Implement User Registration API endpoint

[arandomogg]

Summary

Implements the user registration endpoint following the strict Controller -> Service -> Model architecture. Passwords are hashed with bcrypt at the model layer, and the password hash is never exposed in any response.

Endpoint

POST /api/v1/auth/register

Request body:

{
  "name": "Ada Lovelace",
  "email": "ada@example.com",
  "password": "sup3rSecret!"
}

Success response (201 Created):

{
  "status": "success",
  "message": "User registered successfully",
  "data": {
    "user": {
      "id": "6a41ad5e9d50a2b2514c3b88",
      "name": "Ada Lovelace",
      "email": "ada@example.com",
      "role": "user",
      "createdAt": "2026-06-28T23:25:18.892Z",
      "updatedAt": "2026-06-28T23:25:18.892Z"
    }
  }
}

Changes

• src/models/User.ts: Mongoose User model with schema validation, a unique email index, a bcrypt pre-save hook (configurable via BCRYPT_ROUNDS), a comparePassword instance method, and a toJSON transform that removes the password hash and __v and exposes id instead of _id.
• src/services/authService.ts: registerUser business logic. Detects duplicate emails (including the unique-index race condition via the 11000 error code) and returns a sanitized user object.
• src/controllers/authController.ts: HTTP controller that validates the body, invokes the service, and returns 201.
• src/validators/authValidator.ts: Strict, strongly-typed validation of the request body.
• src/utils/ApiError.ts and src/utils/asyncHandler.ts: Reusable error type and async wrapper for consistent error handling through the existing global error middleware.
• src/routes/authRoutes.ts / src/routes/index.ts: Mounts the auth router under /api/v1/auth.
• tests/auth.test.ts: Integration tests using an in-memory MongoDB.

Acceptance criteria

• Controller -> Service -> Model layering enforced.
• Data is persisted to and read from MongoDB; no hardcoded or mock data in the request path.
• API is versioned under /api/v1.
• Production-ready: strong typings, schema and request validation, duplicate-email handling, and a password hash that is never returned.

Proof of work

All unit/integration tests pass:

POST /api/v1/auth/register
  v registers a new user and returns sanitized data
  v persists the user with a bcrypt-hashed password
  v rejects a duplicate email with 409
  v rejects an invalid email with 400
  v rejects a weak password with 400
  v rejects a missing name with 400

Test Suites: 2 passed, 2 total
Tests:       7 passed, 7 total

npx tsc (build) and eslint on the changed files both pass cleanly.

Closes #9

[drips-wave]

@arandomogg Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits