feat: implement Iteration 0 foundation (backend + Flutter client)

Backend (Go): - Project structure with chi router, pgxpool, goose migrations - JWT auth (access/refresh tokens) with Firebase token verification - NoopTokenVerifier for local dev without Firebase credentials - PostgreSQL user repository with atomic profile updates (transactions) - Mifflin-St Jeor calorie calculation based on profile data - REST API: POST /auth/login, /auth/refresh, /auth/logout, GET/PUT /profile, GET /health - Middleware: auth, CORS (localhost wildcard), logging, recovery, request_id - Unit tests (51 passing) and integration tests (testcontainers) - Docker Compose setup with postgres healthcheck and graceful shutdown Flutter client: - Riverpod state management with GoRouter navigation - Firebase Auth (email/password + Google sign-in with web popup support) - Platform-aware API URLs (web/Android/iOS) - Dio HTTP client with JWT auth interceptor and concurrent refresh handling - Secure token storage - Screens: Login, Register, Home (tabs: Menu, Recipes, Products, Profile) - Unit tests (17 passing) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 13:14:58 +02:00
commit 24219b611e
140 changed files with 13062 additions and 0 deletions
--- a/backend/internal/user/calories.go
+++ b/backend/internal/user/calories.go
@@ -0,0 +1,51 @@
+package user
+
+import "math"
+
+// Activity level multipliers (Mifflin-St Jeor).
+var activityMultiplier = map[string]float64{
+	"low":      1.375,
+	"moderate": 1.55,
+	"high":     1.725,
+}
+
+// Goal adjustments in kcal.
+var goalAdjustment = map[string]float64{
+	"lose":     -500,
+	"maintain": 0,
+	"gain":     300,
+}
+
+// CalculateDailyCalories computes the daily calorie target using the
+// Mifflin-St Jeor equation. Returns nil if any required parameter is missing.
+func CalculateDailyCalories(heightCM *int, weightKG *float64, age *int, gender, activity, goal *string) *int {
+	if heightCM == nil || weightKG == nil || age == nil || gender == nil || activity == nil || goal == nil {
+		return nil
+	}
+
+	// BMR = 10 * weight(kg) + 6.25 * height(cm) - 5 * age
+	bmr := 10**weightKG + 6.25*float64(*heightCM) - 5*float64(*age)
+
+	switch *gender {
+	case "male":
+		bmr += 5
+	case "female":
+		bmr -= 161
+	default:
+		return nil
+	}
+
+	mult, ok := activityMultiplier[*activity]
+	if !ok {
+		return nil
+	}
+
+	adj, ok := goalAdjustment[*goal]
+	if !ok {
+		return nil
+	}
+
+	tdee := bmr * mult
+	result := int(math.Round(tdee + adj))
+	return &result
+}
--- a/backend/internal/user/calories_test.go
+++ b/backend/internal/user/calories_test.go
@@ -0,0 +1,73 @@
+package user
+
+import (
+	"testing"
+)
+
+func ptr[T any](v T) *T { return &v }
+
+func TestCalculateDailyCalories_MaleMaintain(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), ptr(80.0), ptr(30), ptr("male"), ptr("moderate"), ptr("maintain"))
+	if cal == nil {
+		t.Fatal("expected non-nil result")
+	}
+	// BMR = 10*80 + 6.25*180 - 5*30 + 5 = 800 + 1125 - 150 + 5 = 1780
+	// TDEE = 1780 * 1.55 = 2759
+	if *cal != 2759 {
+		t.Errorf("expected 2759, got %d", *cal)
+	}
+}
+
+func TestCalculateDailyCalories_FemaleLose(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(165), ptr(60.0), ptr(25), ptr("female"), ptr("low"), ptr("lose"))
+	if cal == nil {
+		t.Fatal("expected non-nil result")
+	}
+	// BMR = 10*60 + 6.25*165 - 5*25 - 161 = 600 + 1031.25 - 125 - 161 = 1345.25
+	// TDEE = 1345.25 * 1.375 = 1849.72
+	// Goal: -500 = 1349.72 → 1350
+	if *cal != 1350 {
+		t.Errorf("expected 1350, got %d", *cal)
+	}
+}
+
+func TestCalculateDailyCalories_MaleGain(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(175), ptr(70.0), ptr(28), ptr("male"), ptr("high"), ptr("gain"))
+	if cal == nil {
+		t.Fatal("expected non-nil result")
+	}
+	// BMR = 10*70 + 6.25*175 - 5*28 + 5 = 700 + 1093.75 - 140 + 5 = 1658.75
+	// TDEE = 1658.75 * 1.725 = 2861.34
+	// Goal: +300 = 3161.34 → 3161
+	if *cal != 3161 {
+		t.Errorf("expected 3161, got %d", *cal)
+	}
+}
+
+func TestCalculateDailyCalories_NilHeight(t *testing.T) {
+	cal := CalculateDailyCalories(nil, ptr(80.0), ptr(30), ptr("male"), ptr("moderate"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil when height is nil")
+	}
