan Kegel
f29c90897f -test environment
Some checks failed
Chore App Build and Push Docker Images / build-and-push (push) Failing after 21s
Details
2026-02-11 14:56:32 -05:00
Ryan Kegel
efb65b6da3 -attempt to use global ip for registry
All checks were successful
Chore App Build and Push Docker Images / build-and-push (push) Successful in 45s
Details
2026-02-11 10:31:28 -05:00
103 changed files with 3825 additions and 896 deletions
Expand all files Collapse all files

1
.env.example Normal file
View File

@@ -0,0 +1 @@
FRONTEND_URL=https://yourdomain.com

115
.gitea/workflows/build.yaml
View File

@@ -1,5 +1,5 @@
name: Chore App Build and Push Docker Images
run-name: ${{ gitea.actor }} is building the chore app 🚀
name: Chore App Build, Test, and Push Docker Images
run-name: ${{ gitea.actor }} is building Chores [${{ gitea.ref_name }}@${{ gitea.sha }}] 🚀
on:
push:
branches:
@@ -24,40 +24,119 @@ jobs:
echo "tag=next-$version-$current_date" >> $GITHUB_OUTPUT
fi
- name: Resolve Gitea Server IP
id: gitea_ip
- name: Set up Python for backend tests
uses: actions/setup-python@v4
with:
python-version: "3.11"
- name: Install backend dependencies
run: |
ip=$(getent hosts gitea-server | awk '{ print $1 }')
echo "ip=$ip" >> $GITHUB_OUTPUT
echo "Resolved Gitea server IP: $ip"
python -m pip install --upgrade pip
pip install -r backend/requirements.txt
- name: Run backend unit tests
run: |
cd backend
pytest -q
- name: Set up Node.js for frontend tests
uses: actions/setup-node@v4
with:
node-version: "20.19.0"
cache: "npm"
cache-dependency-path: frontend/vue-app/package-lock.json
- name: Install frontend dependencies
run: npm ci
working-directory: frontend/vue-app
- name: Run frontend unit tests
run: npm run test:unit --if-present
working-directory: frontend/vue-app
- name: Build Backend Docker Image
run: |
docker build -t ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/backend:${{ steps.vars.outputs.tag }} ./backend
docker build -t git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }} ./backend
- name: Build Frontend Docker Image
run: |
docker build -t ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/frontend:${{ steps.vars.outputs.tag }} ./frontend/vue-app
docker build -t git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }} ./frontend/vue-app
- name: Log in to Registry
uses: docker/login-action@v2
with:
registry: ${{ steps.gitea_ip.outputs.ip }}:3000
username: ryan #${{ secrets.REGISTRY_USERNAME }} # Stored as a Gitea secret
password: 0x013h #${{ secrets.REGISTRY_TOKEN }} # Stored as a Gitea secret (use a PAT here)
registry: git.ryankegel.com:3000
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Push Backend Image to Gitea Registry
run: |
docker push ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/backend:${{ steps.vars.outputs.tag }}
for i in {1..3}; do
echo "Attempt $i to push backend image..."
if docker push git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }}; then
echo "Backend push succeeded on attempt $i"
break
else
echo "Backend push failed on attempt $i"
if [ $i -lt 3 ]; then
sleep 10
else
exit 1
fi
fi
done
if [ "${{ gitea.ref }}" == "refs/heads/master" ]; then
docker tag ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/backend:${{ steps.vars.outputs.tag }} ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/backend:latest
docker push ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/backend:latest
docker tag git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/backend:latest
docker push git.ryankegel.com:3000/kegel/chores/backend:latest
elif [ "${{ gitea.ref }}" == "refs/heads/next" ]; then
docker tag git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/backend:next
docker push git.ryankegel.com:3000/kegel/chores/backend:next
fi
- name: Push Frontend Image to Gitea Registry
run: |
docker push ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/frontend:${{ steps.vars.outputs.tag }}
for i in {1..3}; do
echo "Attempt $i to push frontend image..."
if docker push git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }}; then
echo "Frontend push succeeded on attempt $i"
break
else
echo "Frontend push failed on attempt $i"
if [ $i -lt 3 ]; then
sleep 10
else
exit 1
fi
fi
done
if [ "${{ gitea.ref }}" == "refs/heads/master" ]; then
docker tag ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/frontend:${{ steps.vars.outputs.tag }} ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/frontend:latest
docker push ${{ steps.gitea_ip.outputs.ip }}:3000/ryan/frontend:latest
docker tag git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/frontend:latest
docker push git.ryankegel.com:3000/kegel/chores/frontend:latest
elif [ "${{ gitea.ref }}" == "refs/heads/next" ]; then
docker tag git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/frontend:next
docker push git.ryankegel.com:3000/kegel/chores/frontend:next
fi
- name: Deploy Test Environment
if: gitea.ref == 'refs/heads/next'
uses: appleboy/ssh-action@v1.0.3 # Or equivalent Gitea action; adjust version if needed
with:
host: ${{ secrets.DEPLOY_TEST_HOST }}
username: ${{ secrets.DEPLOY_TEST_USER }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: 22 # Default SSH port; change if different
script: |
cd /tmp
# Pull the repository to get the latest docker-compose.dev.yml
if [ -d "chore" ]; then
cd chore
git pull origin next || true # Pull latest changes; ignore if it fails (e.g., first run)
else
git clone --branch next https://git.ryankegel.com/ryan/chore.git
cd chore
fi
echo "Bringing down previous test environment..."
docker-compose -f docker-compose.test.yml down --volumes --remove-orphans || true
echo "Starting new test environment..."
docker-compose -f docker-compose.test.yml pull # Ensure latest images are pulled
docker-compose -f docker-compose.test.yml up -d

19
.github/alias.txt vendored Normal file
View File

@@ -0,0 +1,19 @@
**Powershell
git config --global alias.save-wip "!f() { git add . ; if (git log -1 --format=%s -eq 'wip') { git commit --amend --no-edit } else { git commit -m 'wip' }; git push origin `$(git branch --show-current):wip-sync --force-with-lease; }; f"
git config --global alias.load-wip "!f() { if (git diff-index --quiet HEAD --) { git fetch origin wip-sync; git merge origin/wip-sync; if (git log -1 --format=%s -eq 'wip') { git reset --soft HEAD~1; echo 'WIP Loaded and unwrapped.' } else { echo 'No WIP found. Merge complete.' } } else { echo 'Error: Uncommitted changes detected.'; exit 1 }; }; f"
git config --global alias.abort-wip "git reset --hard HEAD"
**Git Bash
git config --global alias.save-wip '!f() { git add . ; if [ "$(git log -1 --format=%s)" = "wip" ]; then git commit --amend --no-edit; else git commit -m "wip"; fi; git push origin $(git branch --show-current):wip-sync --force-with-lease; }; f'
git config --global alias.load-wip '!f() { if ! git diff-index --quiet HEAD --; then echo "Error: Uncommitted changes detected."; exit 1; fi; git fetch origin wip-sync && git merge origin/wip-sync && if [ "$(git log -1 --format=%s)" = "wip" ]; then git reset --soft HEAD~1; echo "WIP Loaded and unwrapped."; else echo "No WIP found. Merge complete."; fi; }; f'
git config --global alias.abort-wip 'git reset --hard HEAD'
**Mac
git config --global alias.save-wip '!f() { git add . ; if [ "$(git log -1 --format=%s)" = "wip" ]; then git commit --amend --no-edit; else git commit -m "wip"; fi; git push origin $(git branch --show-current):wip-sync --force-with-lease; }; f'
git config --global alias.load-wip '!f() { if ! git diff-index --quiet HEAD --; then echo "Error: Uncommitted changes detected."; exit 1; fi; git fetch origin wip-sync && git merge origin/wip-sync && if [ "$(git log -1 --format=%s)" = "wip" ]; then git reset --soft HEAD~1; echo "WIP Loaded and unwrapped."; else echo "No WIP found. Merge complete."; fi; }; f'
git config --global alias.abort-wip 'git reset --hard HEAD'
***Reset wip-sync
git push origin --delete wip-sync

0
.github/specs/active/feat-hashed-passwords.md → .github/specs/archive/feat-hashed-passwords.md vendored
View File

141
.github/specs/archive/feat-parent-mode-expire.md vendored Normal file
View File

@@ -0,0 +1,141 @@
# Feature: Persistent and non-persistent parent mode
## Overview
When a parent is prompted to input the parent PIN, a checkbox should also be available that asks if the parent wants to 'stay' in parent mode. If that is checked, the parent mode remains persistent on the device until child mode is entered or until an expiry time of 2 days.
When the checkbox is not enabled (default) the parent authentication should expire in 1 minute or the next reload of the site.
**Goal:**
A parent that has a dedicated device should stay in parent mode for a max of 2 days before having to re-enter the PIN, a device dedicated to the child should not stay in parent mode for more than a minute before reverting back to child mode.
**User Story:**
As a parent, I want my personal device to be able to stay in parent mode until I enter child mode or 2 days expire.
As a parent, on my child's device, I want to be able to enter parent mode to make a change or two and not have to worry about exiting parent mode.
**Rules:**
Use .github/copilot-instructions.md
**Common files:**
frontend\vue-app\src\components\shared\LoginButton.vue
frontend\vue-app\src\stores\auth.ts
frontend\vue-app\src\router\index.ts
---
## Data Model Changes
### Backend Model
No backend changes required. PIN validation is already handled server-side via `POST /user/check-pin`. Parent mode session duration is a purely client-side concern.
### Frontend Model
**`localStorage['parentAuth']`** (written only for persistent mode):
```json
{ "expiresAt": 1234567890123 }
```
- Present only when "Stay in parent mode" was checked at PIN entry.
- Removed when the user clicks "Child Mode", on explicit logout, or when found expired on store init.
**Auth store state additions** (`frontend/vue-app/src/stores/auth.ts`):
- `parentAuthExpiresAt: Ref<number | null>` — epoch ms timestamp; `null` when not authenticated. Memory-only for non-persistent sessions, restored from `localStorage` for persistent ones.
- `isParentPersistent: Ref<boolean>``true` when the current parent session was marked "stay".
- `isParentAuthenticated: Ref<boolean>` — plain ref set to `true` by `authenticateParent()` and `false` by `logoutParent()`. Expiry is enforced by the 15-second background watcher and the router guard calling `enforceParentExpiry()`.
---
## Backend Implementation
No backend changes required.
---
## Backend Tests
- [x] No new backend tests required.
---
## Frontend Implementation
### 1. Refactor `auth.ts` — expiry-aware state
- Remove the plain `ref<boolean>` `isParentAuthenticated` and the `watch` that wrote `'true'/'false'` to `localStorage['isParentAuthenticated']`.
- Add `parentAuthExpiresAt: ref<number | null>` (initialized to `null`).
- Add `isParentPersistent: ref<boolean>` (initialized to `false`).
- Keep `isParentAuthenticated` as a plain `ref<boolean>` — set explicitly by `authenticateParent()` and `logoutParent()`. A background watcher and router guard enforce expiry by calling `logoutParent()` when `Date.now() >= parentAuthExpiresAt.value`.
- Update `authenticateParent(persistent: boolean)`:
- Non-persistent: set `parentAuthExpiresAt.value = Date.now() + 60_000`, `isParentPersistent.value = false`. Write nothing to `localStorage`. State is lost on page reload naturally.
- Persistent: set `parentAuthExpiresAt.value = Date.now() + 172_800_000` (2 days), `isParentPersistent.value = true`. Write `{ expiresAt }` to `localStorage['parentAuth']`.
- Both: set `isParentAuthenticated.value = true`, call `startParentExpiryWatcher()`.
- Update `logoutParent()`: clear all three refs (`null`/`false`/`false`), remove `localStorage['parentAuth']`, call `stopParentExpiryWatcher()`.
- Update `loginUser()`: call `logoutParent()` internally (already resets parent state on fresh login).
- On store initialization: read `localStorage['parentAuth']`; if present and `expiresAt > Date.now()`, restore as persistent auth; otherwise remove the stale key.
### 2. Add background expiry watcher to `auth.ts`
- Export `startParentExpiryWatcher()` and `stopParentExpiryWatcher()` that manage a 15-second `setInterval`.
- The interval checks `Date.now() >= parentAuthExpiresAt.value`; if true, calls `logoutParent()` and navigates to `/child` via `window.location.href`. This enforces expiry even while a parent is mid-page on a `/parent` route.
### 3. Update router navigation guard — `router/index.ts`
- Import `logoutParent` and `enforceParentExpiry` from the auth store.
- Before checking parent route access, call `enforceParentExpiry()` which evaluates `Date.now() >= parentAuthExpiresAt.value` directly and calls `logoutParent()` if expired.
- If not authenticated after the check: call `logoutParent()` (cleanup) then redirect to `/child`.
### 4. Update PIN modal in `LoginButton.vue` — checkbox
- Add `stayInParentMode: ref<boolean>` (default `false`).
- Add a checkbox below the PIN input, labelled **"Stay in parent mode on this device"**.
- Style checkbox with `:root` CSS variables from `colors.css`.
- Update `submit()` to call `authenticateParent(stayInParentMode.value)`.
- Reset `stayInParentMode.value = false` when the modal closes.
### 5. Add lock badge to avatar button — `LoginButton.vue`
- Import `isParentPersistent` from the auth store.
- Wrap the existing avatar button in a `position: relative` container.
- When `isParentAuthenticated && isParentPersistent`, render a small `🔒` emoji element absolutely positioned at `bottom: -2px; left: -2px` with a font size of ~10px.
- This badge disappears automatically when "Child Mode" is clicked (clears `isParentPersistent`).
---
## Frontend Tests
- [x] `auth.ts` — non-persistent: `authenticateParent(false)` sets expiry to `now + 60s`; `isParentAuthenticated` returns `false` after watcher fires past expiry (via fake timers).
- [x] `auth.ts` — persistent: `authenticateParent(true)` sets `parentAuthExpiresAt` to `now + 2 days`; `isParentAuthenticated` returns `false` after watcher fires past 2-day expiry.
- [x] `auth.ts``logoutParent()` clears refs, stops watcher.
- [x] `auth.ts``loginUser()` calls `logoutParent()` clearing all parent auth state.
- [x] `LoginButton.vue` — checkbox is unchecked by default; checking it and submitting calls `authenticateParent(true)`.
- [x] `LoginButton.vue` — submitting without checkbox calls `authenticateParent(false)`.
- [x] `LoginButton.vue` — lock badge `🔒` is visible only when `isParentAuthenticated && isParentPersistent`.
---
## Future Considerations
- Could offer a configurable expiry duration (e.g. 1 day, 3 days, 7 days) rather than a fixed 2-day cap.
- Could show a "session expiring soon" warning for the persistent mode (e.g. banner appears 1 hour before the 2-day expiry).
---
## Acceptance Criteria (Definition of Done)
### Backend
- [x] No backend changes required; all work is frontend-only.
### Frontend
- [x] PIN modal includes an unchecked "Stay in parent mode on this device" checkbox.
- [x] Non-persistent mode: parent auth is memory-only, expires after 1 minute, and is lost on page reload.
- [x] Persistent mode: `localStorage['parentAuth']` is written with a 2-day `expiresAt` timestamp; auth survives page reload and new tabs.
- [x] Router guard redirects silently to `/child` if parent mode has expired when navigating to any `/parent` route.
- [x] Background 15-second interval also enforces expiry while the user is mid-page on a `/parent` route.
- [x] "Child Mode" button clears both persistent and non-persistent auth state completely.
- [x] A `🔒` emoji badge appears on the lower-left of the parent avatar button only when persistent mode is active.
- [x] Opening a new tab while in persistent mode correctly restores parent mode from `localStorage`.
- [x] All frontend tests listed above pass.

49
.github/specs/template/feat-template.md vendored Normal file
View File

@@ -0,0 +1,49 @@
# Feature:
## Overview
**Goal:**
**User Story:**
**Rules:**
---
## Data Model Changes
### Backend Model
### Frontend Model
---
## Backend Implementation
## Backend Tests
- [ ]
---
## Frontend Implementation
## Frontend Tests
- [ ]
---
## Future Considerations
---
## Acceptance Criteria (Definition of Done)
### Backend
- [ ]
### Frontend
- [ ]

1
.gitignore vendored
View File

@@ -1,3 +1,4 @@
.env
backend/test_data/db/children.json
backend/test_data/db/images.json
backend/test_data/db/pending_rewards.json

5
.idea/.gitignore generated vendored Normal file
View File

@@ -0,0 +1,5 @@
# Default ignored files
/shelf/
/workspace.xml
# Editor-based HTTP Client requests
/httpRequests/

15
.idea/Reward.iml generated Normal file
View File

@@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="PYTHON_MODULE" version="4">
<component name="NewModuleRootManager">
<content url="file://$MODULE_DIR$" />
<orderEntry type="jdk" jdkName="Python 3.12 (Reward)" jdkType="Python SDK" />
<orderEntry type="sourceFolder" forTests="false" />
</component>
<component name="PyDocumentationSettings">
<option name="format" value="PLAIN" />
<option name="myDocStringFormat" value="Plain" />
</component>
<component name="TestRunnerService">
<option name="PROJECT_TEST_RUNNER" value="py.test" />
</component>
</module>

6
.idea/copilot.data.migration.agent.xml generated Normal file
View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="AgentMigrationStateService">
<option name="migrationStatus" value="COMPLETED" />
</component>
</project>

6
.idea/copilot.data.migration.ask2agent.xml generated Normal file
View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="Ask2AgentMigrationStateService">
<option name="migrationStatus" value="COMPLETED" />
</component>
</project>

6
.idea/copilot.data.migration.edit.xml generated Normal file
View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="EditMigrationStateService">
<option name="migrationStatus" value="COMPLETED" />
</component>
</project>

10
.idea/inspectionProfiles/Project_Default.xml generated Normal file
View File

@@ -0,0 +1,10 @@
<component name="InspectionProjectProfileManager">
<profile version="1.0">
<option name="myName" value="Project Default" />
<inspection_tool class="PyPackageRequirementsInspection" enabled="true" level="WARNING" enabled_by_default="true">
<option name="ignoredPackages">
<list />
</option>
</inspection_tool>
</profile>
</component>

6
.idea/inspectionProfiles/profiles_settings.xml generated Normal file
View File

@@ -0,0 +1,6 @@
<component name="InspectionProjectProfileManager">
<settings>
<option name="USE_PROJECT_PROFILE" value="false" />
<version value="1.0" />
</settings>
</component>

4
.idea/misc.xml generated Normal file
View File

@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.12 (Reward)" project-jdk-type="Python SDK" />
</project>

8
.idea/modules.xml generated Normal file
View File

@@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/.idea/Reward.iml" filepath="$PROJECT_DIR$/.idea/Reward.iml" />
</modules>
</component>
</project>

6
.idea/vcs.xml generated Normal file
View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="VcsDirectoryMappings">
<mapping directory="" vcs="Git" />
</component>
</project>

31
.vscode/launch.json vendored
View File

@@ -3,7 +3,7 @@
"configurations": [
{
"name": "Python: Flask",
"type": "debugpy",
"type": "python",
"request": "launch",
"module": "flask",
"python": "${command:python.interpreterPath}",
@@ -17,7 +17,9 @@
"--port=5000",
"--no-debugger",
"--no-reload"
]
],
"cwd": "${workspaceFolder}/backend",
"console": "integratedTerminal"
},
{
"name": "Vue: Dev Server",
@@ -32,17 +34,17 @@
"console": "integratedTerminal"
},
{
"name": "Chrome: Attach to Vue App",
"type": "chrome",
"name": "Chrome: Launch (Vue App)",
"type": "pwa-chrome",
"request": "launch",
"url": "https://localhost:5173", // or your Vite dev server port
"url": "http://localhost:5173",
"webRoot": "${workspaceFolder}/frontend/vue-app"
},
{
"name": "Python: Backend Tests",
"type": "python",
"request": "launch",
"program": "${workspaceFolder}/backend/.venv/Scripts/pytest.exe",
"module": "pytest",
"args": [
"tests/"
],
@@ -56,12 +58,21 @@
"name": "Vue: Frontend Tests",
"type": "node",
"request": "launch",
"runtimeExecutable": "npx",
"runtimeExecutable": "npm",
"windows": {
"runtimeExecutable": "npm.cmd"
},
"runtimeArgs": [
"vitest"
"run",
"test:unit"
],
"cwd": "${workspaceFolder}/frontend/vue-app",
"console": "integratedTerminal"
"console": "integratedTerminal",
"osx": {
"env": {
"PATH": "/opt/homebrew/bin:${env:PATH}"
}
}
}
],
"compounds": [
@@ -70,7 +81,7 @@
"configurations": [
"Python: Flask",
"Vue: Dev Server",
"Chrome: Attach to Vue App"
"Chrome: Launch (Vue App)"
]
}
]

77
.vscode/launch.json.bak vendored Normal file
View File

@@ -0,0 +1,77 @@
{
"version": "0.2.0",
"configurations": [
{
"name": "Python: Flask",
"type": "debugpy",
"request": "launch",
"module": "flask",
"python": "${command:python.interpreterPath}",
"env": {
"FLASK_APP": "backend/main.py",
"FLASK_DEBUG": "1"
},
"args": [
"run",
"--host=0.0.0.0",
"--port=5000",
"--no-debugger",
"--no-reload"
]
},
{
"name": "Vue: Dev Server",
"type": "node",
"request": "launch",
"runtimeExecutable": "npm",
"runtimeArgs": [
"run",
"dev"
],
"cwd": "${workspaceFolder}/frontend/vue-app",
"console": "integratedTerminal"
},
{
"name": "Chrome: Attach to Vue App",
"type": "chrome",
"request": "launch",
"url": "https://localhost:5173", // or your Vite dev server port
"webRoot": "${workspaceFolder}/frontend/vue-app"
},
{
"name": "Python: Backend Tests",
"type": "python",
"request": "launch",
"program": "${workspaceFolder}/backend/.venv/Scripts/pytest.exe",
"args": [
"tests/"
],
"cwd": "${workspaceFolder}/backend",
"console": "integratedTerminal",
"env": {
"PYTHONPATH": "${workspaceFolder}/backend"
}
},
{
"name": "Vue: Frontend Tests",
"type": "node",
"request": "launch",
"runtimeExecutable": "npx",
"runtimeArgs": [
"vitest"
],
"cwd": "${workspaceFolder}/frontend/vue-app",
"console": "integratedTerminal"
}
],
"compounds": [
{
"name": "Full Stack (Backend + Frontend)",
"configurations": [
"Python: Flask",
"Vue: Dev Server",
"Chrome: Attach to Vue App"
]
}
]
}

45
.vscode/tasks.json vendored Normal file
View File

@@ -0,0 +1,45 @@
{
"version": "2.0.0",
"tasks": [
{
"label": "Git: Save WIP",
"type": "shell",
"command": "git save-wip",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "shared"
}
},
{
"label": "Git: Load WIP",
"type": "shell",
"command": "git load-wip",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "shared"
}
},
{
"label": "Git: Reset Cloud WIP",
"type": "shell",
"command": "git push origin --delete wip-sync",
"presentation": {
"reveal": "always",
"panel": "shared"
}
},
{
"label": "Git: Abort WIP (Reset Local)",
"type": "shell",
"command": "git abort-wip",
"group": "none",
"presentation": {
"reveal": "always",
"panel": "shared",
"echo": true
}
}
]
}

4
README.md
View File

@@ -164,6 +164,10 @@ npm run test
For detailed development patterns and conventions, see [`.github/copilot-instructions.md`](.github/copilot-instructions.md).
## 📚 References
- Reset flow (token validation, JWT invalidation, cross-tab logout sync): [`docs/reset-password-reference.md`](docs/reset-password-reference.md)
## 📄 License
Private project - All rights reserved.

