feat: implement Iteration 0 foundation (backend + Flutter client)

Backend (Go):
- Project structure with chi router, pgxpool, goose migrations
- JWT auth (access/refresh tokens) with Firebase token verification
- NoopTokenVerifier for local dev without Firebase credentials
- PostgreSQL user repository with atomic profile updates (transactions)
- Mifflin-St Jeor calorie calculation based on profile data
- REST API: POST /auth/login, /auth/refresh, /auth/logout, GET/PUT /profile, GET /health
- Middleware: auth, CORS (localhost wildcard), logging, recovery, request_id
- Unit tests (51 passing) and integration tests (testcontainers)
- Docker Compose setup with postgres healthcheck and graceful shutdown

Flutter client:
- Riverpod state management with GoRouter navigation
- Firebase Auth (email/password + Google sign-in with web popup support)
- Platform-aware API URLs (web/Android/iOS)
- Dio HTTP client with JWT auth interceptor and concurrent refresh handling
- Secure token storage
- Screens: Login, Register, Home (tabs: Menu, Recipes, Products, Profile)
- Unit tests (17 passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/internal/auth/firebase.go

@@ -0,0 +1,89 @@
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+
+	firebase "firebase.google.com/go/v4"
+	firebaseAuth "firebase.google.com/go/v4/auth"
+	"google.golang.org/api/option"
+)
+
+// TokenVerifier abstracts Firebase token verification for testability.
+type TokenVerifier interface {
+	VerifyToken(ctx context.Context, idToken string) (uid, email, name, avatarURL string, err error)
+}
+
+type FirebaseAuth struct {
+	client *firebaseAuth.Client
+}
+
+// noopTokenVerifier is used in local development when Firebase credentials are not available.
+// It rejects all tokens with a clear error message.
+type noopTokenVerifier struct{}
+
+func (n *noopTokenVerifier) VerifyToken(_ context.Context, _ string) (uid, email, name, avatarURL string, err error) {
+	return "", "", "", "", fmt.Errorf("Firebase auth is not configured (running in noop mode)")
+}
+
+// NewFirebaseAuthOrNoop tries to initialize Firebase auth from the credentials file.
+// If the file is missing, empty, or not a valid service account, it logs a warning
+// and returns a noop verifier that rejects all tokens.
+func NewFirebaseAuthOrNoop(credentialsFile string) (TokenVerifier, error) {
+	data, err := os.ReadFile(credentialsFile)
+	if err != nil || len(data) == 0 {
+		slog.Warn("firebase credentials not found, running without Firebase auth", "file", credentialsFile)
+		return &noopTokenVerifier{}, nil
+	}
+
+	var creds map[string]interface{}
+	if err := json.Unmarshal(data, &creds); err != nil || creds["type"] == nil {
+		slog.Warn("firebase credentials invalid, running without Firebase auth", "file", credentialsFile)
+		return &noopTokenVerifier{}, nil
+	}
+
+	fa, err := NewFirebaseAuth(credentialsFile)
+	if err != nil {
+		return nil, err
+	}
+	return fa, nil
+}
+
+func NewFirebaseAuth(credentialsFile string) (*FirebaseAuth, error) {
+	opt := option.WithCredentialsFile(credentialsFile)
+	app, err := firebase.NewApp(context.Background(), nil, opt)
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := app.Auth(context.Background())
+	if err != nil {
+		return nil, err
+	}
+
+	return &FirebaseAuth{client: client}, nil
+}
+
+func (f *FirebaseAuth) VerifyToken(ctx context.Context, idToken string) (uid, email, name, avatarURL string, err error) {
+	token, err := f.client.VerifyIDToken(ctx, idToken)
+	if err != nil {
+		return "", "", "", "", err
+	}
+
+	uid = token.UID
+
+	if v, ok := token.Claims["email"].(string); ok {
+		email = v
+	}
+	if v, ok := token.Claims["name"].(string); ok {
+		name = v
+	}
+	if v, ok := token.Claims["picture"].(string); ok {
+		avatarURL = v
+	}
+
+	return uid, email, name, avatarURL, nil
+}

backend/internal/auth/handler.go

@@ -0,0 +1,106 @@
+package auth
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"github.com/food-ai/backend/internal/middleware"
+)
+
+const maxRequestBodySize = 1 << 20 // 1 MB
+
+type Handler struct {
+	service *Service
+}
+
+func NewHandler(service *Service) *Handler {
+	return &Handler{service: service}
+}
+
+type loginRequest struct {
+	FirebaseToken string `json:"firebase_token"`
+}
+
+type refreshRequest struct {
+	RefreshToken string `json:"refresh_token"`
+}
+
+func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
+	var req loginRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErrorJSON(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	if req.FirebaseToken == "" {
+		writeErrorJSON(w, http.StatusBadRequest, "firebase_token is required")
+		return
+	}
+
+	resp, err := h.service.Login(r.Context(), req.FirebaseToken)
+	if err != nil {
+		writeErrorJSON(w, http.StatusUnauthorized, "authentication failed")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, resp)
+}
+
+func (h *Handler) Refresh(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
+	var req refreshRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErrorJSON(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	if req.RefreshToken == "" {
+		writeErrorJSON(w, http.StatusBadRequest, "refresh_token is required")
+		return
+	}
+
+	resp, err := h.service.Refresh(r.Context(), req.RefreshToken)
+	if err != nil {
+		writeErrorJSON(w, http.StatusUnauthorized, "invalid refresh token")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, resp)
+}
+
+func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
+	userID := middleware.UserIDFromCtx(r.Context())
+	if userID == "" {
+		writeErrorJSON(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	if err := h.service.Logout(r.Context(), userID); err != nil {
+		writeErrorJSON(w, http.StatusInternalServerError, "logout failed")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+type errorResponse struct {
+	Error string `json:"error"`
+}
+
+func writeErrorJSON(w http.ResponseWriter, status int, msg string) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(errorResponse{Error: msg}); err != nil {
+		slog.Error("failed to write error response", "err", err)
+	}
+}
+
+func writeJSON(w http.ResponseWriter, status int, v interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(v); err != nil {
+		slog.Error("failed to write JSON response", "err", err)
+	}
+}

