Backend is here. Default admin is created if needed.

server/src/routes/auth.ts

@@ -0,0 +1,50 @@
+import express from 'express';
+import { PrismaClient } from '@prisma/client';
+import jwt from 'jsonwebtoken';
+import bcrypt from 'bcryptjs';
+
+const router = express.Router();
+const prisma = new PrismaClient();
+const JWT_SECRET = process.env.JWT_SECRET || 'secret';
+
+
+
+// Login
+router.post('/login', async (req, res) => {
+    try {
+        const { email, password } = req.body;
+
+        // Admin check (hardcoded for now as per original logic, or we can seed it)
+        // For now, let's stick to DB users, but maybe seed admin if needed.
+        // The original code had hardcoded admin. Let's support that via a special check or just rely on DB.
+        // Let's rely on DB for consistency, but if the user wants the specific admin account, they should register it.
+        // However, to match original behavior, I'll add a check or just let them register 'admin@gymflow.ai'.
+
+        const user = await prisma.user.findUnique({
+            where: { email },
+            include: { profile: true }
+        });
+
+        if (!user) {
+            return res.status(400).json({ error: 'Invalid credentials' });
+        }
+
+        if (user.isBlocked) {
+            return res.status(403).json({ error: 'Account is blocked' });
+        }
+
+        const isMatch = await bcrypt.compare(password, user.password);
+        if (!isMatch) {
+            return res.status(400).json({ error: 'Invalid credentials' });
+        }
+
+        const token = jwt.sign({ userId: user.id, role: user.role }, JWT_SECRET);
+        const { password: _, ...userSafe } = user;
+
+        res.json({ success: true, user: userSafe, token });
+    } catch (error) {
+        res.status(500).json({ error: 'Server error' });
+    }
+});
+
+export default router;