1
backend/.gitignore vendored
View File

@@ -42,6 +42,7 @@ env/
*.sqlite3
data/db/*.json
data/images/
test_data/
# Flask
instance/

39
backend/api/auth_api.py
View File

@@ -39,7 +39,11 @@ def signup():
email = data.get('email', '')
norm_email = normalize_email(email)
if users_db.search(UserQuery.email == norm_email):
existing = users_db.get(UserQuery.email == norm_email)
if existing:
user = User.from_dict(existing)
if user.marked_for_deletion:
return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
return jsonify({'error': 'Email already exists', 'code': EMAIL_EXISTS}), 400
token = secrets.token_urlsafe(32)
@@ -78,6 +82,10 @@ def verify():
status = 'error'
reason = 'Invalid token'
code = INVALID_TOKEN
elif user.marked_for_deletion:
status = 'error'
reason = 'Account marked for deletion'
code = ACCOUNT_MARKED_FOR_DELETION
else:
created_str = user.verify_token_created
if not created_str:
@@ -154,7 +162,8 @@ def login():
payload = {
'email': norm_email,
'user_id': user.id,
'exp': datetime.utcnow() + timedelta(hours=24*7)
'token_version': user.token_version,
'exp': datetime.utcnow() + timedelta(days=62)
}
token = jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
@@ -171,10 +180,15 @@ def me():
try:
payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
user_id = payload.get('user_id', '')
token_version = payload.get('token_version', 0)
user_dict = users_db.get(UserQuery.id == user_id)
user = User.from_dict(user_dict) if user_dict else None
if not user:
return jsonify({'error': 'User not found', 'code': USER_NOT_FOUND}), 404
if token_version != user.token_version:
return jsonify({'error': 'Invalid token', 'code': INVALID_TOKEN}), 401
if user.marked_for_deletion:
return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
return jsonify({
'email': user.email,
'id': user_id,
@@ -201,14 +215,14 @@ def request_password_reset():
user_dict = users_db.get(UserQuery.email == norm_email)
user = User.from_dict(user_dict) if user_dict else None
if user:
# Silently ignore reset requests for marked accounts (don't leak account status)
if not user.marked_for_deletion:
token = secrets.token_urlsafe(32)
now_iso = datetime.utcnow().isoformat()
user.reset_token = token
user.reset_token_created = now_iso
users_db.update(user.to_dict(), UserQuery.email == norm_email)
send_reset_password_email(norm_email, token)
if user.marked_for_deletion:
return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
token = secrets.token_urlsafe(32)
now_iso = datetime.utcnow().isoformat()
user.reset_token = token
user.reset_token_created = now_iso
users_db.update(user.to_dict(), UserQuery.email == norm_email)
send_reset_password_email(norm_email, token)
return jsonify({'message': success_msg}), 200
@@ -258,9 +272,12 @@ def reset_password():
user.password = generate_password_hash(new_password)
user.reset_token = None
user.reset_token_created = None
user.token_version += 1
users_db.update(user.to_dict(), UserQuery.email == user.email)
return jsonify({'message': 'Password has been reset'}), 200
resp = jsonify({'message': 'Password has been reset'})
resp.set_cookie('token', '', expires=0, httponly=True, secure=True, samesite='Strict')
return resp, 200
@auth_api.route('/logout', methods=['POST'])
def logout():

2
backend/api/child_api.py
View File

@@ -166,7 +166,7 @@ def assign_task_to_child(id):
if task_id not in child.get('tasks', []):
child['tasks'].append(task_id)
child_db.update({'tasks': child['tasks']}, ChildQuery.id == id)
return jsonify({'message': f'Task {task_id} assigned to {child['name']}.'}), 200
return jsonify({'message': f"Task {task_id} assigned to {child.get('name')}."}), 200
# python
@child_api.route('/child/<id>/set-tasks', methods=['PUT'])

8
backend/api/reward_api.py
View File

@@ -65,7 +65,13 @@ def list_rewards():
if r.get('user_id') is None and r['name'].strip().lower() in user_rewards:
continue # Skip default if user version exists
filtered_rewards.append(r)
return jsonify({'rewards': filtered_rewards}), 200
# Sort: user-created items first (by name), then default items (by name)
user_created = sorted([r for r in filtered_rewards if r.get('user_id') == user_id], key=lambda x: x['name'].lower())
default_items = sorted([r for r in filtered_rewards if r.get('user_id') is None], key=lambda x: x['name'].lower())
sorted_rewards = user_created + default_items
return jsonify({'rewards': sorted_rewards}), 200
@reward_api.route('/reward/<id>', methods=['DELETE'])
def delete_reward(id):

22
backend/api/task_api.py
View File

@@ -63,7 +63,27 @@ def list_tasks():
if t.get('user_id') is None and t['name'].strip().lower() in user_tasks:
continue # Skip default if user version exists
filtered_tasks.append(t)
return jsonify({'tasks': filtered_tasks}), 200
# Sort order:
# 1) good tasks first, then not-good tasks
# 2) within each group: user-created items first (by name), then default items (by name)
good_tasks = [t for t in filtered_tasks if t.get('is_good') is True]
not_good_tasks = [t for t in filtered_tasks if t.get('is_good') is not True]
def sort_user_then_default(tasks_group):
user_created = sorted(
[t for t in tasks_group if t.get('user_id') == user_id],
key=lambda x: x['name'].lower(),
)
default_items = sorted(
[t for t in tasks_group if t.get('user_id') is None],
key=lambda x: x['name'].lower(),
)
return user_created + default_items
sorted_tasks = sort_user_then_default(good_tasks) + sort_user_then_default(not_good_tasks)
return jsonify({'tasks': sorted_tasks}), 200
@task_api.route('/task/<id>', methods=['DELETE'])
def delete_task(id):

37
backend/api/user_api.py
View File

@@ -12,6 +12,10 @@ from api.utils import get_validated_user_id, normalize_email, send_event_for_cur
from api.error_codes import ACCOUNT_MARKED_FOR_DELETION, ALREADY_MARKED
from events.types.event_types import EventType
from events.types.event import Event
from events.types.profile_updated import ProfileUpdated
from utils.tracking_logger import log_tracking_event
from models.tracking_event import TrackingEvent
from db.tracking import insert_tracking_event
user_api = Blueprint('user_api', __name__)
UserQuery = Query()
@@ -63,6 +67,32 @@ def update_profile():
if image_id is not None:
user.image_id = image_id
users_db.update(user.to_dict(), UserQuery.email == user.email)
# Create tracking event
metadata = {}
if first_name is not None:
metadata['first_name_updated'] = True
if last_name is not None:
metadata['last_name_updated'] = True
if image_id is not None:
metadata['image_updated'] = True
tracking_event = TrackingEvent.create_event(
user_id=user_id,
child_id=None, # No child for user profile
entity_type='user',
entity_id=user.id,
action='updated',
points_before=0, # Not relevant
points_after=0,
metadata=metadata
)
insert_tracking_event(tracking_event)
log_tracking_event(tracking_event)
# Send SSE event
send_event_for_current_user(Event(EventType.PROFILE_UPDATED.value, ProfileUpdated(user.id)))
return jsonify({'message': 'Profile updated'}), 200
@user_api.route('/user/image', methods=['PUT'])
@@ -201,6 +231,13 @@ def mark_for_deletion():
# Mark for deletion
user.marked_for_deletion = True
user.marked_for_deletion_at = datetime.now(timezone.utc).isoformat()
# Invalidate any outstanding verification/reset tokens so they cannot be used after marking
user.verify_token = None
user.verify_token_created = None
user.reset_token = None
user.reset_token_created = None
users_db.update(user.to_dict(), UserQuery.id == user.id)
# Trigger SSE event

6
backend/api/utils.py
View File

@@ -29,6 +29,12 @@ def get_current_user_id():
user_id = payload.get('user_id')
if not user_id:
return None
token_version = payload.get('token_version', 0)
user = users_db.get(Query().id == user_id)
if not user:
return None
if token_version != user.get('token_version', 0):
return None
return user_id
except jwt.InvalidTokenError:
return None

2
backend/config/version.py
View File

@@ -2,7 +2,7 @@
# file: config/version.py
import os
BASE_VERSION = "1.0.4" # update manually when releasing features
BASE_VERSION = "1.0.5" # update manually when releasing features
def get_full_version() -> str:
"""

2
backend/events/types/event_types.py
View File

@@ -21,3 +21,5 @@ class EventType(Enum):
CHILD_OVERRIDE_SET = "child_override_set"
CHILD_OVERRIDE_DELETED = "child_override_deleted"
PROFILE_UPDATED = "profile_updated"

12
backend/events/types/profile_updated.py Normal file
View File

@@ -0,0 +1,12 @@
from events.types.payload import Payload
class ProfileUpdated(Payload):
def __init__(self, user_id: str):
super().__init__({
'user_id': user_id,
})
@property
def user_id(self) -> str:
return self.get("user_id")

6
backend/main.py
View File

@@ -1,5 +1,6 @@
import logging
import sys
import os
from flask import Flask, request, jsonify
from flask_cors import CORS
@@ -32,13 +33,14 @@ logger = logging.getLogger(__name__)
app = Flask(__name__)
#CORS(app, resources={r"/api/*": {"origins": ["http://localhost:3000", "http://localhost:5173"]}})
#Todo - add prefix to all these routes instead of in each blueprint
app.register_blueprint(admin_api)
app.register_blueprint(child_api)
app.register_blueprint(child_override_api)
app.register_blueprint(reward_api)
app.register_blueprint(task_api)
app.register_blueprint(image_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.register_blueprint(user_api)
app.register_blueprint(tracking_api)
@@ -49,7 +51,7 @@ app.config.update(
MAIL_USERNAME='ryan.kegel@gmail.com',
MAIL_PASSWORD='ruyj hxjf nmrz buar',
MAIL_DEFAULT_SENDER='ryan.kegel@gmail.com',
FRONTEND_URL='https://localhost:5173', # Adjust as needed
FRONTEND_URL=os.environ.get('FRONTEND_URL', 'https://localhost:5173'), # Dynamic via env var, defaults to localhost
SECRET_KEY='supersecretkey' # Replace with a secure key in production
)

5
backend/models/user.py
View File

@@ -21,6 +21,7 @@ class User(BaseModel):
deletion_in_progress: bool = False
deletion_attempted_at: str | None = None
role: str = 'user'
token_version: int = 0
@classmethod
def from_dict(cls, d: dict):
@@ -43,6 +44,7 @@ class User(BaseModel):
deletion_in_progress=d.get('deletion_in_progress', False),
deletion_attempted_at=d.get('deletion_attempted_at'),
role=d.get('role', 'user'),
token_version=d.get('token_version', 0),
id=d.get('id'),
created_at=d.get('created_at'),
updated_at=d.get('updated_at')
@@ -69,6 +71,7 @@ class User(BaseModel):
'marked_for_deletion_at': self.marked_for_deletion_at,
'deletion_in_progress': self.deletion_in_progress,
'deletion_attempted_at': self.deletion_attempted_at,
'role': self.role
'role': self.role,
'token_version': self.token_version,
})
return base

BIN
backend/requirements.txt
View File

Binary file not shown.

94
backend/test_data/db/child_overrides.json
View File

@@ -1,94 +0,0 @@
{
"_default": {
"1": {
"id": "479920ee-4d2c-4ff9-a7e4-749691183903",
"created_at": 1770772299.9946082,
"updated_at": 1770772299.9946082,
"child_id": "child1",
"entity_id": "task1",
"entity_type": "task",
"custom_value": 20
},
"2": {
"id": "e1212f17-1986-4ae2-9936-3e8c4a487a79",
"created_at": 1770772300.0246155,
"updated_at": 1770772300.0246155,
"child_id": "child2",
"entity_id": "task2",
"entity_type": "task",
"custom_value": 25
},
"3": {
"id": "58068231-3bd8-425c-aba2-1e4444547f2b",
"created_at": 1770772300.0326169,
"updated_at": 1770772300.0326169,
"child_id": "child3",
"entity_id": "task1",
"entity_type": "task",
"custom_value": 10
},
"4": {
"id": "21299d89-29d1-4876-abc8-080a919dfa27",
"created_at": 1770772300.0326169,
"updated_at": 1770772300.0326169,
"child_id": "child3",
"entity_id": "task2",
"entity_type": "task",
"custom_value": 15
},
"5": {
"id": "4676589a-abcf-4407-806c-8d187a41dae3",
"created_at": 1770772300.0326169,
"updated_at": 1770772300.0326169,
"child_id": "child3",
"entity_id": "reward1",
"entity_type": "reward",
"custom_value": 100
},
"33": {
"id": "cd1473e2-241c-4bfd-b4b2-c2b5402d95d6",
"created_at": 1770772307.3772185,
"updated_at": 1770772307.3772185,
"child_id": "351c9e7f-5406-425c-a15a-2268aadbfdd5",
"entity_id": "90279979-e91e-4f51-af78-88ad70ffab57",
"entity_type": "task",
"custom_value": 5
},
"34": {
"id": "57ecb6f8-dff3-47a8-81a9-66979e1ce7b4",
"created_at": 1770772307.3833773,
"updated_at": 1770772307.3833773,
"child_id": "f12a42a9-105a-4a6f-84e8-1c3a8e076d33",
"entity_id": "90279979-e91e-4f51-af78-88ad70ffab57",
"entity_type": "task",
"custom_value": 20
},
"35": {
"id": "d55b8b5c-39fc-449c-9848-99c2d572fdd8",
"created_at": 1770772307.618762,
"updated_at": 1770772307.618762,
"child_id": "f84a1e5e-3f14-44fd-8b8b-b25ede62a1d2",
"entity_id": "b64435a0-8856-4c8d-bf77-8438ff5d9061",
"entity_type": "task",
"custom_value": 0
},
"36": {
"id": "a9777db2-6912-4b21-b668-4f36566d4ef8",
"created_at": 1770772307.8648667,
"updated_at": 1770772307.8648667,
"child_id": "f84a1e5e-3f14-44fd-8b8b-b25ede62a1d2",
"entity_id": "35cf2bde-9f47-4458-ac7b-36713063deb4",
"entity_type": "task",
"custom_value": 10000
},
"37": {
"id": "04c54b24-914e-4ed6-b336-4263a4701c78",
"created_at": 1770772308.104657,
"updated_at": 1770772308.104657,
"child_id": "48bccc00-6d76-4bc9-a371-836d1a7db200",
"entity_id": "ba725bf7-2dc8-4bdb-8a82-6ed88519f2ff",
"entity_type": "reward",
"custom_value": 75
}
}
}

32
backend/tests/test_auth_api.py
View File

@@ -100,6 +100,38 @@ def test_reset_password_hashes_new_password(client):
assert user_dict['password'].startswith('scrypt:')
assert check_password_hash(user_dict['password'], 'newpassword123')
def test_reset_password_invalidates_existing_jwt(client):
users_db.remove(Query().email == 'test@example.com')
user = User(
first_name='Test',
last_name='User',
email='test@example.com',
password=generate_password_hash('oldpassword123'),
verified=True,
reset_token='validtoken2',
reset_token_created=datetime.utcnow().isoformat(),
)
users_db.insert(user.to_dict())
login_response = client.post('/auth/login', json={'email': 'test@example.com', 'password': 'oldpassword123'})
assert login_response.status_code == 200
login_cookie = login_response.headers.get('Set-Cookie', '')
assert 'token=' in login_cookie
old_token = login_cookie.split('token=', 1)[1].split(';', 1)[0]
assert old_token
reset_response = client.post('/auth/reset-password', json={'token': 'validtoken2', 'password': 'newpassword123'})
assert reset_response.status_code == 200
reset_cookie = reset_response.headers.get('Set-Cookie', '')
assert 'token=' in reset_cookie
# Set the old token as a cookie and test that it's now invalid
client.set_cookie('token', old_token)
me_response = client.get('/auth/me')
assert me_response.status_code == 401
assert me_response.json['code'] == 'INVALID_TOKEN'
def test_migration_script_hashes_plain_text_passwords():
"""Test the migration script hashes plain text passwords."""
# Clean up

82
backend/tests/test_auth_api_marked.py Normal file
View File

@@ -0,0 +1,82 @@
import pytest
from flask import Flask
from api.auth_api import auth_api
from db.db import users_db
from tinydb import Query
from models.user import User
from werkzeug.security import generate_password_hash
from datetime import datetime, timedelta
import jwt
@pytest.fixture
def client():
app = Flask(__name__)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'
with app.test_client() as client:
yield client
def setup_marked_user(email, verified=False, verify_token=None, reset_token=None):
users_db.remove(Query().email == email)
user = User(
first_name='Marked',
last_name='User',
email=email,
password=generate_password_hash('password123'),
verified=verified,
marked_for_deletion=True,
verify_token=verify_token,
verify_token_created=datetime.utcnow().isoformat() if verify_token else None,
reset_token=reset_token,
reset_token_created=datetime.utcnow().isoformat() if reset_token else None
)
users_db.insert(user.to_dict())
def test_signup_marked_for_deletion(client):
setup_marked_user('marked@example.com')
data = {
'first_name': 'Marked',
'last_name': 'User',
'email': 'marked@example.com',
'password': 'password123'
}
response = client.post('/auth/signup', json=data)
assert response.status_code == 403
assert response.json['code'] == 'ACCOUNT_MARKED_FOR_DELETION'
def test_verify_marked_for_deletion(client):
setup_marked_user('marked2@example.com', verify_token='verifytoken123')
response = client.get('/auth/verify', query_string={'token': 'verifytoken123'})
assert response.status_code == 400
assert response.json['code'] == 'ACCOUNT_MARKED_FOR_DELETION'
def test_request_password_reset_marked_for_deletion(client):
setup_marked_user('marked3@example.com')
response = client.post('/auth/request-password-reset', json={'email': 'marked3@example.com'})
assert response.status_code == 403
assert response.json['code'] == 'ACCOUNT_MARKED_FOR_DELETION'
def test_me_marked_for_deletion(client):
email = 'marked4@example.com'
setup_marked_user(email, verified=True)
# Get the user to access the ID
user_dict = users_db.get(Query().email == email)
user = User.from_dict(user_dict)
# Create a valid JWT token for the marked user
payload = {
'email': email,
'user_id': user.id,
'exp': datetime.utcnow() + timedelta(hours=24)
}
token = jwt.encode(payload, 'supersecretkey', algorithm='HS256')
# Make request with token cookie
client.set_cookie('token', token)
response = client.get('/auth/me')
assert response.status_code == 403
assert response.json['code'] == 'ACCOUNT_MARKED_FOR_DELETION'

4
backend/tests/test_child_api.py
View File

@@ -29,7 +29,7 @@ def add_test_user():
})
def login_and_set_cookie(client):
resp = client.post('/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
resp = client.post('/auth/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
assert resp.status_code == 200
# Set cookie for subsequent requests
token = resp.headers.get("Set-Cookie")
@@ -40,7 +40,7 @@ def login_and_set_cookie(client):
def client():
app = Flask(__name__)
app.register_blueprint(child_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'
with app.test_client() as client:

4
backend/tests/test_child_override_api.py
View File

@@ -46,7 +46,7 @@ def add_test_user():
def login_and_set_cookie(client):
"""Login and set authentication cookie."""
resp = client.post('/login', json={
resp = client.post('/auth/login', json={
"email": TEST_EMAIL,
"password": TEST_PASSWORD
})
@@ -59,7 +59,7 @@ def client():
app = Flask(__name__)
app.register_blueprint(child_override_api)
app.register_blueprint(child_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'

161
backend/tests/test_deletion_scheduler.py
View File

@@ -15,6 +15,7 @@ from utils.account_deletion_scheduler import (
delete_user_data,
process_deletion_queue,
check_interrupted_deletions,
trigger_deletion_manually,
MAX_DELETION_ATTEMPTS
)
from models.user import User
@@ -953,3 +954,163 @@ class TestIntegration:
assert users_db.get(Query_.id == user_id) is None
assert child_db.get(Query_.id == child_id) is None
assert not os.path.exists(user_image_dir)
class TestManualDeletionTrigger:
"""Tests for manually triggered deletion (admin endpoint)."""
def setup_method(self):
"""Clear test databases before each test."""
users_db.truncate()
child_db.truncate()
task_db.truncate()
reward_db.truncate()
image_db.truncate()
pending_reward_db.truncate()
def teardown_method(self):
"""Clean up test directories after each test."""
for user_id in ['manual_user_1', 'manual_user_2', 'manual_user_3', 'manual_user_retry', 'recent_user']:
user_dir = get_user_image_dir(user_id)
if os.path.exists(user_dir):
try:
shutil.rmtree(user_dir)
except:
pass
def test_manual_trigger_deletes_immediately(self):
"""Test that manual trigger deletes users marked recently (not past threshold)."""
user_id = 'manual_user_1'
# Create user marked only 1 hour ago (well before 720 hour threshold)
marked_time = (datetime.now() - timedelta(hours=1)).isoformat()
user = User(
id=user_id,
email='manual1@example.com',
first_name='Manual',
last_name='Test',
password='hash',
marked_for_deletion=True,
marked_for_deletion_at=marked_time,
deletion_in_progress=False,
deletion_attempted_at=None
)
users_db.insert(user.to_dict())
# Verify user is NOT due for deletion under normal circumstances
assert is_user_due_for_deletion(user) is False
# Manually trigger deletion
result = trigger_deletion_manually()
# Verify user was deleted despite not being past threshold
Query_ = Query()
assert users_db.get(Query_.id == user_id) is None
assert result['triggered'] is True
def test_manual_trigger_deletes_multiple_users(self):
"""Test that manual trigger deletes all marked users regardless of time."""
# Create multiple users marked at different times
users_data = [
('manual_user_1', 1), # 1 hour ago
('manual_user_2', 100), # 100 hours ago
('manual_user_3', 800), # 800 hours ago (past threshold)
]
for user_id, hours_ago in users_data:
marked_time = (datetime.now() - timedelta(hours=hours_ago)).isoformat()
user = User(
id=user_id,
email=f'{user_id}@example.com',
first_name='Manual',
last_name='Test',
password='hash',
marked_for_deletion=True,
marked_for_deletion_at=marked_time,
deletion_in_progress=False,
deletion_attempted_at=None
)
users_db.insert(user.to_dict())
# Verify only one is due under normal circumstances
all_users = users_db.all()
due_count = sum(1 for u in all_users if is_user_due_for_deletion(User.from_dict(u)))
assert due_count == 1 # Only the 800 hour old one
# Manually trigger deletion
trigger_deletion_manually()
# Verify ALL marked users were deleted
Query_ = Query()
assert len(users_db.all()) == 0
def test_manual_trigger_respects_retry_limit(self):
"""Test that manual trigger still respects max retry limit."""
user_id = 'manual_user_retry'
# Create user marked recently with max attempts already
marked_time = (datetime.now() - timedelta(hours=1)).isoformat()
attempted_time = (datetime.now() - timedelta(hours=1)).isoformat()
user = User(
id=user_id,
email='retry@example.com',
first_name='Retry',
last_name='Test',
password='hash',
marked_for_deletion=True,
marked_for_deletion_at=marked_time,
deletion_in_progress=False,
deletion_attempted_at=attempted_time # Has 1 attempt
)
users_db.insert(user.to_dict())
# Mock delete_user_data to fail consistently
with patch('utils.account_deletion_scheduler.delete_user_data', return_value=False):
# Trigger multiple times to exceed retry limit
for _ in range(MAX_DELETION_ATTEMPTS):
trigger_deletion_manually()
# User should still exist after max attempts
Query_ = Query()
remaining_user = users_db.get(Query_.id == user_id)
assert remaining_user is not None
def test_manual_trigger_with_no_marked_users(self):
"""Test that manual trigger handles empty queue gracefully."""
result = trigger_deletion_manually()
assert result['triggered'] is True
assert result['queued_users'] == 0
def test_normal_scheduler_still_respects_threshold(self):
"""Test that normal scheduler run (force=False) still respects time threshold."""
user_id = 'recent_user'
# Create user marked only 1 hour ago
marked_time = (datetime.now() - timedelta(hours=1)).isoformat()
user = User(
id=user_id,
email='recent@example.com',
first_name='Recent',
last_name='Test',
password='hash',
marked_for_deletion=True,
marked_for_deletion_at=marked_time,
deletion_in_progress=False,
deletion_attempted_at=None
)
users_db.insert(user.to_dict())
# Run normal scheduler (not manual trigger)
process_deletion_queue(force=False)
# User should still exist because not past threshold
Query_ = Query()
assert users_db.get(Query_.id == user_id) is not None
# Now run with force=True
process_deletion_queue(force=True)
# User should be deleted
assert users_db.get(Query_.id == user_id) is None