backend/internal/auth/handler_integration_test.go

@@ -0,0 +1,272 @@
+//go:build integration
+
+package auth
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/food-ai/backend/internal/auth/mocks"
+	"github.com/food-ai/backend/internal/middleware"
+	"github.com/food-ai/backend/internal/testutil"
+	"github.com/food-ai/backend/internal/user"
+	"github.com/go-chi/chi/v5"
+)
+
+// testValidator adapts JWTManager to middleware.AccessTokenValidator for tests.
+type testValidator struct {
+	jm *JWTManager
+}
+
+func (v *testValidator) ValidateAccessToken(tokenStr string) (*middleware.TokenClaims, error) {
+	claims, err := v.jm.ValidateAccessToken(tokenStr)
+	if err != nil {
+		return nil, err
+	}
+	return &middleware.TokenClaims{UserID: claims.UserID, Plan: claims.Plan}, nil
+}
+
+func setupIntegrationTest(t *testing.T) (*chi.Mux, *JWTManager) {
+	t.Helper()
+	pool := testutil.SetupTestDB(t)
+
+	verifier := &mocks.MockTokenVerifier{
+		VerifyTokenFn: func(ctx context.Context, idToken string) (string, string, string, string, error) {
+			return "fb-" + idToken, idToken + "@test.com", "Test User", "", nil
+		},
+	}
+
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+	repo := user.NewRepository(pool)
+	svc := NewService(verifier, repo, jm)
+	handler := NewHandler(svc)
+
+	r := chi.NewRouter()
+	r.Post("/auth/login", handler.Login)
+	r.Post("/auth/refresh", handler.Refresh)
+	r.Group(func(r chi.Router) {
+		r.Use(middleware.Auth(&testValidator{jm: jm}))
+		r.Post("/auth/logout", handler.Logout)
+	})
+
+	return r, jm
+}
+
+func TestIntegration_Login(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	body := `{"firebase_token":"user1"}`
+	req := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", rr.Code, rr.Body.String())
+	}
+
+	var resp LoginResponse
+	json.NewDecoder(rr.Body).Decode(&resp)
+	if resp.AccessToken == "" {
+		t.Error("expected non-empty access token")
+	}
+	if resp.RefreshToken == "" {
+		t.Error("expected non-empty refresh token")
+	}
+	if resp.User == nil {
+		t.Fatal("expected user in response")
+	}
+}
+
+func TestIntegration_Login_EmptyToken(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	body := `{"firebase_token":""}`
+	req := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", rr.Code)
+	}
+}
+
+func TestIntegration_Login_InvalidBody(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	req := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString("invalid"))
+	req.Header.Set("Content-Type", "application/json")
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", rr.Code)
+	}
+}
+
+func TestIntegration_Refresh(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	// First login
+	loginBody := `{"firebase_token":"user2"}`
+	loginReq := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString(loginBody))
+	loginReq.Header.Set("Content-Type", "application/json")
+	loginRR := httptest.NewRecorder()
+	router.ServeHTTP(loginRR, loginReq)
+
+	var loginResp LoginResponse
+	json.NewDecoder(loginRR.Body).Decode(&loginResp)
+
+	// Then refresh
+	refreshBody, _ := json.Marshal(refreshRequest{RefreshToken: loginResp.RefreshToken})
+	refreshReq := httptest.NewRequest("POST", "/auth/refresh", bytes.NewBuffer(refreshBody))
+	refreshReq.Header.Set("Content-Type", "application/json")
+	refreshRR := httptest.NewRecorder()
+	router.ServeHTTP(refreshRR, refreshReq)
+
+	if refreshRR.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", refreshRR.Code, refreshRR.Body.String())
+	}
+
+	var resp RefreshResponse
+	json.NewDecoder(refreshRR.Body).Decode(&resp)
+	if resp.AccessToken == "" {
+		t.Error("expected non-empty access token")
+	}
+	if resp.RefreshToken == loginResp.RefreshToken {
+		t.Error("expected rotated refresh token")
+	}
+}
+
+func TestIntegration_Refresh_InvalidToken(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	body := `{"refresh_token":"nonexistent"}`
+	req := httptest.NewRequest("POST", "/auth/refresh", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}
+
+func TestIntegration_Refresh_EmptyToken(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	body := `{"refresh_token":""}`
+	req := httptest.NewRequest("POST", "/auth/refresh", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", rr.Code)
+	}
+}
+
+func TestIntegration_Logout(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	// Login first
+	loginBody := `{"firebase_token":"user3"}`
+	loginReq := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString(loginBody))
+	loginReq.Header.Set("Content-Type", "application/json")
+	loginRR := httptest.NewRecorder()
+	router.ServeHTTP(loginRR, loginReq)
+
+	var loginResp LoginResponse
+	json.NewDecoder(loginRR.Body).Decode(&loginResp)
+
+	// Logout
+	logoutReq := httptest.NewRequest("POST", "/auth/logout", nil)
+	logoutReq.Header.Set("Authorization", "Bearer "+loginResp.AccessToken)
+	logoutRR := httptest.NewRecorder()
+	router.ServeHTTP(logoutRR, logoutReq)
+
+	if logoutRR.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", logoutRR.Code, logoutRR.Body.String())
+	}
+}
+
+func TestIntegration_Logout_NoAuth(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	req := httptest.NewRequest("POST", "/auth/logout", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}
+
+func TestIntegration_RefreshAfterLogout(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	// Login
+	loginBody := `{"firebase_token":"user4"}`
+	loginReq := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString(loginBody))
+	loginReq.Header.Set("Content-Type", "application/json")
+	loginRR := httptest.NewRecorder()
+	router.ServeHTTP(loginRR, loginReq)
+
+	var loginResp LoginResponse
+	json.NewDecoder(loginRR.Body).Decode(&loginResp)
+
+	// Logout
+	logoutReq := httptest.NewRequest("POST", "/auth/logout", nil)
+	logoutReq.Header.Set("Authorization", "Bearer "+loginResp.AccessToken)
+	logoutRR := httptest.NewRecorder()
+	router.ServeHTTP(logoutRR, logoutReq)
+
+	// Try to refresh with old token
+	refreshBody, _ := json.Marshal(refreshRequest{RefreshToken: loginResp.RefreshToken})
+	refreshReq := httptest.NewRequest("POST", "/auth/refresh", bytes.NewBuffer(refreshBody))
+	refreshReq.Header.Set("Content-Type", "application/json")
+	refreshRR := httptest.NewRecorder()
+	router.ServeHTTP(refreshRR, refreshReq)
+
+	if refreshRR.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401 after logout, got %d", refreshRR.Code)
+	}
+}
+
+func TestIntegration_OldRefreshTokenInvalid(t *testing.T) {
+	router, _ := setupIntegrationTest(t)
+
+	// Login
+	loginBody := `{"firebase_token":"user5"}`
+	loginReq := httptest.NewRequest("POST", "/auth/login", bytes.NewBufferString(loginBody))
+	loginReq.Header.Set("Content-Type", "application/json")
+	loginRR := httptest.NewRecorder()
+	router.ServeHTTP(loginRR, loginReq)
+
+	var loginResp LoginResponse
+	json.NewDecoder(loginRR.Body).Decode(&loginResp)
+	oldRefreshToken := loginResp.RefreshToken
+
+	// Refresh (rotates token)
+	refreshBody, _ := json.Marshal(refreshRequest{RefreshToken: oldRefreshToken})
+	refreshReq := httptest.NewRequest("POST", "/auth/refresh", bytes.NewBuffer(refreshBody))
+	refreshReq.Header.Set("Content-Type", "application/json")
+	refreshRR := httptest.NewRecorder()
+	router.ServeHTTP(refreshRR, refreshReq)
+
+	// Try old refresh token again
+	oldRefreshReq := httptest.NewRequest("POST", "/auth/refresh", bytes.NewBuffer(refreshBody))
+	oldRefreshReq.Header.Set("Content-Type", "application/json")
+	oldRefreshRR := httptest.NewRecorder()
+	router.ServeHTTP(oldRefreshRR, oldRefreshReq)
+
+	if oldRefreshRR.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401 for old refresh token, got %d", oldRefreshRR.Code)
+	}
+}

backend/internal/auth/jwt.go

@@ -0,0 +1,69 @@
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+type JWTManager struct {
+	secret          []byte
+	accessDuration  time.Duration
+	refreshDuration time.Duration
+}
+
+type Claims struct {
+	UserID string `json:"user_id"`
+	Plan   string `json:"plan"`
+	jwt.RegisteredClaims
+}
+
+func NewJWTManager(secret string, accessDuration, refreshDuration time.Duration) *JWTManager {
+	return &JWTManager{
+		secret:          []byte(secret),
+		accessDuration:  accessDuration,
+		refreshDuration: refreshDuration,
+	}
+}
+
+func (j *JWTManager) GenerateAccessToken(userID, plan string) (string, error) {
+	claims := Claims{
+		UserID: userID,
+		Plan:   plan,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(j.accessDuration)),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+		},
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(j.secret)
+}
+
+func (j *JWTManager) GenerateRefreshToken() (string, time.Time) {
+	token := uuid.NewString()
+	expiresAt := time.Now().Add(j.refreshDuration)
+	return token, expiresAt
+}
+
+func (j *JWTManager) ValidateAccessToken(tokenStr string) (*Claims, error) {
+	token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+		}
+		return j.secret, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	claims, ok := token.Claims.(*Claims)
+	if !ok || !token.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+	return claims, nil
+}
+
+func (j *JWTManager) AccessDuration() time.Duration {
+	return j.accessDuration
+}

backend/internal/auth/jwt_test.go

@@ -0,0 +1,86 @@
+package auth
+
+import (
+	"testing"
+	"time"
+)
+
+func TestGenerateAccessToken(t *testing.T) {
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+
+	token, err := jm.GenerateAccessToken("user-123", "free")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if token == "" {
+		t.Fatal("expected non-empty token")
+	}
+}
+
+func TestValidateAccessToken_Valid(t *testing.T) {
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+
+	token, _ := jm.GenerateAccessToken("user-123", "free")
+	claims, err := jm.ValidateAccessToken(token)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if claims.UserID != "user-123" {
+		t.Errorf("expected user_id 'user-123', got %q", claims.UserID)
+	}
+	if claims.Plan != "free" {
+		t.Errorf("expected plan 'free', got %q", claims.Plan)
+	}
+}
+
+func TestValidateAccessToken_Expired(t *testing.T) {
+	jm := NewJWTManager("test-secret", -1*time.Second, 720*time.Hour)
+
+	token, _ := jm.GenerateAccessToken("user-123", "free")
+	_, err := jm.ValidateAccessToken(token)
+	if err == nil {
+		t.Fatal("expected error for expired token")
+	}
+}
+
+func TestValidateAccessToken_WrongSecret(t *testing.T) {
+	jm1 := NewJWTManager("secret-1", 15*time.Minute, 720*time.Hour)
+	jm2 := NewJWTManager("secret-2", 15*time.Minute, 720*time.Hour)
+
+	token, _ := jm1.GenerateAccessToken("user-123", "free")
+	_, err := jm2.ValidateAccessToken(token)
+	if err == nil {
+		t.Fatal("expected error for wrong secret")
+	}
+}
+
+func TestValidateAccessToken_InvalidToken(t *testing.T) {
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+
+	_, err := jm.ValidateAccessToken("invalid-token")
+	if err == nil {
+		t.Fatal("expected error for invalid token")
+	}
+}
+
+func TestGenerateRefreshToken(t *testing.T) {
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+
+	token, expiresAt := jm.GenerateRefreshToken()
+	if token == "" {
+		t.Fatal("expected non-empty refresh token")
+	}
+	if expiresAt.Before(time.Now()) {
+		t.Fatal("expected future expiration time")
+	}
+}
+
+func TestGenerateRefreshToken_Unique(t *testing.T) {
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+
+	token1, _ := jm.GenerateRefreshToken()
+	token2, _ := jm.GenerateRefreshToken()
+	if token1 == token2 {
+		t.Fatal("expected unique refresh tokens")
+	}
+}

backend/internal/auth/mocks/token_verifier.go

@@ -0,0 +1,11 @@
+package mocks
+
+import "context"
+
+type MockTokenVerifier struct {
+	VerifyTokenFn func(ctx context.Context, idToken string) (uid, email, name, avatarURL string, err error)
+}
+
+func (m *MockTokenVerifier) VerifyToken(ctx context.Context, idToken string) (uid, email, name, avatarURL string, err error) {
+	return m.VerifyTokenFn(ctx, idToken)
+}

