WeightTracker/app/routes/auth.py
Peter Stockings 56168a182b Refactor codebase
2026-02-24 21:23:14 +11:00


from flask import Blueprint, render_template, request, redirect, url_for, session, flash
from werkzeug.security import generate_password_hash, check_password_hash
from app.db import query_one, execute_returning
from app.utils import parse_profile_fields
# Blueprint named "auth"; the signup, login and logout views below register on it.
bp = Blueprint("auth", __name__)
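@bp.route("/signup", methods=["GET", "POST"])
def signup():
    """Render the signup form (GET) or create an account and log it in (POST).

    On POST the username is stripped of surrounding whitespace, the profile
    fields are parsed from the form, and the request is rejected with HTTP 400
    when the username or password is missing, the password is shorter than
    four characters, or the username already exists. Otherwise the password is
    hashed, the user row is inserted, the session is reset and bound to the
    new user id, and the client is redirected to the dashboard.
    """
    if request.method != "POST":
        return render_template("signup.html")

    username = request.form.get("username", "").strip()
    password = request.form.get("password", "")
    fields = parse_profile_fields(request.form)

    # Validation
    if not username or not password:
        flash("Username and password are required.", "error")
        return render_template("signup.html"), 400

    # NOTE(review): a 4-character minimum is a weak password policy. Raising
    # it changes user-visible behaviour, so it is left as-is here; consider a
    # longer minimum and a breached-password check.
    if len(password) < 4:
        flash("Password must be at least 4 characters.", "error")
        return render_template("signup.html"), 400

    # Check if username taken.
    # NOTE(review): this check and the INSERT below are not atomic. Two
    # concurrent signups for one name can both pass it, so uniqueness has to
    # be enforced by a UNIQUE constraint on users.username (not visible in
    # this file; confirm) and the resulting error handled.
    existing = query_one("SELECT id FROM users WHERE username = %s", (username,))
    if existing:
        flash("Username already taken.", "error")
        return render_template("signup.html"), 400

    # Create user. Only the salted hash is stored, never the plaintext.
    password_hash = generate_password_hash(password)
    user = execute_returning(
        """INSERT INTO users (username, password_hash, display_name, height_cm, age, gender, goal_weight_kg, starting_weight_kg, is_private)
        VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s) RETURNING id""",
        (
            username,
            password_hash,
            fields["display_name"] or username,
            fields["height_cm"],
            fields["age"],
            fields["gender"],
            fields["goal_weight_kg"],
            fields["starting_weight_kg"],
            fields["is_private"],
        ),
    )

    # Start from an empty session when the authenticated identity changes, so
    # nothing stored before signup (including another account's data) carries
    # over into the new user's session.
    session.clear()
    session["user_id"] = user["id"]
    flash("Welcome! You're all signed up.", "success")
    return redirect(url_for("dashboard.index"))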
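def _safe_next_target(candidate, host, fallback):
    """Return *candidate* if it keeps the browser on this site, else *fallback*.

    Accepted values are a single-slash absolute path ("/dashboard") or an
    http(s) URL whose network location equals *host*. Everything else
    (other schemes, other hosts, "//host" forms, malformed URLs) is replaced
    by *fallback*.
    """
    from urllib.parse import urlsplit

    if not candidate:
        return fallback

    # Browsers read "\" as "/" and drop tab/CR/LF while parsing a URL, so a
    # value that urlsplit() sees as a local path can still resolve to another
    # origin. Refuse such characters instead of trying to normalise them.
    if "\\" in candidate or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return fallback

    try:
        parts = urlsplit(candidate)
    except ValueError:
        # Malformed input (e.g. a broken IPv6 literal) must not become a 500.
        return fallback

    if not parts.scheme and not parts.netloc:
        # Relative reference: "//host" and "///host" are network-path forms
        # that browsers send off-site, so only a single leading "/" is allowed.
        allowed = candidate.startswith("/") and not candidate.startswith("//")
    else:
        allowed = parts.scheme in ("http", "https") and parts.netloc == host

    return candidate if allowed else fallback


@bp.route("/login", methods=["GET", "POST"])
def login():
    """Render the login form (GET) or authenticate a user (POST).

    On POST the submitted password is checked against the stored hash for the
    stripped username. A failed attempt re-renders the form with HTTP 401 and
    the same message whether the username or the password was wrong. On
    success the session is reset, bound to the user id, and the client is
    redirected to the ``next`` query parameter when it points at this site,
    otherwise to the dashboard.
    """
    if request.method != "POST":
        return render_template("login.html")

    username = request.form.get("username", "").strip()
    password = request.form.get("password", "")

    user = query_one("SELECT * FROM users WHERE username = %s", (username,))
    # NOTE(review): for an unknown username the hash check is skipped, so the
    # two failure paths may differ in response time even though the message
    # is identical; verifying against a fixed dummy hash would level that.
    # No attempt throttling is visible in this file either; confirm it
    # exists elsewhere.
    if not user or not check_password_hash(user["password_hash"], password):
        flash("Invalid username or password.", "error")
        return render_template("login.html"), 401

    # Reset the session on login so pre-authentication state is not carried
    # into the authenticated session.
    session.clear()
    session["user_id"] = user["id"]

    # "next" comes straight from the query string. Redirecting to it
    # unchecked is an open redirect, so it is restricted to same-site targets.
    next_url = _safe_next_target(
        request.args.get("next"),
        request.host,
        url_for("dashboard.index"),
    )
    return redirect(next_url)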
@bp.route("/logout")
def logout():
    """Empty the session and send the client back to the login page.

    NOTE(review): the route declares no ``methods``, so it answers GET and
    this state change can be triggered by any cross-site link or embedded
    resource. Consider POST with a CSRF token.
    """
    # Clearing first means the flash below is the only thing left in the
    # session when the login page renders.
    session.clear()
    flash("You've been logged out.", "info")
    login_page = url_for("auth.login")
    return redirect(login_page)