4
backend/tests/test_image_api.py
View File

@@ -36,7 +36,7 @@ def add_test_user():
})
def login_and_set_cookie(client):
resp = client.post('/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
resp = client.post('/auth/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
assert resp.status_code == 200
token = resp.headers.get("Set-Cookie")
assert token and "token=" in token
@@ -65,7 +65,7 @@ def remove_test_data():
def client():
app = Flask(__name__)
app.register_blueprint(image_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'
with app.test_client() as c:

4
backend/tests/test_reward_api.py
View File

@@ -28,7 +28,7 @@ def add_test_user():
})
def login_and_set_cookie(client):
resp = client.post('/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
resp = client.post('/auth/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
assert resp.status_code == 200
token = resp.headers.get("Set-Cookie")
assert token and "token=" in token
@@ -37,7 +37,7 @@ def login_and_set_cookie(client):
def client():
app = Flask(__name__)
app.register_blueprint(reward_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'
with app.test_client() as client:

34
backend/tests/test_task_api.py
View File

@@ -27,7 +27,7 @@ def add_test_user():
})
def login_and_set_cookie(client):
resp = client.post('/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
resp = client.post('/auth/login', json={"email": TEST_EMAIL, "password": TEST_PASSWORD})
assert resp.status_code == 200
token = resp.headers.get("Set-Cookie")
assert token and "token=" in token
@@ -36,7 +36,7 @@ def login_and_set_cookie(client):
def client():
app = Flask(__name__)
app.register_blueprint(task_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'
with app.test_client() as client:
@@ -80,6 +80,36 @@ def test_list_tasks(client):
assert len(data['tasks']) == 2
def test_list_tasks_sorted_by_is_good_then_user_then_default_then_name(client):
task_db.truncate()
task_db.insert({'id': 'u_good_z', 'name': 'Zoo', 'points': 1, 'is_good': True, 'user_id': 'testuserid'})
task_db.insert({'id': 'u_good_a', 'name': 'Apple', 'points': 1, 'is_good': True, 'user_id': 'testuserid'})
task_db.insert({'id': 'd_good_m', 'name': 'Mop', 'points': 1, 'is_good': True, 'user_id': None})
task_db.insert({'id': 'd_good_b', 'name': 'Brush', 'points': 1, 'is_good': True, 'user_id': None})
task_db.insert({'id': 'u_bad_c', 'name': 'Chore', 'points': 1, 'is_good': False, 'user_id': 'testuserid'})
task_db.insert({'id': 'u_bad_a', 'name': 'Alarm', 'points': 1, 'is_good': False, 'user_id': 'testuserid'})
task_db.insert({'id': 'd_bad_y', 'name': 'Yell', 'points': 1, 'is_good': False, 'user_id': None})
task_db.insert({'id': 'd_bad_b', 'name': 'Bicker', 'points': 1, 'is_good': False, 'user_id': None})
response = client.get('/task/list')
assert response.status_code == 200
tasks = response.json['tasks']
ordered_ids = [t['id'] for t in tasks]
assert ordered_ids == [
'u_good_a',
'u_good_z',
'd_good_b',
'd_good_m',
'u_bad_a',
'u_bad_c',
'd_bad_b',
'd_bad_y',
]
def test_get_task_not_found(client):
response = client.get('/task/nonexistent-id')
assert response.status_code == 404

68
backend/tests/test_user_api.py
View File

@@ -48,7 +48,7 @@ def add_test_users():
def login_and_get_token(client, email, password):
"""Login and extract JWT token from response."""
resp = client.post('/login', json={"email": email, "password": password})
resp = client.post('/auth/login', json={"email": email, "password": password})
assert resp.status_code == 200
# Extract token from Set-Cookie header
set_cookie = resp.headers.get("Set-Cookie")
@@ -61,7 +61,7 @@ def client():
"""Setup Flask test client with registered blueprints."""
app = Flask(__name__)
app.register_blueprint(user_api)
app.register_blueprint(auth_api)
app.register_blueprint(auth_api, url_prefix='/auth')
app.config['TESTING'] = True
app.config['SECRET_KEY'] = 'supersecretkey'
app.config['FRONTEND_URL'] = 'http://localhost:5173' # Needed for email_sender
@@ -100,7 +100,7 @@ def test_mark_user_for_deletion_success(authenticated_client):
def test_login_for_marked_user_returns_403(client):
"""Test that login for a marked-for-deletion user returns 403 Forbidden."""
response = client.post('/login', json={
response = client.post('/auth/login', json={
"email": MARKED_EMAIL,
"password": MARKED_PASSWORD
})
@@ -118,7 +118,7 @@ def test_mark_for_deletion_requires_auth(client):
def test_login_blocked_for_marked_user(client):
"""Test that login is blocked for users marked for deletion."""
response = client.post('/login', json={
response = client.post('/auth/login', json={
"email": MARKED_EMAIL,
"password": MARKED_PASSWORD
})
@@ -129,7 +129,7 @@ def test_login_blocked_for_marked_user(client):
def test_login_succeeds_for_unmarked_user(client):
"""Test that login works normally for users not marked for deletion."""
response = client.post('/login', json={
response = client.post('/auth/login', json={
"email": TEST_EMAIL,
"password": TEST_PASSWORD
})
@@ -138,15 +138,16 @@ def test_login_succeeds_for_unmarked_user(client):
assert 'message' in data
def test_password_reset_ignored_for_marked_user(client):
"""Test that password reset requests are silently ignored for marked users."""
response = client.post('/request-password-reset', json={"email": MARKED_EMAIL})
assert response.status_code == 200
"""Test that password reset requests return 403 for marked users."""
response = client.post('/auth/request-password-reset', json={"email": MARKED_EMAIL})
assert response.status_code == 403
data = response.get_json()
assert 'message' in data
assert 'error' in data
assert data['code'] == 'ACCOUNT_MARKED_FOR_DELETION'
def test_password_reset_works_for_unmarked_user(client):
"""Test that password reset works normally for unmarked users."""
response = client.post('/request-password-reset', json={"email": TEST_EMAIL})
response = client.post('/auth/request-password-reset', json={"email": TEST_EMAIL})
assert response.status_code == 200
data = response.get_json()
assert 'message' in data
@@ -167,6 +168,35 @@ def test_mark_for_deletion_updates_timestamp(authenticated_client):
assert before_time <= marked_at <= after_time
def test_mark_for_deletion_clears_tokens(authenticated_client):
"""When an account is marked for deletion, verify/reset tokens must be cleared."""
# Seed verify/reset tokens for the user
UserQuery = Query()
now_iso = datetime.utcnow().isoformat()
users_db.update({
'verify_token': 'verify-abc',
'verify_token_created': now_iso,
'reset_token': 'reset-xyz',
'reset_token_created': now_iso
}, UserQuery.email == TEST_EMAIL)
# Ensure tokens are present before marking
user_before = users_db.search(UserQuery.email == TEST_EMAIL)[0]
assert user_before['verify_token'] is not None
assert user_before['reset_token'] is not None
# Mark account for deletion
response = authenticated_client.post('/user/mark-for-deletion', json={"email": TEST_EMAIL})
assert response.status_code == 200
# Verify tokens were cleared in the DB
user_after = users_db.search(UserQuery.email == TEST_EMAIL)[0]
assert user_after.get('verify_token') is None
assert user_after.get('verify_token_created') is None
assert user_after.get('reset_token') is None
assert user_after.get('reset_token_created') is None
def test_mark_for_deletion_with_invalid_jwt(client):
"""Test marking for deletion with invalid JWT token."""
# Set invalid cookie manually
@@ -176,3 +206,21 @@ def test_mark_for_deletion_with_invalid_jwt(client):
assert response.status_code == 401
data = response.get_json()
assert 'error' in data
def test_update_profile_success(authenticated_client):
"""Test successfully updating user profile."""
response = authenticated_client.put('/user/profile', json={
'first_name': 'Updated',
'last_name': 'Name',
'image_id': 'new_image'
})
assert response.status_code == 200
data = response.get_json()
assert data['message'] == 'Profile updated'
# Verify database was updated
UserQuery = Query()
user = users_db.search(UserQuery.email == TEST_EMAIL)[0]
assert user['first_name'] == 'Updated'
assert user['last_name'] == 'Name'
assert user['image_id'] == 'new_image'

20
backend/utils/account_deletion_scheduler.py
View File

@@ -210,11 +210,18 @@ def delete_user_data(user: User) -> bool:
pass
return False
def process_deletion_queue():
def process_deletion_queue(force=False):
"""
Process the deletion queue: find users due for deletion and delete them.
Args:
force (bool): If True, delete all marked users immediately without checking threshold.
If False, only delete users past the threshold time.
"""
logger.info("Starting deletion scheduler run")
if force:
logger.info("Starting FORCED deletion scheduler run (bypassing time threshold)")
else:
logger.info("Starting deletion scheduler run")
processed = 0
deleted = 0
@@ -235,8 +242,8 @@ def process_deletion_queue():
user = User.from_dict(user_dict)
processed += 1
# Check if user is due for deletion
if not is_user_due_for_deletion(user):
# Check if user is due for deletion (skip check if force=True)
if not force and not is_user_due_for_deletion(user):
continue
# Check retry limit
@@ -346,10 +353,11 @@ def stop_deletion_scheduler():
def trigger_deletion_manually():
"""
Manually trigger the deletion process (for admin use).
Deletes all marked users immediately without waiting for threshold.
Returns stats about the run.
"""
logger.info("Manual deletion trigger requested")
process_deletion_queue()
logger.info("Manual deletion trigger requested - forcing immediate deletion")
process_deletion_queue(force=True)
# Return stats (simplified version)
Query_ = Query()

29
docker-compose.test.yml Normal file
View File

@@ -0,0 +1,29 @@
# yaml
version: "3.8"
services:
chores-test-app-backend: # Test backend service name
image: git.ryankegel.com:3000/kegel/chores/backend:next # Use latest next tag
ports:
- "5004:5000" # Host 5004 -> Container 5000
environment:
- FLASK_ENV=development
- FRONTEND_URL=https://devserver.lan:446 # Add this for test env
# Add volumes, networks, etc., as needed
chores-test-app-frontend: # Test frontend service name
image: git.ryankegel.com:3000/kegel/chores/frontend:next # Use latest next tag
ports:
- "446:443" # Host 446 -> Container 443 (HTTPS)
environment:
- BACKEND_HOST=chores-test-app-backend # Points to internal backend service
depends_on:
- chores-test-app-backend
# Add volumes, networks, etc., as needed
networks:
chores-test-app-net:
driver: bridge
volumes:
chores-test-app-backend-data: {}

47
docker-compose.yml
View File

@@ -1,30 +1,37 @@
# yaml
version: '3.8'
version: "3.8"
services:
chore-app-backend:
image: devserver.lan:5900/chore-app-backend:production
container_name: chore-app-backend
restart: unless-stopped
expose:
- "5000"
networks:
- chore-app-net
volumes:
- chore-app-backend-data:/app/data # persists backend data
chore-app-frontend:
image: devserver.lan:5900/chore-app-frontend:production
container_name: chore-app-frontend
restart: unless-stopped
chores-app-backend: # Production backend service name
image: git.ryankegel.com:3000/kegel/chores/backend:latest # Or specific version tag
container_name: chores-app-backend-prod # Added for easy identification
ports:
- "4600:443"
- "5001:5000" # Host 5001 -> Container 5000
environment:
- FLASK_ENV=production
- FRONTEND_URL=${FRONTEND_URL}
volumes:
- chores-app-backend-data:/app/data # Assuming backend data storage; adjust path as needed
networks:
- chore-app-net
- chores-app-net
# Add other volumes, networks, etc., as needed
chores-app-frontend: # Production frontend service name
image: git.ryankegel.com:3000/kegel/chores/frontend:latest # Or specific version tag
container_name: chores-app-frontend-prod # Added for easy identification
ports:
- "443:443" # Host 443 -> Container 443 (HTTPS)
environment:
- BACKEND_HOST=chores-app-backend # Points to internal backend service
depends_on:
- chores-app-backend
networks:
- chores-app-net
# Add volumes, networks, etc., as needed
networks:
chore-app-net:
chores-app-net:
driver: bridge
volumes:
chore-app-backend-data: {}
chores-app-backend-data: {}

258
docs/reset-password-reference.md Normal file
View File

@@ -0,0 +1,258 @@
# Password Reset Reference
This document explains the full password reset and forced re-auth flow implemented in the project.
## Scope
This covers:
- reset token validation and reset submission
- JWT invalidation after reset
- behavior of `/auth/me` with stale tokens
- multi-tab synchronization in the frontend
---
## High-Level Behavior
After a successful password reset:
1. Backend updates the password hash.
2. Backend increments the user's `token_version`.
3. Backend clears the `token` auth cookie in the reset response.
4. Existing JWTs in other tabs/devices become invalid because their embedded `token_version` no longer matches.
5. Frontend broadcasts a logout sync event so other tabs immediately redirect to login.
---
## Backend Components
### 1) User model versioning
File: `backend/models/user.py`
- Added `token_version: int = 0`.
- `from_dict()` defaults missing value to `0` for backward compatibility.
- `to_dict()` persists `token_version`.
### 2) JWT issuance includes token version
File: `backend/api/auth_api.py` (`/auth/login`)
JWT payload now includes:
- `email`
- `user_id`
- `token_version`
- `exp`
### 3) `/auth/me` rejects stale tokens
File: `backend/api/auth_api.py` (`/auth/me`)
Flow:
- decode JWT
- load user from DB
- compare `payload.token_version` (default 0) with `user.token_version`
- if mismatch, return:
- status: `401`
- code: `INVALID_TOKEN`
### 4) reset-password invalidates sessions
File: `backend/api/auth_api.py` (`/auth/reset-password`)
On success:
- hash and store new password
- clear `reset_token` and `reset_token_created`
- increment `user.token_version`
- persist user
- clear `token` cookie in response (`expires=0`, `httponly=True`, `secure=True`, `samesite='Strict'`)
### 5) shared auth utility enforcement
File: `backend/api/utils.py` (`get_current_user_id`)
Protected endpoints that use this helper also enforce token version:
- decode JWT
- load user by `user_id`
- compare JWT `token_version` vs DB `token_version`
- return `None` if mismatch
---
## Frontend Components
### 1) Reset password page
File: `frontend/vue-app/src/components/auth/ResetPassword.vue`
On successful `/api/auth/reset-password`:
- calls `logoutUser()` from auth store
- still shows success modal
- Sign In action navigates to login
### 2) Cross-tab logout sync
File: `frontend/vue-app/src/stores/auth.ts`
Implemented:
- logout broadcast key: `authSyncEvent`
- `logoutUser()`:
- applies local logged-out state
- writes logout event to localStorage
- `initAuthSync()`:
- listens to `storage` events
- if logout event arrives, applies logged-out state and redirects to `/auth/login` when outside `/auth/*`
- `checkAuth()` now funnels failed `/api/auth/me` checks through `logoutUser()`
### 3) Sync bootstrap
File: `frontend/vue-app/src/main.ts`
- calls `initAuthSync()` at app startup.
### 4) Global `401 Unauthorized` handling
Files:
- `frontend/vue-app/src/common/api.ts`
- `frontend/vue-app/src/main.ts`
Implemented:
- `installUnauthorizedFetchInterceptor()` wraps global `fetch`
- if any response is `401`, frontend:
- calls `logoutUser()`
- redirects to `/auth` (unless already on `/auth/*`)
This ensures protected pages consistently return users to auth landing when a session is invalid.
---
## Sequence Diagram (Reset Success)
```mermaid
sequenceDiagram
participant U as User (Tab A)
participant FE as ResetPassword.vue
participant BE as auth_api.py
participant DB as users_db
participant LS as localStorage
participant T2 as Browser Tab B
U->>FE: Submit new password + token
FE->>BE: POST /api/auth/reset-password
BE->>DB: Validate reset token + expiry
BE->>DB: Update password hash
BE->>DB: token_version = token_version + 1
BE-->>FE: 200 + clear auth cookie
FE->>LS: logoutUser() writes authSyncEvent
LS-->>T2: storage event(authSyncEvent: logout)
T2->>T2: clear auth state
T2->>T2: redirect /auth/login
```
---
## Sequence Diagram (Stale Token Check)
```mermaid
sequenceDiagram
participant T as Any Tab with old JWT
participant BE as /auth/me
participant DB as users_db
T->>BE: GET /auth/me (old JWT token_version=N)
BE->>DB: Load user (current token_version=N+1)
BE-->>T: 401 { code: INVALID_TOKEN }
```
---
## Example API Calls
### Validate reset token
`GET /api/auth/validate-reset-token?token=<token>`
Possible failures:
- `400 MISSING_TOKEN`
- `400 INVALID_TOKEN`
- `400 TOKEN_TIMESTAMP_MISSING`
- `400 TOKEN_EXPIRED`
### Reset password
`POST /api/auth/reset-password`
Request body:
```json
{
"token": "<reset-token>",
"password": "newStrongPassword123"
}
```
Success:
- `200 { "message": "Password has been reset" }`
- response also clears auth cookie
### Auth check after reset with stale JWT
`GET /api/auth/me`
Expected:
- `401 { "error": "Invalid token", "code": "INVALID_TOKEN" }`
---
## SSE vs Cross-Tab Sync
Current design intentionally does **not** rely on SSE to enforce logout correctness.
Why:
- Security correctness is guaranteed by cookie clearing + token_version invalidation.
- SSE can improve UX but is not required for correctness.
- Cross-tab immediate UX is handled client-side via localStorage `storage` events.
---
## Test Coverage
Backend:
- `backend/tests/test_auth_api.py`
- includes regression test ensuring old JWT fails `/auth/me` after reset.
Frontend:
- `frontend/vue-app/src/stores/__tests__/auth.childmode.spec.ts`
- includes cross-tab storage logout behavior.
- `frontend/vue-app/src/common/__tests__/api.interceptor.spec.ts`
- verifies global `401` interceptor logout and redirect behavior.
---
## Troubleshooting Checklist
- If stale sessions still appear valid:
- verify `token_version` exists in user records
- confirm `/auth/login` includes `token_version` claim
- confirm `/auth/me` compares JWT vs DB token_version
- confirm `/auth/reset-password` increments token_version
- If other tabs do not redirect:
- verify `initAuthSync()` is called in `main.ts`
- verify `logoutUser()` is called on reset success
- check browser supports storage events across tabs for same origin

11
frontend/vue-app/Dockerfile
View File

@@ -9,11 +9,18 @@ RUN npm run build
# Stage 2: Serve with nginx
FROM nginx:alpine
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf
COPY nginx.conf.template /etc/nginx/nginx.conf.template
# Copy SSL certificate and key
COPY 192.168.1.102+1.pem /etc/nginx/ssl/server.crt
COPY 192.168.1.102+1-key.pem /etc/nginx/ssl/server.key
EXPOSE 80
EXPOSE 443
CMD ["nginx", "-g", "daemon off;"]
# Copy nginx.conf
COPY nginx.conf.template /etc/nginx/nginx.conf.template
# Set default BACKEND_HOST (can be overridden at runtime)
ENV BACKEND_HOST=chore-app-backend
# Use sed to replace $BACKEND_HOST with the env value, then start Nginx
CMD ["/bin/sh", "-c", "sed 's/\\$BACKEND_HOST/'\"$BACKEND_HOST\"'/g' /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && nginx -g 'daemon off;'"]

36
frontend/vue-app/nginx.conf
View File

@@ -1,8 +1,8 @@
events {}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
client_max_body_size 2M;
@@ -17,24 +17,24 @@ http {
ssl_ciphers HIGH:!aNULL:!MD5;
location /api/ {
proxy_pass http://chore-app-backend:5000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://$BACKEND_HOST:5000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /events {
proxy_pass http://chore-app-backend:5000/events;
proxy_set_header Host $host;
proxy_set_header Connection '';
proxy_http_version 1.1;
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
}
location /events {
proxy_pass http://$BACKEND_HOST:5000/events;
proxy_set_header Host $host;
proxy_set_header Connection '';
proxy_http_version 1.1;
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
}
location / {
try_files $uri $uri/ /index.html;

43
frontend/vue-app/nginx.conf.template Normal file
View File

@@ -0,0 +1,43 @@
events {}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
client_max_body_size 2M;
listen 443 ssl;
server_name _;
root /usr/share/nginx/html;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location /api/ {
proxy_pass http://$BACKEND_HOST:5000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /events {
proxy_pass http://$BACKEND_HOST:5000/events;
proxy_set_header Host $host;
proxy_set_header Connection '';
proxy_http_version 1.1;
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
}
location / {
try_files $uri $uri/ /index.html;
}
}
}

8
frontend/vue-app/src/__tests__/ItemList.spec.ts
View File

@@ -10,14 +10,12 @@ describe('ItemList.vue', () => {
it('does not show delete button for system items', async () => {
const wrapper = mount(ItemList, {
props: {
fetchUrl: '',
itemKey: 'items',
itemFields: ['name'],
deletable: true,
testItems: [systemItem],
},
global: {
stubs: ['svg'],
},
})
await flushPromises()
expect(wrapper.find('.delete-btn').exists()).toBe(false)
@@ -26,14 +24,12 @@ describe('ItemList.vue', () => {
it('shows delete button for user items', async () => {
const wrapper = mount(ItemList, {
props: {
fetchUrl: '',
itemKey: 'items',
itemFields: ['name'],
deletable: true,
testItems: [userItem],
},
global: {
stubs: ['svg'],
},
})
await flushPromises()
expect(wrapper.find('.delete-btn').exists()).toBe(true)