backend/internal/auth/service.go

@@ -0,0 +1,91 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/food-ai/backend/internal/user"
+)
+
+type Service struct {
+	tokenVerifier TokenVerifier
+	userRepo      user.UserRepository
+	jwtManager    *JWTManager
+}
+
+func NewService(tokenVerifier TokenVerifier, userRepo user.UserRepository, jwtManager *JWTManager) *Service {
+	return &Service{
+		tokenVerifier: tokenVerifier,
+		userRepo:      userRepo,
+		jwtManager:    jwtManager,
+	}
+}
+
+type LoginResponse struct {
+	AccessToken  string     `json:"access_token"`
+	RefreshToken string     `json:"refresh_token"`
+	ExpiresIn    int        `json:"expires_in"`
+	User         *user.User `json:"user"`
+}
+
+type RefreshResponse struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+func (s *Service) Login(ctx context.Context, firebaseToken string) (*LoginResponse, error) {
+	uid, email, name, avatarURL, err := s.tokenVerifier.VerifyToken(ctx, firebaseToken)
+	if err != nil {
+		return nil, fmt.Errorf("verify firebase token: %w", err)
+	}
+
+	u, err := s.userRepo.UpsertByFirebaseUID(ctx, uid, email, name, avatarURL)
+	if err != nil {
+		return nil, fmt.Errorf("upsert user: %w", err)
+	}
+
+	accessToken, err := s.jwtManager.GenerateAccessToken(u.ID, u.Plan)
+	if err != nil {
+		return nil, fmt.Errorf("generate access token: %w", err)
+	}
+
+	refreshToken, expiresAt := s.jwtManager.GenerateRefreshToken()
+	if err := s.userRepo.SetRefreshToken(ctx, u.ID, refreshToken, expiresAt); err != nil {
+		return nil, fmt.Errorf("set refresh token: %w", err)
+	}
+
+	return &LoginResponse{
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    int(s.jwtManager.AccessDuration().Seconds()),
+		User:         u,
+	}, nil
+}
+
+func (s *Service) Refresh(ctx context.Context, refreshToken string) (*RefreshResponse, error) {
+	u, err := s.userRepo.FindByRefreshToken(ctx, refreshToken)
+	if err != nil {
+		return nil, fmt.Errorf("invalid refresh token: %w", err)
+	}
+
+	accessToken, err := s.jwtManager.GenerateAccessToken(u.ID, u.Plan)
+	if err != nil {
+		return nil, fmt.Errorf("generate access token: %w", err)
+	}
+
+	newRefreshToken, expiresAt := s.jwtManager.GenerateRefreshToken()
+	if err := s.userRepo.SetRefreshToken(ctx, u.ID, newRefreshToken, expiresAt); err != nil {
+		return nil, fmt.Errorf("set refresh token: %w", err)
+	}
+
+	return &RefreshResponse{
+		AccessToken:  accessToken,
+		RefreshToken: newRefreshToken,
+		ExpiresIn:    int(s.jwtManager.AccessDuration().Seconds()),
+	}, nil
+}
+
+func (s *Service) Logout(ctx context.Context, userID string) error {
+	return s.userRepo.ClearRefreshToken(ctx, userID)
+}

backend/internal/auth/service_test.go

@@ -0,0 +1,213 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/food-ai/backend/internal/auth/mocks"
+	"github.com/food-ai/backend/internal/user"
+	umocks "github.com/food-ai/backend/internal/user/mocks"
+)
+
+func newTestService(verifier *mocks.MockTokenVerifier, repo *umocks.MockUserRepository) *Service {
+	jm := NewJWTManager("test-secret", 15*time.Minute, 720*time.Hour)
+	return NewService(verifier, repo, jm)
+}
+
+func TestLogin_Success(t *testing.T) {
+	verifier := &mocks.MockTokenVerifier{
+		VerifyTokenFn: func(ctx context.Context, idToken string) (string, string, string, string, error) {
+			return "fb-uid", "test@example.com", "Test User", "https://avatar.url", nil
+		},
+	}
+	repo := &umocks.MockUserRepository{
+		UpsertByFirebaseUIDFn: func(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error) {
+			return &user.User{ID: "user-1", Email: email, Name: name, Plan: "free"}, nil
+		},
+		SetRefreshTokenFn: func(ctx context.Context, id, token string, expiresAt time.Time) error {
+			return nil
+		},
+	}
+
+	svc := newTestService(verifier, repo)
+	resp, err := svc.Login(context.Background(), "firebase-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp.AccessToken == "" {
+		t.Error("expected non-empty access token")
+	}
+	if resp.RefreshToken == "" {
+		t.Error("expected non-empty refresh token")
+	}
+	if resp.User.ID != "user-1" {
+		t.Errorf("expected user ID 'user-1', got %q", resp.User.ID)
+	}
+}
+
+func TestLogin_InvalidFirebaseToken(t *testing.T) {
+	verifier := &mocks.MockTokenVerifier{
+		VerifyTokenFn: func(ctx context.Context, idToken string) (string, string, string, string, error) {
+			return "", "", "", "", fmt.Errorf("invalid token")
+		},
+	}
+	repo := &umocks.MockUserRepository{}
+
+	svc := newTestService(verifier, repo)
+	_, err := svc.Login(context.Background(), "bad-token")
+	if err == nil {
+		t.Fatal("expected error for invalid firebase token")
+	}
+}
+
+func TestLogin_UpsertError(t *testing.T) {
+	verifier := &mocks.MockTokenVerifier{
+		VerifyTokenFn: func(ctx context.Context, idToken string) (string, string, string, string, error) {
+			return "fb-uid", "test@example.com", "Test", "", nil
+		},
+	}
+	repo := &umocks.MockUserRepository{
+		UpsertByFirebaseUIDFn: func(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error) {
+			return nil, fmt.Errorf("db error")
+		},
+	}
+
+	svc := newTestService(verifier, repo)
+	_, err := svc.Login(context.Background(), "token")
+	if err == nil {
+		t.Fatal("expected error for upsert failure")
+	}
+}
+
+func TestLogin_SetRefreshTokenError(t *testing.T) {
+	verifier := &mocks.MockTokenVerifier{
+		VerifyTokenFn: func(ctx context.Context, idToken string) (string, string, string, string, error) {
+			return "fb-uid", "test@example.com", "Test", "", nil
+		},
+	}
+	repo := &umocks.MockUserRepository{
+		UpsertByFirebaseUIDFn: func(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error) {
+			return &user.User{ID: "user-1", Plan: "free"}, nil
+		},
+		SetRefreshTokenFn: func(ctx context.Context, id, token string, expiresAt time.Time) error {
+			return fmt.Errorf("db error")
+		},
+	}
+
+	svc := newTestService(verifier, repo)
+	_, err := svc.Login(context.Background(), "token")
+	if err == nil {
+		t.Fatal("expected error for set refresh token failure")
+	}
+}
+
+func TestRefresh_Success(t *testing.T) {
+	repo := &umocks.MockUserRepository{
+		FindByRefreshTokenFn: func(ctx context.Context, token string) (*user.User, error) {
+			return &user.User{ID: "user-1", Plan: "free"}, nil
+		},
+		SetRefreshTokenFn: func(ctx context.Context, id, token string, expiresAt time.Time) error {
+			return nil
+		},
+	}
+	verifier := &mocks.MockTokenVerifier{}
+
+	svc := newTestService(verifier, repo)
+	resp, err := svc.Refresh(context.Background(), "valid-refresh-token")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resp.AccessToken == "" {
+		t.Error("expected non-empty access token")
+	}
+	if resp.RefreshToken == "" {
+		t.Error("expected non-empty refresh token")
+	}
+}
+
+func TestRefresh_InvalidToken(t *testing.T) {
+	repo := &umocks.MockUserRepository{
+		FindByRefreshTokenFn: func(ctx context.Context, token string) (*user.User, error) {
+			return nil, fmt.Errorf("not found")
+		},
+	}
+	verifier := &mocks.MockTokenVerifier{}
+
+	svc := newTestService(verifier, repo)
+	_, err := svc.Refresh(context.Background(), "bad-token")
+	if err == nil {
+		t.Fatal("expected error for invalid refresh token")
+	}
+}
+
+func TestRefresh_SetRefreshTokenError(t *testing.T) {
+	repo := &umocks.MockUserRepository{
+		FindByRefreshTokenFn: func(ctx context.Context, token string) (*user.User, error) {
+			return &user.User{ID: "user-1", Plan: "free"}, nil
+		},
+		SetRefreshTokenFn: func(ctx context.Context, id, token string, expiresAt time.Time) error {
+			return fmt.Errorf("db error")
+		},
+	}
+	verifier := &mocks.MockTokenVerifier{}
+
+	svc := newTestService(verifier, repo)
+	_, err := svc.Refresh(context.Background(), "valid-token")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestLogout_Success(t *testing.T) {
+	repo := &umocks.MockUserRepository{
+		ClearRefreshTokenFn: func(ctx context.Context, id string) error {
+			return nil
+		},
+	}
+	verifier := &mocks.MockTokenVerifier{}
+
+	svc := newTestService(verifier, repo)
+	err := svc.Logout(context.Background(), "user-1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestLogout_Error(t *testing.T) {
+	repo := &umocks.MockUserRepository{
+		ClearRefreshTokenFn: func(ctx context.Context, id string) error {
+			return fmt.Errorf("db error")
+		},
+	}
+	verifier := &mocks.MockTokenVerifier{}
+
+	svc := newTestService(verifier, repo)
+	err := svc.Logout(context.Background(), "user-1")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestLogin_ExpiresIn(t *testing.T) {
+	verifier := &mocks.MockTokenVerifier{
+		VerifyTokenFn: func(ctx context.Context, idToken string) (string, string, string, string, error) {
+			return "fb-uid", "test@example.com", "Test", "", nil
+		},
+	}
+	repo := &umocks.MockUserRepository{
+		UpsertByFirebaseUIDFn: func(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error) {
+			return &user.User{ID: "user-1", Plan: "free"}, nil
+		},
+		SetRefreshTokenFn: func(ctx context.Context, id, token string, expiresAt time.Time) error {
+			return nil
+		},
+	}
+
+	svc := newTestService(verifier, repo)
+	resp, _ := svc.Login(context.Background(), "token")
+	if resp.ExpiresIn != 900 {
+		t.Errorf("expected expires_in 900, got %d", resp.ExpiresIn)
+	}
+}

