From d03263b743aeb514ae070e75c40b22c8790aeafb Mon Sep 17 00:00:00 2001
From: madeindreams
Date: Tue, 23 Dec 2025 17:36:54 -0800
Subject: [PATCH 1/2] QA-2/ email and password on device registration
---
 internal/quantum/http/dto.go | 3 ++-
 internal/quantum/http/handlers.go | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/internal/quantum/http/dto.go b/internal/quantum/http/dto.go
index 200589a..d8d9fc1 100644
--- a/internal/quantum/http/dto.go
+++ b/internal/quantum/http/dto.go
@@ -28,7 +28,8 @@ type authVerifyResponse struct {
 }
 type registerDeviceRequest struct {
- UserId string `json:"user_Id"`
+ UserEmail string `json:"user_email,omitempty"`
+ PasswordB64 string `json:"password_b64,omitempty"`
 DeviceLabel string `json:"device_label"`
 TPMPublicKey string `json:"tpm_public_key"`
 PQPublicKey string `json:"pq_public_key"`
diff --git a/internal/quantum/http/handlers.go b/internal/quantum/http/handlers.go
index b476c24..bca6735 100644
--- a/internal/quantum/http/handlers.go
+++ b/internal/quantum/http/handlers.go
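Review bot: `registerDeviceRequest` in dto.go now carries a credential in `PasswordB64`, and neither new field is documented; a comment such as `// PasswordB64 holds the account password as sent by the client (base64, judging by the name); never log or echo this struct.` would state the expected encoding and the handling rule. The `omitempty` option on `UserEmail` and `PasswordB64` only affects marshalling, so on a request type it merely suggests the fields are optional while RegisterDevice rejects an empty email; dropping it would match the other fields. Replacing `user_Id` with `user_email` also changes the wire contract for existing clients, which the commit message does not mention. The struct continues past the end of the hunk.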
@@ -376,20 +376,30 @@ func (h *Handler) RegisterDevice(c *gin.Context) {
 return
 }
- if req.UserId == "" || req.DeviceLabel == "" || req.TPMPublicKey == "" || req.PQPublicKey == "" {
+ if req.UserEmail == "" || req.DeviceLabel == "" || req.TPMPublicKey == "" || req.PQPublicKey == "" {
 c.JSON(http.StatusBadRequest, gin.H{"error": "user_id, device_label, tpm_public_key and pq_public_key are required"})
 return
 }
- u, err := h.repo.GetUserByID(ctx, req.UserId)
+ u, err := h.repo.GetUserByEmail(ctx, req.UserEmail)
 if err != nil {
 log.Error("GetUserByEmail", "error", err)
 c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 return
 }
 if u == nil {
- c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
+ c.JSON(http.StatusBadRequest, gin.H{"error": "Bad request"})
 return
+ }
+ // 3) Verify password
+ ok, err := security.VerifyPassword(u.PasswordHash, req.PasswordB64)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ return
+ }
+ if !ok {
+ c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
+ return
 }
 d := NewDevice(u.ID, req.DeviceLabel, req.TPMPublicKey, req.PQPublicKey)
From 23ee5899ba8f6c28ba1d7c3eb5f5154b53e69fc7 Mon Sep 17 00:00:00 2001
From: Ian Dorion
Date: Thu, 8 Jan 2026 19:11:41 -0500
Subject: [PATCH 2/2] Update go.mod
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 20f5efb..dfa26d8 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.25.4
 require (
 github.com/cloudflare/circl v1.6.2
+ github.com/gin-contrib/cors v1.7.6
 github.com/gin-gonic/gin v1.11.0
 github.com/golang-migrate/migrate/v4 v4.19.1
 github.com/quantumauth-io/quantum-go-utils v0.0.20
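Review bot: In RegisterDevice (internal/quantum/http/handlers.go) an unknown email is answered with 400 `Bad request` while a known email with a wrong password gets 401 `invalid credentials`, so the two cases stay distinguishable and the responses reveal which addresses are registered; both should return the same 401 body. The required-field check does not include `req.PasswordB64`, so an empty password reaches `security.VerifyPassword`, whose handling of empty input is not visible here, and the 400 message still names `user_id`. The new VerifyPassword error branch sends `err.Error()` to the client and does not log it; logging server-side and returning a generic message keeps internals out of the response (the existing GetUserByEmail branch has the same exposure). The function starts and ends outside the hunk, and whether this route is rate limited cannot be seen from here.

```go
if req.UserEmail == "" || req.PasswordB64 == "" || req.DeviceLabel == "" || req.TPMPublicKey == "" || req.PQPublicKey == "" {
	c.JSON(http.StatusBadRequest, gin.H{"error": "user_email, password_b64, device_label, tpm_public_key and pq_public_key are required"})
	return
}
// … unchanged: GetUserByEmail call and its error branch …
if u == nil {
	// Same status and body as a wrong password, so registered emails are not disclosed.
	c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
	return
}
ok, err := security.VerifyPassword(u.PasswordHash, req.PasswordB64)
if err != nil {
	log.Error("VerifyPassword", "error", err)
	c.JSON(http.StatusInternalServerError, gin.H{"error": "internal error"})
	return
}
// … unchanged: !ok branch and NewDevice call …
```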
@@ -28,7 +29,6 @@ require (
 github.com/fatih/structs v1.1.0 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
 github.com/gabriel-vasile/mimetype v1.4.11 // indirect
- github.com/gin-contrib/cors v1.7.6 // indirect
 github.com/gin-contrib/sse v1.1.0 // indirect
 github.com/go-openapi/jsonpointer v0.22.4 // indirect
 github.com/go-openapi/jsonreference v0.21.4 // indirect