+}
+
+func TestCalculateDailyCalories_NilWeight(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), nil, ptr(30), ptr("male"), ptr("moderate"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil when weight is nil")
+	}
+}
+
+func TestCalculateDailyCalories_InvalidGender(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), ptr(80.0), ptr(30), ptr("other"), ptr("moderate"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil for invalid gender")
+	}
+}
+
+func TestCalculateDailyCalories_InvalidActivity(t *testing.T) {
+	cal := CalculateDailyCalories(ptr(180), ptr(80.0), ptr(30), ptr("male"), ptr("extreme"), ptr("maintain"))
+	if cal != nil {
+		t.Fatal("expected nil for invalid activity")
+	}
+}
--- a/backend/internal/user/handler.go
+++ b/backend/internal/user/handler.go
@@ -0,0 +1,78 @@
+package user
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"github.com/food-ai/backend/internal/middleware"
+)
+
+const maxRequestBodySize = 1 << 20 // 1 MB
+
+type Handler struct {
+	service *Service
+}
+
+func NewHandler(service *Service) *Handler {
+	return &Handler{service: service}
+}
+
+func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
+	userID := middleware.UserIDFromCtx(r.Context())
+	if userID == "" {
+		writeErrorJSON(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	u, err := h.service.GetProfile(r.Context(), userID)
+	if err != nil {
+		writeErrorJSON(w, http.StatusNotFound, "user not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, u)
+}
+
+func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
+	userID := middleware.UserIDFromCtx(r.Context())
+	if userID == "" {
+		writeErrorJSON(w, http.StatusUnauthorized, "unauthorized")
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
+	var req UpdateProfileRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErrorJSON(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+
+	u, err := h.service.UpdateProfile(r.Context(), userID, req)
+	if err != nil {
+		writeErrorJSON(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusOK, u)
+}
+
+type errorResponse struct {
+	Error string `json:"error"`
+}
+
+func writeErrorJSON(w http.ResponseWriter, status int, msg string) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(errorResponse{Error: msg}); err != nil {
+		slog.Error("failed to write error response", "err", err)
+	}
+}
+
+func writeJSON(w http.ResponseWriter, status int, v interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(v); err != nil {
+		slog.Error("failed to write JSON response", "err", err)
+	}
+}
--- a/backend/internal/user/mocks/repository.go
+++ b/backend/internal/user/mocks/repository.go
@@ -0,0 +1,46 @@
+package mocks
+
+import (
+	"context"
+	"time"
+
+	"github.com/food-ai/backend/internal/user"
+)
+
+type MockUserRepository struct {
+	UpsertByFirebaseUIDFn func(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error)
+	GetByIDFn             func(ctx context.Context, id string) (*user.User, error)
+	UpdateFn              func(ctx context.Context, id string, req user.UpdateProfileRequest) (*user.User, error)
+	UpdateInTxFn          func(ctx context.Context, id string, profileReq user.UpdateProfileRequest, caloriesReq *user.UpdateProfileRequest) (*user.User, error)
+	SetRefreshTokenFn     func(ctx context.Context, id, token string, expiresAt time.Time) error
+	FindByRefreshTokenFn  func(ctx context.Context, token string) (*user.User, error)
+	ClearRefreshTokenFn   func(ctx context.Context, id string) error
+}
+
+func (m *MockUserRepository) UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*user.User, error) {
+	return m.UpsertByFirebaseUIDFn(ctx, uid, email, name, avatarURL)
+}
+
+func (m *MockUserRepository) GetByID(ctx context.Context, id string) (*user.User, error) {
+	return m.GetByIDFn(ctx, id)
+}
+
+func (m *MockUserRepository) Update(ctx context.Context, id string, req user.UpdateProfileRequest) (*user.User, error) {
+	return m.UpdateFn(ctx, id, req)
+}
+
+func (m *MockUserRepository) UpdateInTx(ctx context.Context, id string, profileReq user.UpdateProfileRequest, caloriesReq *user.UpdateProfileRequest) (*user.User, error) {
+	return m.UpdateInTxFn(ctx, id, profileReq, caloriesReq)
+}
+