backend/internal/config/config.go

@@ -0,0 +1,31 @@
+package config
+
+import (
+	"time"
+
+	"github.com/kelseyhightower/envconfig"
+)
+
+type Config struct {
+	Port        int    `envconfig:"PORT" default:"8080"`
+	DatabaseURL string `envconfig:"DATABASE_URL" required:"true"`
+
+	// Firebase
+	FirebaseCredentialsFile string `envconfig:"FIREBASE_CREDENTIALS_FILE" required:"true"`
+
+	// JWT
+	JWTSecret          string        `envconfig:"JWT_SECRET" required:"true"`
+	JWTAccessDuration  time.Duration `envconfig:"JWT_ACCESS_DURATION" default:"15m"`
+	JWTRefreshDuration time.Duration `envconfig:"JWT_REFRESH_DURATION" default:"720h"`
+
+	// CORS
+	AllowedOrigins []string `envconfig:"ALLOWED_ORIGINS" default:"http://localhost:3000"`
+}
+
+func Load() (*Config, error) {
+	var cfg Config
+	if err := envconfig.Process("", &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}

backend/internal/database/postgres.go

@@ -0,0 +1,32 @@
+package database
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+func NewPool(ctx context.Context, databaseURL string) (*pgxpool.Pool, error) {
+	config, err := pgxpool.ParseConfig(databaseURL)
+	if err != nil {
+		return nil, fmt.Errorf("parse config: %w", err)
+	}
+
+	config.MaxConns = 20
+	config.MinConns = 5
+	config.MaxConnLifetime = 30 * time.Minute
+	config.MaxConnIdleTime = 5 * time.Minute
+
+	pool, err := pgxpool.NewWithConfig(ctx, config)
+	if err != nil {
+		return nil, fmt.Errorf("create pool: %w", err)
+	}
+
+	if err := pool.Ping(ctx); err != nil {
+		return nil, fmt.Errorf("ping: %w", err)
+	}
+
+	return pool, nil
+}

backend/internal/middleware/auth.go

@@ -0,0 +1,56 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"strings"
+)
+
+const (
+	userIDKey   contextKey = "user_id"
+	userPlanKey contextKey = "user_plan"
+)
+
+// TokenClaims represents the result of validating an access token.
+type TokenClaims struct {
+	UserID string
+	Plan   string
+}
+
+// AccessTokenValidator validates JWT access tokens.
+type AccessTokenValidator interface {
+	ValidateAccessToken(tokenStr string) (*TokenClaims, error)
+}
+
+func Auth(validator AccessTokenValidator) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			header := r.Header.Get("Authorization")
+			if !strings.HasPrefix(header, "Bearer ") {
+				http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
+				return
+			}
+
+			tokenStr := strings.TrimPrefix(header, "Bearer ")
+			claims, err := validator.ValidateAccessToken(tokenStr)
+			if err != nil {
+				http.Error(w, `{"error":"invalid token"}`, http.StatusUnauthorized)
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), userIDKey, claims.UserID)
+			ctx = context.WithValue(ctx, userPlanKey, claims.Plan)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func UserIDFromCtx(ctx context.Context) string {
+	id, _ := ctx.Value(userIDKey).(string)
+	return id
+}
+
+func UserPlanFromCtx(ctx context.Context) string {
+	plan, _ := ctx.Value(userPlanKey).(string)
+	return plan
+}

backend/internal/middleware/auth_test.go

@@ -0,0 +1,192 @@
+package middleware
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// testJWTClaims mirrors auth.Claims for test token generation without importing auth.
+type testJWTClaims struct {
+	UserID string `json:"user_id"`
+	Plan   string `json:"plan"`
+	jwt.RegisteredClaims
+}
+
+func generateTestToken(secret string, userID, plan string, duration time.Duration) string {
+	claims := testJWTClaims{
+		UserID: userID,
+		Plan:   plan,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(duration)),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+		},
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	s, _ := token.SignedString([]byte(secret))
+	return s
+}
+
+// testValidator implements AccessTokenValidator for tests.
+type testAccessValidator struct {
+	secret string
+}
+
+func (v *testAccessValidator) ValidateAccessToken(tokenStr string) (*TokenClaims, error) {
+	token, err := jwt.ParseWithClaims(tokenStr, &testJWTClaims{}, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return []byte(v.secret), nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	claims, ok := token.Claims.(*testJWTClaims)
+	if !ok || !token.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+	return &TokenClaims{UserID: claims.UserID, Plan: claims.Plan}, nil
+}
+
+// failingValidator always returns an error.
+type failingValidator struct{}
+
+func (v *failingValidator) ValidateAccessToken(tokenStr string) (*TokenClaims, error) {
+	return nil, fmt.Errorf("invalid token")
+}
+
+func TestAuth_ValidToken(t *testing.T) {
+	validator := &testAccessValidator{secret: "test-secret"}
+	token := generateTestToken("test-secret", "user-1", "free", 15*time.Minute)
+
+	handler := Auth(validator)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		userID := UserIDFromCtx(r.Context())
+		if userID != "user-1" {
+			t.Errorf("expected user-1, got %s", userID)
+		}
+		plan := UserPlanFromCtx(r.Context())
+		if plan != "free" {
+			t.Errorf("expected free, got %s", plan)
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", rr.Code)
+	}
+}
+
+func TestAuth_MissingHeader(t *testing.T) {
+	validator := &testAccessValidator{secret: "test-secret"}
+
+	handler := Auth(validator)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Error("handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}
+
+func TestAuth_InvalidBearerFormat(t *testing.T) {
+	validator := &testAccessValidator{secret: "test-secret"}
+
+	handler := Auth(validator)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Error("handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("Authorization", "Basic abc123")
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}
+
+func TestAuth_ExpiredToken(t *testing.T) {
+	validator := &testAccessValidator{secret: "test-secret"}
+	token := generateTestToken("test-secret", "user-1", "free", -1*time.Second)
+
+	handler := Auth(validator)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Error("handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}
+
+func TestAuth_InvalidToken(t *testing.T) {
+	validator := &testAccessValidator{secret: "test-secret"}
+
+	handler := Auth(validator)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Error("handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("Authorization", "Bearer invalid-token")
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}
+
+func TestAuth_PaidPlan(t *testing.T) {
+	validator := &testAccessValidator{secret: "test-secret"}
+	token := generateTestToken("test-secret", "user-1", "paid", 15*time.Minute)
+
+	handler := Auth(validator)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		plan := UserPlanFromCtx(r.Context())
+		if plan != "paid" {
+			t.Errorf("expected paid, got %s", plan)
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", rr.Code)
+	}
+}
+
+func TestAuth_EmptyBearer(t *testing.T) {
+	handler := Auth(&failingValidator{})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Error("handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("Authorization", "Bearer ")
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected 401, got %d", rr.Code)
+	}
+}

backend/internal/middleware/cors.go

@@ -0,0 +1,18 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/go-chi/cors"
+)
+
+func CORS(allowedOrigins []string) func(http.Handler) http.Handler {
+	return cors.Handler(cors.Options{
+		AllowedOrigins:   allowedOrigins,
+		AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
+		AllowedHeaders:   []string{"Authorization", "Content-Type", "X-Request-ID"},
+		ExposedHeaders:   []string{"X-Request-ID"},
+		AllowCredentials: true,
+		MaxAge:           300,
+	})
+}

backend/internal/middleware/logging.go

@@ -0,0 +1,34 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"time"
+)
+
+type responseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (rw *responseWriter) WriteHeader(code int) {
+	rw.statusCode = code
+	rw.ResponseWriter.WriteHeader(code)
+}
+
+func Logging(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		start := time.Now()
+		ww := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+		next.ServeHTTP(ww, r)
+
+		slog.Info("request",
+			"method", r.Method,
+			"path", r.URL.Path,
+			"status", ww.statusCode,
+			"duration_ms", time.Since(start).Milliseconds(),
+			"request_id", RequestIDFromCtx(r.Context()),
+		)
+	})
+}

backend/internal/middleware/recovery.go

@@ -0,0 +1,23 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"runtime/debug"
+)
+
+func Recovery(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer func() {
+			if err := recover(); err != nil {
+				slog.Error("panic recovered",
+					"error", err,
+					"stack", string(debug.Stack()),
+					"request_id", RequestIDFromCtx(r.Context()),
+				)
+				http.Error(w, `{"error":"internal server error"}`, http.StatusInternalServerError)
+			}
+		}()
+		next.ServeHTTP(w, r)
+	})
+}

