2026-01-04 16:37:35 -05:00
19 changed files with 590 additions and 93 deletions
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@ -26,16 +26,19 @@ mirrormatch/
 │   ├── Navigation.tsx   # Navigation bar (client component)
 │   └── [others]         # Form components, UI components
 ├── lib/                   # Utility libraries and helpers
-│   ├── prisma.ts        # Prisma client singleton
+│   ├── prisma.ts        # Prisma client singleton (lazy initialization)
 │   ├── auth.ts          # NextAuth configuration
 │   ├── email.ts         # Email sending utilities
-│   └── utils.ts         # Helper functions (hashing, etc.)
+│   ├── utils.ts         # Helper functions (hashing, etc.)
 │   └── activity-log.ts  # Activity logging utility
 ├── prisma/                # Database schema and migrations
 │   ├── schema.prisma     # Prisma schema definition
 │   └── seed.ts          # Database seeding script
 ├── types/                 # TypeScript type definitions
 │   └── next-auth.d.ts   # NextAuth type extensions
-└── middleware.ts         # Next.js middleware for route protection
+├── proxy.ts              # Next.js proxy/middleware for route protection (Next.js 16)
 └── lib/
    └── activity-log.ts  # Activity logging utility
 ```
 ## Data Model
@ -153,21 +156,31 @@ model Guess {
 ### Route Protection
-**Location:** `middleware.ts`
+**Location:** `proxy.ts` (Next.js 16 uses `proxy.ts` instead of `middleware.ts`)
 **Public Routes:**
 - `/login`
 - `/api/auth/*` (NextAuth endpoints)
 - `/uploads/*` (uploaded files - legacy, now served via API)
 - `/api/uploads/*` (uploaded files served via API route)
 **Protected Routes:**
 - All other routes require authentication
 - `/admin/*` routes additionally require `role === "ADMIN"`
 **Implementation:**
- Uses NextAuth `withAuth` middleware
+- Uses NextAuth `getToken` from `next-auth/jwt` in Edge runtime
- Checks JWT token on each request
+- Checks JWT token on each request via `proxy.ts`
- Redirects unauthenticated users to `/login`
+- Explicitly specifies cookie name: `__Secure-authjs.session-token`
 - Redirects unauthenticated users to `/login` with `callbackUrl`
 - Redirects non-admin users trying to access admin routes to home
 - Logs all user activity (page visits, API calls)
 **Activity Logging:**
 - All authenticated requests are logged with user info, IP, path, method
 - Unauthenticated access attempts are also logged
 - Photo uploads and guess submissions have dedicated activity logs
 - Logs format: `[ACTIVITY] timestamp | method path | User: email (role) | IP: ip`
 ## Application Flows
@ -219,16 +232,37 @@ model Guess {
 **Flow:**
 1. User navigates to `/upload`
-2. Enters photo URL and answer name
+2. Uploads photo file or enters photo URL and answer name
-3. Form submits to `POST /api/photos`
+3. Form submits to `POST /api/photos/upload` (file upload) or `POST /api/photos` (URL)
 4. API route:
   - Verifies session
-   - Creates Photo record with `uploaderId`, `url`, `answerName`
+   - For file uploads:
     - Validates file type and size (max 10MB)
     - Calculates SHA256 hash for duplicate detection
     - Generates unique filename: `timestamp-randomstring.extension`
     - Saves file to `public/uploads/` directory
     - Sets photo URL to `/api/uploads/[filename]`
   - For URL uploads:
     - Validates URL format
     - Checks for duplicate URLs
     - Uses provided URL directly
   - Creates Photo record with `uploaderId`, `url`, `answerName`, `fileHash`
   - Queries all other users (excluding uploader)
   - Sends email notifications to all other users (async, non-blocking)
   - Logs activity: `[PHOTO_UPLOAD]`
 5. User redirected to photo detail page
-**API Route:** `app/api/photos/route.ts`
+**API Routes:**
 - `app/api/photos/upload/route.ts` - File upload endpoint
 - `app/api/photos/route.ts` - URL upload endpoint (legacy)
 - `app/api/uploads/[filename]/route.ts` - Serves uploaded files
 **File Storage:**
 - Files stored in `public/uploads/` directory
 - Served via `/api/uploads/[filename]` API route
 - Files verified after write to ensure successful save
 - Duplicate detection via SHA256 hash
 **Email:** `lib/email.ts` - `sendNewPhotoEmail()`
 **Page:** `app/upload/page.tsx` (client component)
@ -260,10 +294,13 @@ model Guess {
 4. API route:
   - Verifies session
   - Checks if user already has correct guess (prevent duplicate points)
   - Prevents users from guessing their own photos
   - Normalizes guess text and answer (trim, lowercase)
   - Compares normalized strings
   - Creates Guess record with `correct` boolean
-   - If correct: increments user's points by 1
