Created backend/src/config/constants.js to centralize all magic numbers
and configuration values used throughout the backend codebase.

Changes:
- Created constants.js with organized sections for:
  - SECURITY: JWT, rate limiting, password reset
  - AUTH: OTP configuration and rate limiting
  - SERVER: Port, body limits, startup delays
  - MQTT: Connection settings, cache limits
  - NOTIFICATIONS: Push settings, quiet hours, batching
  - SERIAL: Validation patterns and constraints
  - EMAIL: Template settings and defaults
  - CRON: Schedule configurations
  - STORAGE: Avatar storage settings
- Updated files to use constants:
  - index.js: JWT validation, rate limits, startup delays
  - routes/auth.js: OTP generation, rate limits, JWT expiry
  - services/mqtt.js: Connection timeouts, cache size
  - services/notifications.js: Batch size, TTL, quiet hours
  - utils/serialValidation.js: Serial number constraints
- Added comprehensive test suite (30 tests) for constants module
  - All tests passing (93 total including existing tests)
  - Validates reasonable values and consistency between related constants

Benefits:
- Single source of truth for configuration values
- Easier to maintain and update settings
- Better documentation of what each value represents
- Improved code readability by removing hardcoded numbers
- Testable configuration values

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Fixed GET /auth/me and POST /auth/verify-otp endpoints to use the correct
beneficiaries table schema. Previously, these endpoints were querying for
fields like email, first_name, last_name, address_street which don't exist
in the actual beneficiaries table, causing empty/incorrect data to be returned.

Changes:
- Updated Supabase queries to fetch correct fields: name, phone, address,
  avatar_url, equipment_status, created_at
- Fixed response mapping to use 'name' instead of 'first_name'/'last_name'
- Added proper equipmentStatus and hasDevices calculations
- Removed spread operator that was adding incorrect fields to response

Added comprehensive tests to verify correct schema usage and ensure
beneficiary data is returned with the proper structure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Add custom_name to user_access query in both endpoints
- Compute displayName as customName || originalName
- Include customName, displayName, and originalName in response
- Ensures consistent beneficiary data format across all endpoints

- setWiFi() now throws detailed errors instead of returning false
- Shows specific error messages: "WiFi credentials rejected", timeout etc.
- Added logging throughout BLE WiFi configuration flow
- Fixed WiFi network deduplication (keeps strongest signal)
- Ignore "Operation cancelled" error (normal cleanup behavior)
- BatchSetupProgress shows actual error in hint field

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Add verifyOtpLimiter: 5 attempts per 15 minutes per email/IP
- Add requestOtpLimiter: 3 attempts per 15 minutes per email/IP
- Use email as primary key, fallback to IP
- Return JSON error messages for rate limit exceeded

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
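
The email-first, IP-fallback keying described in the rate-limiting commit above, as an added example that is not the project's code: a dependency-free fixed-window limiter. Only the limiter names and the 5/3 per 15 minutes limits come from the commit message; `createLimiter`, `limiterKey`, the 429 status, the error strings and the email normalization are assumptions.

```javascript
// Added example, not the project's implementation. Helper names are hypothetical.
const WINDOW_MS = 15 * 60 * 1000; // 15 minutes, as stated in the commit message

// Email is the primary key; fall back to the client IP when no usable email is sent.
function limiterKey(req) {
  const raw = req.body && typeof req.body.email === 'string' ? req.body.email : '';
  // Assumption: normalize case and whitespace so "A@x.com" and "a@x.com " share one bucket.
  const email = raw.trim().toLowerCase();
  return email ? `email:${email}` : `ip:${req.ip}`;
}

// Fixed-window counter. Returns a function that records one attempt per call.
function createLimiter({ windowMs, max, message }) {
  const buckets = new Map(); // key -> { count, resetAt }; expired keys are not purged here
  return function check(req, now = Date.now()) {
    const key = limiterKey(req);
    let bucket = buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + windowMs }; // start a new window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    if (bucket.count > max) {
      // JSON error body for the client; 429 is an assumed status code.
      const retryAfterSec = Math.ceil((bucket.resetAt - now) / 1000);
      return { allowed: false, status: 429, body: { error: message, retryAfterSec } };
    }
    return { allowed: true, status: 200, body: null };
  };
}

// Limits taken from the commit message; the messages are constructed.
const verifyOtpLimiter = createLimiter({
  windowMs: WINDOW_MS, max: 5, message: 'Too many verification attempts',
});
const requestOtpLimiter = createLimiter({
  windowMs: WINDOW_MS, max: 3, message: 'Too many OTP requests',
});
```

Because the key is the email whenever one is supplied, attempts against one address from many IPs share a single bucket, while requests without an email are counted per IP.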

- Monitoring badge: equipment active + subscription active
- Get kit badge: user hasn't ordered equipment yet
- Equipment status badges: ordered, shipped, delivered
- No subscription warning when equipment works but no sub
- Stripe subscription caching in backend (hourly sync)
- BeneficiaryMenu with edit/share/archive/delete actions