Fix jwt-token

server/routes/management.js

@@ -8,7 +8,7 @@ const router = express.Router();
 const jwt = require('jsonwebtoken');
 const bcrypt = require('bcryptjs'); // Fixed: use bcryptjs instead of bcrypt
 const { Op } = require('sequelize'); // Add Sequelize operators
-const { Tenant, User } = require('../models');
+const { Tenant, User, ManagementUser } = require('../models');
 
 // Management-specific authentication middleware - NO shared auth with tenants
 const requireManagementAuth = (req, res, next) => {
@@ -56,20 +56,10 @@ router.post('/auth/login', async (req, res) => {
   try {
     const { username, password } = req.body;
     
-    // Hardcoded management users for now (should be in separate DB table)
-    const MANAGEMENT_USERS = {
-      'admin': {
-        password: await bcrypt.hash('admin123', 10), // Change this!
-        role: 'super_admin'
-      },
-      'platform_admin': {
-        password: await bcrypt.hash('platform123', 10), // Change this!
-        role: 'platform_admin'
-      }
-    };
+    // Use ManagementUser model instead of hardcoded users
+    const managementUser = await ManagementUser.findByCredentials(username, password);
     
-    const managementUser = MANAGEMENT_USERS[username];
-    if (!managementUser || !await bcrypt.compare(password, managementUser.password)) {
+    if (!managementUser) {
       return res.status(401).json({
         success: false,
         message: 'Invalid management credentials'
@@ -78,8 +68,8 @@ router.post('/auth/login', async (req, res) => {
     
     const MANAGEMENT_SECRET = process.env.MANAGEMENT_JWT_SECRET || 'mgmt-super-secret-change-in-production';
     const token = jwt.sign({
-      userId: username,
-      username: username,
+      userId: managementUser.id,
+      username: managementUser.username,
       role: managementUser.role,
       isManagement: true
     }, MANAGEMENT_SECRET, { expiresIn: '8h' });
@@ -88,7 +78,11 @@ router.post('/auth/login', async (req, res) => {
       success: true,
       token,
       user: {
-        username,
+        id: managementUser.id,
+        username: managementUser.username,
+        email: managementUser.email,
+        first_name: managementUser.first_name,
+        last_name: managementUser.last_name,
         role: managementUser.role
       }
     });
@@ -506,14 +500,14 @@ router.post('/tenants/:tenantId/users', async (req, res) => {
     // Create user with tenant association
     const user = await User.create({
       ...userData,
-      password: hashedPassword,
+      password_hash: hashedPassword, // Use correct field name
       tenant_id: tenantId,
       created_by: req.managementUser.username
     });
     
-    // Remove password from response
+    // Remove password_hash from response
     const userResponse = user.toJSON();
-    delete userResponse.password;
+    delete userResponse.password_hash;
     
     console.log(`Management: Admin ${req.managementUser.username} created user ${userData.username} in tenant ${tenant.name}`);
     
@@ -563,14 +557,15 @@ router.put('/tenants/:tenantId/users/:userId', async (req, res) => {
     // Hash password if provided
     if (updates.password) {
       const bcrypt = require('bcryptjs');
-      updates.password = await bcrypt.hash(updates.password, 10);
+      updates.password_hash = await bcrypt.hash(updates.password, 10);
+      delete updates.password; // Remove plain password
     }
     
     await user.update(updates);
     
-    // Remove password from response
+    // Remove password_hash from response
     const userResponse = user.toJSON();
-    delete userResponse.password;
+    delete userResponse.password_hash;
     
     console.log(`Management: Admin ${req.managementUser.username} updated user ${user.username} in tenant ${user.tenant.name}`);
     
@@ -686,7 +681,7 @@ router.get('/tenants/:tenantId/users', async (req, res) => {
     
     const users = await User.findAndCountAll({
       where: whereClause,
-      attributes: { exclude: ['password'] },
+      attributes: { exclude: ['password_hash'] }, // Exclude password_hash, not password
       limit: Math.min(parseInt(limit), 100),
       offset: parseInt(offset),
       order: [['created_at', 'DESC']]