+   - If correct: increments user's points by photo's `points` value
   - If wrong and penalty enabled: deducts penalty points
   - Logs activity: `[GUESS_SUBMIT]` with result
 5. Page refreshes to show feedback
 **API Route:** `app/api/photos/[photoId]/guess/route.ts`
@ -274,6 +311,7 @@ model Guess {
 - Case-insensitive comparison
 - Trims whitespace
 - Exact match required (no fuzzy matching)
 - Points awarded based on photo's `points` field (default: 1)
 ### 7. Leaderboard
--- a/README.md
+++ b/README.md
@ -153,6 +153,26 @@ npm run build
 npm start
 ```
 ### Deployment Notes
 **Important Configuration:**
 - Ensure `NODE_ENV=production` is set in production
 - Set `NEXTAUTH_URL` to your production domain (e.g., `https://yourdomain.com`)
 - Set `AUTH_TRUST_HOST=true` if using reverse proxy
 - Ensure `DATABASE_URL` points to your production database
 - Files are stored in `public/uploads/` directory - ensure this directory persists across deployments
 **File Uploads:**
 - Photos are uploaded to `public/uploads/` directory
 - Files are served via `/api/uploads/[filename]` API route
 - Ensure the uploads directory has proper write permissions
 - Files are stored on the filesystem (not in database)
 **Monitoring Activity:**
 - User activity is logged to console/systemd logs
 - Watch logs in real-time: `sudo journalctl -u app-backend -f | grep -E "\[ACTIVITY\]|\[PHOTO_UPLOAD\]|\[GUESS_SUBMIT\]"`
 - Activity logs include: page visits, photo uploads, guess submissions
 ## Database Commands
 - `npm run db:generate` - Generate Prisma Client
@ -161,6 +181,18 @@ npm start
 - `npm run db:studio` - Open Prisma Studio (database GUI)
 - `npm run db:seed` - Seed database with initial admin user
 ### Querying the Database
 **Get all photo answers:**
 ```bash
 psql "postgresql://user:password@host:5432/database" -c "SELECT \"answerName\" FROM \"Photo\" ORDER BY \"createdAt\" DESC;"
 ```
 **Get answers with uploader info:**
 ```bash
 psql "postgresql://user:password@host:5432/database" -c "SELECT p.\"answerName\", p.url, u.name as uploader, p.\"createdAt\" FROM \"Photo\" p JOIN \"User\" u ON p.\"uploaderId\" = u.id ORDER BY p.\"createdAt\" DESC;"
 ```
 ## Creating the First Admin User
 The seed script automatically creates an admin user. If you need to create one manually:
@ -210,9 +242,12 @@ mirrormatch/
 - View user points and roles
 ### Photo Upload (`/upload`)
- Upload photos via URL
+- Upload photos via file upload or URL
 - Files are stored in `public/uploads/` directory
 - Files are served via `/api/uploads/[filename]` API route
 - Set answer name for guessing
 - Automatically sends email notifications to all other users
 - Duplicate file detection (SHA256 hash)
 ### Photo Guessing (`/photos/[id]`)
 - View photo and uploader info
@ -269,7 +304,20 @@ Set up SMTP credentials in `.env`:
 ### Authentication Issues
 - Verify `NEXTAUTH_SECRET` is set
 - Check `NEXTAUTH_URL` matches your app URL
 - Set `AUTH_TRUST_HOST=true` if using reverse proxy
 - Clear browser cookies if needed
 - Check middleware logs: `sudo journalctl -u app-backend | grep "Middleware"`
 ### Photo Upload Issues
 - Verify `public/uploads/` directory exists and has write permissions
 - Check file upload logs: `sudo journalctl -u app-backend | grep "UPLOAD"`
 - Ensure files are being saved: check `public/uploads/` directory
 - Files are served via `/api/uploads/[filename]` - verify API route is accessible
 ### Build Issues
 - If build fails with `DATABASE_URL not set`, this is expected - Prisma initialization is lazy
 - Ensure all environment variables are set in production
 - Check for TypeScript errors: `npm run type-check`
 ## Documentation
--- a/app/api/debug/session/route.ts
+++ b/app/api/debug/session/route.ts
@ -0,0 +1,76 @@
 import { auth } from "@/lib/auth"
 import { NextResponse } from "next/server"
 import { cookies } from "next/headers"
 export async function GET(request: Request) {
  try {
    const cookieHeader = request.headers.get("cookie") || ""
    // Parse cookies from header first
    const cookieMap: Record<string, string> = {}
    cookieHeader.split(";").forEach(cookie => {
      const [key, value] = cookie.trim().split("=")
      if (key && value) {
        cookieMap[key] = decodeURIComponent(value)
      }
    })
    // Try to get session token from cookies
    const sessionTokenFromHeader = cookieMap["__Secure-authjs.session-token"] || "NOT FOUND"
    // Try to call auth() - this might fail or return null
    let session = null
    let authError = null
    try {
      console.log("Debug endpoint: Calling auth()...")