backend/internal/middleware/recovery_test.go

@@ -0,0 +1,49 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestRecovery_NoPanic(t *testing.T) {
+	handler := Recovery(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", rr.Code)
+	}
+}
+
+func TestRecovery_CatchesPanic(t *testing.T) {
+	handler := Recovery(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		panic("test panic")
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", rr.Code)
+	}
+}
+
+func TestRecovery_CatchesPanicWithError(t *testing.T) {
+	handler := Recovery(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		panic(42)
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", rr.Code)
+	}
+}

backend/internal/middleware/request_id.go

@@ -0,0 +1,29 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/google/uuid"
+)
+
+type contextKey string
+
+const requestIDKey contextKey = "request_id"
+
+func RequestID(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		id := r.Header.Get("X-Request-ID")
+		if id == "" {
+			id = uuid.NewString()
+		}
+		ctx := context.WithValue(r.Context(), requestIDKey, id)
+		w.Header().Set("X-Request-ID", id)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func RequestIDFromCtx(ctx context.Context) string {
+	id, _ := ctx.Value(requestIDKey).(string)
+	return id
+}

backend/internal/middleware/request_id_test.go

@@ -0,0 +1,59 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestRequestID_GeneratesNew(t *testing.T) {
+	handler := RequestID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		id := RequestIDFromCtx(r.Context())
+		if id == "" {
+			t.Error("expected non-empty request ID in context")
+		}
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Header().Get("X-Request-ID") == "" {
+		t.Error("expected X-Request-ID in response header")
+	}
+}
+
+func TestRequestID_PreservesExisting(t *testing.T) {
+	handler := RequestID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		id := RequestIDFromCtx(r.Context())
+		if id != "existing-id" {
+			t.Errorf("expected 'existing-id', got %q", id)
+		}
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Request-ID", "existing-id")
+	rr := httptest.NewRecorder()
+
+	handler.ServeHTTP(rr, req)
+	if rr.Header().Get("X-Request-ID") != "existing-id" {
+		t.Error("expected preserved X-Request-ID")
+	}
+}
+
+func TestRequestID_UniquePerRequest(t *testing.T) {
+	var ids []string
+	handler := RequestID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ids = append(ids, RequestIDFromCtx(r.Context()))
+	}))
+
+	for i := 0; i < 3; i++ {
+		req := httptest.NewRequest("GET", "/", nil)
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+	}
+
+	if ids[0] == ids[1] || ids[1] == ids[2] {
+		t.Error("expected unique IDs for each request")
+	}
+}

backend/internal/server/server.go

@@ -0,0 +1,61 @@
+package server
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/food-ai/backend/internal/auth"
+	"github.com/food-ai/backend/internal/middleware"
+	"github.com/food-ai/backend/internal/user"
+	"github.com/go-chi/chi/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+func NewRouter(
+	pool *pgxpool.Pool,
+	authHandler *auth.Handler,
+	userHandler *user.Handler,
+	authMiddleware func(http.Handler) http.Handler,
+	allowedOrigins []string,
+) *chi.Mux {
+	r := chi.NewRouter()
+
+	// Global middleware
+	r.Use(middleware.RequestID)
+	r.Use(middleware.Logging)
+	r.Use(middleware.Recovery)
+	r.Use(middleware.CORS(allowedOrigins))
+
+	// Public
+	r.Get("/health", healthCheck(pool))
+	r.Route("/auth", func(r chi.Router) {
+		r.Post("/login", authHandler.Login)
+		r.Post("/refresh", authHandler.Refresh)
+		r.Post("/logout", authHandler.Logout)
+	})
+
+	// Protected
+	r.Group(func(r chi.Router) {
+		r.Use(authMiddleware)
+		r.Get("/profile", userHandler.Get)
+		r.Put("/profile", userHandler.Update)
+	})
+
+	return r
+}
+
+func healthCheck(pool *pgxpool.Pool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		dbStatus := "connected"
+		if err := pool.Ping(r.Context()); err != nil {
+			dbStatus = "disconnected"
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]string{
+			"status":  "ok",
+			"version": "0.1.0",
+			"db":      dbStatus,
+		})
+	}
+}

backend/internal/testutil/postgres.go

@@ -0,0 +1,77 @@
+package testutil
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"testing"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	_ "github.com/jackc/pgx/v5/stdlib"
+	"github.com/pressly/goose/v3"
+	"github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go/wait"
+)
+
+func SetupTestDB(t *testing.T) *pgxpool.Pool {
+	t.Helper()
+	ctx := context.Background()
+
+	container, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
+		ContainerRequest: testcontainers.ContainerRequest{
+			Image:        "postgres:16-alpine",
+			ExposedPorts: []string{"5432/tcp"},
+			Env: map[string]string{
+				"POSTGRES_DB":       "test_db",
+				"POSTGRES_USER":     "test_user",
+				"POSTGRES_PASSWORD": "test_pass",
+			},
+			WaitingFor: wait.ForListeningPort("5432/tcp"),
+		},
+		Started: true,
+	})
+	if err != nil {
+		t.Fatalf("failed to start container: %v", err)
+	}
+
+	t.Cleanup(func() {
+		container.Terminate(ctx)
+	})
+
+	host, err := container.Host(ctx)
+	if err != nil {
+		t.Fatalf("failed to get host: %v", err)
+	}
+
+	port, err := container.MappedPort(ctx, "5432")
+	if err != nil {
+		t.Fatalf("failed to get port: %v", err)
+	}
+
+	dsn := fmt.Sprintf("postgres://test_user:test_pass@%s:%s/test_db?sslmode=disable", host, port.Port())
+
+	// Run migrations with goose
+	db, err := sql.Open("pgx", dsn)
+	if err != nil {
+		t.Fatalf("failed to open db for migrations: %v", err)
+	}
+	defer db.Close()
+
+	if err := goose.Up(db, "../../../migrations"); err != nil {
+		// Try relative path from different test locations
+		if err2 := goose.Up(db, "../../migrations"); err2 != nil {
+			t.Fatalf("failed to run migrations: %v (also tried: %v)", err, err2)
+		}
+	}
+
+	pool, err := pgxpool.New(ctx, dsn)
+	if err != nil {
+		t.Fatalf("failed to create pool: %v", err)
+	}
+
+	t.Cleanup(func() {
+		pool.Close()
+	})
+
+	return pool
+}

backend/internal/user/calories.go

@@ -0,0 +1,51 @@
+package user
+
+import "math"
+
+// Activity level multipliers (Mifflin-St Jeor).
+var activityMultiplier = map[string]float64{
+	"low":      1.375,
+	"moderate": 1.55,
+	"high":     1.725,
+}
+
+// Goal adjustments in kcal.
+var goalAdjustment = map[string]float64{
+	"lose":     -500,
+	"maintain": 0,
+	"gain":     300,
+}
+
+// CalculateDailyCalories computes the daily calorie target using the
+// Mifflin-St Jeor equation. Returns nil if any required parameter is missing.
+func CalculateDailyCalories(heightCM *int, weightKG *float64, age *int, gender, activity, goal *string) *int {
+	if heightCM == nil || weightKG == nil || age == nil || gender == nil || activity == nil || goal == nil {
+		return nil
+	}
+
+	// BMR = 10 * weight(kg) + 6.25 * height(cm) - 5 * age
+	bmr := 10**weightKG + 6.25*float64(*heightCM) - 5*float64(*age)
+
+	switch *gender {
+	case "male":
+		bmr += 5
+	case "female":
+		bmr -= 161
+	default:
+		return nil
+	}
+
+	mult, ok := activityMultiplier[*activity]
+	if !ok {
+		return nil
+	}
+
+	adj, ok := goalAdjustment[*goal]
+	if !ok {
+		return nil
+	}
+
+	tdee := bmr * mult
+	result := int(math.Round(tdee + adj))
+	return &result
+}

backend/internal/user/calories_test.go

@@ -0,0 +1,73 @@
+package user
+
+import (
+	"testing"
+)
+
+func ptr[T any](v T) *T { return &v }
+
+func TestCalculateDailyCalories_MaleMaintain(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), ptr(80.0), ptr(30), ptr("male"), ptr("moderate"), ptr("maintain"))
+	if cal == nil {
+		t.Fatal("expected non-nil result")
+	}
+	// BMR = 10*80 + 6.25*180 - 5*30 + 5 = 800 + 1125 - 150 + 5 = 1780
+	// TDEE = 1780 * 1.55 = 2759
+	if *cal != 2759 {
+		t.Errorf("expected 2759, got %d", *cal)
+	}
+}
+
+func TestCalculateDailyCalories_FemaleLose(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(165), ptr(60.0), ptr(25), ptr("female"), ptr("low"), ptr("lose"))
+	if cal == nil {
+		t.Fatal("expected non-nil result")
+	}
+	// BMR = 10*60 + 6.25*165 - 5*25 - 161 = 600 + 1031.25 - 125 - 161 = 1345.25
+	// TDEE = 1345.25 * 1.375 = 1849.72
+	// Goal: -500 = 1349.72 → 1350
+	if *cal != 1350 {
+		t.Errorf("expected 1350, got %d", *cal)
+	}
+}
+
+func TestCalculateDailyCalories_MaleGain(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(175), ptr(70.0), ptr(28), ptr("male"), ptr("high"), ptr("gain"))
+	if cal == nil {
+		t.Fatal("expected non-nil result")
+	}
+	// BMR = 10*70 + 6.25*175 - 5*28 + 5 = 700 + 1093.75 - 140 + 5 = 1658.75
+	// TDEE = 1658.75 * 1.725 = 2861.34
+	// Goal: +300 = 3161.34 → 3161
+	if *cal != 3161 {
+		t.Errorf("expected 3161, got %d", *cal)
+	}
+}
+
+func TestCalculateDailyCalories_NilHeight(t *testing.T) {
+	cal := CalculateDailyCalories(nil, ptr(80.0), ptr(30), ptr("male"), ptr("moderate"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil when height is nil")
+	}
+}
+
+func TestCalculateDailyCalories_NilWeight(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), nil, ptr(30), ptr("male"), ptr("moderate"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil when weight is nil")
+	}
+}
+
+func TestCalculateDailyCalories_InvalidGender(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), ptr(80.0), ptr(30), ptr("other"), ptr("moderate"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil for invalid gender")
+	}
+}
+
+func TestCalculateDailyCalories_InvalidActivity(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), ptr(80.0), ptr(30), ptr("male"), ptr("extreme"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil for invalid activity")
+	}
+}