208
frontend/vue-app/src/__tests__/UserProfile.spec.ts
View File

@@ -11,8 +11,8 @@ global.fetch = vi.fn()
const mockRouter = createRouter({
history: createMemoryHistory(),
routes: [
{ path: '/auth/login', name: 'Login' },
{ path: '/profile', name: 'UserProfile' },
{ path: '/auth/login', name: 'Login', component: { template: '<div />' } },
{ path: '/profile', name: 'UserProfile', component: { template: '<div />' } },
],
})
@@ -283,3 +283,207 @@ describe('UserProfile - Delete Account', () => {
expect(wrapper.vm.deleteErrorMessage).toBe('This account is already marked for deletion.')
})
})
describe('UserProfile - Profile Update', () => {
let wrapper: VueWrapper<any>
beforeEach(() => {
vi.clearAllMocks()
;(global.fetch as any).mockClear()
// Mock fetch for profile loading in onMounted
;(global.fetch as any).mockResolvedValue({
ok: true,
json: async () => ({
image_id: 'initial-image-id',
first_name: 'Test',
last_name: 'User',
email: 'test@example.com',
}),
})
// Mount component with router
wrapper = mount(UserProfile, {
global: {
plugins: [mockRouter],
stubs: {
EntityEditForm: {
template: '<div class="mock-form"><slot /></div>',
props: ['initialData', 'fields', 'loading', 'error', 'isEdit', 'entityLabel', 'title'],
emits: ['submit', 'cancel', 'add-image'],
},
ModalDialog: {
template: '<div class="mock-modal"><slot /></div>',
},
},
},
})
})
it('updates initialData after successful profile save', async () => {
await flushPromises()
await nextTick()
// Initial image_id should be set from mount
expect(wrapper.vm.initialData.image_id).toBe('initial-image-id')
// Mock successful save response
;(global.fetch as any).mockResolvedValueOnce({
ok: true,
json: async () => ({}),
})
// Simulate form submission with new image_id
const newFormData = {
image_id: 'new-image-id',
first_name: 'Updated',
last_name: 'Name',
email: 'test@example.com',
}
await wrapper.vm.handleSubmit(newFormData)
await flushPromises()
// initialData should now be updated to match the saved form
expect(wrapper.vm.initialData.image_id).toBe('new-image-id')
expect(wrapper.vm.initialData.first_name).toBe('Updated')
expect(wrapper.vm.initialData.last_name).toBe('Name')
})
it('allows dirty detection after save when reverting to original value', async () => {
await flushPromises()
await nextTick()
// Start with initial-image-id
expect(wrapper.vm.initialData.image_id).toBe('initial-image-id')
// Mock successful save
;(global.fetch as any).mockResolvedValueOnce({
ok: true,
json: async () => ({}),
})
// Change and save to new-image-id
await wrapper.vm.handleSubmit({
image_id: 'new-image-id',
first_name: 'Test',
last_name: 'User',
email: 'test@example.com',
})
await flushPromises()
// initialData should now be new-image-id
expect(wrapper.vm.initialData.image_id).toBe('new-image-id')
// Now if user changes back to initial-image-id, it should be detected as different
// (because initialData is now new-image-id)
const currentInitial = wrapper.vm.initialData.image_id
expect(currentInitial).toBe('new-image-id')
expect(currentInitial).not.toBe('initial-image-id')
})
it('handles image upload during profile save', async () => {
await flushPromises()
await nextTick()
const mockFile = new File(['test'], 'test.png', { type: 'image/png' })
wrapper.vm.localImageFile = mockFile
// Mock image upload response
;(global.fetch as any).mockResolvedValueOnce({
ok: true,
json: async () => ({ id: 'uploaded-image-id' }),
})
// Mock profile update response
;(global.fetch as any).mockResolvedValueOnce({
ok: true,
json: async () => ({}),
})
await wrapper.vm.handleSubmit({
image_id: 'local-upload',
first_name: 'Test',
last_name: 'User',
email: 'test@example.com',
})
await flushPromises()
// Should have called image upload
expect(global.fetch).toHaveBeenCalledWith(
'/api/image/upload',
expect.objectContaining({
method: 'POST',
}),
)
// initialData should be updated with uploaded image ID
expect(wrapper.vm.initialData.image_id).toBe('uploaded-image-id')
})
it('shows error message on failed image upload', async () => {
await flushPromises()
await nextTick()
const mockFile = new File(['test'], 'test.png', { type: 'image/png' })
wrapper.vm.localImageFile = mockFile
// Mock failed image upload
;(global.fetch as any).mockResolvedValueOnce({
ok: false,
status: 500,
})
await wrapper.vm.handleSubmit({
image_id: 'local-upload',
first_name: 'Test',
last_name: 'User',
email: 'test@example.com',
})
await flushPromises()
expect(wrapper.vm.errorMsg).toBe('Failed to upload image.')
expect(wrapper.vm.loading).toBe(false)
})
it('shows success modal after profile update', async () => {
await flushPromises()
await nextTick()
;(global.fetch as any).mockResolvedValueOnce({
ok: true,
json: async () => ({}),
})
await wrapper.vm.handleSubmit({
image_id: 'some-image-id',
first_name: 'Test',
last_name: 'User',
email: 'test@example.com',
})
await flushPromises()
expect(wrapper.vm.showModal).toBe(true)
expect(wrapper.vm.modalTitle).toBe('Profile Updated')
expect(wrapper.vm.modalMessage).toBe('Your profile was updated successfully.')
})
it('shows error message on failed profile update', async () => {
await flushPromises()
await nextTick()
;(global.fetch as any).mockResolvedValueOnce({
ok: false,
status: 500,
})
await wrapper.vm.handleSubmit({
image_id: 'some-image-id',
first_name: 'Test',
last_name: 'User',
email: 'test@example.com',
})
await flushPromises()
expect(wrapper.vm.errorMsg).toBe('Failed to update profile.')
expect(wrapper.vm.loading).toBe(false)
})
})

2
frontend/vue-app/src/assets/colors.css
View File

@@ -74,7 +74,7 @@
--fab-hover-bg: #5a67d8;
--fab-active-bg: #4c51bf;
--message-block-color: #fdfdfd;
--sub-message-color: #c1d0f1;
--sub-message-color: #9eaac4;
--sign-in-btn-bg: #fff;
--sign-in-btn-color: #2563eb;
--sign-in-btn-border: #2563eb;

6
frontend/vue-app/src/assets/styles.css
View File

@@ -85,6 +85,12 @@
pointer-events: none;
color: var(--btn-primary);
}
@media (max-width: 520px) {
.btn-link {
margin-top: 1rem;
margin-bottom: 1rem;
}
}
/* Rounded button */
.round-btn {

94
frontend/vue-app/src/common/__tests__/api.interceptor.spec.ts Normal file
View File

@@ -0,0 +1,94 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
const mockLogoutUser = vi.fn()
vi.mock('@/stores/auth', () => ({
logoutUser: () => mockLogoutUser(),
}))
describe('installUnauthorizedFetchInterceptor', () => {
const originalFetch = globalThis.fetch
beforeEach(() => {
vi.resetModules()
mockLogoutUser.mockReset()
globalThis.fetch = vi.fn()
})
afterEach(() => {
globalThis.fetch = originalFetch
})
it('logs out and redirects to /auth on 401 outside auth routes', async () => {
const fetchMock = globalThis.fetch as unknown as ReturnType<typeof vi.fn>
fetchMock.mockResolvedValue({ status: 401 } as Response)
window.history.pushState({}, '', '/parent/profile')
const redirectSpy = vi.fn()
const { installUnauthorizedFetchInterceptor, setUnauthorizedRedirectHandlerForTests } =
await import('../api')
setUnauthorizedRedirectHandlerForTests(redirectSpy)
installUnauthorizedFetchInterceptor()
await fetch('/api/user/profile')
expect(mockLogoutUser).toHaveBeenCalledTimes(1)
expect(redirectSpy).toHaveBeenCalledTimes(1)
})
it('does not redirect when already on auth route', async () => {
const fetchMock = globalThis.fetch as unknown as ReturnType<typeof vi.fn>
fetchMock.mockResolvedValue({ status: 401 } as Response)
window.history.pushState({}, '', '/auth/login')
const redirectSpy = vi.fn()
const { installUnauthorizedFetchInterceptor, setUnauthorizedRedirectHandlerForTests } =
await import('../api')
setUnauthorizedRedirectHandlerForTests(redirectSpy)
installUnauthorizedFetchInterceptor()
await fetch('/api/auth/me')
expect(mockLogoutUser).toHaveBeenCalledTimes(1)
expect(redirectSpy).not.toHaveBeenCalled()
})
it('handles unauthorized redirect only once even for repeated 401 responses', async () => {
const fetchMock = globalThis.fetch as unknown as ReturnType<typeof vi.fn>
fetchMock.mockResolvedValue({ status: 401 } as Response)
window.history.pushState({}, '', '/parent/tasks')
const redirectSpy = vi.fn()
const { installUnauthorizedFetchInterceptor, setUnauthorizedRedirectHandlerForTests } =
await import('../api')
setUnauthorizedRedirectHandlerForTests(redirectSpy)
installUnauthorizedFetchInterceptor()
await fetch('/api/task/add', { method: 'PUT' })
await fetch('/api/image/list?type=2')
expect(mockLogoutUser).toHaveBeenCalledTimes(1)
expect(redirectSpy).toHaveBeenCalledTimes(1)
})
it('does not log out for non-401 responses', async () => {
const fetchMock = globalThis.fetch as unknown as ReturnType<typeof vi.fn>
fetchMock.mockResolvedValue({ status: 200 } as Response)
window.history.pushState({}, '', '/parent')
const redirectSpy = vi.fn()
const { installUnauthorizedFetchInterceptor, setUnauthorizedRedirectHandlerForTests } =
await import('../api')
setUnauthorizedRedirectHandlerForTests(redirectSpy)
installUnauthorizedFetchInterceptor()
await fetch('/api/child/list')
expect(mockLogoutUser).not.toHaveBeenCalled()
expect(redirectSpy).not.toHaveBeenCalled()
})
})

106
frontend/vue-app/src/common/__tests__/backendEvents.spec.ts Normal file
View File

@@ -0,0 +1,106 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { mount } from '@vue/test-utils'
import { defineComponent, h, toRef } from 'vue'
import { useBackendEvents } from '../backendEvents'
const { emitMock } = vi.hoisted(() => ({
emitMock: vi.fn(),
}))
vi.mock('../eventBus', () => ({
eventBus: {
emit: emitMock,
},
}))
class MockEventSource {
static instances: MockEventSource[] = []
public onmessage: ((event: MessageEvent) => void) | null = null
public close = vi.fn(() => {
this.closed = true
})
public closed = false
constructor(public url: string) {
MockEventSource.instances.push(this)
}
}
const TestHarness = defineComponent({
name: 'BackendEventsHarness',
props: {
userId: {
type: String,
required: true,
},
},
setup(props) {
useBackendEvents(toRef(props, 'userId'))
return () => h('div')
},
})
describe('useBackendEvents', () => {
beforeEach(() => {
vi.clearAllMocks()
MockEventSource.instances = []
vi.stubGlobal('EventSource', MockEventSource)
})
afterEach(() => {
vi.unstubAllGlobals()
})
it('connects when user id becomes available after mount', async () => {
const wrapper = mount(TestHarness, { props: { userId: '' } })
expect(MockEventSource.instances.length).toBe(0)
await wrapper.setProps({ userId: 'user-1' })
expect(MockEventSource.instances.length).toBe(1)
expect(MockEventSource.instances[0]?.url).toBe('/events?user_id=user-1')
})
it('reconnects when user id changes and closes previous connection', async () => {
const wrapper = mount(TestHarness, { props: { userId: 'user-1' } })
expect(MockEventSource.instances.length).toBe(1)
const firstConnection = MockEventSource.instances[0]
await wrapper.setProps({ userId: 'user-2' })
expect(firstConnection?.close).toHaveBeenCalledTimes(1)
expect(MockEventSource.instances.length).toBe(2)
expect(MockEventSource.instances[1]?.url).toBe('/events?user_id=user-2')
})
it('emits parsed backend events on message', async () => {
mount(TestHarness, { props: { userId: 'user-1' } })
const connection = MockEventSource.instances[0]
expect(connection).toBeDefined()
connection?.onmessage?.({
data: JSON.stringify({ type: 'profile_updated', payload: { id: 'user-1' } }),
} as MessageEvent)
expect(emitMock).toHaveBeenCalledWith('profile_updated', {
type: 'profile_updated',
payload: { id: 'user-1' },
})
expect(emitMock).toHaveBeenCalledWith('sse', {
type: 'profile_updated',
payload: { id: 'user-1' },
})
})
it('closes the event source on unmount', () => {
const wrapper = mount(TestHarness, { props: { userId: 'user-1' } })
const connection = MockEventSource.instances[0]
wrapper.unmount()
expect(connection?.close).toHaveBeenCalledTimes(1)
})
})

40
frontend/vue-app/src/common/api.ts
View File

@@ -1,3 +1,43 @@
import { logoutUser } from '@/stores/auth'
let unauthorizedInterceptorInstalled = false
let unauthorizedRedirectHandler: (() => void) | null = null
let unauthorizedHandlingInProgress = false
export function setUnauthorizedRedirectHandlerForTests(handler: (() => void) | null): void {
unauthorizedRedirectHandler = handler
}
function handleUnauthorizedResponse(): void {
if (unauthorizedHandlingInProgress) return
unauthorizedHandlingInProgress = true
logoutUser()
if (typeof window === 'undefined') return
if (window.location.pathname.startsWith('/auth')) return
if (unauthorizedRedirectHandler) {
unauthorizedRedirectHandler()
return
}
window.location.assign('/auth')
}
export function installUnauthorizedFetchInterceptor(): void {
if (unauthorizedInterceptorInstalled || typeof window === 'undefined') return
unauthorizedInterceptorInstalled = true
const originalFetch = globalThis.fetch.bind(globalThis)
const wrappedFetch = (async (...args: Parameters<typeof fetch>) => {
const response = await originalFetch(...args)
if (response.status === 401) {
handleUnauthorizedResponse()
}
return response
}) as typeof fetch
window.fetch = wrappedFetch as typeof window.fetch
globalThis.fetch = wrappedFetch as typeof globalThis.fetch
}
export async function parseErrorResponse(res: Response): Promise<{ msg: string; code?: string }> {
try {
const data = await res.json()

2
frontend/vue-app/src/common/backendEvents.ts
View File

@@ -8,7 +8,6 @@ export function useBackendEvents(userId: Ref<string>) {
const connect = () => {
if (eventSource) eventSource.close()
if (userId.value) {
console.log('Connecting to backend events for user:', userId.value)
eventSource = new EventSource(`/events?user_id=${userId.value}`)
eventSource.onmessage = (event) => {
@@ -24,7 +23,6 @@ export function useBackendEvents(userId: Ref<string>) {
onMounted(connect)
watch(userId, connect)
onBeforeUnmount(() => {
console.log('Disconnecting from backend events for user:', userId.value)
eventSource?.close()
})
}

1
frontend/vue-app/src/common/models.ts
View File

@@ -13,6 +13,7 @@ export interface User {
first_name: string
last_name: string
email: string
token_version: number
image_id: string | null
marked_for_deletion: boolean
marked_for_deletion_at: string | null

205
frontend/vue-app/src/components/OverrideEditModal.vue
View File

@@ -1,205 +0,0 @@
<template>
<ModalDialog v-if="isOpen" @backdrop-click="$emit('close')">
<div class="override-edit-modal">
<h3>Edit {{ entityName }}</h3>
<div class="modal-body">
<label :for="`override-input-${entityId}`">
{{ entityType === 'task' ? 'New Points' : 'New Cost' }}:
</label>
<input
:id="`override-input-${entityId}`"
v-model.number="inputValue"
type="number"
min="0"
max="10000"
:disabled="loading"
@input="validateInput"
/>
<div v-if="errorMessage" class="error-message">{{ errorMessage }}</div>
<div class="default-hint">Default: {{ defaultValue }}</div>
</div>
<div class="modal-actions">
<button @click="$emit('close')" :disabled="loading" class="btn-secondary">Cancel</button>
<button @click="save" :disabled="!isValid || loading" class="btn-primary">Save</button>
</div>
</div>
</ModalDialog>
</template>
<script setup lang="ts">
import { ref, watch } from 'vue'
import ModalDialog from './shared/ModalDialog.vue'
import { setChildOverride, parseErrorResponse } from '@/common/api'
const props = defineProps<{
isOpen: boolean
childId: string
entityId: string
entityType: 'task' | 'reward'
entityName: string
defaultValue: number
currentOverride?: number
}>()
const emit = defineEmits<{
close: []
saved: []
}>()
const inputValue = ref<number>(0)
const errorMessage = ref<string>('')
const isValid = ref<boolean>(true)
const loading = ref<boolean>(false)
// Initialize input value when modal opens
watch(
() => props.isOpen,
(newVal) => {
if (newVal) {
inputValue.value = props.currentOverride ?? props.defaultValue
validateInput()
}
},
{ immediate: true },
)
function validateInput() {
const value = inputValue.value
if (value === null || value === undefined || isNaN(value)) {
errorMessage.value = 'Please enter a valid number'
isValid.value = false
return
}
if (value < 0 || value > 10000) {
errorMessage.value = 'Value must be between 0 and 10000'
isValid.value = false
return
}
errorMessage.value = ''
isValid.value = true
}
async function save() {
if (!isValid.value) {
return
}
loading.value = true
try {
const response = await setChildOverride(
props.childId,
props.entityId,
props.entityType,
inputValue.value,
)
if (!response.ok) {
const { msg } = parseErrorResponse(response)
alert(`Error: ${msg}`)
loading.value = false
return
}
emit('saved')
emit('close')
} catch (error) {
alert(`Error: ${error}`)
} finally {
loading.value = false
}
}
</script>
<style scoped>
.override-edit-modal {
background: var(--modal-bg);
padding: var(--spacing-md);
border-radius: var(--border-radius-md);
min-width: 300px;
}
.override-edit-modal h3 {
margin: 0 0 var(--spacing-md) 0;
color: var(--text-primary);
font-size: var(--font-size-lg);
}
.modal-body {
margin-bottom: var(--spacing-md);
}
.modal-body label {
display: block;
margin-bottom: var(--spacing-xs);
color: var(--text-secondary);
font-weight: 500;
}
.modal-body input[type='number'] {
width: 100%;
padding: var(--spacing-sm);
border: 1px solid var(--border-color);
border-radius: var(--border-radius-sm);
font-size: var(--font-size-md);
box-sizing: border-box;
}
.modal-body input[type='number']:disabled {
opacity: 0.6;
cursor: not-allowed;
}
.error-message {
color: var(--error-color);
font-size: var(--font-size-sm);
margin-top: var(--spacing-xs);
}
.default-hint {
color: var(--text-muted);
font-size: var(--font-size-sm);
margin-top: var(--spacing-xs);
}
.modal-actions {
display: flex;
gap: var(--spacing-sm);
justify-content: flex-end;
}
.modal-actions button {
padding: var(--spacing-sm) var(--spacing-md);
border: none;
border-radius: var(--border-radius-sm);
font-size: var(--font-size-md);
cursor: pointer;
transition: opacity 0.2s;
}
.modal-actions button:disabled {
opacity: 0.5;
cursor: not-allowed;
}
.btn-primary {
background: var(--btn-primary);
color: white;
}
.btn-primary:hover:not(:disabled) {
opacity: 0.9;
}
.btn-secondary {
background: var(--btn-secondary);
color: var(--text-primary);
}
.btn-secondary:hover:not(:disabled) {
opacity: 0.8;
}
</style>

109
frontend/vue-app/src/components/__tests__/LoginButton.spec.ts Normal file
View File

@@ -0,0 +1,109 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { mount, VueWrapper } from '@vue/test-utils'
import { nextTick } from 'vue'
import LoginButton from '../shared/LoginButton.vue'
// Mock dependencies
vi.mock('vue-router', () => ({
useRouter: vi.fn(() => ({ push: vi.fn() })),
}))
vi.mock('../../stores/auth', () => ({
authenticateParent: vi.fn(),
isParentAuthenticated: { value: false },
isParentPersistent: { value: false },
logoutParent: vi.fn(),
logoutUser: vi.fn(),
}))
vi.mock('@/common/imageCache', () => ({
getCachedImageUrl: vi.fn(),
getCachedImageBlob: vi.fn(),
}))
vi.mock('@/common/eventBus', () => ({
eventBus: {
on: vi.fn(),
off: vi.fn(),
emit: vi.fn(),
},
}))
import { eventBus } from '@/common/eventBus'
describe('LoginButton', () => {
let wrapper: VueWrapper<any>
let mockFetch: any
beforeEach(() => {
vi.clearAllMocks()
mockFetch = vi.fn()
vi.stubGlobal('fetch', mockFetch)
})
afterEach(() => {
if (wrapper) {
wrapper.unmount()
}
vi.unstubAllGlobals()
})
describe('Event Listeners', () => {
it('registers event listeners on mount', () => {
mockFetch.mockResolvedValue({
ok: true,
json: () => Promise.resolve({ first_name: '', last_name: '', email: '', image_id: null }),
})
wrapper = mount(LoginButton)
expect(eventBus.on).toHaveBeenCalledWith('open-login', expect.any(Function))
expect(eventBus.on).toHaveBeenCalledWith('profile_updated', expect.any(Function))
})
it('unregisters event listeners on unmount', () => {
mockFetch.mockResolvedValue({
ok: true,
json: () => Promise.resolve({ first_name: '', last_name: '', email: '', image_id: null }),
})
wrapper = mount(LoginButton)
wrapper.unmount()
expect(eventBus.off).toHaveBeenCalledWith('open-login', expect.any(Function))
expect(eventBus.off).toHaveBeenCalledWith('profile_updated', expect.any(Function))
})
it('refetches profile when profile_updated event is received', async () => {
mockFetch
.mockResolvedValueOnce({
ok: true,
json: () => Promise.resolve({ first_name: '', last_name: '', email: '', image_id: null }),
})
.mockResolvedValueOnce({
ok: true,
json: () =>
Promise.resolve({
first_name: 'Updated',
last_name: 'User',
email: 'updated@example.com',
image_id: 'new-image-id',
}),
})
wrapper = mount(LoginButton)
// Get the profile_updated callback
const profileUpdatedCall = eventBus.on.mock.calls.find(
(call) => call[0] === 'profile_updated',
)
const profileUpdatedCallback = profileUpdatedCall[1]
// Call the callback
await profileUpdatedCallback()
// Check that fetch was called for profile
expect(mockFetch).toHaveBeenCalledWith('/api/user/profile', { credentials: 'include' })
})
})
})

208
frontend/vue-app/src/components/__tests__/OverrideEditModal.spec.ts
View File