      session = await auth()
      console.log("Debug endpoint: auth() returned", {
        hasSession: !!session,
        sessionUser: session?.user,
        sessionKeys: session ? Object.keys(session) : []
      })
    } catch (err) {
      authError = err instanceof Error ? err.message : String(err)
      console.error("Debug endpoint: auth() error", authError)
    }
    // Try to get cookie from Next.js cookie store
    let sessionTokenFromStore = "NOT ACCESSIBLE"
    try {
      const cookieStore = await cookies()
      sessionTokenFromStore = cookieStore.get("__Secure-authjs.session-token")?.value || "NOT FOUND"
    } catch {
      // Cookie store might not be accessible in all contexts
    }
    return NextResponse.json({
      hasSession: !!session,
      session: session ? {
        user: session.user,
        expires: session.expires,
      } : null,
      authError,
      cookies: {
        sessionTokenInHeader: sessionTokenFromHeader !== "NOT FOUND",
        sessionTokenInStore: sessionTokenFromStore !== "NOT FOUND" && sessionTokenFromStore !== "NOT ACCESSIBLE",
        sessionTokenPreview: sessionTokenFromHeader !== "NOT FOUND" ? `${sessionTokenFromHeader.substring(0, 30)}...` : "NOT FOUND",
        allCookieKeys: Object.keys(cookieMap),
        cookieHeaderLength: cookieHeader.length,
        cookieHeaderPreview: cookieHeader.substring(0, 200),
      },
      env: {
        hasSecret: !!process.env.NEXTAUTH_SECRET,
        nextAuthUrl: process.env.NEXTAUTH_URL,
        nodeEnv: process.env.NODE_ENV,
        authTrustHost: process.env.AUTH_TRUST_HOST,
        secretLength: process.env.NEXTAUTH_SECRET?.length || 0,
        secretPreview: process.env.NEXTAUTH_SECRET ? `${process.env.NEXTAUTH_SECRET.substring(0, 10)}...` : "missing",
      }
    })
  } catch (error) {
    return NextResponse.json({
      error: error instanceof Error ? error.message : "Unknown error",
      stack: error instanceof Error ? error.stack : undefined
    }, { status: 500 })
  }
 }
--- a/app/api/photos/[photoId]/guess/route.ts
+++ b/app/api/photos/[photoId]/guess/route.ts
@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server"
 import { auth } from "@/lib/auth"
 import { prisma } from "@/lib/prisma"
 import { normalizeString } from "@/lib/utils"
 import { logActivity } from "@/lib/activity-log"
 export async function POST(
  req: NextRequest,
@ -129,6 +130,21 @@ export async function POST(
      }
    }
    // Log guess activity
    logActivity(
      "GUESS_SUBMIT",
      `/api/photos/${photoId}/guess`,
      "POST",
      session.user,
      {
        photoId,
        guessText: guess.guessText.substring(0, 50), // Truncate for privacy
        correct: isCorrect,
        pointsChange
      },
      req
    )
    return NextResponse.json({ 
      guess, 
      correct: isCorrect,
--- a/app/api/photos/upload-multiple/route.ts
+++ b/app/api/photos/upload-multiple/route.ts
@ -133,7 +133,7 @@ export async function POST(req: NextRequest) {
        const filepath = join(uploadsDir, filename)
        await writeFile(filepath, buffer)
-        photoUrl = `/uploads/${filename}`
+        photoUrl = `/api/uploads/${filename}`
      } else if (url) {
        // Handle URL upload
        photoUrl = url
--- a/app/api/photos/upload/route.ts
+++ b/app/api/photos/upload/route.ts
@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from "next/server"
 import { auth } from "@/lib/auth"
 import { prisma } from "@/lib/prisma"
 import { sendNewPhotoEmail } from "@/lib/email"
 import { logActivity } from "@/lib/activity-log"
 import { writeFile } from "fs/promises"
 import { join } from "path"
 import { existsSync, mkdirSync } from "fs"
@ -85,14 +86,26 @@ export async function POST(req: NextRequest) {
      const uploadsDir = join(process.cwd(), "public", "uploads")
