From 216dd754a932e1532eea7a8261aa56ec84a30a33 Mon Sep 17 00:00:00 2001
From: Alexander Borg
Date: Tue, 16 Sep 2025 21:21:16 +0200
Subject: [PATCH] Fix jwt-token
---
 server/routes/auth.js | 46 ++++++++++++++++++++++++++++++++++++++++++-
 server/routes/user.js | 4 ++--
 2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/server/routes/auth.js b/server/routes/auth.js
index 4068ab4..7cc0bf0 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -12,6 +12,50 @@ const MultiTenantAuth = require('../middleware/multi-tenant-auth');
 const SAMLAuth = require('../middleware/saml-auth');
 const OAuthAuth = require('../middleware/oauth-auth');
 const LDAPAuth = require('../middleware/ldap-auth');
+const { validateRequest } = require('../middleware/validation');
+const Joi = require('joi');
+
+// Registration validation schema (same as in user.js)
+const registerSchema = Joi.object({
+ username: Joi.string()
+ .min(3)
+ .max(50)
+ .pattern(/^[a-zA-Z0-9._-]+$/)
+ .required()
+ .messages({
+ 'string.pattern.base': 'Username can only contain letters, numbers, dots, underscores, and hyphens'
+ }),
+ email: Joi.string()
+ .email()
+ .required()
+ .max(255),
+ password: Joi.string()
+ .min(8)
+ .max(100)
+ .pattern(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/)
+ .required()
+ .messages({
+ 'string.pattern.base': 'Password must contain at least one lowercase letter, one uppercase letter, and one number'
+ }),
+ first_name: Joi.string()
+ .max(100)
+ .optional()
+ .allow(''),
+ last_name: Joi.string()
+ .max(100)
+ .optional()
+ .allow(''),
+ phone_number: Joi.string()
+ .pattern(/^[\+]?[1-9][\d]{0,15}$/)
+ .optional()
+ .allow('')
+ .messages({
+ 'string.pattern.base': 'Please enter a valid phone number'
+ }),
+ role: Joi.string()
+ .valid('viewer') // Only allow viewer role for self-registration
+ .default('viewer')
+});
 
 // Initialize multi-tenant auth
 const multiAuth = new MultiTenantAuth();
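Review bot: Whether the new `registerSchema` actually blocks mass-assignment and applies the `viewer` default depends on `validateRequest`, which this hunk only imports: Joi's `.default('viewer')` is only observable if the middleware writes the validated `value` back to `req.body`, and extra keys such as `is_admin` or `tenant_id` are only rejected if it keeps Joi's default of refusing unknown keys (or passes `stripUnknown`). I cannot see `../middleware/validation` from here, so please confirm that and record it next to the schema, e.g. `// Relies on validateRequest replacing req.body with the validated value and rejecting/stripping unknown keys; otherwise the role default and unknown-field protection do not apply`. The comment `(same as in user.js)` also means two copies of the rules that can silently drift; exporting one schema from a shared module and requiring it in both routes would keep the `role: 'viewer'` restriction enforced in a single place. Composition rules like `(?=.*[a-z])(?=.*[A-Z])(?=.*\d)` add little over length, and current guidance (NIST SP 800-63B) favours a longer minimum plus a breached-password check instead, but that is optional here.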
@@ -208,7 +252,7 @@ router.post('/login', async (req, res, next) => {
 * POST /auth/register
 * Universal registration endpoint that routes to appropriate provider
 */
-router.post('/register', async (req, res, next) => {
+router.post('/register', validateRequest(registerSchema), async (req, res, next) => {
 try {
 // Determine tenant
 const tenantId = await multiAuth.determineTenant(req);
diff --git a/server/routes/user.js b/server/routes/user.js
index c7822d7..ae654b7 100644
--- a/server/routes/user.js
+++ b/server/routes/user.js
@@ -140,7 +140,7 @@ async function registerLocal(req, res) {
 console.log('❌ Registration BLOCKED - Registration disabled for tenant:', tenantId);
 return res.status(403).json({
 success: false,
- message: 'Registration is not enabled for this tenant. Please contact your administrator.'
+ message: 'Registration not allowed for this tenant'
 });
 }
@@ -172,7 +172,7 @@ async function registerLocal(req, res) {
 if (existingUser) {
 console.log('❌ Registration BLOCKED - User already exists in tenant');
- return res.status(409).json({
+ return res.status(400).json({
 success: false,
 message: 'Username or email already exists'
 });
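Review bot: `validateRequest(registerSchema)` now gates every provider this "universal" endpoint routes to, and the schema makes `password` required with composition rules, so if any of the SAML/OAuth/LDAP paths imported at the top of the file register users without a local password, those registrations are rejected before `determineTenant` even runs. The handler body continues past the hunk, so I cannot see the provider branches; if the password is only meaningful for the local provider, either validate inside that branch or make the field conditional in the schema with `Joi.when(...)` keyed on whatever selects the provider. If the endpoint is local-only in practice, a one-line comment above the route saying so, e.g. `// Body validation assumes the local provider; SAML/OAuth/LDAP flows do not use this route`, would stop the next reader from asking the same question.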
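Review bot: Changing `409` to `400` on the duplicate-user path does not hide account existence, because the body still says `'Username or email already exists'`, so an attacker can enumerate registered usernames and e-mail addresses exactly as before; if that was the motivation, the response has to be indistinguishable from the success path (same status and body, e.g. `message: 'If this account can be created you will receive a confirmation email'`), ideally together with rate limiting on the register endpoint. If enumeration is an accepted trade-off, `409 Conflict` was the semantically correct code and the downgrade deserves a reason in the commit or a comment such as `// 400 rather than 409: duplicate accounts are reported like any other validation failure`. `registerLocal` starts outside the hunk, so the rest of its error paths are not visible here.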