backend/internal/user/handler.go

@@ -0,0 +1,78 @@
+package user
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"github.com/food-ai/backend/internal/middleware"
+)
+
+const maxRequestBodySize = 1 << 20 // 1 MB
+
+type Handler struct {
+	service *Service
+}
+
+func NewHandler(service *Service) *Handler {
+	return &Handler{service: service}
+}
+
+func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
+	userID := middleware.UserIDFromCtx(r.Context())
+	if userID == "" {
+		writeErrorJSON(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	u, err := h.service.GetProfile(r.Context(), userID)
+	if err != nil {
+		writeErrorJSON(w, http.StatusNotFound, "user not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, u)
+}
+
+func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
+	userID := middleware.UserIDFromCtx(r.Context())
+	if userID == "" {
+		writeErrorJSON(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
+	var req UpdateProfileRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErrorJSON(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	u, err := h.service.UpdateProfile(r.Context(), userID, req)
+	if err != nil {
+		writeErrorJSON(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, u)
+}
+
+type errorResponse struct {
+	Error string `json:"error"`
+}
+
+func writeErrorJSON(w http.ResponseWriter, status int, msg string) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(errorResponse{Error: msg}); err != nil {
+		slog.Error("failed to write error response", "err", err)
+	}
+}
+
+func writeJSON(w http.ResponseWriter, status int, v interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(v); err != nil {
+		slog.Error("failed to write JSON response", "err", err)
+	}
+}

backend/internal/user/mocks/repository.go

@@ -0,0 +1,46 @@
+package mocks
+
+import (
+	"context"
+	"time"
+
+	"github.com/food-ai/backend/internal/user"
+)
+
+type MockUserRepository struct {
+	UpsertByFirebaseUIDFn func(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error)
+	GetByIDFn             func(ctx context.Context, id string) (*user.User, error)
+	UpdateFn              func(ctx context.Context, id string, req user.UpdateProfileRequest) (*user.User, error)
+	UpdateInTxFn          func(ctx context.Context, id string, profileReq user.UpdateProfileRequest, caloriesReq *user.UpdateProfileRequest) (*user.User, error)
+	SetRefreshTokenFn     func(ctx context.Context, id, token string, expiresAt time.Time) error
+	FindByRefreshTokenFn  func(ctx context.Context, token string) (*user.User, error)
+	ClearRefreshTokenFn   func(ctx context.Context, id string) error
+}
+
+func (m *MockUserRepository) UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error) {
+	return m.UpsertByFirebaseUIDFn(ctx, uid, email, name, avatarURL)
+}
+
+func (m *MockUserRepository) GetByID(ctx context.Context, id string) (*user.User, error) {
+	return m.GetByIDFn(ctx, id)
+}
+
+func (m *MockUserRepository) Update(ctx context.Context, id string, req user.UpdateProfileRequest) (*user.User, error) {
+	return m.UpdateFn(ctx, id, req)
+}
+
+func (m *MockUserRepository) UpdateInTx(ctx context.Context, id string, profileReq user.UpdateProfileRequest, caloriesReq *user.UpdateProfileRequest) (*user.User, error) {
+	return m.UpdateInTxFn(ctx, id, profileReq, caloriesReq)
+}
+
+func (m *MockUserRepository) SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error {
+	return m.SetRefreshTokenFn(ctx, id, token, expiresAt)
+}
+
+func (m *MockUserRepository) FindByRefreshToken(ctx context.Context, token string) (*user.User, error) {
+	return m.FindByRefreshTokenFn(ctx, token)
+}
+
+func (m *MockUserRepository) ClearRefreshToken(ctx context.Context, id string) error {
+	return m.ClearRefreshTokenFn(ctx, id)
+}

backend/internal/user/model.go

@@ -0,0 +1,44 @@
+package user
+
+import (
+	"encoding/json"
+	"time"
+)
+
+type User struct {
+	ID            string          `json:"id"`
+	FirebaseUID   string          `json:"-"`
+	Email         string          `json:"email"`
+	Name          string          `json:"name"`
+	AvatarURL     *string         `json:"avatar_url"`
+	HeightCM      *int            `json:"height_cm"`
+	WeightKG      *float64        `json:"weight_kg"`
+	Age           *int            `json:"age"`
+	Gender        *string         `json:"gender"`
+	Activity      *string         `json:"activity"`
+	Goal          *string         `json:"goal"`
+	DailyCalories *int            `json:"daily_calories"`
+	Plan          string          `json:"plan"`
+	Preferences   json.RawMessage `json:"preferences"`
+	CreatedAt     time.Time       `json:"created_at"`
+	UpdatedAt     time.Time       `json:"updated_at"`
+}
+
+type UpdateProfileRequest struct {
+	Name          *string          `json:"name"`
+	HeightCM      *int             `json:"height_cm"`
+	WeightKG      *float64         `json:"weight_kg"`
+	Age           *int             `json:"age"`
+	Gender        *string          `json:"gender"`
+	Activity      *string          `json:"activity"`
+	Goal          *string          `json:"goal"`
+	Preferences   *json.RawMessage `json:"preferences"`
+	DailyCalories *int             `json:"-"` // internal, set by service
+}
+
+// HasBodyParams returns true if any body parameter is being updated
+// that would require recalculation of daily calories.
+func (r *UpdateProfileRequest) HasBodyParams() bool {
+	return r.HeightCM != nil || r.WeightKG != nil || r.Age != nil ||
+		r.Gender != nil || r.Activity != nil || r.Goal != nil
+}