      if (!existsSync(uploadsDir)) {
        mkdirSync(uploadsDir, { recursive: true })
        console.log(`[UPLOAD] Created uploads directory: ${uploadsDir}`)
      }
      console.log(`[UPLOAD] Using uploads directory: ${uploadsDir} (exists: ${existsSync(uploadsDir)})`)
      // Filename is generated server-side (timestamp + random), safe for path.join
      const filepath = join(uploadsDir, filename)
      await writeFile(filepath, buffer)
      // Verify file was written successfully
      const { access } = await import("fs/promises")
      try {
        await access(filepath)
        console.log(`[UPLOAD] File saved successfully: ${filepath}`)
      } catch (error) {
        console.error(`[UPLOAD] File write verification failed: ${filepath}`, error)
        throw new Error("Failed to save file to disk")
      }
-      // Set URL to the uploaded file
+      // Set URL to the uploaded file - use API route to ensure it's accessible
-      photoUrl = `/uploads/${filename}`
+      photoUrl = `/api/uploads/${filename}`
    } else {
      // Handle URL upload (fallback)
      const url = formData.get("url") as string | null
@ -159,6 +172,21 @@ export async function POST(req: NextRequest) {
      )
    )
    // Log photo upload activity
    logActivity(
      "PHOTO_UPLOAD",
      "/api/photos/upload",
      "POST",
      session.user,
      {
        photoId: photo.id,
        answerName: photo.answerName,
        points: photo.points,
        filename: photoUrl.split("/").pop()
      },
      req
    )
    return NextResponse.json({ photo }, { status: 201 })
  } catch (error) {
    console.error("Error uploading photo:", error)
--- a/app/api/uploads/[filename]/route.ts
+++ b/app/api/uploads/[filename]/route.ts
@ -0,0 +1,58 @@
 import { NextRequest, NextResponse } from "next/server"
 import { readFile } from "fs/promises"
 import { join } from "path"
 import { existsSync } from "fs"
 export async function GET(
  request: NextRequest,
  { params }: { params: Promise<{ filename: string }> }
 ) {
  try {
    const { filename } = await params
    // Sanitize filename - only allow alphanumeric, dots, hyphens
    if (!/^[a-zA-Z0-9._-]+$/.test(filename)) {
      return NextResponse.json({ error: "Invalid filename" }, { status: 400 })
    }
    // Get the uploads directory
    const uploadsDir = join(process.cwd(), "public", "uploads")
    const filepath = join(uploadsDir, filename)
    // Security: ensure file is within uploads directory (prevent path traversal)
    if (!filepath.startsWith(uploadsDir)) {
      return NextResponse.json({ error: "Invalid path" }, { status: 400 })
    }
    // Check if file exists
    if (!existsSync(filepath)) {
      console.error(`[UPLOAD] File not found: ${filepath} (cwd: ${process.cwd()})`)
      return NextResponse.json({ error: "File not found" }, { status: 404 })
    }
    // Read and serve the file
    const fileBuffer = await readFile(filepath)
    // Determine content type from extension
    const ext = filename.split(".").pop()?.toLowerCase()
    const contentType = 
      ext === "jpg" || ext === "jpeg" ? "image/jpeg" :
      ext === "png" ? "image/png" :
      ext === "gif" ? "image/gif" :
      ext === "webp" ? "image/webp" :
      "application/octet-stream"
    return new NextResponse(fileBuffer, {
      headers: {
        "Content-Type": contentType,
        "Cache-Control": "public, max-age=31536000, immutable",
      },
    })
  } catch (error) {
    console.error("[UPLOAD] Error serving file:", error)
    return NextResponse.json(
      { error: "Internal server error" },
      { status: 500 }
    )
  }
 }
--- a/app/global-error.tsx
+++ b/app/global-error.tsx
@ -0,0 +1,34 @@
 "use client"
 // Minimal global error boundary to avoid hook usage on missing providers during prerender.
