# API Endpoint Issues - Fixes Required

## Version: 1.0.0
## Date: Current
## Status: Critical - Blocking User Registration Flow

---

## 🔴 Critical Issues

### 1. Apple Auth Endpoint - 500 Server Error

**Endpoint:** `POST /auth/apple`

**Current Behavior:**
- Returns 500 server error when called with valid payload

**Expected Payload (Client Sending):**
```json
{
  "identity_token": "eyJraWQiOiJIdlZJNkVzWlhKIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwczovL2FwcGxlaWQuYXBwbGUuY29tIiwiYXVkIjoiY29tLm5hZmVzIiwiZXhwIjoxNzY4MTE1NDUyLCJpYXQiOjE3NjgwMjkwNTIsInN1YiI6IjAwMDA4MS5hMzBjMDIwNGQ2YWQ0NDY5YmE4NTZlMTU2NjM0ODE3Yi4xMTE5IiwiY19oYXNoIjoiTVBjcHVoZURZVlZfMG4tang0TmpJQSIsImVtYWlsIjoibWFoZGlzYWdocm91bjZAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF1dGhfdGltZSI6MTc2ODAyOTA1Miwibm9uY2Vfc3VwcG9ydGVkIjp0cnVlfQ.TmOFI-tUrfxJN8mWHgUKFzrA5xZPMqWHpBEQaRXZ7kROb-PIr_CZbi8cTojCj8ZrK0zvqrll0zE-2M8zxbkrL1Du5MYF1nZ674P094aKF1HSlPBcQnp-z49RFDytgOFpiHjmoxA92a8rv6ONFAIHd4NWYb7EhWHXn9E5J6xJMk9sW26nCeHRn35hAAP4Km3hqyCm8w0_bRyDu--wphzyAU8gGF6rcTjSHVwffdsrb9bvhyzq1AViBd1biGqqmHDr16mHGedPi-LMzA2VVYOPbat_Zw_yFY8EC1470ILL65TyM5B29yGT9sWH4QxKtgYczKThHS4OJzgt_pKGiE_4wg",
  "full_name": "KzI8lE D5aHmw",
  "language": "ar"
}
```

**Expected Response:**
```json
{
  "success": true,
  "message": "Authentication successful",
  "data": {
    "access_token": "...",
    "refresh_token": "...",
    "user_id": "...",
    "requires_account_completion": true/false
  }
}
```

**Current Response:**
- 500 Internal Server Error

**Client Status:** ✅ Working correctly - sending all required fields
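As an added example (not code from this project or from the client), the following Python module shows the server-side shape that avoids a 500 on this endpoint: validate the request body, then check the `identity_token` header and claims (`alg`, `iss`, `aud`, `exp`, `sub`) and map every failure to a 4xx with the `{success, message: {key, value}}` body used elsewhere in this document. The expected `aud` value, the `signature_verifier(token, kid)` hook (which in production would verify RS256 against Apple's published keys; it is stubbed in the demo) and the constructed `SAMPLE_CLAIMS` are assumptions, not values from the page.

```python
"""Added example (not the project's code): claim validation for the identity_token
posted to POST /auth/apple, mapping each failure to a 4xx with a structured body
instead of letting an exception surface as a 500.

Assumptions not stated on the page: the expected `aud` is the server's Apple
client id; RS256 signature verification against Apple's JWKS is performed by a
caller-supplied `signature_verifier(token, kid)` callable (stubbed in the demo),
so an unverified token never reaches the claim checks."""
import base64
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple

APPLE_ISSUER = "https://appleid.apple.com"
SUPPORTED_LANGUAGES = {"ar", "en"}
Response = Tuple[int, Dict[str, Any]]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _error(status: int, key: str, value: str) -> Response:
    return status, {"success": False, "message": {"key": key, "value": value}}


def validate_apple_identity_token(token: str, expected_aud: str,
                                  signature_verifier: Callable[[str, str], bool],
                                  now: Optional[int] = None) -> Response:
    """Return (status, body); 200 carries the verified claims in body["data"]."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return _error(400, "INVALID_TOKEN", "identity_token is not a compact JWT")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return _error(400, "INVALID_TOKEN", "identity_token could not be decoded")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return _error(400, "INVALID_TOKEN", "identity_token segments are not objects")
    # Apple signs with RS256 only; refuse anything else before looking at claims.
    if header.get("alg") != "RS256" or not isinstance(header.get("kid"), str):
        return _error(401, "INVALID_TOKEN", "unsupported algorithm or missing kid")
    if not signature_verifier(token, header["kid"]):
        return _error(401, "INVALID_TOKEN", "signature verification failed")
    if claims.get("iss") != APPLE_ISSUER:
        return _error(401, "INVALID_TOKEN", "unexpected issuer")
    if claims.get("aud") != expected_aud:
        return _error(401, "INVALID_TOKEN", "token was issued for a different app")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return _error(401, "TOKEN_EXPIRED", "identity_token has expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        return _error(401, "INVALID_TOKEN", "missing subject")
    return 200, {"success": True, "message": "Token verified", "data": claims}


def handle_apple_auth(body: Any, expected_aud: str,
                      signature_verifier: Callable[[str, str], bool],
                      now: Optional[int] = None) -> Response:
    """Validate the request body, then the token. Session token issuance is not shown."""
    if not isinstance(body, dict):
        return _error(400, "INVALID_REQUEST", "body must be a JSON object")
    token = body.get("identity_token")
    if not isinstance(token, str) or not token:
        return _error(400, "INVALID_REQUEST", "identity_token is required")
    language = body.get("language", "en")
    if language not in SUPPORTED_LANGUAGES:
        return _error(400, "INVALID_REQUEST", "language must be one of ar, en")
    full_name = body.get("full_name")
    if full_name is not None and not isinstance(full_name, str):
        return _error(400, "INVALID_REQUEST", "full_name must be a string")
    status, result = validate_apple_identity_token(token, expected_aud, signature_verifier, now)
    if status != 200:
        return status, result
    claims = result["data"]
    # full_name comes from the client, not from the token, so it is passed through as sent.
    return 200, {"success": True, "message": "Authentication successful",
                 "data": {"apple_sub": claims["sub"], "email": claims.get("email"),
                          "email_verified": bool(claims.get("email_verified", False)),
                          "full_name": full_name, "language": language}}


def build_sample_token(claims: Dict[str, Any], kid: str = "constructed-kid") -> str:
    """Constructed, unsigned sample for offline use; the signature segment is a placeholder."""
    header = {"kid": kid, "alg": "RS256"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


# Constructed claims shaped like the page's token (different, fictitious values).
SAMPLE_CLAIMS = {"iss": APPLE_ISSUER, "aud": "com.example.app", "exp": 1_900_000_000,
                 "iat": 1_899_913_600, "sub": "000000.constructed0000.0000",
                 "email": "user@example.com", "email_verified": True,
                 "auth_time": 1_899_913_600, "nonce_supported": True}

if __name__ == "__main__":
    tok = build_sample_token(SAMPLE_CLAIMS)
    print(handle_apple_auth({"identity_token": tok, "language": "ar"}, "com.example.app",
                            lambda t, k: True, now=1_899_913_700))
```

The ordering matters: the signature gate runs before any claim is trusted, and decode failures are caught and turned into a 400, which is what separates "client sent garbage" from "server crashed".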
---

### 2. Link Account Endpoint - 500 Server Error

**Endpoint:** `POST /auth/link-account`

**Current Behavior:**
- Returns 500 server error when called with valid payload
- Password field is being sent but shouldn't be required at this stage

**Context:**
- User enters ONLY email in first registration step
- API returns 409 with `requires_provider_linking: true`
- Client shows account linking sheet
- User selects Google/Apple to link account
- Client sends provider token (id_token for Google, identity_token for Apple)

**Expected Payload (Client Sending):**
```json
{
  "provider_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...", // Google id_token OR Apple identity_token
  "linking_intent_token": "abc123...",
  "password": null, // Not required - user hasn't set password yet
  "full_name": "aB3xY9 mK7pQ2" // For Apple auth only
}
```

**Expected Response:**
```json
{
  "success": true,
  "message": "Account linked successfully",
  "data": {
    "access_token": "...",
    "refresh_token": "...",
    "requires_account_completion": true
  }
}
```

**Current Response:**
- 500 Internal Server Error

**Issue:**
- Password shouldn't be required at this stage (user only entered email)
- Password should be set during profile completion step

**Recommendation:**
- Option A: Remove password requirement from link-account endpoint
- Option B: Create new endpoint `/auth/check-account-linking` to verify if account needs linging before requiring password

**Client Status:** ✅ Working correctly - sending provider_token based on provider type
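As an added example (not the project's code), here is the email-only registration step answering 409 with a `linking_intent_token`, followed by a `link-account` handler that implements Option A: `password` is accepted but may be `null`. The page only shows `linking_intent_token` as `"abc123..."`, so its format here (an HMAC-signed, short-lived token bound to the email) is an assumption; provider token verification is delegated to a caller-supplied `verify_provider_token(token)` callable standing in for the Google/Apple checks, and the access/refresh tokens are opaque placeholders.

```python
"""Added example (not the project's code) of the flow in issue 2: email-only
registration answered with 409 + linking_intent_token, then POST /auth/link-account
with the provider token and a null password (Option A from the recommendation).

Assumptions not on the page: linking_intent_token is an HMAC-signed, short-lived
token bound to the email; provider_token checks are delegated to a caller-supplied
verify_provider_token(token) returning the provider's verified identity or None;
access/refresh tokens are opaque placeholders."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Any, Callable, Dict, Optional, Tuple

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # real deployments load this from config
INTENT_TTL_SECONDS = 600
Response = Tuple[int, Dict[str, Any]]


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _error(status: int, key: str, value: str) -> Response:
    return status, {"success": False, "message": {"key": key, "value": value}}


def issue_linking_intent(email: str, now: int) -> str:
    """HMAC-sign {email, exp, nonce} so the link step cannot be redirected to another account."""
    payload = json.dumps({"email": email, "exp": now + INTENT_TTL_SECONDS,
                          "nonce": secrets.token_hex(8)}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_linking_intent(token: str, now: int) -> Optional[str]:
    """Return the bound email, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)  # only reached for payloads this server signed
    return data["email"] if data["exp"] > now else None


class AccountService:
    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, Any]] = {}  # email -> record

    def create_provider_account(self, email: str, provider: str, sub: str) -> None:
        """Seed an account that was originally created through Google/Apple."""
        self.users[email] = {"email": email, "providers": {provider: sub}, "name": None,
                             "password_hash": None, "profile_completed_at": None}

    def start_registration(self, email: str, now: int) -> Response:
        """First registration step: email only, no password yet."""
        if email not in self.users:
            self.users[email] = {"email": email, "providers": {}, "name": None,
                                 "password_hash": None, "profile_completed_at": None}
            return 200, {"success": True, "message": "OTP sent", "data": {"email": email}}
        # Email already has an account: ask the client to prove ownership via the provider.
        return 409, {"success": False,
                     "message": {"key": "PROVIDER_LINKING_REQUIRED", "value": "Link your existing provider account"},
                     "data": {"requires_provider_linking": True,
                              "linking_intent_token": issue_linking_intent(email, now)}}

    def link_account(self, body: Any, verify_provider_token: Callable[[str], Optional[Dict[str, Any]]],
                     now: int) -> Response:
        if not isinstance(body, dict):
            return _error(400, "INVALID_REQUEST", "body must be a JSON object")
        for field in ("provider_token", "linking_intent_token"):
            if not isinstance(body.get(field), str) or not body[field]:
                return _error(400, "INVALID_REQUEST", f"{field} is required")
        # Option A: password is optional at this stage; null is accepted.
        password = body.get("password")
        if password is not None and not isinstance(password, str):
            return _error(400, "INVALID_REQUEST", "password must be a string or null")
        email = verify_linking_intent(body["linking_intent_token"], now)
        if email is None or email not in self.users:
            return _error(401, "INVALID_LINKING_INTENT", "linking_intent_token is invalid or expired")
        identity = verify_provider_token(body["provider_token"])
        if identity is None:
            return _error(401, "INVALID_PROVIDER_TOKEN", "provider_token could not be verified")
        # Only a provider-verified email proves the caller owns the account being linked.
        if not identity.get("email_verified") or identity.get("email") != email:
            return _error(403, "PROVIDER_EMAIL_MISMATCH", "provider identity does not own this email")
        user = self.users[email]
        user["providers"][identity["provider"]] = identity["sub"]
        full_name = body.get("full_name")
        if isinstance(full_name, str) and full_name and user["name"] is None:
            user["name"] = full_name  # Apple supplies the name via the client only
        return 200, {"success": True, "message": "Account linked successfully",
                     "data": {"access_token": secrets.token_urlsafe(32),  # placeholders
                              "refresh_token": secrets.token_urlsafe(32),
                              "requires_account_completion": user["profile_completed_at"] is None}}
```

The intent token is what ties the second request back to the first: without it, anyone holding a valid provider token could attach it to any email. Binding the email into the signed payload and requiring the provider's verified email to match closes that gap while still letting the password be set later, in the profile completion step.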
---

### 3. Get Profile Endpoint - Error Instead of Success

**Endpoint:** `GET /auth/profile`

**Current Behavior:**
- Returns error when profile needs completion
- Used at app startup to check if user needs to complete profile

**Use Case:**
- User verifies OTP and gets tokens
- App calls `/auth/profile` to check completion status
- If profile incomplete, should guide user to complete profile screen
- User might have stopped mid-way, so some data might exist (like email)

**Current Response (Incorrect):**
```json
{
  "success": false,
  "message": {
    "key": "ACCOUNT_COMPLETION_REQUIRED",
    "value": "ACCOUNT_COMPLETION_REQUIRED"
  },
  "data": {
    "requires_account_completion": true
  }
}
```

**Expected Response (Correct):**
```json
{
  "success": true,
  "message": {
    "key": "ACCOUNT_COMPLETION_REQUIRED",
    "value": "Account completion required"
  },
  "data": {
    "id": "user-uuid",
    "email": "user@example.com", // Already exists - user entered it
    "name": null, // Doesn't exist yet
    "country": null, // Doesn't exist yet
    "mobile_country_code": null,
    "mobile_number": null,
    "gender": null,
    "avatar": null,
    "role": "user",
    "language": "ar",
    "profile_completed_at": null, // Indicates completion needed
    "requires_account_completion": true
  }
}
```

**Why This Matters:**
- App uses this endpoint at startup to check if user needs to complete profile
- If user stopped mid-way, we need existing data (like email) to pre-fill the form
- Returning error prevents app from navigating to complete profile screen
- Should return 200 with success:true and existing data

**Client Status:** ✅ Updated to handle 200 response with requires_account_completion
---

### 4. Google Auth - User Disabled Error

**Endpoint:** `POST /auth/google`

**Current Behavior:**
- Shows "user disabled" error when creating account the second time
- First time works, second time fails

**Expected Payload (Client Sending):**
```json
{
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "language": "ar" // or "en"
}
```

**Expected Response:**
```json
{
  "success": true,
  "message": "Authentication successful",
  "data": {
    "access_token": "...",
    "refresh_token": "...",
    "user_id": "...",
    "requires_account_completion": true/false
  }
}
```

**Current Response (Second Time):**
- Error: "User disabled" or similar

**Issue:**
- Account might be getting disabled after first registration
- Or duplicate account detection is incorrectly flagging as disabled

**Client Status:** ✅ Working correctly - sending valid id_token
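As an added example (not the project's code) covering issues 3 and 4 together, the store below keys accounts by `(provider, sub)` so a second `/auth/google` call for the same Google subject resolves to the existing account rather than attempting a duplicate create, keeps "disabled" as an explicit flag that registration never sets, and builds the `/auth/profile` response as a 200 with whatever data already exists. The already-verified claims dict, the `disabled` field and the `PROFILE_OK` message key are assumptions; the session tokens are opaque placeholders.

```python
"""Added example (not the project's code) covering issues 3 and 4: an in-memory
user store where a repeated Google sign-in for the same Google subject resolves
to the existing account (no duplicate, no disabled flag), and a GET /auth/profile
builder that answers 200 with the data that already exists when the profile is
incomplete.

Assumptions not on the page: provider claims arrive already verified as a dict
with provider, sub, email, email_verified; `disabled` is only ever set by an
explicit admin action; session tokens are opaque placeholders."""
import secrets
import uuid
from typing import Any, Dict, Tuple

PROFILE_FIELDS = ("name", "country", "mobile_country_code", "mobile_number", "gender", "avatar")
Response = Tuple[int, Dict[str, Any]]


def profile_response(user: Dict[str, Any]) -> Response:
    """GET /auth/profile: always 200 for an authenticated user; completion is signalled in data."""
    data = {key: user[key] for key in ("id", "email", *PROFILE_FIELDS, "role", "language", "profile_completed_at")}
    incomplete = user["profile_completed_at"] is None
    data["requires_account_completion"] = incomplete
    if incomplete:
        message = {"key": "ACCOUNT_COMPLETION_REQUIRED", "value": "Account completion required"}
    else:
        message = {"key": "PROFILE_OK", "value": "Profile complete"}  # key assumed, not from the page
    return 200, {"success": True, "message": message, "data": data}


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, Any]] = {}         # user_id -> record
        self.by_provider: Dict[Tuple[str, str], str] = {}  # (provider, sub) -> user_id
        self.by_email: Dict[str, str] = {}

    def find_or_create_by_provider(self, identity: Dict[str, Any], language: str) -> Response:
        """POST /auth/google (or /auth/apple) after the provider token has been verified."""
        key = (identity["provider"], identity["sub"])
        user_id = self.by_provider.get(key)
        if user_id is None:
            email = identity.get("email")
            # A different provider identity claiming an existing email is neither a
            # duplicate nor a disabled user: it needs the explicit link step from
            # issue 2, so say so instead of failing or silently merging.
            if email and email in self.by_email:
                return 409, {"success": False,
                             "message": {"key": "PROVIDER_LINKING_REQUIRED", "value": "Link your existing account"},
                             "data": {"requires_provider_linking": True}}
            user_id = str(uuid.uuid4())
            self.users[user_id] = {"id": user_id, "email": email, "role": "user", "language": language,
                                   "disabled": False, "profile_completed_at": None,
                                   **{field: None for field in PROFILE_FIELDS}}
            self.by_provider[key] = user_id
            if email:
                self.by_email[email] = user_id
        user = self.users[user_id]
        # Second sign-in lands here with the same user_id; nothing above touches `disabled`.
        if user["disabled"]:
            return 403, {"success": False, "message": {"key": "USER_DISABLED", "value": "This account has been disabled"}}
        return 200, {"success": True, "message": "Authentication successful",
                     "data": {"access_token": secrets.token_urlsafe(32),  # placeholders
                              "refresh_token": secrets.token_urlsafe(32),
                              "user_id": user_id,
                              "requires_account_completion": user["profile_completed_at"] is None}}

    def complete_profile(self, user_id: str, fields: Dict[str, Any], now: int) -> Response:
        """Profile completion step; only known profile fields are accepted."""
        user = self.users[user_id]
        unknown = set(fields) - set(PROFILE_FIELDS)
        if unknown:
            return 400, {"success": False,
                         "message": {"key": "INVALID_REQUEST", "value": f"unknown fields: {sorted(unknown)}"}}
        user.update(fields)
        user["profile_completed_at"] = now
        return profile_response(user)
```

Two points to check when comparing this against the real backend: the lookup key for a provider sign-in must be the provider's stable subject, not the email, and the profile endpoint should derive `requires_account_completion` from `profile_completed_at` rather than from whether the request should succeed.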