+func (m *MockUserRepository) SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error {
+	return m.SetRefreshTokenFn(ctx, id, token, expiresAt)
+}
+
+func (m *MockUserRepository) FindByRefreshToken(ctx context.Context, token string) (*user.User, error) {
+	return m.FindByRefreshTokenFn(ctx, token)
+}
+
+func (m *MockUserRepository) ClearRefreshToken(ctx context.Context, id string) error {
+	return m.ClearRefreshTokenFn(ctx, id)
+}
--- a/backend/internal/user/model.go
+++ b/backend/internal/user/model.go
@@ -0,0 +1,44 @@
+package user
+
+import (
+	"encoding/json"
+	"time"
+)
+
+type User struct {
+	ID            string          `json:"id"`
+	FirebaseUID   string          `json:"-"`
+	Email         string          `json:"email"`
+	Name          string          `json:"name"`
+	AvatarURL     *string         `json:"avatar_url"`
+	HeightCM      *int            `json:"height_cm"`
+	WeightKG      *float64        `json:"weight_kg"`
+	Age           *int            `json:"age"`
+	Gender        *string         `json:"gender"`
+	Activity      *string         `json:"activity"`
+	Goal          *string         `json:"goal"`
+	DailyCalories *int            `json:"daily_calories"`
+	Plan          string          `json:"plan"`
+	Preferences   json.RawMessage `json:"preferences"`
+	CreatedAt     time.Time       `json:"created_at"`
+	UpdatedAt     time.Time       `json:"updated_at"`
+}
+
+type UpdateProfileRequest struct {
+	Name          *string          `json:"name"`
+	HeightCM      *int             `json:"height_cm"`
+	WeightKG      *float64         `json:"weight_kg"`
+	Age           *int             `json:"age"`
+	Gender        *string          `json:"gender"`
+	Activity      *string          `json:"activity"`
+	Goal          *string          `json:"goal"`
+	Preferences   *json.RawMessage `json:"preferences"`
+	DailyCalories *int             `json:"-"` // internal, set by service
+}
+
+// HasBodyParams returns true if any body parameter is being updated
+// that would require recalculation of daily calories.
+func (r *UpdateProfileRequest) HasBodyParams() bool {
+	return r.HeightCM != nil || r.WeightKG != nil || r.Age != nil ||
+		r.Gender != nil || r.Activity != nil || r.Goal != nil
+}
--- a/backend/internal/user/repository.go
+++ b/backend/internal/user/repository.go
@@ -0,0 +1,218 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+// UserRepository defines the persistence interface for user data.
+type UserRepository interface {
+	UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*User, error)
+	GetByID(ctx context.Context, id string) (*User, error)
+	Update(ctx context.Context, id string, req UpdateProfileRequest) (*User, error)
+	UpdateInTx(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error)
+	SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error
+	FindByRefreshToken(ctx context.Context, token string) (*User, error)
+	ClearRefreshToken(ctx context.Context, id string) error
+}
+
+type Repository struct {
+	pool *pgxpool.Pool
+}
+
+func NewRepository(pool *pgxpool.Pool) *Repository {
+	return &Repository{pool: pool}
+}
+
+func (r *Repository) UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*User, error) {
+	var avatarPtr *string
+	if avatarURL != "" {
+		avatarPtr = &avatarURL
+	}
+
+	query := `
+		INSERT INTO users (firebase_uid, email, name, avatar_url)
+		VALUES ($1, $2, $3, $4)
+		ON CONFLICT (firebase_uid) DO UPDATE SET
+			email = EXCLUDED.email,
+			name = CASE WHEN users.name = '' THEN EXCLUDED.name ELSE users.name END,
+			avatar_url = COALESCE(EXCLUDED.avatar_url, users.avatar_url),
+			updated_at = now()
+		RETURNING id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at`
+
+	return r.scanUser(r.pool.QueryRow(ctx, query, uid, email, name, avatarPtr))
+}
+
+func (r *Repository) GetByID(ctx context.Context, id string) (*User, error) {
+	query := `
+		SELECT id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at
+		FROM users WHERE id = $1`
+
+	return r.scanUser(r.pool.QueryRow(ctx, query, id))
+}
+
+func (r *Repository) Update(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+	query, args := buildUpdateQuery(id, req)
+	if query == "" {
+		return r.GetByID(ctx, id)
+	}
+	return r.scanUser(r.pool.QueryRow(ctx, query, args...))