 // Does not rely on any contexts; renders a simple retry action.
 export default function GlobalError({
  error,
  reset,
 }: {
  error: Error & { digest?: string }
  reset: () => void
 }) {
  return (
    <html>
      <body>
        <main style={{ padding: "2rem", fontFamily: "sans-serif" }}>
          <h1>Something went wrong</h1>
          <p>{error.message || "An unexpected error occurred."}</p>
          {error.digest ? <p>Reference: {error.digest}</p> : null}
          <button
            type="button"
            onClick={reset}
            style={{
              marginTop: "1rem",
              padding: "0.5rem 1rem",
              cursor: "pointer",
            }}
          >
            Try again
          </button>
        </main>
      </body>
    </html>
  )
 }
--- a/app/login/page.tsx
+++ b/app/login/page.tsx
@ -2,10 +2,8 @@
 import { useState } from "react"
 import { signIn } from "next-auth/react"
 import { useRouter } from "next/navigation"
 export default function LoginPage() {
  const router = useRouter()
  const [email, setEmail] = useState("")
  const [password, setPassword] = useState("")
  const [error, setError] = useState("")
@ -23,11 +21,20 @@ export default function LoginPage() {
        redirect: false,
      })
      console.log("Sign in result:", { result, error: result?.error, ok: result?.ok, url: result?.url })
      if (result?.error) {
        setError("Invalid email or password")
      } else if (result?.ok) {
        // Check if there's a callback URL in the query params
        const params = new URLSearchParams(window.location.search)
        const callbackUrl = params.get("callbackUrl") || "/photos"
        console.log("Redirecting to:", callbackUrl)
        // Use window.location.href to force a full page reload
        // This ensures the session cookie is read before middleware checks authentication
        window.location.href = callbackUrl
      } else {
-        router.push("/photos")
+        setError("Login failed. Please try again.")
        router.refresh()
      }
    } catch {
      setError("An error occurred. Please try again.")
--- a/app/photos/page.tsx
+++ b/app/photos/page.tsx
@ -9,11 +9,28 @@ import DeletePhotoButton from "@/components/DeletePhotoButton"
 export const revalidate = 60 // Revalidate every 60 seconds
 export default async function PhotosPage() {
  console.log("PhotosPage: Starting, calling auth()...")
  const session = await auth()
  console.log("PhotosPage: auth() returned", {
    hasSession: !!session,
    sessionType: typeof session,
    sessionUser: session?.user,
    sessionKeys: session ? Object.keys(session) : [],
    sessionString: JSON.stringify(session, null, 2)
  })
  if (!session) {
    console.log("PhotosPage: No session, redirecting to login")
    redirect("/login")
  }
  if (!session.user) {
    console.log("PhotosPage: Session exists but no user, redirecting to login")
    redirect("/login")
  }
  console.log("PhotosPage: Session valid, rendering page")
  // Limit to 50 photos per page for performance
  const photos = await prisma.photo.findMany({
--- a/components/PhotoImage.tsx
+++ b/components/PhotoImage.tsx
@ -5,8 +5,9 @@ import Image from "next/image"
 export default function PhotoImage({ src, alt }: { src: string; alt: string }) {
  // Handle external URLs and local paths
  const isExternal = src.startsWith("http://") || src.startsWith("https://")
  const isLocalUpload = src.startsWith("/uploads/")
-  if (isExternal) {
+  if (isExternal || isLocalUpload) {
    return (
      /* eslint-disable-next-line @next/next/no-img-element */
      <img
@ -31,7 +32,6 @@ export default function PhotoImage({ src, alt }: { src: string; alt: string }) {
      className="object-contain"
      sizes="(max-width: 768px) 100vw, (max-width: 1200px) 50vw, 600px"
      loading="lazy"
      unoptimized={src.startsWith("/uploads/")}
    />
  )
 }
--- a/components/PhotoThumbnail.tsx
+++ b/components/PhotoThumbnail.tsx
@ -5,10 +5,11 @@ import Image from "next/image"
 export default function PhotoThumbnail({ src, alt }: { src: string; alt: string }) {
  // Handle external URLs and local paths
  const isExternal = src.startsWith("http://") || src.startsWith("https://")
  const isLocalUpload = src.startsWith("/uploads/")
  return (
    <div className="w-full h-full relative">
-      {isExternal ? (
+      {isExternal || isLocalUpload ? (
        /* eslint-disable-next-line @next/next/no-img-element */
        <img
          src={src}
@ -28,7 +29,6 @@ export default function PhotoThumbnail({ src, alt }: { src: string; alt: string
          className="object-cover"
          sizes="(max-width: 640px) 100vw, (max-width: 1024px) 50vw, 25vw"
          loading="lazy"
          unoptimized={src.startsWith("/uploads/")}
        />
      )}
    </div>
--- a/env.example
+++ b/env.example