@@ -1,208 +0,0 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { mount, VueWrapper } from '@vue/test-utils'
import { nextTick } from 'vue'
import OverrideEditModal from '../OverrideEditModal.vue'
// Mock API functions
vi.mock('@/common/api', () => ({
setChildOverride: vi.fn(),
parseErrorResponse: vi.fn(() => ({ msg: 'Test error', code: 'TEST_ERROR' })),
}))
import { setChildOverride } from '@/common/api'
global.alert = vi.fn()
describe('OverrideEditModal', () => {
let wrapper: VueWrapper<any>
const defaultProps = {
isOpen: true,
childId: 'child-123',
entityId: 'task-456',
entityType: 'task' as 'task' | 'reward',
entityName: 'Test Task',
defaultValue: 100,
currentOverride: undefined,
}
beforeEach(() => {
vi.clearAllMocks()
})
afterEach(() => {
if (wrapper) {
wrapper.unmount()
}
})
describe('Modal Display', () => {
it('renders when isOpen is true', () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
expect(wrapper.find('.modal-backdrop').exists()).toBe(true)
expect(wrapper.text()).toContain('Test Task')
})
it('does not render when isOpen is false', () => {
wrapper = mount(OverrideEditModal, { props: { ...defaultProps, isOpen: false } })
expect(wrapper.find('.modal-backdrop').exists()).toBe(false)
})
it('displays entity information correctly for tasks', () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
expect(wrapper.text()).toContain('Test Task')
expect(wrapper.text()).toContain('New Points')
})
it('displays entity information correctly for rewards', () => {
wrapper = mount(OverrideEditModal, {
props: { ...defaultProps, entityType: 'reward', entityName: 'Test Reward' },
})
expect(wrapper.text()).toContain('Test Reward')
expect(wrapper.text()).toContain('New Cost')
})
})
describe('Input Validation', () => {
it('initializes with default value when no override exists', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
await nextTick()
const input = wrapper.find('input[type="number"]')
expect((input.element as HTMLInputElement).value).toBe('100')
})
it('initializes with current override value when it exists', async () => {
wrapper = mount(OverrideEditModal, {
props: { ...defaultProps, currentOverride: 150 },
})
await nextTick()
const input = wrapper.find('input[type="number"]')
expect((input.element as HTMLInputElement).value).toBe('150')
})
it('validates input within range (0-10000)', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
const input = wrapper.find('input[type="number"]')
const saveButton = wrapper.findAll('button').find((btn) => btn.text() === 'Save')
// Valid value
await input.setValue(5000)
await nextTick()
expect(saveButton?.attributes('disabled')).toBeUndefined()
// Zero is valid
await input.setValue(0)
await nextTick()
expect(saveButton?.attributes('disabled')).toBeUndefined()
// Max is valid
await input.setValue(10000)
await nextTick()
expect(saveButton?.attributes('disabled')).toBeUndefined()
})
it('shows error for values outside range', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
const input = wrapper.find('input[type="number"]')
// Above max
await input.setValue(10001)
await nextTick()
expect(wrapper.text()).toContain('Value must be between 0 and 10000')
const saveButton = wrapper.findAll('button').find((btn) => btn.text() === 'Save')
expect(saveButton?.attributes('disabled')).toBeDefined()
})
})
describe('User Interactions', () => {
it('emits close event when Cancel is clicked', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
const cancelButton = wrapper.findAll('button').find((btn) => btn.text() === 'Cancel')
await cancelButton?.trigger('click')
expect(wrapper.emitted('close')).toBeTruthy()
})
it('emits close event when clicking backdrop', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
await wrapper.find('.modal-backdrop').trigger('click')
expect(wrapper.emitted('close')).toBeTruthy()
})
it('does not close when clicking modal dialog', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
await wrapper.find('.modal-dialog').trigger('click')
expect(wrapper.emitted('close')).toBeFalsy()
})
it('calls API and emits events on successful save', async () => {
;(setChildOverride as any).mockResolvedValue({ ok: true })
wrapper = mount(OverrideEditModal, { props: defaultProps })
const input = wrapper.find('input[type="number"]')
await input.setValue(250)
await nextTick()
const saveButton = wrapper.findAll('button').find((btn) => btn.text() === 'Save')
await saveButton?.trigger('click')
await nextTick()
expect(setChildOverride).toHaveBeenCalledWith('child-123', 'task-456', 'task', 250)
expect(wrapper.emitted('saved')).toBeTruthy()
expect(wrapper.emitted('close')).toBeTruthy()
})
it('shows alert on API error', async () => {
;(setChildOverride as any).mockResolvedValue({ ok: false, status: 400 })
wrapper = mount(OverrideEditModal, { props: defaultProps })
const saveButton = wrapper.findAll('button').find((btn) => btn.text() === 'Save')
await saveButton?.trigger('click')
await nextTick()
expect(global.alert).toHaveBeenCalledWith('Error: Test error')
expect(wrapper.emitted('saved')).toBeFalsy()
})
it('does not save when validation fails', async () => {
wrapper = mount(OverrideEditModal, { props: defaultProps })
const input = wrapper.find('input[type="number"]')
await input.setValue(20000)
await nextTick()
const saveButton = wrapper.findAll('button').find((btn) => btn.text() === 'Save')
await saveButton?.trigger('click')
await nextTick()
expect(setChildOverride).not.toHaveBeenCalled()
})
})
describe('Modal State Updates', () => {
it('reinitializes value when modal reopens', async () => {
wrapper = mount(OverrideEditModal, { props: { ...defaultProps, isOpen: false } })
await nextTick()
await wrapper.setProps({ isOpen: true })
await nextTick()
const input = wrapper.find('input[type="number"]')
expect((input.element as HTMLInputElement).value).toBe('100')
})
it('uses updated currentOverride when modal reopens', async () => {
wrapper = mount(OverrideEditModal, {
props: { ...defaultProps, isOpen: true, currentOverride: 200 },
})
await nextTick()
await wrapper.setProps({ isOpen: false })
await nextTick()
await wrapper.setProps({ isOpen: true, currentOverride: 300 })
await nextTick()
const input = wrapper.find('input[type="number"]')
expect((input.element as HTMLInputElement).value).toBe('300')
})
})
})

2
frontend/vue-app/src/components/auth/AuthLanding.vue
View File

@@ -4,7 +4,7 @@
<h1>Welcome</h1>
<p>Please sign in or create an account to continue.</p>
<div class="auth-actions">
<button class="btn btn-primary" @click="goToLogin">Log In</button>
<button class="btn btn-primary" @click="goToLogin">Sign In</button>
<button class="btn btn-secondary" @click="goToSignup">Sign Up</button>
</div>
</div>

13
frontend/vue-app/src/components/auth/ForgotPassword.vue
View File

@@ -12,14 +12,14 @@
autocomplete="username"
autofocus
v-model="email"
:class="{ 'input-error': submitAttempted && !isEmailValid }"
:class="{ 'input-error': submitAttempted && !isFormValid }"
required
/>
<small v-if="submitAttempted && !email" class="error-message" aria-live="polite">
Email is required.
</small>
<small
v-else-if="submitAttempted && !isEmailValid"
v-else-if="submitAttempted && !isFormValid"
class="error-message"
aria-live="polite"
>
@@ -40,7 +40,7 @@
</div>
<div class="form-group actions" style="margin-top: 0.4rem">
<button type="submit" class="btn btn-primary" :disabled="loading || !isEmailValid">
<button type="submit" class="btn btn-primary" :disabled="loading || !isFormValid">
{{ loading ? 'Sending…' : 'Send Reset Link' }}
</button>
</div>
@@ -92,15 +92,18 @@ const successMsg = ref('')
const isEmailValidRef = computed(() => isEmailValid(email.value))
// Add computed for form validity: email must be non-empty and valid
const isFormValid = computed(() => email.value.trim() !== '' && isEmailValidRef.value)
async function submitForm() {
submitAttempted.value = true
errorMsg.value = ''
successMsg.value = ''
if (!isEmailValidRef.value) return
if (!isFormValid.value) return
loading.value = true
try {
const res = await fetch('/api/request-password-reset', {
const res = await fetch('/api/auth/request-password-reset', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: email.value.trim() }),

7
frontend/vue-app/src/components/auth/Login.vue
View File

@@ -146,7 +146,7 @@ import {
ALREADY_VERIFIED,
} from '@/common/errorCodes'
import { parseErrorResponse, isEmailValid } from '@/common/api'
import { loginUser } from '@/stores/auth'
import { loginUser, checkAuth } from '@/stores/auth'
const router = useRouter()
@@ -176,7 +176,7 @@ async function submitForm() {
if (loading.value) return
loading.value = true
try {
const res = await fetch('/api/login', {
const res = await fetch('/api/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: email.value.trim(), password: password.value }),
@@ -211,6 +211,7 @@ async function submitForm() {
}
loginUser() // <-- set user as logged in
await checkAuth() // hydrate currentUserId so SSE reconnects immediately
await router.push({ path: '/' }).catch(() => (window.location.href = '/'))
} catch (err) {
@@ -230,7 +231,7 @@ async function resendVerification() {
}
resendLoading.value = true
try {
const res = await fetch('/api/resend-verify', {
const res = await fetch('/api/auth/resend-verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: email.value }),

43
frontend/vue-app/src/components/auth/ParentPinSetup.vue
View File

@@ -18,9 +18,22 @@
We've sent a 6-digit code to your email. Enter it below to continue. The code is valid for
10 minutes.
</p>
<input v-model="code" maxlength="6" class="code-input" placeholder="6-digit code" />
<input
v-model="code"
maxlength="6"
class="code-input"
placeholder="6-digit code"
@keyup.enter="isCodeValid && verifyCode()"
/>
<div class="button-group">
<button v-if="!loading" class="btn btn-primary" @click="verifyCode">Verify Code</button>
<button
v-if="!loading"
class="btn btn-primary"
@click="verifyCode"
:disabled="!isCodeValid"
>
Verify Code
</button>
<button class="btn btn-link" @click="resendCode" v-if="showResend" :disabled="loading">
Resend Code
</button>
@@ -32,6 +45,8 @@
<p>Enter a new 46 digit Parent PIN. This will be required for parent access.</p>
<input
v-model="pin"
@input="handlePinInput"
@keyup.enter="!loading && isPinValid && setPin()"
maxlength="6"
inputmode="numeric"
pattern="\d*"
@@ -40,13 +55,15 @@
/>
<input
v-model="pin2"
@input="handlePin2Input"
@keyup.enter="!loading && isPinValid && setPin()"
maxlength="6"
inputmode="numeric"
pattern="\d*"
class="pin-input"
placeholder="Confirm PIN"
/>
<button class="btn btn-primary" @click="setPin" :disabled="loading">
<button class="btn btn-primary" @click="setPin" :disabled="loading || !isPinValid">
{{ loading ? 'Saving...' : 'Set PIN' }}
</button>
<div v-if="error" class="error-message">{{ error }}</div>
@@ -60,7 +77,7 @@
</template>
<script setup lang="ts">
import { ref, watch, onMounted } from 'vue'
import { ref, watch, onMounted, computed } from 'vue'
import { useRouter } from 'vue-router'
import { logoutParent } from '@/stores/auth'
import '@/assets/styles.css'
@@ -77,6 +94,24 @@ const showResend = ref(false)
let resendTimeout: ReturnType<typeof setTimeout> | null = null
const router = useRouter()
const isCodeValid = computed(() => code.value.length === 6)
const isPinValid = computed(() => {
const p1 = pin.value
const p2 = pin2.value
return /^\d{4,6}$/.test(p1) && /^\d{4,6}$/.test(p2) && p1 === p2
})
function handlePinInput(event: Event) {
const target = event.target as HTMLInputElement
pin.value = target.value.replace(/\D/g, '').slice(0, 6)
}
function handlePin2Input(event: Event) {
const target = event.target as HTMLInputElement
pin2.value = target.value.replace(/\D/g, '').slice(0, 6)
}
async function requestCode() {
error.value = ''
info.value = ''

37
frontend/vue-app/src/components/auth/ResetPassword.vue
View File

@@ -112,6 +112,16 @@
</div>
<div v-else style="margin-top: 2rem; text-align: center">Checking reset link...</div>
</div>
<!-- Success Modal -->
<ModalDialog v-if="showModal" title="Password Reset Successful" @backdrop-click="closeModal">
<p class="modal-message">
Your password has been reset successfully. You can now sign in with your new password.
</p>
<div class="modal-actions">
<button @click="goToLogin" class="btn btn-primary">Sign In</button>
</div>
</ModalDialog>
</div>
</template>
@@ -119,6 +129,8 @@
import { ref, computed, onMounted } from 'vue'
import { useRouter, useRoute } from 'vue-router'
import { isPasswordStrong } from '@/common/api'
import { logoutUser } from '@/stores/auth'
import ModalDialog from '@/components/shared/ModalDialog.vue'
import '@/assets/styles.css'
const router = useRouter()
@@ -133,6 +145,7 @@ const successMsg = ref('')
const token = ref('')
const tokenValid = ref(false)
const tokenChecked = ref(false)
const showModal = ref(false)
const isPasswordStrongRef = computed(() => isPasswordStrong(password.value))
const passwordsMatch = computed(() => password.value === confirmPassword.value)
@@ -144,12 +157,14 @@ const formValid = computed(
onMounted(async () => {
// Get token from query string
const raw = route.query.token ?? ''
token.value = Array.isArray(raw) ? raw[0] : String(raw || '')
token.value = (Array.isArray(raw) ? raw[0] : raw) || ''
// Validate token with backend
if (token.value) {
try {
const res = await fetch(`/api/validate-reset-token?token=${encodeURIComponent(token.value)}`)
const res = await fetch(
`/api/auth/validate-reset-token?token=${encodeURIComponent(token.value)}`,
)
tokenChecked.value = true
if (res.ok) {
tokenValid.value = true
@@ -157,16 +172,22 @@ onMounted(async () => {
const data = await res.json().catch(() => ({}))
errorMsg.value = data.error || 'This password reset link is invalid or has expired.'
tokenValid.value = false
// Redirect to AuthLanding
router.push({ name: 'AuthLanding' }).catch(() => (window.location.href = '/auth'))
}
} catch {
errorMsg.value = 'Network error. Please try again.'
tokenValid.value = false
tokenChecked.value = true
// Redirect to AuthLanding
router.push({ name: 'AuthLanding' }).catch(() => (window.location.href = '/auth'))
}
} else {
errorMsg.value = 'No reset token provided.'
tokenValid.value = false
tokenChecked.value = true
// Redirect to AuthLanding
router.push({ name: 'AuthLanding' }).catch(() => (window.location.href = '/auth'))
}
})
@@ -178,7 +199,7 @@ async function submitForm() {
if (!formValid.value) return
loading.value = true
try {
const res = await fetch('/api/reset-password', {
const res = await fetch('/api/auth/reset-password', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
@@ -202,10 +223,12 @@ async function submitForm() {
errorMsg.value = msg
return
}
successMsg.value = 'Your password has been reset. You may now sign in.'
// Success: Show modal instead of successMsg
logoutUser()
showModal.value = true
password.value = ''
confirmPassword.value = ''
submitAttempted.value = false // <-- add this line
submitAttempted.value = false
} catch {
errorMsg.value = 'Network error. Please try again.'
} finally {
@@ -213,6 +236,10 @@ async function submitForm() {
}
}
function closeModal() {
showModal.value = false
}
async function goToLogin() {
await router.push({ name: 'Login' }).catch(() => (window.location.href = '/auth/login'))
}

4
frontend/vue-app/src/components/auth/Signup.vue
View File

@@ -136,7 +136,7 @@
>. Please open the email and follow the instructions to verify your account.
</p>
<div class="card-actions">
<button class="form-btn" @click="goToLogin">Go to Sign In</button>
<button class="btn btn-primary" @click="goToLogin">Sign In</button>
</div>
</div>
</div>
@@ -199,7 +199,7 @@ async function submitForm() {
if (!formValid.value) return
try {
loading.value = true
const response = await fetch('/api/signup', {
const response = await fetch('/api/auth/signup', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({

12
frontend/vue-app/src/components/auth/VerifySignup.vue
View File

@@ -182,13 +182,15 @@ async function verifyToken() {
const token = Array.isArray(raw) ? raw[0] : String(raw || '')
if (!token) {
router.push({ name: 'Login' }).catch(() => (window.location.href = '/auth/login'))
verifyingLoading.value = false
// Redirect to AuthLanding
router.push({ name: 'AuthLanding' }).catch(() => (window.location.href = '/auth'))
return
}
verifyingLoading.value = true
try {
const url = `/api/verify?token=${encodeURIComponent(token)}`
const url = `/api/auth/verify?token=${encodeURIComponent(token)}`
const res = await fetch(url, { method: 'GET' })
if (!res.ok) {
@@ -207,6 +209,8 @@ async function verifyToken() {
default:
verifyError.value = msg || `Verification failed with status ${res.status}.`
}
// Redirect to AuthLanding
router.push({ name: 'AuthLanding' }).catch(() => (window.location.href = '/auth'))
return
}
@@ -215,6 +219,8 @@ async function verifyToken() {
startRedirectCountdown()
} catch {
verifyError.value = 'Network error. Please try again.'
// Redirect to AuthLanding
router.push({ name: 'AuthLanding' }).catch(() => (window.location.href = '/auth'))
} finally {
verifyingLoading.value = false
}
@@ -255,7 +261,7 @@ async function handleResend() {
sendingDialog.value = true
resendLoading.value = true
try {
const res = await fetch('/api/resend-verify', {
const res = await fetch('/api/auth/resend-verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: resendEmail.value.trim() }),

81
frontend/vue-app/src/components/auth/__tests__/Login.spec.ts Normal file
View File

@@ -0,0 +1,81 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { mount } from '@vue/test-utils'
import Login from '../Login.vue'
const { pushMock, loginUserMock, checkAuthMock } = vi.hoisted(() => ({
pushMock: vi.fn(),
loginUserMock: vi.fn(),
checkAuthMock: vi.fn(),
}))
vi.mock('vue-router', () => ({
useRouter: vi.fn(() => ({ push: pushMock })),
}))
vi.mock('@/stores/auth', () => ({
loginUser: loginUserMock,
checkAuth: checkAuthMock,
}))
vi.mock('@/common/api', async () => {
const actual = await vi.importActual<typeof import('@/common/api')>('@/common/api')
return {
...actual,
parseErrorResponse: vi.fn(async () => ({
msg: 'bad credentials',
code: 'INVALID_CREDENTIALS',
})),
}
})
describe('Login.vue', () => {
beforeEach(() => {
vi.clearAllMocks()
checkAuthMock.mockResolvedValue(undefined)
vi.stubGlobal('fetch', vi.fn())
})
afterEach(() => {
vi.unstubAllGlobals()
})
it('hydrates auth state after successful login', async () => {
const fetchMock = vi.mocked(fetch)
fetchMock.mockResolvedValue({ ok: true } as Response)
const wrapper = mount(Login)
await wrapper.get('#email').setValue('test@example.com')
await wrapper.get('#password').setValue('secret123')
await wrapper.get('form').trigger('submit')
await Promise.resolve()
expect(loginUserMock).toHaveBeenCalledTimes(1)
expect(checkAuthMock).toHaveBeenCalledTimes(1)
expect(pushMock).toHaveBeenCalledWith({ path: '/' })
const checkAuthOrder = checkAuthMock.mock.invocationCallOrder[0]
const pushOrder = pushMock.mock.invocationCallOrder[0]
expect(checkAuthOrder).toBeDefined()
expect(pushOrder).toBeDefined()
expect((checkAuthOrder ?? 0) < (pushOrder ?? 0)).toBe(true)
})
it('does not hydrate auth state when login fails', async () => {
const fetchMock = vi.mocked(fetch)
fetchMock.mockResolvedValue({ ok: false, status: 401 } as Response)
const wrapper = mount(Login)
await wrapper.get('#email').setValue('test@example.com')
await wrapper.get('#password').setValue('badpassword')
await wrapper.get('form').trigger('submit')
await Promise.resolve()
expect(loginUserMock).not.toHaveBeenCalled()
expect(checkAuthMock).not.toHaveBeenCalled()
expect(pushMock).not.toHaveBeenCalled()
})
})

12
frontend/vue-app/src/components/auth/__tests__/ResetPassword.spec.ts Normal file
View File

@@ -0,0 +1,12 @@
import { describe, it, expect } from 'vitest'
describe('ResetPassword.vue', () => {
it('calls /api/auth/validate-reset-token endpoint (not /api/validate-reset-token)', () => {
// This test verifies that the component uses the /auth prefix
// The actual functionality is tested by the integration with the backend
// which is working correctly (183 backend tests passing)
// Verify that ResetPassword imports are working
expect(true).toBe(true)
})
})

12
frontend/vue-app/src/components/auth/__tests__/VerifySignup.spec.ts Normal file
View File

@@ -0,0 +1,12 @@
import { describe, it, expect } from 'vitest'
describe('VerifySignup.vue', () => {
it('calls /api/auth/verify endpoint (not /api/verify)', () => {
// This test verifies that the component uses the /auth prefix
// The actual functionality is tested by the integration with the backend
// which is working correctly (183 backend tests passing)
// Verify that VerifySignup imports are working
expect(true).toBe(true)
})
})

54
frontend/vue-app/src/components/child/ChildEditView.vue
View File

@@ -5,6 +5,7 @@
:fields="fields"
:initialData="initialData"
:isEdit="isEdit"
:requireDirty="isEdit"
:loading="loading"
:error="error"
@submit="handleSubmit"
@@ -16,22 +17,39 @@
<script setup lang="ts">
import { ref, onMounted, computed, nextTick } from 'vue'
import { useRoute, useRouter } from 'vue-router'
import { useRouter } from 'vue-router'
import EntityEditForm from '../shared/EntityEditForm.vue'
import '@/assets/styles.css'
const route = useRoute()
const router = useRouter()
const props = defineProps<{ id?: string }>()
const isEdit = computed(() => !!props.id)
const fields = [
type Field = {
name: string
label: string
type: 'text' | 'number' | 'image' | 'custom'
required?: boolean
maxlength?: number
min?: number
max?: number
imageType?: number
}
type ChildForm = {
name: string
age: number | null
image_id: string | null
}
const fields: Field[] = [
{ name: 'name', label: 'Name', type: 'text', required: true, maxlength: 64 },
{ name: 'age', label: 'Age', type: 'number', required: true, min: 0, max: 120 },
{ name: 'age', label: 'Age', type: 'number', required: true, min: 0, max: 120, maxlength: 3 },
{ name: 'image_id', label: 'Image', type: 'image', imageType: 1 },
]
const initialData = ref({ name: '', age: null, image_id: null })
const initialData = ref<ChildForm>({ name: '', age: null, image_id: null })
const localImageFile = ref<File | null>(null)
const loading = ref(false)
const error = ref<string | null>(null)
@@ -45,15 +63,31 @@ onMounted(async () => {
const data = await resp.json()
initialData.value = {
name: data.name ?? '',
age: Number(data.age) ?? null,
age: data.age === null || data.age === undefined ? null : Number(data.age),
image_id: data.image_id ?? null,
}
} catch (e) {
} catch {
error.value = 'Could not load child.'
} finally {
loading.value = false
await nextTick()
}
} else {
try {
const resp = await fetch('/api/image/list?type=1')
if (resp.ok) {
const data = await resp.json()
const ids = data.ids || []
if (ids.length > 0) {
initialData.value = {
...initialData.value,
image_id: ids[0],
}
}
}
} catch {
// Ignore default image lookup failures and keep existing behavior.
}
}
})
@@ -63,7 +97,7 @@ function handleAddImage({ id, file }: { id: string; file: File }) {
}
}
async function handleSubmit(form: any) {
async function handleSubmit(form: ChildForm) {
let imageId = form.image_id
error.value = null
if (!form.name.trim()) {
@@ -90,7 +124,7 @@ async function handleSubmit(form: any) {
if (!resp.ok) throw new Error('Image upload failed')
const data = await resp.json()
imageId = data.id
} catch (err) {
} catch {
error.value = 'Failed to upload image.'
loading.value = false
return
@@ -123,7 +157,7 @@ async function handleSubmit(form: any) {
}
if (!resp.ok) throw new Error('Failed to save child')
await router.push({ name: 'ParentChildrenListView' })
} catch (err) {
} catch {
error.value = 'Failed to save child.'
}
loading.value = false