+}
+
+// buildUpdateQuery constructs a dynamic UPDATE query from the request fields.
+// Returns empty string if there are no fields to update.
+func buildUpdateQuery(id string, req UpdateProfileRequest) (string, []interface{}) {
+	setClauses := []string{}
+	args := []interface{}{}
+	argIdx := 1
+
+	if req.Name != nil {
+		setClauses = append(setClauses, fmt.Sprintf("name = $%d", argIdx))
+		args = append(args, *req.Name)
+		argIdx++
+	}
+	if req.HeightCM != nil {
+		setClauses = append(setClauses, fmt.Sprintf("height_cm = $%d", argIdx))
+		args = append(args, *req.HeightCM)
+		argIdx++
+	}
+	if req.WeightKG != nil {
+		setClauses = append(setClauses, fmt.Sprintf("weight_kg = $%d", argIdx))
+		args = append(args, *req.WeightKG)
+		argIdx++
+	}
+	if req.Age != nil {
+		setClauses = append(setClauses, fmt.Sprintf("age = $%d", argIdx))
+		args = append(args, *req.Age)
+		argIdx++
+	}
+	if req.Gender != nil {
+		setClauses = append(setClauses, fmt.Sprintf("gender = $%d", argIdx))
+		args = append(args, *req.Gender)
+		argIdx++
+	}
+	if req.Activity != nil {
+		setClauses = append(setClauses, fmt.Sprintf("activity = $%d", argIdx))
+		args = append(args, *req.Activity)
+		argIdx++
+	}
+	if req.Goal != nil {
+		setClauses = append(setClauses, fmt.Sprintf("goal = $%d", argIdx))
+		args = append(args, *req.Goal)
+		argIdx++
+	}
+	if req.Preferences != nil {
+		setClauses = append(setClauses, fmt.Sprintf("preferences = $%d", argIdx))
+		args = append(args, string(*req.Preferences))
+		argIdx++
+	}
+	if req.DailyCalories != nil {
+		setClauses = append(setClauses, fmt.Sprintf("daily_calories = $%d", argIdx))
+		args = append(args, *req.DailyCalories)
+		argIdx++
+	}
+
+	if len(setClauses) == 0 {
+		return "", nil
+	}
+
+	setClauses = append(setClauses, "updated_at = now()")
+
+	query := fmt.Sprintf(`
+		UPDATE users SET %s
+		WHERE id = $%d
+		RETURNING id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at`,
+		strings.Join(setClauses, ", "), argIdx)
+	args = append(args, id)
+
+	return query, args
+}
+
+func (r *Repository) UpdateInTx(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error) {
+	tx, err := r.pool.BeginTx(ctx, pgx.TxOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("begin tx: %w", err)
+	}
+	defer tx.Rollback(ctx)
+
+	// First update: profile fields
+	query, args := buildUpdateQuery(id, profileReq)
+	if query == "" {
+		return nil, fmt.Errorf("no fields to update")
+	}
+	updated, err := r.scanUser(tx.QueryRow(ctx, query, args...))
+	if err != nil {
+		return nil, fmt.Errorf("update profile: %w", err)
+	}
+
+	// Second update: calories (if provided)
+	if caloriesReq != nil {
+		query, args = buildUpdateQuery(id, *caloriesReq)
+		if query != "" {
+			updated, err = r.scanUser(tx.QueryRow(ctx, query, args...))