@ -4,6 +4,7 @@ DATABASE_URL="postgresql://user:password@localhost:5432/mirrormatch?schema=publi
 # NextAuth
 NEXTAUTH_URL="http://localhost:3000"
 NEXTAUTH_SECRET="your-secret-key-here-generate-with-openssl-rand-base64-32"
 AUTH_TRUST_HOST=true
 # Email Configuration (for production)
 SMTP_HOST="smtp.example.com"
--- a/lib/activity-log.ts
+++ b/lib/activity-log.ts
@ -0,0 +1,52 @@
 /**
 * Activity logging utility for tracking user actions
 */
 export interface ActivityLog {
  timestamp: string
  userId?: string
  userEmail?: string
  userRole?: string
  action: string
  path: string
  method: string
  ip?: string
  details?: Record<string, unknown>
 }
 export function logActivity(
  action: string,
  path: string,
  method: string,
  user?: { id: string; email: string; role: string } | null,
  details?: Record<string, unknown>,
  request?: Request
 ) {
  const timestamp = new Date().toISOString()
  const ip = request?.headers.get("x-forwarded-for") || 
             request?.headers.get("x-real-ip") || 
             "unknown"
  const log: ActivityLog = {
    timestamp,
    userId: user?.id,
    userEmail: user?.email,
    userRole: user?.role,
    action,
    path,
    method,
    ip: ip.split(",")[0].trim(), // Get first IP if multiple
    details
  }
  // Format: [ACTION] timestamp | method path | User: email (role) | IP: ip | Details: {...}
  const userInfo = user 
    ? `${user.email} (${user.role})` 
    : "UNAUTHENTICATED"
  const detailsStr = details ? ` | Details: ${JSON.stringify(details)}` : ""
  console.log(`[${action}] ${timestamp} | ${method} ${path} | User: ${userInfo} | IP: ${ip.split(",")[0].trim()}${detailsStr}`)
  return log
 }
--- a/lib/auth.ts
+++ b/lib/auth.ts
@ -3,7 +3,14 @@ import Credentials from "next-auth/providers/credentials"
 import { prisma } from "./prisma"
 import bcrypt from "bcryptjs"
 const nextAuthSecret = process.env.NEXTAUTH_SECRET
 if (!nextAuthSecret) {
  throw new Error("NEXTAUTH_SECRET is not set. Define it to enable authentication.")
 }
 export const { handlers, auth, signIn, signOut } = NextAuth({
  trustHost: true,
  debug: process.env.NODE_ENV !== "production",
  providers: [
    Credentials({
      name: "Credentials",
@ -12,33 +19,38 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
        password: { label: "Password", type: "password" }
      },
      async authorize(credentials) {
-        if (!credentials?.email || !credentials?.password) {
+        try {
          if (!credentials?.email || !credentials?.password) {
            return null
          }
          const email = credentials.email as string
          const password = credentials.password as string
          const user = await prisma.user.findUnique({
            where: { email }
          })
          if (!user || !user.passwordHash) {
            return null
          }
          const isValid = await bcrypt.compare(password, user.passwordHash)
          if (!isValid) {
            return null
          }
          return {
            id: user.id,
            email: user.email,
            name: user.name,
            role: user.role,
          }
        } catch (err) {
          console.error("Auth authorize error:", err)
          return null
        }
        const email = credentials.email as string
        const password = credentials.password as string
        const user = await prisma.user.findUnique({
          where: { email }
        })
        if (!user || !user.passwordHash) {
          return null
        }
        const isValid = await bcrypt.compare(password, user.passwordHash)
        if (!isValid) {
          return null
        }
        return {
          id: user.id,
          email: user.email,
          name: user.name,
          role: user.role,
        }
      }
    })
  ],
@ -47,14 +59,61 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
      if (user) {
        token.id = user.id
        token.role = (user as { role: string }).role
        token.email = user.email
        token.name = user.name
        console.log("JWT callback: user added to token", { userId: user.id, email: user.email })
      } else {
        console.log("JWT callback: no user, token exists", { 
          hasToken: !!token,
          tokenKeys: token ? Object.keys(token) : [],
          tokenId: token?.id,
          tokenEmail: token?.email,
          tokenName: token?.name,
          tokenRole: token?.role
        })
      }
      return token
    },
    async session({ session, token }) {
-      if (session.user) {
+      console.log("Session callback: called", {
-        session.user.id = token.id as string
+        hasToken: !!token,
-        session.user.role = token.role as string
+        hasSession: !!session,
        tokenId: token?.id,
        tokenEmail: token?.email,
        stackTrace: new Error().stack?.split('\n').slice(1, 4).join('\n')
