fix: prohibit ename update pictique

[sosweetham]

Description of change

remove client side pictique "name" update code to reduce confusion with ename updation (default name)

Issue Number

closes #247

Type of change

• Fix (a change which fixes an issue)

How the change has been tested

manual

Change checklist

• I have ensured that the CI Checks pass locally
• I have removed any unnecessary logic
• My code is well documented
• I have signed my commits
• My code follows the pattern of the application
• I have self reviewed my code

Summary by CodeRabbit

• New Features

  • Added eName field in account settings displaying your eVault real name (read-only, auto‑synced)
  • Public username field relabeled to "Change your username" and remains editable

• Bug Fixes

  • Profile updates now only send name and avatar to the server
  • Handle/eName is no longer editable from settings to ensure consistent syncing with eVault

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@coodos has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 56 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 3dcc92e and 48acfcd.

📒 Files selected for processing (1)

• platforms/pictique/src/routes/(protected)/settings/account/username/+page.svelte

📝 Walkthrough

Walkthrough

Client UI now displays a read-only "eName" (synced from eVault) and a separate editable public username; client PATCH payload no longer includes handle. Server APIs and service layer no longer accept or update handle from the request—only name and avatar are applied.

Changes

Cohort / File(s)	Summary
Settings Account Username Page platforms/pictique/src/routes/(protected)/settings/account/username/+page.svelte	Replaced first username input with disabled "eName" field (label + helper text, bound to handle); kept editable public username bound to name; changed client PATCH payload to send only name and avatar (removed sending handle).
User Update Controller platforms/pictique-api/src/controllers/UserController.ts	Removed reading handle from request body; controller now builds update payload from name and avatar only and no longer merges a provided handle or fetches/overwrites handle from req.body.
User Service platforms/pictique-api/src/services/UserService.ts	Updated updateProfile signature to accept only { avatarUrl?: string; name?: string } and removed handling of handle updates in service logic.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client (UI)
  participant Server as API Server
  participant Service as UserService
  participant DB as Database
  participant eVault as eVault (External)

  rect rgba(200,220,255,0.5)
  Client->>Server: GET /api/users/me
  Server->>Service: fetch current user
  Service->>DB: SELECT user
  DB-->>Service: user { id, name, handle, avatarUrl }
  Service-->>Server: user
  Server-->>Client: user payload (eName = handle)
  end

  rect rgba(200,255,200,0.5)
  Note over eVault,DB: handle/eName is maintained by eVault sync (external)
  end

  rect rgba(255,240,200,0.5)
  Client->>Server: PATCH /api/users { name, avatar }  (no handle)
  Server->>Service: updateProfile(userId, { name, avatarUrl })
  Service->>DB: UPDATE users SET name=?, avatarUrl=? WHERE id=?
  DB-->>Service: updated user
  Service-->>Server: updated user
  Server-->>Client: updated user payload
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Fix/author details #229 — Modifies the same settings/account/username page and related profile-save behavior (related client-side changes around sending handle).

Suggested reviewers

• coodos

Poem

🐰 I nibble tokens, tidy and spry,
eName sits quiet, read-only sky,
Public name hops, free to roam,
Handle stays snug, back in its home,
A tiny change — a tidy byte of sky.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: prohibiting eName updates in Pictique by removing the handle field from client and server code.
Description check	✅ Passed	The description follows the template structure with all required sections completed: change description, issue number, type of change, testing method, and completed checklist.
Linked Issues check	✅ Passed	Changes fully address issue #247 requirements: handle/eName is now prohibited from being updated, and the UI field has been renamed to 'eName' with disabled input.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #247: removing handle from the update payload, disabling the eName field UI, and updating service/controller signatures.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coodos]

eName == w3id == handle in this case, updating the user's real Name is fine, the username aka the UUID is not

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@platforms/pictique-api/src/controllers/UserController.ts`:
- Around line 181-187: If this.userService.findById(userId) can return null and
you must not clobber eVault-synced handle, first guard for a missing user and
return a 404 (or throw) before calling updateProfile; do not include handle:
user?.handle in the payload—only pass fields that should be updated (e.g.,
avatarUrl: avatar ?? user.avatarUrl, name: name ?? user.name) so updateProfile
cannot overwrite a newer handle, or ensure updateProfile explicitly ignores
handle if present; reference the findById call and the updateProfile invocation
in UserController.

🧹 Nitpick comments (1)

platforms/pictique/src/routes/(protected)/settings/account/username/+page.svelte (1)

85-91: Consider readonly instead of disabled for eName.

Disabled fields are not focusable or copyable; readonly keeps the text selectable and improves accessibility while still preventing edits.

Proposed tweak

-		<Input type="text" placeholder="Your eName" bind:value={handle} disabled class="cursor-not-allowed opacity-70" />
+		<Input
+			type="text"
+			placeholder="Your eName"
+			bind:value={handle}
+			readonly
+			aria-readonly="true"
+			class="cursor-not-allowed opacity-70"
+		/>

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid clobbering eName and guard missing user.

If findById returns null, the update may write undefined values. Also, writing handle: user?.handle can overwrite a newer eVault-synced handle between read and update. Prefer a 404 guard and omit handle from the update payload (or ensure the service ignores it).

Proposed fix

-            const user = await this.userService.findById(userId);
+            const user = await this.userService.findById(userId);
+            if (!user) {
+                return res.status(404).json({ error: "User not found" });
+            }

-            // Note: handle is not updatable to preserve eVault sync
+            // Note: handle is not updatable to preserve eVault sync (omit from update payload)
             const updatedUser = await this.userService.updateProfile(userId, {
-                handle: user?.handle,
-                avatarUrl: avatar ?? user?.avatarUrl,
-                name: name ?? user?.name,
+                avatarUrl: avatar ?? user.avatarUrl,
+                name: name ?? user.name,
             });

🤖 Prompt for AI Agents

In `@platforms/pictique-api/src/controllers/UserController.ts` around lines 181 -
187, If this.userService.findById(userId) can return null and you must not
clobber eVault-synced handle, first guard for a missing user and return a 404
(or throw) before calling updateProfile; do not include handle: user?.handle in
the payload—only pass fields that should be updated (e.g., avatarUrl: avatar ??
user.avatarUrl, name: name ?? user.name) so updateProfile cannot overwrite a
newer handle, or ensure updateProfile explicitly ignores handle if present;
reference the findById call and the updateProfile invocation in UserController.