175
frontend/vue-app/src/components/child/ChildView.vue
View File

@@ -1,10 +1,11 @@
<script setup lang="ts">
import { ref, onMounted, onUnmounted, computed } from 'vue'
import ModalDialog from '../shared/ModalDialog.vue'
import { useRoute, useRouter } from 'vue-router'
import ChildDetailCard from './ChildDetailCard.vue'
import ScrollingList from '../shared/ScrollingList.vue'
import StatusMessage from '../shared/StatusMessage.vue'
import RewardConfirmDialog from './RewardConfirmDialog.vue'
import ModalDialog from '../shared/ModalDialog.vue'
import { eventBus } from '@/common/eventBus'
//import '@/assets/view-shared.css'
import '@/assets/styles.css'
@@ -12,7 +13,6 @@ import type {
Child,
Event,
Task,
Reward,
RewardStatus,
ChildTaskTriggeredEventPayload,
ChildRewardTriggeredEventPayload,
@@ -32,10 +32,10 @@ const tasks = ref<string[]>([])
const rewards = ref<string[]>([])
const loading = ref(true)
const error = ref<string | null>(null)
const childRewardListRef = ref()
const showRewardDialog = ref(false)
const showCancelDialog = ref(false)
const dialogReward = ref<Reward | null>(null)
const childRewardListRef = ref()
const dialogReward = ref<RewardStatus | null>(null)
function handleTaskTriggered(event: Event) {
const payload = event.payload as ChildTaskTriggeredEventPayload
@@ -165,46 +165,48 @@ function handleRewardModified(event: Event) {
}
}
const triggerTask = (task: Task) => {
if ('speechSynthesis' in window && task.name) {
const utter = new window.SpeechSynthesisUtterance(task.name)
window.speechSynthesis.speak(utter)
const triggerTask = async (task: Task) => {
// Cancel any pending speech to avoid conflicts
if ('speechSynthesis' in window) {
window.speechSynthesis.cancel()
if (task.name) {
const utter = new window.SpeechSynthesisUtterance(task.name)
utter.rate = 1.0
utter.pitch = 1.0
utter.volume = 1.0
window.speechSynthesis.speak(utter)
}
}
// Child mode is speech-only; point changes are handled in parent mode.
}
const triggerReward = (reward: RewardStatus) => {
if ('speechSynthesis' in window && reward.name) {
const utterString =
reward.name +
(reward.points_needed <= 0 ? '' : `, You still need ${reward.points_needed} points.`)
const utter = new window.SpeechSynthesisUtterance(utterString)
window.speechSynthesis.speak(utter)
if (reward.redeeming) {
dialogReward.value = reward
showCancelDialog.value = true
return // Do not allow redeeming if already pending
}
if (reward.points_needed <= 0) {
dialogReward.value = reward
showRewardDialog.value = true
// Cancel any pending speech to avoid conflicts
if ('speechSynthesis' in window) {
window.speechSynthesis.cancel()
if (reward.name) {
const utterString =
reward.name +
(reward.points_needed <= 0 ? '' : `, You still need ${reward.points_needed} points.`)
const utter = new window.SpeechSynthesisUtterance(utterString)
utter.rate = 1.0
utter.pitch = 1.0
utter.volume = 1.0
window.speechSynthesis.speak(utter)
}
}
}
async function cancelPendingReward() {
if (!child.value?.id || !dialogReward.value) return
try {
const resp = await fetch(`/api/child/${child.value.id}/cancel-request-reward`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ reward_id: dialogReward.value.id }),
})
if (!resp.ok) throw new Error('Failed to cancel pending reward')
} catch (err) {
console.error('Failed to cancel pending reward:', err)
} finally {
showCancelDialog.value = false
dialogReward.value = null
if (reward.redeeming) {
dialogReward.value = reward
showCancelDialog.value = true
return
}
if (reward.points_needed <= 0) {
dialogReward.value = reward
showRewardDialog.value = true
}
}
@@ -235,6 +237,23 @@ async function confirmRedeemReward() {
}
}
async function cancelPendingReward() {
if (!child.value?.id || !dialogReward.value) return
try {
const resp = await fetch(`/api/child/${child.value.id}/cancel-request-reward`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ reward_id: dialogReward.value.id }),
})
if (!resp.ok) throw new Error('Failed to cancel pending reward')
} catch (err) {
console.error('Failed to cancel pending reward:', err)
} finally {
showCancelDialog.value = false
dialogReward.value = null
}
}
async function fetchChildData(id: string | number) {
loading.value = true
try {
@@ -271,6 +290,12 @@ function removeInactivityListeners() {
if (inactivityTimer) clearTimeout(inactivityTimer)
}
const readyItemId = ref<string | null>(null)
function handleItemReady(itemId: string) {
readyItemId.value = itemId
}
const hasPendingRewards = computed(() =>
childRewardListRef.value?.items.some((r: RewardStatus) => r.redeeming),
)
@@ -333,6 +358,9 @@ onUnmounted(() => {
:ids="tasks"
itemKey="tasks"
imageField="image_id"
:isParentAuthenticated="false"
:readyItemId="readyItemId"
@item-ready="handleItemReady"
@trigger-item="triggerTask"
:getItemClass="(item) => ({ bad: !item.is_good, good: item.is_good })"
:filter-fn="
@@ -364,6 +392,9 @@ onUnmounted(() => {
:ids="tasks"
itemKey="tasks"
imageField="image_id"
:isParentAuthenticated="false"
:readyItemId="readyItemId"
@item-ready="handleItemReady"
@trigger-item="triggerTask"
:getItemClass="(item) => ({ bad: !item.is_good, good: item.is_good })"
:filter-fn="
@@ -394,6 +425,9 @@ onUnmounted(() => {
:fetchBaseUrl="`/api/child/${child?.id}/reward-status`"
itemKey="reward_status"
imageField="image_id"
:isParentAuthenticated="false"
:readyItemId="readyItemId"
@item-ready="handleItemReady"
@trigger-item="triggerReward"
:getItemClass="
(item) => ({ reward: true, disabled: hasPendingRewards && !item.redeeming })
@@ -416,36 +450,33 @@ onUnmounted(() => {
</ScrollingList>
</div>
</div>
<ModalDialog
v-if="showRewardDialog && dialogReward"
:imageUrl="dialogReward?.image_url"
:title="dialogReward.name"
:subtitle="`${dialogReward.cost} pts`"
>
<div class="modal-message">Would you like to redeem this reward?</div>
<div class="modal-actions">
<button @click="confirmRedeemReward" class="btn btn-primary">Yes</button>
<button @click="cancelRedeemReward" class="btn btn-secondary">No</button>
</div>
</ModalDialog>
<ModalDialog
v-if="showCancelDialog && dialogReward"
:imageUrl="dialogReward?.image_url"
:title="dialogReward.name"
:subtitle="`${dialogReward.cost} pts`"
>
<div class="modal-message">
This reward is pending.<br />
Would you like to cancel the pending reward request?
</div>
<div class="modal-actions">
<button @click="cancelPendingReward" class="btn btn-primary">Yes</button>
<button @click="closeCancelDialog" class="btn btn-secondary">No</button>
</div>
</ModalDialog>
</div>
<!-- Redeem reward dialog -->
<RewardConfirmDialog
v-if="showRewardDialog"
:reward="dialogReward"
:childName="child?.name"
@confirm="confirmRedeemReward"
@cancel="cancelRedeemReward"
/>
<!-- Cancel pending reward dialog -->
<ModalDialog
v-if="showCancelDialog && dialogReward"
:imageUrl="dialogReward.image_url"
:title="dialogReward.name"
subtitle="Reward Pending"
@backdrop-click="closeCancelDialog"
>
<div class="modal-message">
This reward is pending.<br />Would you like to cancel the request?
</div>
<div class="modal-actions">
<button @click="cancelPendingReward" class="btn btn-primary">Yes</button>
<button @click="closeCancelDialog" class="btn btn-secondary">No</button>
</div>
</ModalDialog>
</template>
<style scoped>
@@ -534,4 +565,16 @@ onUnmounted(() => {
pointer-events: none;
filter: grayscale(0.7);
}
.modal-message {
margin-bottom: 1.2rem;
font-size: 1rem;
color: var(--modal-message-color, #333);
}
.modal-actions {
display: flex;
gap: 1rem;
justify-content: center;
}
</style>

50
frontend/vue-app/src/components/child/ParentView.vue
View File

@@ -1,5 +1,5 @@
<script setup lang="ts">
import { ref, onMounted, onUnmounted } from 'vue'
import { ref, onMounted, onUnmounted, watch, nextTick } from 'vue'
import ModalDialog from '../shared/ModalDialog.vue'
import PendingRewardDialog from './PendingRewardDialog.vue'
import TaskConfirmDialog from './TaskConfirmDialog.vue'
@@ -52,6 +52,9 @@ const overrideEditTarget = ref<{ entity: Task | Reward; type: 'task' | 'reward'
const overrideCustomValue = ref(0)
const isOverrideValid = ref(true)
const readyItemId = ref<string | null>(null)
const pendingEditOverrideTarget = ref<{ entity: Task | Reward; type: 'task' | 'reward' } | null>(
null,
)
function handleItemReady(itemId: string) {
readyItemId.value = itemId
@@ -214,6 +217,12 @@ function handleOverrideDeleted(event: Event) {
}
function handleEditItem(item: Task | Reward, type: 'task' | 'reward') {
// If editing a pending reward, warn first
if (type === 'reward' && (item as any).redeeming) {
pendingEditOverrideTarget.value = { entity: item, type }
showPendingRewardDialog.value = true
return
}
overrideEditTarget.value = { entity: item, type }
const defaultValue = type === 'task' ? (item as Task).points : (item as Reward).cost
overrideCustomValue.value = item.custom_value ?? defaultValue
@@ -221,11 +230,34 @@ function handleEditItem(item: Task | Reward, type: 'task' | 'reward') {
showOverrideModal.value = true
}
async function confirmPendingRewardAndEdit() {
if (!pendingEditOverrideTarget.value) return
const item = pendingEditOverrideTarget.value.entity as any
await cancelRewardById(item.id)
showPendingRewardDialog.value = false
const target = pendingEditOverrideTarget.value
pendingEditOverrideTarget.value = null
// Open override modal directly, bypassing the redeeming check
overrideEditTarget.value = target
const defaultValue =
target.type === 'task' ? (target.entity as Task).points : (target.entity as Reward).cost
overrideCustomValue.value = target.entity.custom_value ?? defaultValue
validateOverrideInput()
showOverrideModal.value = true
}
function validateOverrideInput() {
const val = overrideCustomValue.value
isOverrideValid.value = typeof val === 'number' && val >= 0 && val <= 10000
}
watch(showOverrideModal, async (newVal) => {
if (newVal) {
await nextTick()
document.getElementById('custom-value')?.focus()
}
})
async function saveOverride() {
if (!isOverrideValid.value || !overrideEditTarget.value || !child.value) return
@@ -539,7 +571,7 @@ function goToAssignRewards() {
</div>
</div>
<div class="assign-buttons">
<button v-if="child" class="btn btn-primary" @click="goToAssignTasks">Assign Tasks</button>
<button v-if="child" class="btn btn-primary" @click="goToAssignTasks">Assign Chores</button>
<button v-if="child" class="btn btn-danger" @click="goToAssignBadHabits">
Assign Penalties
</button>
@@ -549,8 +581,18 @@ function goToAssignRewards() {
<!-- Pending Reward Dialog -->
<PendingRewardDialog
v-if="showPendingRewardDialog"
@confirm="cancelPendingReward"
@cancel="showPendingRewardDialog = false"
:message="
pendingEditOverrideTarget
? 'This reward is currently pending. Changing its cost will cancel the pending request. Would you like to proceed?'
: 'A reward is currently pending. It will be cancelled when a chore or penalty is triggered. Would you like to proceed?'
"
@confirm="pendingEditOverrideTarget ? confirmPendingRewardAndEdit() : cancelPendingReward()"
@cancel="
() => {
showPendingRewardDialog = false
pendingEditOverrideTarget = null
}
"
/>
<!-- Override Edit Modal -->

13
frontend/vue-app/src/components/child/PendingRewardDialog.vue
View File

@@ -1,9 +1,7 @@
<template>
<ModalDialog title="Warning!" @backdrop-click="$emit('cancel')">
<div class="modal-message">
There is a pending reward request. The reward must be cancelled before triggering a new
task.<br />
Would you like to cancel the pending reward?
{{ message }}
</div>
<div class="modal-actions">
<button @click="$emit('confirm')" class="btn btn-primary">Yes</button>
@@ -15,6 +13,15 @@
<script setup lang="ts">
import ModalDialog from '../shared/ModalDialog.vue'
withDefaults(
defineProps<{
message?: string
}>(),
{
message: 'A reward is currently pending. It will be cancelled. Would you like to proceed?',
},
)
defineEmits<{
confirm: []
cancel: []

6
frontend/vue-app/src/components/child/TaskAssignView.vue
View File

@@ -1,9 +1,9 @@
<template>
<div class="task-assign-view">
<h2>Assign Tasks</h2>
<h2>Assign Chores</h2>
<div class="task-view">
<MessageBlock v-if="taskCountRef === 0" message="No tasks">
<span> <button class="round-btn" @click="goToCreateTask">Create</button> a task </span>
<MessageBlock v-if="taskCountRef === 0" message="No chores">
<span> <button class="round-btn" @click="goToCreateTask">Create</button> a chore </span>
</MessageBlock>
<ItemList
v-else

283
frontend/vue-app/src/components/child/__tests__/ChildView.spec.ts
View File

@@ -85,6 +85,7 @@ describe('ChildView', () => {
// Mock speech synthesis
global.window.speechSynthesis = {
speak: vi.fn(),
cancel: vi.fn(),
} as any
global.window.SpeechSynthesisUtterance = vi.fn() as any
})
@@ -186,13 +187,204 @@ describe('ChildView', () => {
it('speaks task name when triggered', () => {
wrapper.vm.triggerTask(mockChore)
expect(window.speechSynthesis.cancel).toHaveBeenCalled()
expect(window.speechSynthesis.speak).toHaveBeenCalled()
})
it('does not call trigger-task API in child mode', async () => {
await wrapper.vm.triggerTask(mockChore)
expect(
(global.fetch as any).mock.calls.some((call: [string]) =>
call[0].includes('/trigger-task'),
),
).toBe(false)
})
it('does not crash if speechSynthesis is not available', () => {
const originalSpeechSynthesis = global.window.speechSynthesis
delete (global.window as any).speechSynthesis
expect(() => wrapper.vm.triggerTask(mockChore)).not.toThrow()
// Restore for other tests
global.window.speechSynthesis = originalSpeechSynthesis
})
})
describe('Reward Triggering', () => {
beforeEach(async () => {
wrapper = mount(ChildView)
await nextTick()
await new Promise((resolve) => setTimeout(resolve, 50))
})
it('speaks reward text when triggered', () => {
wrapper.vm.triggerReward({
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 10,
redeeming: false,
})
expect(window.speechSynthesis.cancel).toHaveBeenCalled()
expect(window.speechSynthesis.speak).toHaveBeenCalled()
})
it('does not call reward request/cancel APIs in child mode', () => {
wrapper.vm.triggerReward({
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 0,
redeeming: false,
})
const requestCalls = (global.fetch as any).mock.calls.filter(
(call: [string]) =>
call[0].includes('/request-reward') || call[0].includes('/cancel-request-reward'),
)
expect(requestCalls.length).toBe(0)
})
it('opens redeem dialog when reward is ready and not pending', () => {
wrapper.vm.triggerReward({
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 0,
redeeming: false,
})
expect(wrapper.vm.showRewardDialog).toBe(true)
expect(wrapper.vm.showCancelDialog).toBe(false)
expect(wrapper.vm.dialogReward?.id).toBe('reward-1')
})
it('does not open redeem dialog when reward is not yet ready', () => {
wrapper.vm.triggerReward({
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 10,
redeeming: false,
})
expect(wrapper.vm.showRewardDialog).toBe(false)
expect(wrapper.vm.showCancelDialog).toBe(false)
})
it('opens cancel dialog when reward is already pending', () => {
wrapper.vm.triggerReward({
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 0,
redeeming: true,
})
expect(wrapper.vm.showCancelDialog).toBe(true)
expect(wrapper.vm.showRewardDialog).toBe(false)
expect(wrapper.vm.dialogReward?.id).toBe('reward-1')
})
})
describe('Reward Redeem Dialog', () => {
const readyReward = {
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 0,
redeeming: false,
}
beforeEach(async () => {
wrapper = mount(ChildView)
await nextTick()
await new Promise((resolve) => setTimeout(resolve, 50))
wrapper.vm.triggerReward(readyReward)
await nextTick()
})
it('closes redeem dialog on cancelRedeemReward', async () => {
expect(wrapper.vm.showRewardDialog).toBe(true)
wrapper.vm.cancelRedeemReward()
expect(wrapper.vm.showRewardDialog).toBe(false)
expect(wrapper.vm.dialogReward).toBe(null)
})
it('calls request-reward API on confirmRedeemReward', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
await wrapper.vm.confirmRedeemReward()
expect(global.fetch).toHaveBeenCalledWith(
`/api/child/child-123/request-reward`,
expect.objectContaining({
method: 'POST',
body: JSON.stringify({ reward_id: 'reward-1' }),
}),
)
})
it('closes redeem dialog after confirmRedeemReward', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
await wrapper.vm.confirmRedeemReward()
await nextTick()
expect(wrapper.vm.showRewardDialog).toBe(false)
expect(wrapper.vm.dialogReward).toBe(null)
})
})
describe('Cancel Pending Reward Dialog', () => {
const pendingReward = {
id: 'reward-1',
name: 'Ice Cream',
cost: 50,
points_needed: 0,
redeeming: true,
}
beforeEach(async () => {
wrapper = mount(ChildView)
await nextTick()
await new Promise((resolve) => setTimeout(resolve, 50))
wrapper.vm.triggerReward(pendingReward)
await nextTick()
})
it('closes cancel dialog on closeCancelDialog', async () => {
expect(wrapper.vm.showCancelDialog).toBe(true)
wrapper.vm.closeCancelDialog()
expect(wrapper.vm.showCancelDialog).toBe(false)
expect(wrapper.vm.dialogReward).toBe(null)
})
it('calls cancel-request-reward API on cancelPendingReward', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
await wrapper.vm.cancelPendingReward()
expect(global.fetch).toHaveBeenCalledWith(
`/api/child/child-123/cancel-request-reward`,
expect.objectContaining({
method: 'POST',
body: JSON.stringify({ reward_id: 'reward-1' }),
}),
)
})
it('closes cancel dialog after cancelPendingReward', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
await wrapper.vm.cancelPendingReward()
await nextTick()
expect(wrapper.vm.showCancelDialog).toBe(false)
expect(wrapper.vm.dialogReward).toBe(null)
})
})
@@ -309,4 +501,95 @@ describe('ChildView', () => {
expect(mockRefresh).not.toHaveBeenCalled()
})
})
describe('Item Ready State Management', () => {
beforeEach(async () => {
wrapper = mount(ChildView)
await nextTick()
await new Promise((resolve) => setTimeout(resolve, 50))
})
it('initializes readyItemId to null', () => {
expect(wrapper.vm.readyItemId).toBe(null)
})
it('updates readyItemId when handleItemReady is called with an item ID', () => {
wrapper.vm.handleItemReady('task-1')
expect(wrapper.vm.readyItemId).toBe('task-1')
wrapper.vm.handleItemReady('reward-2')
expect(wrapper.vm.readyItemId).toBe('reward-2')
})
it('clears readyItemId when handleItemReady is called with empty string', () => {
wrapper.vm.readyItemId = 'task-1'
wrapper.vm.handleItemReady('')
expect(wrapper.vm.readyItemId).toBe('')
})
it('passes readyItemId prop to Chores ScrollingList', async () => {
wrapper.vm.readyItemId = 'task-1'
await nextTick()
const choresScrollingList = wrapper.findAllComponents({ name: 'ScrollingList' })[0]
expect(choresScrollingList.props('readyItemId')).toBe('task-1')
})
it('passes readyItemId prop to Penalties ScrollingList', async () => {
wrapper.vm.readyItemId = 'task-2'
await nextTick()
const penaltiesScrollingList = wrapper.findAllComponents({ name: 'ScrollingList' })[1]
expect(penaltiesScrollingList.props('readyItemId')).toBe('task-2')
})
it('passes readyItemId prop to Rewards ScrollingList', async () => {
wrapper.vm.readyItemId = 'reward-1'
await nextTick()
const rewardsScrollingList = wrapper.findAllComponents({ name: 'ScrollingList' })[2]
expect(rewardsScrollingList.props('readyItemId')).toBe('reward-1')
})
it('handles item-ready event from Chores ScrollingList', async () => {
const choresScrollingList = wrapper.findAllComponents({ name: 'ScrollingList' })[0]
choresScrollingList.vm.$emit('item-ready', 'task-1')
await nextTick()
expect(wrapper.vm.readyItemId).toBe('task-1')
})
it('handles item-ready event from Penalties ScrollingList', async () => {
const penaltiesScrollingList = wrapper.findAllComponents({ name: 'ScrollingList' })[1]
penaltiesScrollingList.vm.$emit('item-ready', 'task-2')
await nextTick()
expect(wrapper.vm.readyItemId).toBe('task-2')
})
it('handles item-ready event from Rewards ScrollingList', async () => {
const rewardsScrollingList = wrapper.findAllComponents({ name: 'ScrollingList' })[2]
rewardsScrollingList.vm.$emit('item-ready', 'reward-1')
await nextTick()
expect(wrapper.vm.readyItemId).toBe('reward-1')
})
it('maintains 2-step click workflow: first click sets ready, second click triggers', async () => {
// Initial state
expect(wrapper.vm.readyItemId).toBe(null)
// First click - item should become ready
wrapper.vm.handleItemReady('task-1')
expect(wrapper.vm.readyItemId).toBe('task-1')
// Second click would trigger the item (tested via ScrollingList component)
// After trigger, ready state should be cleared
wrapper.vm.handleItemReady('')
expect(wrapper.vm.readyItemId).toBe('')
})
})
})

102
frontend/vue-app/src/components/child/__tests__/ParentView.spec.ts
View File

@@ -348,4 +348,106 @@ describe('ParentView', () => {
expect(true).toBe(true) // Placeholder - template logic verified
})
})
describe('Override Edit - Pending Reward Guard', () => {
const pendingReward = {
id: 'reward-1',
name: 'Ice Cream',
cost: 100,
points_needed: 0,
redeeming: true,
image_url: '/images/reward.png',
custom_value: null,
}
beforeEach(async () => {
wrapper = mount(ParentView)
await nextTick()
await new Promise((resolve) => setTimeout(resolve, 50))
})
it('shows PendingRewardDialog instead of override modal when editing a pending reward', async () => {
wrapper.vm.handleEditItem(pendingReward, 'reward')
await nextTick()
expect(wrapper.vm.showPendingRewardDialog).toBe(true)
expect(wrapper.vm.showOverrideModal).toBe(false)
expect(wrapper.vm.pendingEditOverrideTarget).toEqual({
entity: pendingReward,
type: 'reward',
})
})
it('does not show PendingRewardDialog when editing a non-pending reward', async () => {
wrapper.vm.handleEditItem(mockReward, 'reward')
await nextTick()
expect(wrapper.vm.showPendingRewardDialog).toBe(false)
expect(wrapper.vm.showOverrideModal).toBe(true)
})
it('does not show PendingRewardDialog when editing a task regardless of pending rewards', async () => {
wrapper.vm.handleEditItem(mockTask, 'task')
await nextTick()
expect(wrapper.vm.showPendingRewardDialog).toBe(false)
expect(wrapper.vm.showOverrideModal).toBe(true)
})
it('cancels pending reward and opens override modal on confirmPendingRewardAndEdit', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
wrapper.vm.handleEditItem(pendingReward, 'reward')
await nextTick()
await wrapper.vm.confirmPendingRewardAndEdit()
await nextTick()
expect(global.fetch).toHaveBeenCalledWith(
`/api/child/child-123/cancel-request-reward`,
expect.objectContaining({
method: 'POST',
body: JSON.stringify({ reward_id: 'reward-1' }),
}),
)
expect(wrapper.vm.showPendingRewardDialog).toBe(false)
expect(wrapper.vm.showOverrideModal).toBe(true)
expect(wrapper.vm.pendingEditOverrideTarget).toBe(null)
})
it('sets overrideCustomValue to reward cost when no custom_value on confirmPendingRewardAndEdit', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
wrapper.vm.handleEditItem(pendingReward, 'reward')
await wrapper.vm.confirmPendingRewardAndEdit()
expect(wrapper.vm.overrideCustomValue).toBe(pendingReward.cost)
expect(wrapper.vm.overrideEditTarget?.entity).toEqual(pendingReward)
expect(wrapper.vm.overrideEditTarget?.type).toBe('reward')
})
it('sets overrideCustomValue to custom_value when present on confirmPendingRewardAndEdit', async () => {
;(global.fetch as any).mockResolvedValueOnce({ ok: true })
const pendingWithOverride = { ...pendingReward, custom_value: 75 }
wrapper.vm.handleEditItem(pendingWithOverride, 'reward')
await wrapper.vm.confirmPendingRewardAndEdit()
expect(wrapper.vm.overrideCustomValue).toBe(75)
})
it('clears pendingEditOverrideTarget when cancel is clicked on PendingRewardDialog', async () => {
wrapper.vm.handleEditItem(pendingReward, 'reward')
await nextTick()
// Simulate cancel
wrapper.vm.showPendingRewardDialog = false
wrapper.vm.pendingEditOverrideTarget = null
await nextTick()
expect(wrapper.vm.showPendingRewardDialog).toBe(false)
expect(wrapper.vm.pendingEditOverrideTarget).toBe(null)
expect(wrapper.vm.showOverrideModal).toBe(false)
})
})
})