      })
      // Always ensure session.user exists when token exists
      if (token && (token.id || token.email)) {
        session.user = {
          ...session.user,
          id: token.id as string,
          email: (token.email as string) || session.user?.email || "",
          name: (token.name as string) || session.user?.name || "",
          role: token.role as string,
        }
        console.log("Session callback: session created", { 
          userId: token.id, 
          email: token.email,
          hasUser: !!session.user,
          userKeys: session.user ? Object.keys(session.user) : [],
          userRole: token.role,
          sessionUser: session.user,
          sessionExpires: session.expires,
          fullSession: JSON.stringify(session, null, 2)
        })
      } else {
        console.warn("Session callback: token missing or invalid", { 
          hasToken: !!token,
          tokenKeys: token ? Object.keys(token) : [],
          hasSession: !!session,
          sessionKeys: session ? Object.keys(session) : [],
          sessionUser: session?.user,
          tokenId: token?.id,
          tokenEmail: token?.email
        })
        // Return session even if token is invalid - NextAuth will handle validation
      }
      // Explicitly return session to ensure it's returned
      return session
    }
  },
@ -63,6 +122,18 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
  },
  session: {
    strategy: "jwt",
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
-  secret: process.env.NEXTAUTH_SECRET,
+  cookies: {
    sessionToken: {
      name: `__Secure-authjs.session-token`,
      options: {
        httpOnly: true,
        sameSite: "lax",
        path: "/",
        secure: true, // Always secure in production (HTTPS required)
      },
    },
  },
  secret: nextAuthSecret,
 })
--- a/lib/prisma.ts
+++ b/lib/prisma.ts
@ -6,41 +6,61 @@ const globalForPrisma = globalThis as unknown as {
  prisma: PrismaClient | undefined
 }
-const connectionString = process.env.DATABASE_URL
+// Lazy initialization function - only initializes when prisma is first accessed
-
+function getPrismaClient(): PrismaClient {
-if (!connectionString) {
+  if (globalForPrisma.prisma) {
-  throw new Error('DATABASE_URL environment variable is not set')
+    return globalForPrisma.prisma
 }
 // Handle Prisma Postgres URLs (prisma+postgres://) vs standard PostgreSQL URLs
 let pool: Pool
 if (connectionString.startsWith('prisma+postgres://')) {
  // For Prisma managed Postgres, extract the actual postgres URL from the API key
  try {
    const urlMatch = connectionString.match(/api_key=([^"&]+)/)
    if (urlMatch) {
      const apiKey = decodeURIComponent(urlMatch[1])
      const decoded = JSON.parse(Buffer.from(apiKey, 'base64').toString())
      if (decoded.databaseUrl) {
        pool = new Pool({ connectionString: decoded.databaseUrl })
      } else if (decoded.shadowDatabaseUrl) {
        pool = new Pool({ connectionString: decoded.shadowDatabaseUrl })
      } else {
        throw new Error('Could not extract database URL from Prisma Postgres connection string')
      }
    } else {
      throw new Error('Invalid Prisma Postgres connection string format')
    }
  } catch (error) {
    console.error('Error parsing Prisma Postgres URL:', error)
    throw new Error('Failed to parse Prisma Postgres connection string. Consider using a standard PostgreSQL connection string.')
  }
-} else {
+
-  // Standard PostgreSQL connection
+  const connectionString = process.env.DATABASE_URL
-  pool = new Pool({ connectionString })
+
  if (!connectionString) {
    throw new Error('DATABASE_URL environment variable is not set')
  }
  // Handle Prisma Postgres URLs (prisma+postgres://) vs standard PostgreSQL URLs
  let pool: Pool
  if (connectionString.startsWith('prisma+postgres://')) {
    // For Prisma managed Postgres, extract the actual postgres URL from the API key
    try {
      const urlMatch = connectionString.match(/api_key=([^"&]+)/)
      if (urlMatch) {
        const apiKey = decodeURIComponent(urlMatch[1])
        const decoded = JSON.parse(Buffer.from(apiKey, 'base64').toString())
        if (decoded.databaseUrl) {
          pool = new Pool({ connectionString: decoded.databaseUrl })
        } else if (decoded.shadowDatabaseUrl) {
          pool = new Pool({ connectionString: decoded.shadowDatabaseUrl })
        } else {
          throw new Error('Could not extract database URL from Prisma Postgres connection string')
        }
      } else {
        throw new Error('Invalid Prisma Postgres connection string format')
      }
    } catch (error) {
      console.error('Error parsing Prisma Postgres URL:', error)
      throw new Error('Failed to parse Prisma Postgres connection string. Consider using a standard PostgreSQL connection string.')
