fix: migrate remaining controllers from Auth0 sub to UUID identity (refs #220)

16 controllers still used request.user.sub (Auth0 ID) instead of request.userContext.userId (UUID) after the user_id column migration, causing 500 errors on all authenticated endpoints including dashboard. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 11:38:46 -06:00
parent 28165e4f4a
commit dd3b58e061
16 changed files with 177 additions and 169 deletions
--- a/backend/src/features/auth/api/auth.controller.ts
+++ b/backend/src/features/auth/api/auth.controller.ts
@@ -110,17 +110,17 @@ export class AuthController {
   */
  async getVerifyStatus(request: FastifyRequest, reply: FastifyReply) {
    try {
-      const userId = (request as any).user.sub;
+      const auth0Sub = (request as any).user.sub;

-      const result = await this.authService.getVerifyStatus(userId);
+      const result = await this.authService.getVerifyStatus(auth0Sub);

-      logger.info('Verification status checked', { userId, emailVerified: result.emailVerified });
+      logger.info('Verification status checked', { userId: request.userContext?.userId, emailVerified: result.emailVerified });

      return reply.code(200).send(result);
    } catch (error: any) {
      logger.error('Failed to get verification status', {
        error,
-        userId: (request as any).user?.sub,
+        userId: request.userContext?.userId,
      });

      return reply.code(500).send({
@@ -137,17 +137,17 @@ export class AuthController {
   */
  async resendVerification(request: FastifyRequest, reply: FastifyReply) {
    try {
-      const userId = (request as any).user.sub;
+      const auth0Sub = (request as any).user.sub;

-      const result = await this.authService.resendVerification(userId);
+      const result = await this.authService.resendVerification(auth0Sub);

-      logger.info('Verification email resent', { userId });
+      logger.info('Verification email resent', { userId: request.userContext?.userId });

      return reply.code(200).send(result);
    } catch (error: any) {
      logger.error('Failed to resend verification email', {
        error,
-        userId: (request as any).user?.sub,
+        userId: request.userContext?.userId,
      });

      return reply.code(500).send({
@@ -199,23 +199,26 @@ export class AuthController {
   */
  async getUserStatus(request: FastifyRequest, reply: FastifyReply) {
    try {
-      const userId = (request as any).user.sub;
+      const auth0Sub = (request as any).user.sub;
+      const userId = request.userContext?.userId;

-      const result = await this.authService.getUserStatus(userId);
+      const result = await this.authService.getUserStatus(auth0Sub);

      // Log login event to audit trail (called once per Auth0 callback)
      const ipAddress = this.getClientIp(request);
-      await auditLogService.info(
-        'auth',
-        userId,
-        'User login',
-        'user',
-        userId,
-        { ipAddress }
-      ).catch(err => logger.error('Failed to log login audit event', { error: err }));
+      if (userId) {
+        await auditLogService.info(
+          'auth',
+          userId,
+          'User login',
+          'user',
+          userId,
+          { ipAddress }
+        ).catch(err => logger.error('Failed to log login audit event', { error: err }));
+      }

      logger.info('User status retrieved', {
-        userId: userId.substring(0, 8) + '...',
+        userId: userId?.substring(0, 8) + '...',
        emailVerified: result.emailVerified,
        onboardingCompleted: result.onboardingCompleted,
      });
@@ -224,7 +227,7 @@ export class AuthController {
    } catch (error: any) {
      logger.error('Failed to get user status', {
        error,
-        userId: (request as any).user?.sub,
+        userId: request.userContext?.userId,
      });

      return reply.code(500).send({
@@ -241,12 +244,12 @@ export class AuthController {
   */
  async getSecurityStatus(request: FastifyRequest, reply: FastifyReply) {
    try {
-      const userId = (request as any).user.sub;
+      const auth0Sub = (request as any).user.sub;

-      const result = await this.authService.getSecurityStatus(userId);
+      const result = await this.authService.getSecurityStatus(auth0Sub);

      logger.info('Security status retrieved', {
-        userId: userId.substring(0, 8) + '...',
+        userId: request.userContext?.userId,
        emailVerified: result.emailVerified,
      });

@@ -254,7 +257,7 @@ export class AuthController {
    } catch (error: any) {
      logger.error('Failed to get security status', {
        error,
-        userId: (request as any).user?.sub,
+        userId: request.userContext?.userId,
      });

      return reply.code(500).send({
@@ -271,28 +274,31 @@ export class AuthController {
   */
  async requestPasswordReset(request: FastifyRequest, reply: FastifyReply) {
    try {
-      const userId = (request as any).user.sub;
+      const auth0Sub = (request as any).user.sub;
+      const userId = request.userContext?.userId;

-      const result = await this.authService.requestPasswordReset(userId);
+      const result = await this.authService.requestPasswordReset(auth0Sub);

      logger.info('Password reset email requested', {
-        userId: userId.substring(0, 8) + '...',
+        userId: userId?.substring(0, 8) + '...',
      });

      // Log password reset request to unified audit log
-      await auditLogService.info(
-        'auth',
-        userId,
-        'Password reset requested',
-        'user',
-        userId
-      ).catch(err => logger.error('Failed to log password reset audit event', { error: err }));
+      if (userId) {
+        await auditLogService.info(
+          'auth',
+          userId,
+          'Password reset requested',
+          'user',
+          userId
+        ).catch(err => logger.error('Failed to log password reset audit event', { error: err }));
+      }

      return reply.code(200).send(result);
    } catch (error: any) {
      logger.error('Failed to request password reset', {
        error,
-        userId: (request as any).user?.sub,
+        userId: request.userContext?.userId,
      });

      return reply.code(500).send({
@@ -312,21 +318,23 @@ export class AuthController {
   */
  async trackLogout(request: FastifyRequest, reply: FastifyReply) {
    try {
-      const userId = (request as any).user.sub;
+      const userId = request.userContext?.userId;
      const ipAddress = this.getClientIp(request);

      // Log logout event to audit trail
-      await auditLogService.info(
-        'auth',
-        userId,
-        'User logout',
-        'user',
-        userId,
-        { ipAddress }
-      ).catch(err => logger.error('Failed to log logout audit event', { error: err }));
+      if (userId) {
+        await auditLogService.info(
+          'auth',
+          userId,
+          'User logout',
+          'user',
+          userId,
+          { ipAddress }
+        ).catch(err => logger.error('Failed to log logout audit event', { error: err }));
+      }

      logger.info('User logout tracked', {
-        userId: userId.substring(0, 8) + '...',
+        userId: userId?.substring(0, 8) + '...',
      });

      return reply.code(200).send({ success: true });
@@ -334,7 +342,7 @@ export class AuthController {
      // Don't block logout on audit failure - always return success
      logger.error('Failed to track logout', {
        error,
-        userId: (request as any).user?.sub,
+        userId: request.userContext?.userId,
      });

      return reply.code(200).send({ success: true });