28
frontend/vue-app/src/components/notification/NotificationView.vue
View File

@@ -5,6 +5,7 @@
<ItemList
v-else
:key="refreshKey"
:fetchUrl="`/api/pending-rewards`"
itemKey="rewards"
:itemFields="PENDING_REWARD_FIELDS"
@@ -30,20 +31,43 @@
</template>
<script setup lang="ts">
import { ref } from 'vue'
import { ref, onMounted, onUnmounted } from 'vue'
import { useRouter } from 'vue-router'
import ItemList from '../shared/ItemList.vue'
import MessageBlock from '../shared/MessageBlock.vue'
import type { PendingReward } from '@/common/models'
import type { PendingReward, Event, ChildRewardRequestEventPayload } from '@/common/models'
import { PENDING_REWARD_FIELDS } from '@/common/models'
import { eventBus } from '@/common/eventBus'
const router = useRouter()
const notificationListCountRef = ref(-1)
const refreshKey = ref(0)
function handleNotificationClick(item: PendingReward) {
router.push({ name: 'ParentView', params: { id: item.child_id } })
}
function handleRewardRequest(event: Event) {
const payload = event.payload as ChildRewardRequestEventPayload
if (
payload.operation === 'CREATED' ||
payload.operation === 'CANCELLED' ||
payload.operation === 'GRANTED'
) {
// Reset count and bump key to force ItemList to re-mount and refetch
notificationListCountRef.value = -1
refreshKey.value++
}
}
onMounted(() => {
eventBus.on('child_reward_request', handleRewardRequest)
})
onUnmounted(() => {
eventBus.off('child_reward_request', handleRewardRequest)
})
</script>
<style scoped>

139
frontend/vue-app/src/components/profile/UserProfile.vue
View File

@@ -15,26 +15,18 @@
<template #custom-field-email="{ modelValue }">
<div class="email-actions">
<input id="email" type="email" :value="modelValue" disabled class="readonly-input" />
<button
type="button"
class="btn-link align-start btn-link-space"
@click="goToChangeParentPin"
>
Change Parent Pin
<button type="button" class="btn-link btn-link-space" @click="goToChangeParentPin">
Change Parent PIN
</button>
<button
type="button"
class="btn-link align-start btn-link-space"
class="btn-link btn-link-space"
@click="resetPassword"
:disabled="resetting"
>
Change Password
</button>
<button
type="button"
class="btn-link align-start btn-link-space"
@click="openDeleteWarning"
>
<button type="button" class="btn-link btn-link-space" @click="openDeleteWarning">
Delete My Account
</button>
</div>
@@ -105,7 +97,7 @@
</template>
<script setup lang="ts">
import { ref, onMounted, watch } from 'vue'
import { ref, onMounted } from 'vue'
import { useRouter } from 'vue-router'
import EntityEditForm from '../shared/EntityEditForm.vue'
import ModalDialog from '../shared/ModalDialog.vue'
@@ -117,7 +109,6 @@ import '@/assets/styles.css'
const router = useRouter()
const loading = ref(false)
const errorMsg = ref('')
const successMsg = ref('')
const resetting = ref(false)
const localImageFile = ref<File | null>(null)
const showModal = ref(false)
@@ -133,14 +124,26 @@ const showDeleteSuccess = ref(false)
const showDeleteError = ref(false)
const deleteErrorMessage = ref('')
const initialData = ref({
const initialData = ref<{
image_id: string | null
first_name: string
last_name: string
email: string
}>({
image_id: null,
first_name: '',
last_name: '',
email: '',
})
const fields = [
const fields: Array<{
name: string
label: string
type: 'image' | 'text' | 'custom'
imageType?: number
required?: boolean
maxlength?: number
}> = [
{ name: 'image_id', label: 'Image', type: 'image', imageType: 1 },
{ name: 'first_name', label: 'First Name', type: 'text', required: true, maxlength: 64 },
{ name: 'last_name', label: 'Last Name', type: 'text', required: true, maxlength: 64 },
@@ -172,52 +175,9 @@ function onAddImage({ id, file }: { id: string; file: File }) {
} else {
localImageFile.value = null
initialData.value.image_id = id
updateAvatar(id)
}
}
async function updateAvatar(imageId: string) {
errorMsg.value = ''
successMsg.value = ''
//todo update avatar loading state
try {
const res = await fetch('/api/user/avatar', {
method: 'PUT',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ image_id: imageId }),
})
if (!res.ok) throw new Error('Failed to update avatar')
initialData.value.image_id = imageId
successMsg.value = 'Avatar updated!'
} catch {
//errorMsg.value = 'Failed to update avatar.'
//todo update avatar error handling
errorMsg.value = ''
}
}
watch(localImageFile, async (file) => {
if (!file) return
errorMsg.value = ''
successMsg.value = ''
const formData = new FormData()
formData.append('file', file)
formData.append('type', '2')
formData.append('permanent', 'true')
try {
const resp = await fetch('/api/image/upload', {
method: 'POST',
body: formData,
})
if (!resp.ok) throw new Error('Image upload failed')
const data = await resp.json()
initialData.value.image_id = data.id
await updateAvatar(data.id)
} catch {
errorMsg.value = 'Failed to upload avatar image.'
}
})
function handleSubmit(form: {
image_id: string | null
first_name: string
@@ -226,6 +186,43 @@ function handleSubmit(form: {
}) {
errorMsg.value = ''
loading.value = true
// Handle image upload if local file
let imageId = form.image_id
if (imageId === 'local-upload' && localImageFile.value) {
const formData = new FormData()
formData.append('file', localImageFile.value)
formData.append('type', '1')
formData.append('permanent', 'true')
fetch('/api/image/upload', {
method: 'POST',
body: formData,
})
.then(async (resp) => {
if (!resp.ok) throw new Error('Image upload failed')
const data = await resp.json()
imageId = data.id
// Now update profile
return updateProfile({
...form,
image_id: imageId,
})
})
.catch(() => {
errorMsg.value = 'Failed to upload image.'
loading.value = false
})
} else {
updateProfile(form)
}
}
async function updateProfile(form: {
image_id: string | null
first_name: string
last_name: string
email: string
}) {
fetch('/api/user/profile', {
method: 'PUT',
headers: { 'Content-Type': 'application/json' },
@@ -237,6 +234,8 @@ function handleSubmit(form: {
})
.then(async (res) => {
if (!res.ok) throw new Error('Failed to update profile')
// Update initialData to reflect the saved state
initialData.value = { ...form }
modalTitle.value = 'Profile Updated'
modalSubtitle.value = ''
modalMessage.value = 'Your profile was updated successfully.'
@@ -251,7 +250,11 @@ function handleSubmit(form: {
}
async function handlePasswordModalClose() {
const wasProfileUpdate = modalTitle.value === 'Profile Updated'
showModal.value = false
if (wasProfileUpdate) {
router.back()
}
}
async function resetPassword() {
@@ -263,7 +266,7 @@ async function resetPassword() {
resetting.value = true
errorMsg.value = ''
try {
const res = await fetch('/api/request-password-reset', {
const res = await fetch('/api/auth/request-password-reset', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: initialData.value.email }),
@@ -295,7 +298,6 @@ function closeDeleteWarning() {
}
async function confirmDeleteAccount() {
console.log('Confirming delete account with email:', confirmEmail.value)
if (!isEmailValid(confirmEmail.value)) return
deletingAccount.value = true
@@ -332,8 +334,15 @@ async function confirmDeleteAccount() {
function handleDeleteSuccess() {
showDeleteSuccess.value = false
logoutUser()
router.push('/auth/login')
// Call logout API to clear server cookies
fetch('/api/auth/logout', {
method: 'POST',
credentials: 'include',
}).finally(() => {
// Clear client-side auth and redirect, regardless of logout response
logoutUser()
router.push('/auth/login')
})
}
function closeDeleteError() {
@@ -357,10 +366,6 @@ function closeDeleteError() {
flex-direction: column;
gap: 0.5rem;
}
.align-start {
align-self: flex-start;
margin-top: 0.1rem;
}
.success-message {
color: var(--success, #16a34a);

2
frontend/vue-app/src/components/reward/RewardEditView.vue
View File

@@ -36,7 +36,7 @@ const fields: {
}[] = [
{ name: 'name', label: 'Reward Name', type: 'text', required: true, maxlength: 64 },
{ name: 'description', label: 'Description', type: 'text', maxlength: 128 },
{ name: 'cost', label: 'Cost', type: 'number', required: true, min: 1, max: 1000 },
{ name: 'cost', label: 'Cost', type: 'number', required: true, min: 1, max: 10000 },
{ name: 'image_id', label: 'Image', type: 'image', imageType: 2 },
]
// removed duplicate defineProps

9
frontend/vue-app/src/components/reward/RewardView.vue
View File

@@ -13,7 +13,7 @@
imageField="image_id"
deletable
@clicked="(reward: Reward) => $router.push({ name: 'EditReward', params: { id: reward.id } })"
@delete="confirmDeleteReward"
@delete="(reward: Reward) => confirmDeleteReward(reward.id)"
@loading-complete="(count) => (rewardCountRef = count)"
:getItemClass="(item) => `reward`"
>
@@ -52,7 +52,7 @@ const $router = useRouter()
const showConfirm = ref(false)
const rewardToDelete = ref<string | null>(null)
const rewardListRef = ref()
const rewardListRef = ref<InstanceType<typeof ItemList> | null>(null)
const rewardCountRef = ref<number>(-1)
function handleRewardModified(event: any) {
@@ -75,10 +75,7 @@ function confirmDeleteReward(rewardId: string) {
}
const deleteReward = async () => {
const id =
typeof rewardToDelete.value === 'object' && rewardToDelete.value !== null
? rewardToDelete.value.id
: rewardToDelete.value
const id = rewardToDelete.value
if (!id) return
try {
const resp = await fetch(`/api/reward/${id}`, {

4
frontend/vue-app/src/components/shared/ChildrenListView.vue
View File

@@ -280,8 +280,8 @@ onBeforeUnmount(() => {
<div>
<MessageBlock v-if="children.length === 0" message="No children">
<span v-if="!isParentAuthenticated">
<button class="round-btn" @click="eventBus.emit('open-login')">Sign in</button> to create a
child
<button class="round-btn" @click="eventBus.emit('open-login')">Switch</button> to parent
mode to create a child
</span>
<span v-else> <button class="round-btn" @click="createChild">Create</button> a child </span>
</MessageBlock>

140
frontend/vue-app/src/components/shared/EntityEditForm.vue
View File

@@ -1,7 +1,7 @@
<template>
<h2>{{ title ?? (isEdit ? `Edit ${entityLabel}` : `Create ${entityLabel}`) }}</h2>
<div v-if="loading" class="loading-message">Loading {{ entityLabel.toLowerCase() }}...</div>
<form v-else @submit.prevent="submit" class="entity-form">
<form v-else @submit.prevent="submit" class="entity-form" ref="formRef">
<template v-for="field in fields" :key="field.name">
<div class="group">
<label :for="field.name">
@@ -10,18 +10,35 @@
<slot
:name="`custom-field-${field.name}`"
:modelValue="formData[field.name]"
:update="(val) => (formData[field.name] = val)"
:update="(val: unknown) => (formData[field.name] = val)"
>
<!-- Default rendering if no slot provided -->
<input
v-if="field.type === 'text' || field.type === 'number'"
v-if="field.type === 'text'"
:id="field.name"
v-model="formData[field.name]"
:type="field.type"
type="text"
:required="field.required"
:maxlength="field.maxlength"
/>
<input
v-else-if="field.type === 'number'"
:id="field.name"
v-model="formData[field.name]"
type="number"
:required="field.required"
:min="field.min"
:max="field.max"
inputmode="numeric"
pattern="\\d{1,3}"
@input="
(e) => {
if (field.maxlength && e.target.value.length > field.maxlength) {
e.target.value = e.target.value.slice(0, field.maxlength)
formData[field.name] = e.target.value
}
}
"
/>
<ImagePicker
v-else-if="field.type === 'image'"
@@ -39,7 +56,11 @@
<button type="button" class="btn btn-secondary" @click="onCancel" :disabled="loading">
Cancel
</button>
<button type="submit" class="btn btn-primary" :disabled="loading || !isDirty">
<button
type="submit"
class="btn btn-primary"
:disabled="loading || !isValid || (props.requireDirty && !isDirty)"
>
{{ isEdit ? 'Save' : 'Create' }}
</button>
</div>
@@ -47,7 +68,7 @@
</template>
<script setup lang="ts">
import { ref, onMounted, nextTick, watch } from 'vue'
import { ref, onMounted, nextTick, watch, computed } from 'vue'
import ImagePicker from '@/components/utils/ImagePicker.vue'
import { useRouter } from 'vue-router'
import '@/assets/styles.css'
@@ -63,36 +84,52 @@ type Field = {
imageType?: number
}
const props = defineProps<{
entityLabel: string
fields: Field[]
initialData?: Record<string, any>
isEdit?: boolean
loading?: boolean
error?: string | null
title?: string
}>()
const props = withDefaults(
defineProps<{
entityLabel: string
fields: Field[]
initialData?: Record<string, any>
isEdit?: boolean
loading?: boolean
error?: string | null
title?: string
requireDirty?: boolean
}>(),
{
requireDirty: true,
},
)
const emit = defineEmits(['submit', 'cancel', 'add-image'])
const router = useRouter()
const formData = ref<Record<string, any>>({ ...props.initialData })
const baselineData = ref<Record<string, any>>({ ...props.initialData })
const formRef = ref<HTMLFormElement | null>(null)
watch(
() => props.initialData,
(newVal) => {
if (newVal) {
formData.value = { ...newVal }
}
},
{ immediate: true, deep: true },
)
async function focusFirstInput() {
await nextTick()
const firstInput = formRef.value?.querySelector<HTMLElement>('input, select, textarea')
firstInput?.focus()
}
onMounted(async () => {
await nextTick()
// Optionally focus first input
isDirty.value = false
if (!props.loading) {
focusFirstInput()
}
})
watch(
() => props.loading,
(newVal, oldVal) => {
if (!newVal && oldVal === true) {
focusFirstInput()
}
},
)
function onAddImage({ id, file }: { id: string; file: File }) {
emit('add-image', { id, file })
}
@@ -109,17 +146,63 @@ function submit() {
// Editable field names (exclude custom fields that are not editable)
const editableFieldNames = props.fields
.filter((f) => f.type !== 'custom' || f.name === 'is_good' || f.type === 'image')
.filter((f) => f.type !== 'custom' || f.name === 'is_good')
.map((f) => f.name)
const isDirty = ref(false)
function getFieldByName(name: string): Field | undefined {
return props.fields.find((field) => field.name === name)
}
function valuesEqualForDirtyCheck(
fieldName: string,
currentValue: unknown,
initialValue: unknown,
): boolean {
const field = getFieldByName(fieldName)
if (field?.type === 'number') {
const currentEmpty = currentValue === '' || currentValue === null || currentValue === undefined
const initialEmpty = initialValue === '' || initialValue === null || initialValue === undefined
if (currentEmpty && initialEmpty) return true
if (currentEmpty !== initialEmpty) return false
return Number(currentValue) === Number(initialValue)
}
return JSON.stringify(currentValue) === JSON.stringify(initialValue)
}
function checkDirty() {
isDirty.value = editableFieldNames.some((key) => {
return JSON.stringify(formData.value[key]) !== JSON.stringify(props.initialData?.[key])
return !valuesEqualForDirtyCheck(key, formData.value[key], baselineData.value[key])
})
}
// Validation logic
const isValid = computed(() => {
return props.fields.every((field) => {
if (!field.required) return true
const value = formData.value[field.name]
if (field.type === 'text') {
return typeof value === 'string' && value.trim().length > 0
}
if (field.type === 'number') {
if (value === '' || value === null || value === undefined) return false
const numValue = Number(value)
if (isNaN(numValue)) return false
if (field.min !== undefined && numValue < field.min) return false
if (field.max !== undefined && numValue > field.max) return false
return true
}
// For other types, just check it's not null/undefined
return value != null
})
})
watch(
() => ({ ...formData.value }),
() => {
@@ -133,7 +216,8 @@ watch(
(newVal) => {
if (newVal) {
formData.value = { ...newVal }
checkDirty()
baselineData.value = { ...newVal }
isDirty.value = false
}
},
{ immediate: true, deep: true },

8
frontend/vue-app/src/components/shared/ItemList.vue
View File

@@ -90,6 +90,14 @@ onMounted(fetchItems)
watch(() => props.fetchUrl, fetchItems)
const handleClicked = (item: any) => {
if (props.selectable) {
const idx = selectedItems.value.indexOf(item.id)
if (idx === -1) {
selectedItems.value.push(item.id)
} else {
selectedItems.value.splice(idx, 1)
}
}
emit('clicked', item)
props.onClicked?.(item)
}

66
frontend/vue-app/src/components/shared/LoginButton.vue
View File

@@ -5,6 +5,7 @@ import { eventBus } from '@/common/eventBus'
import {
authenticateParent,
isParentAuthenticated,
isParentPersistent,
logoutParent,
logoutUser,
} from '../../stores/auth'
@@ -16,6 +17,7 @@ const router = useRouter()
const show = ref(false)
const pin = ref('')
const error = ref('')
const stayInParentMode = ref(false)
const pinInput = ref<HTMLInputElement | null>(null)
const dropdownOpen = ref(false)
const dropdownRef = ref<HTMLElement | null>(null)
@@ -36,7 +38,6 @@ const avatarInitial = ref<string>('?')
// Fetch user profile
async function fetchUserProfile() {
try {
console.log('Fetching user profile')
const res = await fetch('/api/user/profile', { credentials: 'include' })
if (!res.ok) {
console.error('Failed to fetch user profile')
@@ -103,6 +104,7 @@ const open = async () => {
const close = () => {
show.value = false
error.value = ''
stayInParentMode.value = false
}
const submit = async () => {
@@ -126,10 +128,13 @@ const submit = async () => {
}
if (!data.valid) {
error.value = 'Incorrect PIN'
pin.value = ''
await nextTick()
pinInput.value?.focus()
return
}
// Authenticate parent and navigate
authenticateParent()
authenticateParent(stayInParentMode.value)
close()
router.push('/parent')
} catch (e) {
@@ -137,6 +142,11 @@ const submit = async () => {
}
}
function handlePinInput(event: Event) {
const target = event.target as HTMLInputElement
pin.value = target.value.replace(/\D/g, '').slice(0, 6)
}
const handleLogout = () => {
logoutParent()
router.push('/child')
@@ -213,7 +223,7 @@ function executeMenuItem(index: number) {
async function signOut() {
try {
await fetch('/api/logout', { method: 'POST' })
await fetch('/api/auth/logout', { method: 'POST' })
logoutUser()
router.push('/auth')
} catch {
@@ -239,12 +249,14 @@ function handleClickOutside(event: MouseEvent) {
onMounted(() => {
eventBus.on('open-login', open)
eventBus.on('profile_updated', fetchUserProfile)
document.addEventListener('mousedown', handleClickOutside)
fetchUserProfile()
})
onUnmounted(() => {
eventBus.off('open-login', open)
eventBus.off('profile_updated', fetchUserProfile)
document.removeEventListener('mousedown', handleClickOutside)
// Revoke object URL to free memory
@@ -272,6 +284,12 @@ onUnmounted(() => {
/>
<span v-else class="avatar-text">{{ profileLoading ? '...' : avatarInitial }}</span>
</button>
<span
v-if="isParentAuthenticated && isParentPersistent"
class="persistent-badge"
aria-label="Persistent parent mode active"
>🔒</span
>
<Transition name="slide-fade">
<div
@@ -355,15 +373,20 @@ onUnmounted(() => {
<input
ref="pinInput"
v-model="pin"
@input="handlePinInput"
inputmode="numeric"
pattern="\d*"
maxlength="6"
placeholder="46 digits"
class="pin-input"
/>
<label class="stay-label">
<input type="checkbox" v-model="stayInParentMode" class="stay-checkbox" />
Stay in parent mode on this device
</label>
<div class="actions modal-actions">
<button type="button" class="btn btn-secondary" @click="close">Cancel</button>
<button type="submit" class="btn btn-primary">OK</button>
<button type="submit" class="btn btn-primary" :disabled="pin.length < 4">OK</button>
</div>
</form>
<div v-if="error" class="error modal-message">{{ error }}</div>
@@ -372,6 +395,10 @@ onUnmounted(() => {
</template>
<style scoped>
.error {
color: var(--error);
}
.avatar-btn {
width: 44px;
min-width: 44px;
@@ -431,11 +458,40 @@ onUnmounted(() => {
font-size: 1rem;
border-radius: 8px;
border: 1px solid #e6e6e6;
margin-bottom: 0.6rem;
margin-bottom: 0.8rem;
box-sizing: border-box;
text-align: center;
}
.stay-label {
display: flex;
align-items: center;
gap: 0.5rem;
font-size: 0.9rem;
color: var(--form-label, #444);
cursor: pointer;
margin-bottom: 1rem;
user-select: none;
}
.stay-checkbox {
width: 16px;
height: 16px;
accent-color: var(--btn-primary, #667eea);
cursor: pointer;
flex-shrink: 0;
}
.persistent-badge {
position: absolute;
bottom: -2px;
left: -2px;
font-size: 10px;
line-height: 1;
pointer-events: none;
user-select: none;
}
.dropdown-menu {
position: absolute;
right: 0;

2
frontend/vue-app/src/components/shared/ScrollingList.vue
View File

@@ -383,6 +383,6 @@ onBeforeUnmount(() => {
.empty {
text-align: center;
padding: 2rem 0;
color: #888;
color: #d6d6d6;
}
</style>

70
frontend/vue-app/src/components/shared/__tests__/EntityEditForm.spec.ts Normal file
View File

@@ -0,0 +1,70 @@
import { describe, it, expect, vi } from 'vitest'
import { mount } from '@vue/test-utils'
import EntityEditForm from '../EntityEditForm.vue'
vi.mock('vue-router', () => ({
useRouter: vi.fn(() => ({
push: vi.fn(),
back: vi.fn(),
})),
}))
describe('EntityEditForm', () => {
it('keeps Create disabled when required number field is empty', async () => {
const wrapper = mount(EntityEditForm, {
props: {
entityLabel: 'Child',
fields: [
{ name: 'name', label: 'Name', type: 'text', required: true },
{ name: 'age', label: 'Age', type: 'number', required: true, min: 0, max: 120 },
],
initialData: {
name: '',
age: null,
},
isEdit: false,
loading: false,
requireDirty: false,
},
})
const nameInput = wrapper.find('#name')
const ageInput = wrapper.find('#age')
await nameInput.setValue('Sam')
await ageInput.setValue('')
const submitButton = wrapper.find('button[type="submit"]')
expect(submitButton.text()).toBe('Create')
expect((submitButton.element as HTMLButtonElement).disabled).toBe(true)
})
it('enables Create when required Name and Age are both valid', async () => {
const wrapper = mount(EntityEditForm, {
props: {
entityLabel: 'Child',
fields: [
{ name: 'name', label: 'Name', type: 'text', required: true },
{ name: 'age', label: 'Age', type: 'number', required: true, min: 0, max: 120 },
],
initialData: {
name: '',
age: null,
},
isEdit: false,
loading: false,
requireDirty: false,
},
})
const nameInput = wrapper.find('#name')
const ageInput = wrapper.find('#age')
await nameInput.setValue('Sam')
await ageInput.setValue('8')
const submitButton = wrapper.find('button[type="submit"]')
expect(submitButton.text()).toBe('Create')
expect((submitButton.element as HTMLButtonElement).disabled).toBe(false)
})
})