+			if err != nil {
+				return nil, fmt.Errorf("update calories: %w", err)
+			}
+		}
+	}
+
+	if err := tx.Commit(ctx); err != nil {
+		return nil, fmt.Errorf("commit tx: %w", err)
+	}
+
+	return updated, nil
+}
+
+func (r *Repository) SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error {
+	query := `UPDATE users SET refresh_token = $2, token_expires_at = $3, updated_at = now() WHERE id = $1`
+	_, err := r.pool.Exec(ctx, query, id, token, expiresAt)
+	return err
+}
+
+func (r *Repository) FindByRefreshToken(ctx context.Context, token string) (*User, error) {
+	query := `
+		SELECT id, firebase_uid, email, name, avatar_url,
+			height_cm, weight_kg, age, gender, activity, goal, daily_calories,
+			plan, preferences, created_at, updated_at
+		FROM users
+		WHERE refresh_token = $1 AND token_expires_at > now()`
+
+	return r.scanUser(r.pool.QueryRow(ctx, query, token))
+}
+
+func (r *Repository) ClearRefreshToken(ctx context.Context, id string) error {
+	query := `UPDATE users SET refresh_token = NULL, token_expires_at = NULL, updated_at = now() WHERE id = $1`
+	_, err := r.pool.Exec(ctx, query, id)
+	return err
+}
+
+type scannable interface {
+	Scan(dest ...interface{}) error
+}
+
+func (r *Repository) scanUser(row scannable) (*User, error) {
+	var u User
+	var prefs []byte
+	err := row.Scan(
+		&u.ID, &u.FirebaseUID, &u.Email, &u.Name, &u.AvatarURL,
+		&u.HeightCM, &u.WeightKG, &u.Age, &u.Gender, &u.Activity, &u.Goal, &u.DailyCalories,
+		&u.Plan, &prefs, &u.CreatedAt, &u.UpdatedAt,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("scan user: %w", err)
+	}
+	u.Preferences = json.RawMessage(prefs)
+	return &u, nil
+}
--- a/backend/internal/user/repository_integration_test.go
+++ b/backend/internal/user/repository_integration_test.go
@@ -0,0 +1,209 @@
+//go:build integration
+
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/food-ai/backend/internal/testutil"
+)
+
+func TestRepository_UpsertByFirebaseUID_Insert(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	u, err := repo.UpsertByFirebaseUID(ctx, "fb-123", "test@example.com", "Test User", "https://avatar.url")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.FirebaseUID != "fb-123" {
+		t.Errorf("expected fb-123, got %s", u.FirebaseUID)
+	}
+	if u.Email != "test@example.com" {
+		t.Errorf("expected test@example.com, got %s", u.Email)
+	}
+	if u.Plan != "free" {
+		t.Errorf("expected free, got %s", u.Plan)
+	}
+}
+
+func TestRepository_UpsertByFirebaseUID_Update(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	_, _ = repo.UpsertByFirebaseUID(ctx, "fb-123", "old@example.com", "Old Name", "")
+	u, err := repo.UpsertByFirebaseUID(ctx, "fb-123", "new@example.com", "New Name", "https://new-avatar.url")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.Email != "new@example.com" {
+		t.Errorf("expected new email, got %s", u.Email)
+	}
+	// Name should not be overwritten if already set
+	if u.Name != "Old Name" {
+		t.Errorf("expected name to be preserved as 'Old Name', got %s", u.Name)
+	}
+}
+
+func TestRepository_GetByID(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-get", "get@example.com", "Get User", "")
+	u, err := repo.GetByID(ctx, created.ID)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.ID != created.ID {
+		t.Errorf("expected %s, got %s", created.ID, u.ID)
+	}
+}
+
+func TestRepository_GetByID_NotFound(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	_, err := repo.GetByID(ctx, "00000000-0000-0000-0000-000000000000")
+	if err == nil {
+		t.Fatal("expected error for non-existent user")
+	}
+}
+
+func TestRepository_Update(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-upd", "upd@example.com", "Update User", "")
+	height := 180
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{HeightCM: &height})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.HeightCM == nil || *u.HeightCM != 180 {
+		t.Errorf("expected height 180, got %v", u.HeightCM)
+	}
+}
+