backend/internal/user/repository.go

@@ -0,0 +1,218 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// UserRepository defines the persistence interface for user data.
+type UserRepository interface {
+	UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*User, error)
+	GetByID(ctx context.Context, id string) (*User, error)
+	Update(ctx context.Context, id string, req UpdateProfileRequest) (*User, error)
+	UpdateInTx(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error)
+	SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error
+	FindByRefreshToken(ctx context.Context, token string) (*User, error)
+	ClearRefreshToken(ctx context.Context, id string) error
+}
+
+type Repository struct {
+	pool *pgxpool.Pool
+}
+
+func NewRepository(pool *pgxpool.Pool) *Repository {
+	return &Repository{pool: pool}
+}
+
+func (r *Repository) UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*User, error) {
+	var avatarPtr *string
+	if avatarURL != "" {
+		avatarPtr = &avatarURL
+	}
+
+	query := `
+		INSERT INTO users (firebase_uid, email, name, avatar_url)
+		VALUES ($1, $2, $3, $4)
+		ON CONFLICT (firebase_uid) DO UPDATE SET
+			email = EXCLUDED.email,
+			name = CASE WHEN users.name = '' THEN EXCLUDED.name ELSE users.name END,
+			avatar_url = COALESCE(EXCLUDED.avatar_url, users.avatar_url),
+			updated_at = now()
+		RETURNING id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at`
+
+	return r.scanUser(r.pool.QueryRow(ctx, query, uid, email, name, avatarPtr))
+}
+
+func (r *Repository) GetByID(ctx context.Context, id string) (*User, error) {
+	query := `
+		SELECT id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at
+		FROM users WHERE id = $1`
+
+	return r.scanUser(r.pool.QueryRow(ctx, query, id))
+}
+
+func (r *Repository) Update(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+	query, args := buildUpdateQuery(id, req)
+	if query == "" {
+		return r.GetByID(ctx, id)
+	}
+	return r.scanUser(r.pool.QueryRow(ctx, query, args...))
+}
+
+// buildUpdateQuery constructs a dynamic UPDATE query from the request fields.
+// Returns empty string if there are no fields to update.
+func buildUpdateQuery(id string, req UpdateProfileRequest) (string, []interface{}) {
+	setClauses := []string{}
+	args := []interface{}{}
+	argIdx := 1
+
+	if req.Name != nil {
+		setClauses = append(setClauses, fmt.Sprintf("name = $%d", argIdx))
+		args = append(args, *req.Name)
+		argIdx++
+	}
+	if req.HeightCM != nil {
+		setClauses = append(setClauses, fmt.Sprintf("height_cm = $%d", argIdx))
+		args = append(args, *req.HeightCM)
+		argIdx++
+	}
+	if req.WeightKG != nil {
+		setClauses = append(setClauses, fmt.Sprintf("weight_kg = $%d", argIdx))
+		args = append(args, *req.WeightKG)
+		argIdx++
+	}
+	if req.Age != nil {
+		setClauses = append(setClauses, fmt.Sprintf("age = $%d", argIdx))
+		args = append(args, *req.Age)
+		argIdx++
+	}
+	if req.Gender != nil {
+		setClauses = append(setClauses, fmt.Sprintf("gender = $%d", argIdx))
+		args = append(args, *req.Gender)
+		argIdx++
+	}
+	if req.Activity != nil {
+		setClauses = append(setClauses, fmt.Sprintf("activity = $%d", argIdx))
+		args = append(args, *req.Activity)
+		argIdx++
+	}
+	if req.Goal != nil {
+		setClauses = append(setClauses, fmt.Sprintf("goal = $%d", argIdx))
+		args = append(args, *req.Goal)
+		argIdx++
+	}
+	if req.Preferences != nil {
+		setClauses = append(setClauses, fmt.Sprintf("preferences = $%d", argIdx))
+		args = append(args, string(*req.Preferences))
+		argIdx++
+	}
+	if req.DailyCalories != nil {
+		setClauses = append(setClauses, fmt.Sprintf("daily_calories = $%d", argIdx))
+		args = append(args, *req.DailyCalories)
+		argIdx++
+	}
+
+	if len(setClauses) == 0 {
+		return "", nil
+	}
+
+	setClauses = append(setClauses, "updated_at = now()")
+
+	query := fmt.Sprintf(`
+		UPDATE users SET %s
+		WHERE id = $%d
+		RETURNING id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at`,
+		strings.Join(setClauses, ", "), argIdx)
+	args = append(args, id)
+
+	return query, args
+}
+
+func (r *Repository) UpdateInTx(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error) {
+	tx, err := r.pool.BeginTx(ctx, pgx.TxOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("begin tx: %w", err)
+	}
+	defer tx.Rollback(ctx)
+
+	// First update: profile fields
+	query, args := buildUpdateQuery(id, profileReq)
+	if query == "" {
+		return nil, fmt.Errorf("no fields to update")
+	}
+	updated, err := r.scanUser(tx.QueryRow(ctx, query, args...))
+	if err != nil {
+		return nil, fmt.Errorf("update profile: %w", err)
+	}
+
+	// Second update: calories (if provided)
+	if caloriesReq != nil {
+		query, args = buildUpdateQuery(id, *caloriesReq)
+		if query != "" {
+			updated, err = r.scanUser(tx.QueryRow(ctx, query, args...))
+			if err != nil {
+				return nil, fmt.Errorf("update calories: %w", err)
+			}
+		}
+	}
+
+	if err := tx.Commit(ctx); err != nil {
+		return nil, fmt.Errorf("commit tx: %w", err)
+	}
+
+	return updated, nil
+}
+
+func (r *Repository) SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error {
+	query := `UPDATE users SET refresh_token = $2, token_expires_at = $3, updated_at = now() WHERE id = $1`
+	_, err := r.pool.Exec(ctx, query, id, token, expiresAt)
+	return err
+}
+
+func (r *Repository) FindByRefreshToken(ctx context.Context, token string) (*User, error) {
+	query := `
+		SELECT id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at
+		FROM users
+		WHERE refresh_token = $1 AND token_expires_at > now()`
+
+	return r.scanUser(r.pool.QueryRow(ctx, query, token))
+}
+
+func (r *Repository) ClearRefreshToken(ctx context.Context, id string) error {
+	query := `UPDATE users SET refresh_token = NULL, token_expires_at = NULL, updated_at = now() WHERE id = $1`
+	_, err := r.pool.Exec(ctx, query, id)
+	return err
+}
+
+type scannable interface {
+	Scan(dest ...interface{}) error
+}
+
+func (r *Repository) scanUser(row scannable) (*User, error) {
+	var u User
+	var prefs []byte
+	err := row.Scan(
+		&u.ID, &u.FirebaseUID, &u.Email, &u.Name, &u.AvatarURL,
+		&u.HeightCM, &u.WeightKG, &u.Age, &u.Gender, &u.Activity, &u.Goal, &u.DailyCalories,
+		&u.Plan, &prefs, &u.CreatedAt, &u.UpdatedAt,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("scan user: %w", err)
+	}
+	u.Preferences = json.RawMessage(prefs)
+	return &u, nil
+}

backend/internal/user/repository_integration_test.go

@@ -0,0 +1,209 @@
+//go:build integration
+
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/food-ai/backend/internal/testutil"
+)
+
+func TestRepository_UpsertByFirebaseUID_Insert(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	u, err := repo.UpsertByFirebaseUID(ctx, "fb-123", "test@example.com", "Test User", "https://avatar.url")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.FirebaseUID != "fb-123" {
+		t.Errorf("expected fb-123, got %s", u.FirebaseUID)
+	}
+	if u.Email != "test@example.com" {
+		t.Errorf("expected test@example.com, got %s", u.Email)
+	}
+	if u.Plan != "free" {
+		t.Errorf("expected free, got %s", u.Plan)
+	}
+}
+
+func TestRepository_UpsertByFirebaseUID_Update(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	_, _ = repo.UpsertByFirebaseUID(ctx, "fb-123", "old@example.com", "Old Name", "")
+	u, err := repo.UpsertByFirebaseUID(ctx, "fb-123", "new@example.com", "New Name", "https://new-avatar.url")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.Email != "new@example.com" {
+		t.Errorf("expected new email, got %s", u.Email)
+	}
+	// Name should not be overwritten if already set
+	if u.Name != "Old Name" {
+		t.Errorf("expected name to be preserved as 'Old Name', got %s", u.Name)
+	}
+}
+
+func TestRepository_GetByID(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-get", "get@example.com", "Get User", "")
+	u, err := repo.GetByID(ctx, created.ID)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.ID != created.ID {
+		t.Errorf("expected %s, got %s", created.ID, u.ID)
+	}
+}
+
+func TestRepository_GetByID_NotFound(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	_, err := repo.GetByID(ctx, "00000000-0000-0000-0000-000000000000")
+	if err == nil {
+		t.Fatal("expected error for non-existent user")
+	}
+}
+
+func TestRepository_Update(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-upd", "upd@example.com", "Update User", "")
+	height := 180
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{HeightCM: &height})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.HeightCM == nil || *u.HeightCM != 180 {
+		t.Errorf("expected height 180, got %v", u.HeightCM)
+	}
+}
+
+func TestRepository_Update_MultipleFields(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-multi", "multi@example.com", "Multi User", "")
+	height := 175
+	weight := 70.5
+	age := 25
+	gender := "male"
+	activity := "moderate"
+	goal := "maintain"
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{
+		HeightCM: &height,
+		WeightKG: &weight,
+		Age:      &age,
+		Gender:   &gender,
+		Activity: &activity,
+		Goal:     &goal,
+	})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.HeightCM == nil || *u.HeightCM != 175 {
+		t.Errorf("expected 175, got %v", u.HeightCM)
+	}
+	if u.WeightKG == nil || *u.WeightKG != 70.5 {
+		t.Errorf("expected 70.5, got %v", u.WeightKG)
+	}
+}
+
+func TestRepository_Update_Preferences(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-prefs", "prefs@example.com", "Prefs User", "")
+	prefs := json.RawMessage(`{"cuisines":["russian","asian"]}`)
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{Preferences: &prefs})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	var p map[string]interface{}
+	json.Unmarshal(u.Preferences, &p)
+	if p["cuisines"] == nil {
+		t.Error("expected cuisines in preferences")
+	}
+}
+
+func TestRepository_SetAndFindRefreshToken(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-token", "token@example.com", "Token User", "")
+	err := repo.SetRefreshToken(ctx, created.ID, "refresh-token-123", time.Now().Add(24*time.Hour))
+	if err != nil {
+		t.Fatalf("unexpected error setting token: %v", err)
+	}
+
+	u, err := repo.FindByRefreshToken(ctx, "refresh-token-123")
+	if err != nil {
+		t.Fatalf("unexpected error finding by token: %v", err)
+	}
+	if u.ID != created.ID {
+		t.Errorf("expected %s, got %s", created.ID, u.ID)
+	}
+}
+
+func TestRepository_FindByRefreshToken_Expired(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-expired", "expired@example.com", "Expired User", "")
+	_ = repo.SetRefreshToken(ctx, created.ID, "expired-token", time.Now().Add(-1*time.Hour))
+
+	_, err := repo.FindByRefreshToken(ctx, "expired-token")
+	if err == nil {
+		t.Fatal("expected error for expired token")
+	}
+}
+
+func TestRepository_ClearRefreshToken(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-clear", "clear@example.com", "Clear User", "")
+	_ = repo.SetRefreshToken(ctx, created.ID, "token-to-clear", time.Now().Add(24*time.Hour))
+	err := repo.ClearRefreshToken(ctx, created.ID)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	_, err = repo.FindByRefreshToken(ctx, "token-to-clear")
+	if err == nil {
+		t.Fatal("expected error after clearing token")
+	}
+}
+
+func TestRepository_Update_NoFields(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-noop", "noop@example.com", "Noop User", "")
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.ID != created.ID {
+		t.Errorf("expected %s, got %s", created.ID, u.ID)
+	}
+}