    }
  } else {
    // Standard PostgreSQL connection
    pool = new Pool({ connectionString })
  }
  const adapter = new PrismaPg(pool)
  const prisma = new PrismaClient({ adapter })
  if (process.env.NODE_ENV !== 'production') {
    globalForPrisma.prisma = prisma
  }
  return prisma
 }
-const adapter = new PrismaPg(pool)
+// Export a proxy that lazily initializes Prisma on first access
-export const prisma = globalForPrisma.prisma ?? new PrismaClient({ adapter })
+export const prisma = new Proxy({} as PrismaClient, {
-
+  get(_target, prop) {
-if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma
+    const client = getPrismaClient()
    const value = client[prop as keyof PrismaClient]
    return typeof value === 'function' ? value.bind(client) : value
  }
 })
--- a/package.json
+++ b/package.json
@ -21,6 +21,7 @@
    "db:seed": "tsx prisma/seed.ts"
  },
  "dependencies": {
    "@tailwindcss/postcss": "^4",
    "@prisma/adapter-pg": "^7.2.0",
    "@prisma/client": "^7.2.0",
    "bcryptjs": "^3.0.3",
@ -33,7 +34,6 @@
    "react-dom": "19.2.3"
  },
  "devDependencies": {
    "@tailwindcss/postcss": "^4",
    "@testing-library/jest-dom": "^6.9.1",
    "@testing-library/react": "^16.3.1",
    "@testing-library/user-event": "^14.6.1",
--- a/proxy.ts
+++ b/proxy.ts
@ -6,15 +6,35 @@ export async function proxy(request: NextRequest) {
  const pathname = request.nextUrl.pathname
  // Public routes - allow access
-  if (pathname === "/login" || pathname.startsWith("/api/auth")) {
+  if (pathname === "/login" || pathname.startsWith("/api/auth") || pathname.startsWith("/uploads")) {
    return NextResponse.next()
  }
  // Get token (works in Edge runtime)
  // Explicitly specify the cookie name to match NextAuth config
  const cookieName = "__Secure-authjs.session-token"
  const token = await getToken({ 
    req: request,
-    secret: process.env.NEXTAUTH_SECRET 
+    secret: process.env.NEXTAUTH_SECRET,
    cookieName: cookieName
  })
  // User activity logging - track all page visits and API calls
  const timestamp = new Date().toISOString()
  const userAgent = request.headers.get("user-agent") || "unknown"
  const ip = request.headers.get("x-forwarded-for") || 
             request.headers.get("x-real-ip") || 
             "unknown"
  const referer = request.headers.get("referer") || "direct"
  const method = request.method
  if (token) {
    // Log authenticated user activity
    console.log(`[ACTIVITY] ${timestamp} | ${method} ${pathname} | User: ${token.email} (${token.role}) | IP: ${ip} | Referer: ${referer}`)
  } else {
    // Log unauthenticated access attempts
    console.log(`[ACTIVITY] ${timestamp} | ${method} ${pathname} | User: UNAUTHENTICATED | IP: ${ip} | Referer: ${referer} | UA: ${userAgent.substring(0, 100)}`)
  }
  // Protected routes - require authentication
  if (!token) {
@ -42,8 +62,9 @@ export const config = {
     * - _next/rsc (RSC payload requests)
     * - _next/webpack (webpack chunks)
     * - favicon.ico (favicon file)
-     * - public folder
+     * - uploads/ (uploaded files)
     * - public folder files (images, etc.)
     */
-    "/((?!_next/static|_next/image|_next/rsc|_next/webpack|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+    "/((?!_next/static|_next/image|_next/rsc|_next/webpack|favicon.ico|uploads|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
  ],
 }
--- a/watch-activity.sh
+++ b/watch-activity.sh
@ -0,0 +1,10 @@
 #!/bin/bash
 # Watch user activity logs in real-time
 # Usage: ./watch-activity.sh
 echo "Watching user activity logs..."
 echo "Press Ctrl+C to stop"
 echo ""
 # Watch for activity logs (ACTIVITY, PHOTO_UPLOAD, GUESS_SUBMIT)
 sudo journalctl -u app-backend -f | grep -E "\[ACTIVITY\]|\[PHOTO_UPLOAD\]|\[GUESS_SUBMIT\]"