+func TestRepository_Update_MultipleFields(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-multi", "multi@example.com", "Multi User", "")
+	height := 175
+	weight := 70.5
+	age := 25
+	gender := "male"
+	activity := "moderate"
+	goal := "maintain"
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{
+		HeightCM: &height,
+		WeightKG: &weight,
+		Age:      &age,
+		Gender:   &gender,
+		Activity: &activity,
+		Goal:     &goal,
+	})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.HeightCM == nil || *u.HeightCM != 175 {
+		t.Errorf("expected 175, got %v", u.HeightCM)
+	}
+	if u.WeightKG == nil || *u.WeightKG != 70.5 {
+		t.Errorf("expected 70.5, got %v", u.WeightKG)
+	}
+}
+
+func TestRepository_Update_Preferences(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-prefs", "prefs@example.com", "Prefs User", "")
+	prefs := json.RawMessage(`{"cuisines":["russian","asian"]}`)
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{Preferences: &prefs})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	var p map[string]interface{}
+	json.Unmarshal(u.Preferences, &p)
+	if p["cuisines"] == nil {
+		t.Error("expected cuisines in preferences")
+	}
+}
+
+func TestRepository_SetAndFindRefreshToken(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-token", "token@example.com", "Token User", "")
+	err := repo.SetRefreshToken(ctx, created.ID, "refresh-token-123", time.Now().Add(24*time.Hour))
+	if err != nil {
+		t.Fatalf("unexpected error setting token: %v", err)
+	}
+
+	u, err := repo.FindByRefreshToken(ctx, "refresh-token-123")
+	if err != nil {
+		t.Fatalf("unexpected error finding by token: %v", err)
+	}
+	if u.ID != created.ID {
+		t.Errorf("expected %s, got %s", created.ID, u.ID)
+	}
+}
+
+func TestRepository_FindByRefreshToken_Expired(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-expired", "expired@example.com", "Expired User", "")
+	_ = repo.SetRefreshToken(ctx, created.ID, "expired-token", time.Now().Add(-1*time.Hour))
+
+	_, err := repo.FindByRefreshToken(ctx, "expired-token")
+	if err == nil {
+		t.Fatal("expected error for expired token")
+	}
+}
+
+func TestRepository_ClearRefreshToken(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-clear", "clear@example.com", "Clear User", "")
+	_ = repo.SetRefreshToken(ctx, created.ID, "token-to-clear", time.Now().Add(24*time.Hour))
+	err := repo.ClearRefreshToken(ctx, created.ID)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	_, err = repo.FindByRefreshToken(ctx, "token-to-clear")
+	if err == nil {
+		t.Fatal("expected error after clearing token")
+	}
+}
+
+func TestRepository_Update_NoFields(t *testing.T) {
+	pool := testutil.SetupTestDB(t)
+	repo := NewRepository(pool)
+	ctx := context.Background()
+
+	created, _ := repo.UpsertByFirebaseUID(ctx, "fb-noop", "noop@example.com", "Noop User", "")
+	u, err := repo.Update(ctx, created.ID, UpdateProfileRequest{})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.ID != created.ID {
+		t.Errorf("expected %s, got %s", created.ID, u.ID)
+	}
+}
--- a/backend/internal/user/service.go
+++ b/backend/internal/user/service.go
@@ -0,0 +1,117 @@
+package user
+
+import (
+	"context"
+	"fmt"
+)
+
+type Service struct {
+	repo UserRepository
+}
+
+func NewService(repo UserRepository) *Service {
+	return &Service{repo: repo}
+}
+
+func (s *Service) GetProfile(ctx context.Context, userID string) (*User, error) {
+	return s.repo.GetByID(ctx, userID)
+}
+
+func (s *Service) UpdateProfile(ctx context.Context, userID string, req UpdateProfileRequest) (*User, error) {
+	if err := validateProfileRequest(req); err != nil {
+		return nil, err
+	}
+
+	if !req.HasBodyParams() {
+		updated, err := s.repo.Update(ctx, userID, req)
+		if err != nil {
+			return nil, fmt.Errorf("update profile: %w", err)
+		}
+		return updated, nil
+	}
+
+	// Need to update profile + recalculate calories in a single transaction.
+	// First, get current user to merge with incoming fields for calorie calculation.