backend/internal/user/service.go

@@ -0,0 +1,117 @@
+package user
+
+import (
+	"context"
+	"fmt"
+)
+
+type Service struct {
+	repo UserRepository
+}
+
+func NewService(repo UserRepository) *Service {
+	return &Service{repo: repo}
+}
+
+func (s *Service) GetProfile(ctx context.Context, userID string) (*User, error) {
+	return s.repo.GetByID(ctx, userID)
+}
+
+func (s *Service) UpdateProfile(ctx context.Context, userID string, req UpdateProfileRequest) (*User, error) {
+	if err := validateProfileRequest(req); err != nil {
+		return nil, err
+	}
+
+	if !req.HasBodyParams() {
+		updated, err := s.repo.Update(ctx, userID, req)
+		if err != nil {
+			return nil, fmt.Errorf("update profile: %w", err)
+		}
+		return updated, nil
+	}
+
+	// Need to update profile + recalculate calories in a single transaction.
+	// First, get current user to merge with incoming fields for calorie calculation.
+	current, err := s.repo.GetByID(ctx, userID)
+	if err != nil {
+		return nil, fmt.Errorf("get user: %w", err)
+	}
+
+	// Merge current values with request to compute calories
+	height := current.HeightCM
+	if req.HeightCM != nil {
+		height = req.HeightCM
+	}
+	weight := current.WeightKG
+	if req.WeightKG != nil {
+		weight = req.WeightKG
+	}
+	age := current.Age
+	if req.Age != nil {
+		age = req.Age
+	}
+	gender := current.Gender
+	if req.Gender != nil {
+		gender = req.Gender
+	}
+	activity := current.Activity
+	if req.Activity != nil {
+		activity = req.Activity
+	}
+	goal := current.Goal
+	if req.Goal != nil {
+		goal = req.Goal
+	}
+
+	calories := CalculateDailyCalories(height, weight, age, gender, activity, goal)
+
+	var calReq *UpdateProfileRequest
+	if calories != nil {
+		calReq = &UpdateProfileRequest{DailyCalories: calories}
+	}
+
+	updated, err := s.repo.UpdateInTx(ctx, userID, req, calReq)
+	if err != nil {
+		return nil, fmt.Errorf("update profile: %w", err)
+	}
+
+	return updated, nil
+}
+
+func validateProfileRequest(req UpdateProfileRequest) error {
+	if req.HeightCM != nil {
+		if *req.HeightCM < 100 || *req.HeightCM > 250 {
+			return fmt.Errorf("height_cm must be between 100 and 250")
+		}
+	}
+	if req.WeightKG != nil {
+		if *req.WeightKG < 30 || *req.WeightKG > 300 {
+			return fmt.Errorf("weight_kg must be between 30 and 300")
+		}
+	}
+	if req.Age != nil {
+		if *req.Age < 10 || *req.Age > 120 {
+			return fmt.Errorf("age must be between 10 and 120")
+		}
+	}
+	if req.Gender != nil {
+		if *req.Gender != "male" && *req.Gender != "female" {
+			return fmt.Errorf("gender must be 'male' or 'female'")
+		}
+	}
+	if req.Activity != nil {
+		switch *req.Activity {
+		case "low", "moderate", "high":
+		default:
+			return fmt.Errorf("activity must be 'low', 'moderate', or 'high'")
+		}
+	}
+	if req.Goal != nil {
+		switch *req.Goal {
+		case "lose", "maintain", "gain":
+		default:
+			return fmt.Errorf("goal must be 'lose', 'maintain', or 'gain'")
+		}
+	}
+	return nil
+}

backend/internal/user/service_test.go

@@ -0,0 +1,247 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"testing"
+	"time"
+)
+
+func ptrStr(s string) *string     { return &s }
+func ptrInt(i int) *int           { return &i }
+func ptrFloat(f float64) *float64 { return &f }
+
+// mockUserRepo is an in-package mock to avoid import cycles.
+type mockUserRepo struct {
+	getByIDFn             func(ctx context.Context, id string) (*User, error)
+	updateFn              func(ctx context.Context, id string, req UpdateProfileRequest) (*User, error)
+	updateInTxFn          func(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error)
+	upsertByFirebaseUIDFn func(ctx context.Context, uid, email, name, avatarURL string) (*User, error)
+	setRefreshTokenFn     func(ctx context.Context, id, token string, expiresAt time.Time) error
+	findByRefreshTokenFn  func(ctx context.Context, token string) (*User, error)
+	clearRefreshTokenFn   func(ctx context.Context, id string) error
+}
+
+func (m *mockUserRepo) UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*User, error) {
+	return m.upsertByFirebaseUIDFn(ctx, uid, email, name, avatarURL)
+}
+func (m *mockUserRepo) GetByID(ctx context.Context, id string) (*User, error) {
+	return m.getByIDFn(ctx, id)
+}
+func (m *mockUserRepo) Update(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+	return m.updateFn(ctx, id, req)
+}
+func (m *mockUserRepo) UpdateInTx(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error) {
+	return m.updateInTxFn(ctx, id, profileReq, caloriesReq)
+}
+func (m *mockUserRepo) SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error {
+	return m.setRefreshTokenFn(ctx, id, token, expiresAt)
+}
+func (m *mockUserRepo) FindByRefreshToken(ctx context.Context, token string) (*User, error) {
+	return m.findByRefreshTokenFn(ctx, token)
+}
+func (m *mockUserRepo) ClearRefreshToken(ctx context.Context, id string) error {
+	return m.clearRefreshTokenFn(ctx, id)
+}
+
+func TestGetProfile_Success(t *testing.T) {
+	repo := &mockUserRepo{
+		getByIDFn: func(ctx context.Context, id string) (*User, error) {
+			return &User{ID: id, Email: "test@example.com", Plan: "free"}, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.GetProfile(context.Background(), "user-1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.ID != "user-1" {
+		t.Errorf("expected user-1, got %s", u.ID)
+	}
+}
+
+func TestGetProfile_NotFound(t *testing.T) {
+	repo := &mockUserRepo{
+		getByIDFn: func(ctx context.Context, id string) (*User, error) {
+			return nil, fmt.Errorf("not found")
+		},
+	}
+	svc := NewService(repo)
+
+	_, err := svc.GetProfile(context.Background(), "nonexistent")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestUpdateProfile_NameOnly(t *testing.T) {
+	repo := &mockUserRepo{
+		updateFn: func(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+			return &User{ID: id, Name: *req.Name, Plan: "free"}, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Name: ptrStr("New Name")})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.Name != "New Name" {
+		t.Errorf("expected 'New Name', got %q", u.Name)
+	}
+}
+
+func TestUpdateProfile_WithCaloriesRecalculation(t *testing.T) {
+	profileReq := UpdateProfileRequest{
+		HeightCM: ptrInt(180),
+		WeightKG: ptrFloat(80),
+		Age:      ptrInt(30),
+		Gender:   ptrStr("male"),
+		Activity: ptrStr("moderate"),
+		Goal:     ptrStr("maintain"),
+	}
+	finalUser := &User{
+		ID:            "user-1",
+		HeightCM:      ptrInt(180),
+		WeightKG:      ptrFloat(80),
+		Age:           ptrInt(30),
+		Gender:        ptrStr("male"),
+		Activity:      ptrStr("moderate"),
+		Goal:          ptrStr("maintain"),
+		DailyCalories: ptrInt(2759),
+		Plan:          "free",
+	}
+
+	repo := &mockUserRepo{
+		// Service calls GetByID first to merge current values for calorie calculation
+		getByIDFn: func(ctx context.Context, id string) (*User, error) {
+			return &User{ID: id, Plan: "free"}, nil
+		},
+		updateInTxFn: func(ctx context.Context, id string, pReq UpdateProfileRequest, cReq *UpdateProfileRequest) (*User, error) {
+			if cReq == nil {
+				t.Error("expected caloriesReq to be non-nil")
+			} else if *cReq.DailyCalories != 2759 {
+				t.Errorf("expected calories 2759, got %d", *cReq.DailyCalories)
+			}
+			return finalUser, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.UpdateProfile(context.Background(), "user-1", profileReq)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.DailyCalories == nil {
+		t.Fatal("expected daily_calories to be set")
+	}
+	if *u.DailyCalories != 2759 {
+		t.Errorf("expected 2759, got %d", *u.DailyCalories)
+	}
+}
+
+func TestUpdateProfile_InvalidHeight_TooLow(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{HeightCM: ptrInt(50)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidHeight_TooHigh(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{HeightCM: ptrInt(300)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidWeight_TooLow(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{WeightKG: ptrFloat(10)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidWeight_TooHigh(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{WeightKG: ptrFloat(400)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidAge_TooLow(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Age: ptrInt(5)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidAge_TooHigh(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Age: ptrInt(150)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidGender(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Gender: ptrStr("other")})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidActivity(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Activity: ptrStr("extreme")})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidGoal(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Goal: ptrStr("bulk")})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_Preferences(t *testing.T) {
+	prefs := json.RawMessage(`{"cuisines":["russian"]}`)
+	repo := &mockUserRepo{
+		updateFn: func(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+			return &User{
+				ID:          id,
+				Plan:        "free",
+				Preferences: *req.Preferences,
+				UpdatedAt:   time.Now(),
+			}, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Preferences: &prefs})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if string(u.Preferences) != `{"cuisines":["russian"]}` {
+		t.Errorf("unexpected preferences: %s", u.Preferences)
+	}
+}