Skip to main content

Overview

The User struct represents a user account in the system. It is stored in the MongoDB users collection and includes authentication credentials, profile information, and metadata.

User Struct Definition

type User struct {
    ID          string    `json:"id" bson:"_id"`
    Email       string    `json:"email" bson:"email"`
    Phone       string    `json:"phone" bson:"phone"`
    Password    []byte    `json:"password" bson:"password"`
    Role        string    `json:"role" bson:"role"`
    Status      string    `json:"status" bson:"status"`
    AccountType string    `json:"account_type" bson:"account_type"`
    CreatedAt   time.Time `json:"created_at" bson:"created_at"`
    UpdatedAt   time.Time `json:"updated_at" bson:"updated_at"`
}
Source: backend/users/model.go:12-22

Fields

ID

ID
string
required
Unique user identifier (UUID v4 format)
  • JSON key: id
  • MongoDB field: _id
  • Format: UUID v4 (e.g., a1b2c3d4-e5f6-7890-abcd-ef1234567890)
  • Generated: Automatically during registration using uuid.New().String()

Email

Email
string
required
User’s email address (unique)
  • JSON key: email
  • MongoDB field: email
  • Constraints: Must be unique across all users
  • Used for: Login authentication, account identification

Phone

Phone
string
User’s phone number
  • JSON key: phone
  • MongoDB field: phone
  • Format: No specific format enforced in model
  • Used for: Alternative lookup method

Password

Password
[]byte
required
Hashed password (bcrypt)
  • JSON key: password
  • MongoDB field: password
  • Storage: bcrypt hash with cost factor 14
  • Security: Never stored in plain text, never returned in API responses
Password should never be included in API responses. Always exclude this field when serializing user data.

Role

Role
string
User’s role for authorization
  • JSON key: role
  • MongoDB field: role
  • Common values: admin, user, moderator (not enforced by model)
  • Default: Not set during registration

Status

Status
string
required
User account status
  • JSON key: status
  • MongoDB field: status
  • Valid values:
    • pending: Newly registered, awaiting verification
    • active: Account is active and can log in
    • Custom statuses: suspended, banned, etc.
  • Default: "pending" for new registrations
  • Login requirement: Must be "active" to log in

AccountType

AccountType
string
Type of user account
  • JSON key: account_type
  • MongoDB field: account_type
  • Common values: free, premium, enterprise (not enforced by model)
  • Default: Not set during registration

CreatedAt

CreatedAt
time.Time
required
Account creation timestamp
  • JSON key: created_at
  • MongoDB field: created_at
  • Format: Go time.Time, serialized as RFC3339 in JSON
  • Set: Automatically during registration using time.Now()

UpdatedAt

UpdatedAt
time.Time
Last update timestamp
  • JSON key: updated_at
  • MongoDB field: updated_at
  • Format: Go time.Time, serialized as RFC3339 in JSON
  • Set: Should be updated on user modifications (not automatically handled)

Struct Tags

Each field includes multiple struct tags for different frameworks:
  • json: Field name in JSON serialization
  • bson: Field name in MongoDB documents
  • query: Query parameter binding (Echo framework)
  • form: Form data binding (Echo framework)
  • param: URL parameter binding (Echo framework)

MongoDB Collection

Users are stored in the users collection with the following characteristics:
  • Database: Default database from MONGODB_URI
  • Collection name: users
  • Primary key: _id (maps to User.ID)
  • Indexes: Email should be unique (enforce at database level)

Example User Document

In Go

user := users.User{
    ID:        "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    Email:     "[email protected]",
    Phone:     "+1234567890",
    Password:  []byte("$2a$14$..."), // bcrypt hash
    Role:      "user",
    Status:    "active",
    AccountType: "free",
    CreatedAt: time.Now(),
    UpdatedAt: time.Now(),
}

In MongoDB

{
  "_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "email": "[email protected]",
  "phone": "+1234567890",
  "password": "<binary-bcrypt-hash>",
  "role": "user",
  "status": "active",
  "account_type": "free",
  "created_at": "2026-03-04T10:30:00Z",
  "updated_at": "2026-03-04T10:30:00Z"
}

In JSON API Response

Always exclude the password field from API responses.
{
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "email": "[email protected]",
  "phone": "+1234567890",
  "role": "user",
  "status": "active",
  "account_type": "free",
  "created_at": "2026-03-04T10:30:00Z",
  "updated_at": "2026-03-04T10:30:00Z"
}

User Creation Defaults

When a user registers, the following defaults are applied:
FieldDefault Value
IDuuid.New().String()
EmailUser provided
PhoneNot set
Passwordbcrypt hash of user’s password
RoleNot set
Status"pending"
AccountTypeNot set
CreatedAttime.Now()
UpdatedAtNot set
Source: backend/auth/controller.go:30-48

Validation

The model itself does not include validation tags. Validation should be performed at the handler level:
  • Email: Check format, uniqueness
  • Password: Minimum length, complexity requirements
  • Phone: Format validation if required
  • Status: Validate against allowed values

Security Best Practices

  1. Password Handling
    • Always hash passwords with bcrypt before storing
    • Never return password in API responses
    • Use cost factor 14 or higher
  2. Email Privacy
    • Consider email visibility in public profiles
    • Implement email change verification
  3. Status Enforcement
    • Check status before allowing login
    • Implement status change audit logs
  4. Phone Verification
    • Verify phone numbers before allowing phone-based operations
    • Implement OTP for phone changes

Build docs developers (and LLMs) love

Get started for freeTalk to us