+	current, err := s.repo.GetByID(ctx, userID)
+	if err != nil {
+		return nil, fmt.Errorf("get user: %w", err)
+	}
+
+	// Merge current values with request to compute calories
+	height := current.HeightCM
+	if req.HeightCM != nil {
+		height = req.HeightCM
+	}
+	weight := current.WeightKG
+	if req.WeightKG != nil {
+		weight = req.WeightKG
+	}
+	age := current.Age
+	if req.Age != nil {
+		age = req.Age
+	}
+	gender := current.Gender
+	if req.Gender != nil {
+		gender = req.Gender
+	}
+	activity := current.Activity
+	if req.Activity != nil {
+		activity = req.Activity
+	}
+	goal := current.Goal
+	if req.Goal != nil {
+		goal = req.Goal
+	}
+
+	calories := CalculateDailyCalories(height, weight, age, gender, activity, goal)
+
+	var calReq *UpdateProfileRequest
+	if calories != nil {
+		calReq = &UpdateProfileRequest{DailyCalories: calories}
+	}
+
+	updated, err := s.repo.UpdateInTx(ctx, userID, req, calReq)
+	if err != nil {
+		return nil, fmt.Errorf("update profile: %w", err)
+	}
+
+	return updated, nil
+}
+
+func validateProfileRequest(req UpdateProfileRequest) error {
+	if req.HeightCM != nil {
+		if *req.HeightCM < 100 || *req.HeightCM > 250 {
+			return fmt.Errorf("height_cm must be between 100 and 250")
+		}
+	}
+	if req.WeightKG != nil {
+		if *req.WeightKG < 30 || *req.WeightKG > 300 {
+			return fmt.Errorf("weight_kg must be between 30 and 300")
+		}
+	}
+	if req.Age != nil {
+		if *req.Age < 10 || *req.Age > 120 {
+			return fmt.Errorf("age must be between 10 and 120")
+		}
+	}
+	if req.Gender != nil {
+		if *req.Gender != "male" && *req.Gender != "female" {
+			return fmt.Errorf("gender must be 'male' or 'female'")
+		}
+	}
+	if req.Activity != nil {
+		switch *req.Activity {
+		case "low", "moderate", "high":
+		default:
+			return fmt.Errorf("activity must be 'low', 'moderate', or 'high'")
+		}
+	}
+	if req.Goal != nil {
+		switch *req.Goal {
+		case "lose", "maintain", "gain":
+		default:
+			return fmt.Errorf("goal must be 'lose', 'maintain', or 'gain'")
+		}
+	}
+	return nil
+}
--- a/backend/internal/user/service_test.go
+++ b/backend/internal/user/service_test.go
@@ -0,0 +1,247 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"testing"
+	"time"
+)
+
+func ptrStr(s string) *string     { return &s }
+func ptrInt(i int) *int           { return &i }
+func ptrFloat(f float64) *float64 { return &f }
+
+// mockUserRepo is an in-package mock to avoid import cycles.
+type mockUserRepo struct {
+	getByIDFn             func(ctx context.Context, id string) (*User, error)
+	updateFn              func(ctx context.Context, id string, req UpdateProfileRequest) (*User, error)
+	updateInTxFn          func(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error)
+	upsertByFirebaseUIDFn func(ctx context.Context, uid, email, name, avatarURL string) (*User, error)
+	setRefreshTokenFn     func(ctx context.Context, id, token string, expiresAt time.Time) error
+	findByRefreshTokenFn  func(ctx context.Context, token string) (*User, error)
+	clearRefreshTokenFn   func(ctx context.Context, id string) error
+}
+
+func (m *mockUserRepo) UpsertByFirebaseUID(ctx context.Context, uid, email, name, avatarURL string) (*User, error) {
+	return m.upsertByFirebaseUIDFn(ctx, uid, email, name, avatarURL)
+}
+func (m *mockUserRepo) GetByID(ctx context.Context, id string) (*User, error) {
+	return m.getByIDFn(ctx, id)
+}
+func (m *mockUserRepo) Update(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+	return m.updateFn(ctx, id, req)
+}
+func (m *mockUserRepo) UpdateInTx(ctx context.Context, id string, profileReq UpdateProfileRequest, caloriesReq *UpdateProfileRequest) (*User, error) {
+	return m.updateInTxFn(ctx, id, profileReq, caloriesReq)
+}
+func (m *mockUserRepo) SetRefreshToken(ctx context.Context, id, token string, expiresAt time.Time) error {
+	return m.setRefreshTokenFn(ctx, id, token, expiresAt)
+}
+func (m *mockUserRepo) FindByRefreshToken(ctx context.Context, token string) (*User, error) {
+	return m.findByRefreshTokenFn(ctx, token)
+}
+func (m *mockUserRepo) ClearRefreshToken(ctx context.Context, id string) error {
+	return m.clearRefreshTokenFn(ctx, id)
+}
+
+func TestGetProfile_Success(t *testing.T) {
+	repo := &mockUserRepo{
+		getByIDFn: func(ctx context.Context, id string) (*User, error) {
+			return &User{ID: id, Email: "test@example.com", Plan: "free"}, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.GetProfile(context.Background(), "user-1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.ID != "user-1" {