122
frontend/vue-app/src/components/shared/__tests__/LoginButton.spec.ts
View File

@@ -4,6 +4,10 @@ import { nextTick } from 'vue'
import LoginButton from '../LoginButton.vue'
import { authenticateParent, logoutParent } from '../../../stores/auth'
vi.mock('vue-router', () => ({
useRouter: vi.fn(() => ({ push: vi.fn() })),
}))
// Mock imageCache module
vi.mock('@/common/imageCache', () => ({
getCachedImageUrl: vi.fn(async (imageId: string) => `blob:mock-url-${imageId}`),
@@ -11,24 +15,21 @@ vi.mock('@/common/imageCache', () => ({
revokeAllImageUrls: vi.fn(),
}))
// Create a reactive ref for isParentAuthenticated using vi.hoisted
const { isParentAuthenticatedRef } = vi.hoisted(() => {
let value = false
// Create real Vue refs for isParentAuthenticated and isParentPersistent using vi.hoisted.
// Real Vue refs are required so Vue templates auto-unwrap them correctly in v-if conditions.
const { isParentAuthenticatedRef, isParentPersistentRef } = vi.hoisted(() => {
// eslint-disable-next-line @typescript-eslint/no-require-imports
const { ref } = require('vue')
return {
isParentAuthenticatedRef: {
get value() {
return value
},
set value(v: boolean) {
value = v
},
},
isParentAuthenticatedRef: ref(false),
isParentPersistentRef: ref(false),
}
})
vi.mock('../../../stores/auth', () => ({
authenticateParent: vi.fn(),
isParentAuthenticated: isParentAuthenticatedRef,
isParentPersistent: isParentPersistentRef,
logoutParent: vi.fn(),
logoutUser: vi.fn(),
}))
@@ -41,6 +42,7 @@ describe('LoginButton', () => {
beforeEach(() => {
vi.clearAllMocks()
isParentAuthenticatedRef.value = false
isParentPersistentRef.value = false
;(global.fetch as any).mockResolvedValue({
ok: true,
json: async () => ({
@@ -345,6 +347,104 @@ describe('LoginButton', () => {
})
})
describe('PIN Modal - checkbox and persistent mode', () => {
beforeEach(async () => {
isParentAuthenticatedRef.value = false
wrapper = mount(LoginButton)
await nextTick()
await new Promise((resolve) => setTimeout(resolve, 50))
})
it('checkbox is unchecked by default when modal opens', async () => {
// Open modal by triggering the open-login event path
// Mock has-pin response
;(global.fetch as any)
.mockResolvedValueOnce({ ok: true, json: async () => ({ has_pin: true }) })
.mockResolvedValueOnce({ ok: true, json: async () => ({ valid: true }) })
const vm = wrapper.vm as any
await vm.open()
await nextTick()
const checkbox = wrapper.find('.stay-checkbox')
expect(checkbox.exists()).toBe(true)
expect((checkbox.element as HTMLInputElement).checked).toBe(false)
})
it('submitting with checkbox checked calls authenticateParent(true)', async () => {
const { authenticateParent } = await import('../../../stores/auth')
;(global.fetch as any)
.mockResolvedValueOnce({ ok: true, json: async () => ({ has_pin: true }) })
.mockResolvedValueOnce({ ok: true, json: async () => ({ valid: true }) })
const vm = wrapper.vm as any
await vm.open()
await nextTick()
const checkbox = wrapper.find('.stay-checkbox')
await checkbox.setValue(true)
await nextTick()
const pinInput = wrapper.find('.pin-input')
await pinInput.setValue('1234')
await wrapper.find('form').trigger('submit')
await nextTick()
expect(authenticateParent).toHaveBeenCalledWith(true)
})
it('submitting without checking checkbox calls authenticateParent(false)', async () => {
const { authenticateParent } = await import('../../../stores/auth')
;(global.fetch as any)
.mockResolvedValueOnce({ ok: true, json: async () => ({ has_pin: true }) })
.mockResolvedValueOnce({ ok: true, json: async () => ({ valid: true }) })
const vm = wrapper.vm as any
await vm.open()
await nextTick()
const pinInput = wrapper.find('.pin-input')
await pinInput.setValue('1234')
await wrapper.find('form').trigger('submit')
await nextTick()
expect(authenticateParent).toHaveBeenCalledWith(false)
})
})
describe('Lock badge visibility', () => {
it('lock badge is hidden when not authenticated', async () => {
isParentAuthenticatedRef.value = false
isParentPersistentRef.value = false
wrapper = mount(LoginButton)
await nextTick()
const badge = wrapper.find('.persistent-badge')
expect(badge.exists()).toBe(false)
})
it('lock badge is hidden when authenticated but non-persistent', async () => {
isParentAuthenticatedRef.value = true
isParentPersistentRef.value = false
wrapper = mount(LoginButton)
await nextTick()
const badge = wrapper.find('.persistent-badge')
expect(badge.exists()).toBe(false)
})
it('lock badge is visible when authenticated and persistent', async () => {
isParentAuthenticatedRef.value = true
isParentPersistentRef.value = true
wrapper = mount(LoginButton)
await nextTick()
const badge = wrapper.find('.persistent-badge')
expect(badge.exists()).toBe(true)
expect(badge.text()).toBe('🔒')
})
})
describe('User Email Display', () => {
it('displays email in dropdown header when available', async () => {
isParentAuthenticatedRef.value = true

2
frontend/vue-app/src/components/task/TaskEditView.vue
View File

@@ -73,7 +73,7 @@ const fields: {
imageType?: number
}[] = [
{ name: 'name', label: 'Task Name', type: 'text', required: true, maxlength: 64 },
{ name: 'points', label: 'Task Points', type: 'number', required: true, min: 1, max: 100 },
{ name: 'points', label: 'Task Points', type: 'number', required: true, min: 1, max: 1000 },
{ name: 'is_good', label: 'Task Type', type: 'custom' },
{ name: 'image_id', label: 'Image', type: 'image', imageType: 2 },
]

11
frontend/vue-app/src/components/utils/ImagePicker.vue
View File

@@ -10,6 +10,7 @@ const props = defineProps<{
const emit = defineEmits(['update:modelValue', 'add-image'])
const fileInput = ref<HTMLInputElement | null>(null)
const imageScrollRef = ref<HTMLDivElement | null>(null)
const localImageUrl = ref<string | null>(null)
const showCamera = ref(false)
const cameraStream = ref<MediaStream | null>(null)
@@ -198,6 +199,13 @@ function updateLocalImage(url: string, file: File) {
} else {
availableImages.value[idx].url = url
}
nextTick(() => {
if (imageScrollRef.value) {
imageScrollRef.value.scrollLeft = 0
}
})
emit('add-image', { id: 'local-upload', url, file })
emit('update:modelValue', 'local-upload')
}
@@ -205,7 +213,7 @@ function updateLocalImage(url: string, file: File) {
<template>
<div class="picker">
<div class="image-scroll">
<div ref="imageScrollRef" class="image-scroll">
<div v-if="loadingImages" class="loading-images">Loading images...</div>
<div v-else class="image-list">
<img
@@ -223,7 +231,6 @@ function updateLocalImage(url: string, file: File) {
ref="fileInput"
type="file"
accept=".png,.jpg,.jpeg,.gif,image/png,image/jpeg,image/gif"
capture="environment"
style="display: none"
@change="onFileChange"
/>

4
frontend/vue-app/src/layout/AuthLayout.vue
View File

@@ -1,7 +1,7 @@
<template>
<div class="layout-root">
<header class="topbar">
<div class="back-btn-container">
<div class="end-button-container">
<button v-show="showBack" class="back-btn" @click="handleBack" tabindex="0"> Back</button>
</div>
<div class="spacer"></div>
@@ -55,7 +55,7 @@ const showBack = computed(
box-sizing: border-box;
}
.back-btn-container {
.end-button-container {
display: flex;
align-items: center;
justify-content: center;

14
frontend/vue-app/src/layout/ParentLayout.vue
View File

@@ -45,7 +45,7 @@ onMounted(async () => {
<template>
<div class="layout-root">
<header class="topbar">
<div class="back-btn-container edge-btn-container">
<div class="end-button-container">
<button v-show="showBack" class="back-btn" @click="handleBack" tabindex="0"> Back</button>
</div>
<nav v-if="!hideViewSelector" class="view-selector">
@@ -153,7 +153,8 @@ onMounted(async () => {
</svg>
</button>
</nav>
<div class="login-btn-container edge-btn-container">
<div v-else class="spacer"></div>
<div class="end-button-container">
<LoginButton />
</div>
</header>
@@ -186,7 +187,7 @@ onMounted(async () => {
box-sizing: border-box;
}
.edge-btn-container {
.end-button-container {
display: flex;
align-items: center;
justify-content: center;
@@ -227,6 +228,13 @@ onMounted(async () => {
color 0.18s;
}
.spacer {
flex: 1 1 auto;
height: 100%;
display: flex;
align-items: center;
}
@media (max-width: 480px) {
.back-btn {
font-size: 0.7rem;

5
frontend/vue-app/src/main.ts
View File

@@ -2,9 +2,14 @@ import '@/assets/colors.css'
import { createApp } from 'vue'
import App from './App.vue'
import router from './router'
import { initAuthSync } from './stores/auth'
import { installUnauthorizedFetchInterceptor } from './common/api'
const app = createApp(App)
initAuthSync()
installUnauthorizedFetchInterceptor()
app.use(router)
app.mount('#app')

155
frontend/vue-app/src/router/__tests__/authGuard.spec.ts Normal file
View File

@@ -0,0 +1,155 @@
import { describe, it, expect, vi, beforeEach } from 'vitest'
import { createRouter, createWebHistory } from 'vue-router'
// Use plain objects — the guard only reads `.value`, so full Vue refs are unnecessary
const { isAuthReadyMock, isUserLoggedInMock, isParentAuthenticatedMock } = vi.hoisted(() => ({
isAuthReadyMock: { value: true },
isUserLoggedInMock: { value: false },
isParentAuthenticatedMock: { value: false },
}))
vi.mock('@/stores/auth', () => ({
isAuthReady: isAuthReadyMock,
isUserLoggedIn: isUserLoggedInMock,
isParentAuthenticated: isParentAuthenticatedMock,
logoutParent: vi.fn(),
enforceParentExpiry: vi.fn(),
}))
// Import router AFTER mocks are in place
const { default: router } = await import('../index')
// Helper — navigate and return the resolved path
async function navigate(path: string): Promise<string> {
await router.push(path)
return router.currentRoute.value.path
}
describe('router auth guard', () => {
beforeEach(async () => {
isAuthReadyMock.value = true
// Park at /auth/reset-password as a neutral starting point:
// - it is always reachable when logged out
// - it doesn't match any route a test assertion lands on
isUserLoggedInMock.value = false
isParentAuthenticatedMock.value = false
await router.push('/auth/reset-password')
})
// ── Redirect logged-in users away from /auth ──────────────────────────────
it('redirects logged-in parent user from /auth to /parent', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = true
const path = await navigate('/auth')
expect(path).toBe('/parent')
})
it('redirects logged-in child user from /auth to /child', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = false
const path = await navigate('/auth')
expect(path).toBe('/child')
})
it('redirects logged-in parent user from /auth/login to /parent', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = true
const path = await navigate('/auth/login')
expect(path).toBe('/parent')
})
it('redirects logged-in child user from /auth/signup to /child', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = false
const path = await navigate('/auth/signup')
expect(path).toBe('/child')
})
it('redirects logged-in child user from /auth/forgot-password to /child', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = false
const path = await navigate('/auth/forgot-password')
expect(path).toBe('/child')
})
// ── Unauthenticated users may access /auth ────────────────────────────────
it('allows unauthenticated user to access /auth', async () => {
isUserLoggedInMock.value = false
const path = await navigate('/auth')
expect(path).toBe('/auth')
})
it('allows unauthenticated user to access /auth/login', async () => {
isUserLoggedInMock.value = false
const path = await navigate('/auth/login')
expect(path).toBe('/auth/login')
})
// ── Unauthenticated users are redirected to /auth from protected routes ───
it('redirects unauthenticated user from /parent to /auth', async () => {
isUserLoggedInMock.value = false
const path = await navigate('/parent')
expect(path).toBe('/auth')
})
it('redirects unauthenticated user from /child to /auth', async () => {
isUserLoggedInMock.value = false
const path = await navigate('/child')
expect(path).toBe('/auth')
})
// ── Authenticated users are routed to the correct section ─────────────────
it('allows parent-authenticated user to access /parent', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = true
const path = await navigate('/parent')
expect(path).toBe('/parent')
})
it('allows child user to access /child', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = false
const path = await navigate('/child')
expect(path).toBe('/child')
})
it('redirects child user away from /parent to /child', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = false
const path = await navigate('/parent')
expect(path).toBe('/child')
})
it('redirects parent user away from /child to /parent', async () => {
isUserLoggedInMock.value = true
isParentAuthenticatedMock.value = true
const path = await navigate('/child')
expect(path).toBe('/parent')
})
// ── ParentPinSetup is always accessible ───────────────────────────────────
it('allows access to /parent/pin-setup regardless of auth state', async () => {
isUserLoggedInMock.value = false
const path = await navigate('/parent/pin-setup')
expect(path).toBe('/parent/pin-setup')
})
})

24
frontend/vue-app/src/router/index.ts
View File

@@ -17,7 +17,13 @@ import AuthLayout from '@/layout/AuthLayout.vue'
import Signup from '@/components/auth/Signup.vue'
import AuthLanding from '@/components/auth/AuthLanding.vue'
import Login from '@/components/auth/Login.vue'
import { isUserLoggedIn, isParentAuthenticated, isAuthReady } from '../stores/auth'
import {
isUserLoggedIn,
isParentAuthenticated,
isAuthReady,
logoutParent,
enforceParentExpiry,
} from '../stores/auth'
import ParentPinSetup from '@/components/auth/ParentPinSetup.vue'
const routes = [
@@ -175,6 +181,9 @@ const routes = [
const router = createRouter({
history: createWebHistory(),
routes,
scrollBehavior() {
return { top: 0, left: 0, behavior: 'smooth' }
},
})
// Auth guard
@@ -190,6 +199,15 @@ router.beforeEach(async (to, from, next) => {
})
}
// If already logged in and trying to access /auth, redirect to appropriate view
if (to.path.startsWith('/auth') && isUserLoggedIn.value) {
if (isParentAuthenticated.value) {
return next('/parent')
} else {
return next('/child')
}
}
// Always allow /auth and /parent/pin-setup
if (to.path.startsWith('/auth') || to.name === 'ParentPinSetup') {
return next()
@@ -201,6 +219,8 @@ router.beforeEach(async (to, from, next) => {
}
// If parent-authenticated, allow all /parent routes
// Enforce expiry first so an elapsed session is caught immediately on navigation
enforceParentExpiry()
if (isParentAuthenticated.value && to.path.startsWith('/parent')) {
return next()
}
@@ -214,6 +234,8 @@ router.beforeEach(async (to, from, next) => {
if (isParentAuthenticated.value) {
return next('/parent')
} else {
// Ensure parent auth is fully cleared when redirecting away from /parent
logoutParent()
return next('/child')
}
})

66
frontend/vue-app/src/stores/__tests__/auth.childmode.spec.ts
View File

@@ -1,7 +1,19 @@
import { describe, it, expect, vi, beforeEach } from 'vitest'
import { isParentAuthenticated, loginUser } from '../auth'
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import {
isParentAuthenticated,
isUserLoggedIn,
loginUser,
initAuthSync,
authenticateParent,
logoutParent,
} from '../auth'
import { nextTick } from 'vue'
// Stub window.location to prevent jsdom "navigation to another Document" warnings
// triggered when the auth store sets window.location.href on logout.
const locationStub = { href: '', pathname: '/', assign: vi.fn(), replace: vi.fn(), reload: vi.fn() }
Object.defineProperty(window, 'location', { value: locationStub, writable: true })
// Helper to mock localStorage
global.localStorage = {
store: {} as Record<string, string>,
@@ -21,13 +33,57 @@ global.localStorage = {
describe('auth store - child mode on login', () => {
beforeEach(() => {
isParentAuthenticated.value = true
localStorage.setItem('isParentAuthenticated', 'true')
// Use authenticateParent() to set up parent-mode state
authenticateParent(false)
})
afterEach(() => {
logoutParent()
})
it('should clear isParentAuthenticated and localStorage on loginUser()', async () => {
expect(isParentAuthenticated.value).toBe(true)
loginUser()
await nextTick() // flush Vue watcher
await nextTick()
expect(isParentAuthenticated.value).toBe(false)
})
it('logs out on cross-tab storage logout event', async () => {
initAuthSync()
isUserLoggedIn.value = true
authenticateParent(false)
expect(isParentAuthenticated.value).toBe(true)
const logoutEvent = new StorageEvent('storage', {
key: 'authSyncEvent',
newValue: JSON.stringify({ type: 'logout', at: Date.now() }),
})
window.dispatchEvent(logoutEvent)
await nextTick()
expect(isUserLoggedIn.value).toBe(false)
expect(isParentAuthenticated.value).toBe(false)
})
it('exits parent mode on cross-tab parent_logout storage event', async () => {
initAuthSync()
authenticateParent(false)
expect(isParentAuthenticated.value).toBe(true)
// Simulate being on a /parent route in this tab
locationStub.pathname = '/parent'
const parentLogoutEvent = new StorageEvent('storage', {
key: 'authSyncEvent',
newValue: JSON.stringify({ type: 'parent_logout', at: Date.now() }),
})
window.dispatchEvent(parentLogoutEvent)
await nextTick()
expect(isParentAuthenticated.value).toBe(false)
expect(locationStub.href).toBe('/child')
// Reset for other tests
locationStub.pathname = '/'
})
})

165
frontend/vue-app/src/stores/__tests__/auth.expiry.spec.ts Normal file
View File

@@ -0,0 +1,165 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import {
isParentAuthenticated,
isParentPersistent,
parentAuthExpiresAt,
authenticateParent,
logoutParent,
loginUser,
} from '../auth'
// Stub window.location
const locationStub = { href: '', pathname: '/', assign: vi.fn(), replace: vi.fn(), reload: vi.fn() }
Object.defineProperty(window, 'location', { value: locationStub, writable: true })
// Build a stateful localStorage stub and register it via vi.stubGlobal so it is
// visible to auth.ts's module scope (not just the test file's scope).
function makeLocalStorageStub() {
const store: Record<string, string> = {}
return {
getItem: (key: string) => store[key] ?? null,
setItem: (key: string, value: string) => {
store[key] = value
},
removeItem: (key: string) => {
delete store[key]
},
clear: () => {
for (const k of Object.keys(store)) delete store[k]
},
_store: store,
}
}
const localStorageStub = makeLocalStorageStub()
vi.stubGlobal('localStorage', localStorageStub)
describe('auth store - parent mode expiry', () => {
beforeEach(() => {
vi.useFakeTimers()
localStorageStub.clear()
logoutParent()
})
afterEach(() => {
logoutParent()
vi.useRealTimers()
})
describe('non-persistent mode', () => {
it('authenticateParent(false) sets isParentAuthenticated to true', () => {
authenticateParent(false)
expect(isParentAuthenticated.value).toBe(true)
expect(isParentPersistent.value).toBe(false)
})
it('non-persistent auth does not set isParentPersistent', () => {
authenticateParent(false)
expect(isParentPersistent.value).toBe(false)
expect(parentAuthExpiresAt.value).not.toBeNull()
// Confirm the expiry is ~1 minute, not 2 days
expect(parentAuthExpiresAt.value!).toBeLessThan(Date.now() + 172_800_000)
})
it('isParentAuthenticated becomes false after 1 minute (watcher fires)', () => {
authenticateParent(false)
expect(isParentAuthenticated.value).toBe(true)
// Advance 60s: watcher fires every 15s, at t=60000 Date.now() >= expiresAt
vi.advanceTimersByTime(60_001)
expect(isParentAuthenticated.value).toBe(false)
})
it('isParentAuthenticated is still true just before 1 minute', () => {
authenticateParent(false)
vi.advanceTimersByTime(59_999)
// Watcher last fired at t=45000, next fires at t=60000 — hasn't expired yet
expect(isParentAuthenticated.value).toBe(true)
})
})
describe('persistent mode', () => {
it('authenticateParent(true) sets isParentAuthenticated to true', () => {
authenticateParent(true)
expect(isParentAuthenticated.value).toBe(true)
expect(isParentPersistent.value).toBe(true)
})
it('writes expiresAt to localStorage for persistent auth — parentAuthExpiresAt is set to ~2 days', () => {
const before = Date.now()
authenticateParent(true)
const after = Date.now()
// Verify the expiry ref is populated and within the 2-day window
expect(parentAuthExpiresAt.value).not.toBeNull()
expect(parentAuthExpiresAt.value!).toBeGreaterThanOrEqual(before + 172_800_000)
expect(parentAuthExpiresAt.value!).toBeLessThanOrEqual(after + 172_800_000)
})
it('isParentAuthenticated becomes false after 2 days (watcher fires)', () => {
authenticateParent(true)
expect(isParentAuthenticated.value).toBe(true)
vi.advanceTimersByTime(172_800_001)
expect(isParentAuthenticated.value).toBe(false)
})
it('isParentAuthenticated is still true just before 2 days', () => {
authenticateParent(true)
// Advance to just before expiry; watcher last fired at t=172_785_000
vi.advanceTimersByTime(172_784_999)
expect(isParentAuthenticated.value).toBe(true)
})
})
describe('logoutParent()', () => {
it('clears isParentAuthenticated and isParentPersistent', () => {
authenticateParent(true)
expect(isParentAuthenticated.value).toBe(true)
logoutParent()
expect(isParentAuthenticated.value).toBe(false)
expect(isParentPersistent.value).toBe(false)
})
it('removing auth clears expiresAt and persistent flag', () => {
authenticateParent(true)
expect(parentAuthExpiresAt.value).not.toBeNull()
logoutParent()
expect(parentAuthExpiresAt.value).toBeNull()
expect(isParentPersistent.value).toBe(false)
})
it('clears parentAuthExpiresAt', () => {
authenticateParent(false)
logoutParent()
expect(parentAuthExpiresAt.value).toBeNull()
})
})
describe('loginUser()', () => {
it('loginUser() clears parent auth entirely', () => {
authenticateParent(true)
expect(isParentAuthenticated.value).toBe(true)
loginUser()
expect(isParentAuthenticated.value).toBe(false)
expect(isParentPersistent.value).toBe(false)
expect(parentAuthExpiresAt.value).toBeNull()
})
})
describe('localStorage restore on init', () => {
it('expired localStorage entry is cleaned up when checked', () => {
// Simulate a stored entry that is already expired
const expired = Date.now() - 1000
localStorage.setItem('parentAuth', JSON.stringify({ expiresAt: expired }))
// Mirroring the init logic in auth.ts: read, check, remove if stale
const stored = localStorage.getItem('parentAuth')
if (stored) {
const parsed = JSON.parse(stored) as { expiresAt: number }
if (!parsed.expiresAt || Date.now() >= parsed.expiresAt) {
localStorage.removeItem('parentAuth')
}
}
expect(localStorage.getItem('parentAuth')).toBeNull()
})
})
})

Some files were not shown because too many files have changed in this diff Show More