Fracverse · anonfedora · Feb 26, 2026 · Feb 20, 2026 · Feb 26, 2026
diff --git a/backend/src/app.rs b/backend/src/app.rs
@@ -56,6 +56,10 @@ pub async fn create_app(
         .route("/register", post(auth::register))
         .route("/refresh", post(auth::refresh_token));
 
+    // -------------------- User --------------------
+    let user_routes = Router::new()
+        .route("/register", post(auth::user_register));
+
     // -------------------- Identity --------------------
     let identity_routes = Router::new()
         .route("/users", post(identity::create_user))
@@ -159,6 +163,7 @@ pub async fn create_app(
     let public_routes = Router::new()
         .nest("/anchor", anchor_routes)
         .nest("/auth", auth_routes)
+        .nest("/user", user_routes)
         .nest("/health", health_routes)
         .merge(metrics_routes);
 

diff --git a/backend/src/http/auth.rs b/backend/src/http/auth.rs
@@ -121,15 +121,12 @@ pub async fn refresh_token(
     State(services): State<Arc<ServiceContainer>>,
     Json(request): Json<RefreshTokenRequest>,
 ) -> Result<Json<AuthResponse>, ApiError> {
-    // Validate the token is specifically a refresh token
     let claims = auth::validate_refresh_token(&request.token, &services.config.jwt.secret)?;
 
-    // Verify user still exists
     if !services.identity.user_exists(&claims.sub).await? {
         return Err(ApiError::Authentication("User not found".to_string()));
     }
 
-    // Generate new token pair
     let token = auth::generate_access_token(
         &claims.sub,
         claims.role,
@@ -153,3 +150,42 @@ pub async fn refresh_token(
         refresh_expires_in: services.config.jwt.refresh_expiration_hours * 3600,
     }))
 }
+
+pub async fn user_register(
+    State(services): State<Arc<ServiceContainer>>,
+    Json(request): Json<RegisterRequest>,
+) -> Result<Json<AuthResponse>, ApiError> {
+    if services.identity.user_exists(&request.user_id).await? {
+        return Err(ApiError::Conflict("User already exists".to_string()));
+    }
+
+    let pin_hash = auth::hash_pin(&request.pin)?;
+
+    let user = services
+        .identity
+        .create_user(request.user_id.clone(), pin_hash)
+        .await?;
+
+    let token = auth::generate_access_token(
+        &user.user_id,
+        user.role,
+        &services.config.jwt.secret,
+        services.config.jwt.expiration_hours,
+    )?;
+
+    let refresh_token = auth::generate_refresh_token(
+        &user.user_id,
+        user.role,
+        &services.config.jwt.secret,
+        services.config.jwt.refresh_expiration_hours,
+    )?;
+
+    Ok(Json(AuthResponse {
+        token,
+        refresh_token,
+        user_id: user.user_id,
+        role: user.role.to_string(),
+        expires_in: services.config.jwt.expiration_hours * 3600,
+        refresh_expires_in: services.config.jwt.refresh_expiration_hours * 3600,
+    }))
+}
diff --git a/backend/src/http/identity.rs b/backend/src/http/identity.rs
@@ -5,7 +5,7 @@ use axum::{
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
 
-use crate::{api_error::ApiError, middleware::AuthenticatedUser, service::ServiceContainer};
+use crate::{api_error::ApiError, auth, middleware::AuthenticatedUser, service::ServiceContainer};
 
 #[derive(Debug, Deserialize)]
 pub struct CreateUserRequest {
@@ -31,9 +31,10 @@ pub async fn create_user(
     State(services): State<Arc<ServiceContainer>>,
     Json(request): Json<CreateUserRequest>,
 ) -> Result<Json<UserResponse>, ApiError> {
+    let pin_hash = auth::hash_pin(&request.pin)?;
     let user = services
         .identity
-        .create_user(request.user_id, request.pin)
+        .create_user(request.user_id, pin_hash)
         .await?;
 
     Ok(Json(UserResponse {