+		t.Errorf("expected user-1, got %s", u.ID)
+	}
+}
+
+func TestGetProfile_NotFound(t *testing.T) {
+	repo := &mockUserRepo{
+		getByIDFn: func(ctx context.Context, id string) (*User, error) {
+			return nil, fmt.Errorf("not found")
+		},
+	}
+	svc := NewService(repo)
+
+	_, err := svc.GetProfile(context.Background(), "nonexistent")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestUpdateProfile_NameOnly(t *testing.T) {
+	repo := &mockUserRepo{
+		updateFn: func(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+			return &User{ID: id, Name: *req.Name, Plan: "free"}, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Name: ptrStr("New Name")})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.Name != "New Name" {
+		t.Errorf("expected 'New Name', got %q", u.Name)
+	}
+}
+
+func TestUpdateProfile_WithCaloriesRecalculation(t *testing.T) {
+	profileReq := UpdateProfileRequest{
+		HeightCM: ptrInt(180),
+		WeightKG: ptrFloat(80),
+		Age:      ptrInt(30),
+		Gender:   ptrStr("male"),
+		Activity: ptrStr("moderate"),
+		Goal:     ptrStr("maintain"),
+	}
+	finalUser := &User{
+		ID:            "user-1",
+		HeightCM:      ptrInt(180),
+		WeightKG:      ptrFloat(80),
+		Age:           ptrInt(30),
+		Gender:        ptrStr("male"),
+		Activity:      ptrStr("moderate"),
+		Goal:          ptrStr("maintain"),
+		DailyCalories: ptrInt(2759),
+		Plan:          "free",
+	}
+
+	repo := &mockUserRepo{
+		// Service calls GetByID first to merge current values for calorie calculation
+		getByIDFn: func(ctx context.Context, id string) (*User, error) {
+			return &User{ID: id, Plan: "free"}, nil
+		},
+		updateInTxFn: func(ctx context.Context, id string, pReq UpdateProfileRequest, cReq *UpdateProfileRequest) (*User, error) {
+			if cReq == nil {
+				t.Error("expected caloriesReq to be non-nil")
+			} else if *cReq.DailyCalories != 2759 {
+				t.Errorf("expected calories 2759, got %d", *cReq.DailyCalories)
+			}
+			return finalUser, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.UpdateProfile(context.Background(), "user-1", profileReq)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if u.DailyCalories == nil {
+		t.Fatal("expected daily_calories to be set")
+	}
+	if *u.DailyCalories != 2759 {
+		t.Errorf("expected 2759, got %d", *u.DailyCalories)
+	}
+}
+
+func TestUpdateProfile_InvalidHeight_TooLow(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{HeightCM: ptrInt(50)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidHeight_TooHigh(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{HeightCM: ptrInt(300)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidWeight_TooLow(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{WeightKG: ptrFloat(10)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidWeight_TooHigh(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{WeightKG: ptrFloat(400)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidAge_TooLow(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Age: ptrInt(5)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidAge_TooHigh(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Age: ptrInt(150)})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidGender(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Gender: ptrStr("other")})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidActivity(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Activity: ptrStr("extreme")})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_InvalidGoal(t *testing.T) {
+	svc := NewService(&mockUserRepo{})
+
+	_, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Goal: ptrStr("bulk")})
+	if err == nil {
+		t.Fatal("expected validation error")
+	}
+}
+
+func TestUpdateProfile_Preferences(t *testing.T) {
+	prefs := json.RawMessage(`{"cuisines":["russian"]}`)
+	repo := &mockUserRepo{
+		updateFn: func(ctx context.Context, id string, req UpdateProfileRequest) (*User, error) {
+			return &User{
+				ID:          id,
+				Plan:        "free",
+				Preferences: *req.Preferences,
+				UpdatedAt:   time.Now(),
+			}, nil
+		},
+	}
+	svc := NewService(repo)
+
+	u, err := svc.UpdateProfile(context.Background(), "user-1", UpdateProfileRequest{Preferences: &prefs})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if string(u.Preferences) != `{"cuisines":["russian"]}` {
+		t.Errorf("unexpected preferences: %s", u.Preferences)
+	}
+}