Add user authentication, RBAC, and improved recruiter dashboard

- JWT-based auth with access tokens (15m) and refresh tokens (7d) - User registration, login, logout, and /auth/me endpoints - Three roles: admin, recruiter, hiring_manager with middleware enforcement - users and refresh_tokens tables with bcrypt password hashing - Login and Register pages with full form validation - Protected routes — unauthenticated users redirect to /login - Dashboard upgraded: real metrics, pipeline overview with progress bars, recent activity feed with 30s polling, and quick-action cards - Dashboard API endpoints: /api/dashboard/metrics, pipeline-summary, recent-activity Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-21 22:06:11 +00:00
parent ede906ed3a
commit c4940e9691
11 changed files with 2036 additions and 84 deletions
--- a/client/package-lock.json
+++ b/client/package-lock.json
--- a/client/package.json
+++ b/client/package.json
@@ -9,28 +9,29 @@
    "preview": "vite preview"
  },
  "dependencies": {
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
-    "react-router-dom": "^7.1.0",
-    "class-variance-authority": "^0.7.1",
-    "clsx": "^2.1.1",
-    "tailwind-merge": "^2.6.0",
-    "lucide-react": "^0.469.0",
-    "@radix-ui/react-slot": "^1.1.1",
-    "@radix-ui/react-separator": "^1.1.1",
    "@radix-ui/react-dialog": "^1.1.4",
    "@radix-ui/react-label": "^2.1.1",
    "@radix-ui/react-select": "^2.1.4",
+    "@radix-ui/react-separator": "^1.1.1",
+    "@radix-ui/react-slot": "^1.1.1",
    "@radix-ui/react-tabs": "^1.1.2",
-    "@radix-ui/react-toast": "^1.2.4"
+    "@radix-ui/react-toast": "^1.2.4",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^0.469.0",
+    "radix-ui": "^1.4.3",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "react-router-dom": "^7.1.0",
+    "tailwind-merge": "^2.6.0"
  },
  "devDependencies": {
+    "@tailwindcss/vite": "^4.0.0",
    "@types/react": "^19.0.0",
    "@types/react-dom": "^19.0.0",
    "@vitejs/plugin-react": "^4.3.4",
-    "typescript": "~5.7.0",
-    "vite": "^6.0.0",
    "tailwindcss": "^4.0.0",
-    "@tailwindcss/vite": "^4.0.0"
+    "typescript": "~5.7.0",
+    "vite": "^6.0.0"
  }
 }
--- a/client/src/App.tsx
+++ b/client/src/App.tsx
@@ -1,42 +1,77 @@
-import { BrowserRouter, Routes, Route, NavLink } from 'react-router-dom'
+import { BrowserRouter, Routes, Route, NavLink, Navigate } from 'react-router-dom'
+import { AuthProvider, useAuth } from '@/lib/auth'
 import HomePage from '@/pages/Home'
 import CandidatesPage from '@/pages/Candidates'
 import JobsPage from '@/pages/Jobs'
 import ScorecardsPage from '@/pages/Scorecards'
+import LoginPage from '@/pages/Login'
+import RegisterPage from '@/pages/Register'
+
+function ProtectedRoute({ children }: { children: React.ReactNode }) {
+  const { user, loading } = useAuth()
+  if (loading) return <div className="min-h-screen flex items-center justify-center text-muted-foreground">Loading...</div>
+  if (!user) return <Navigate to="/login" replace />
+  return <>{children}</>
+}
+
+function Layout() {
+  const { user, logout } = useAuth()
+
+  return (
+    <div className="min-h-screen bg-[#F9FAFB]">
+      <header className="border-b sticky top-0 bg-white z-10 shadow-sm">
+        <div className="container mx-auto flex h-16 items-center justify-between px-4">
+          <div className="flex items-center gap-2">
+            <span className="text-xl font-bold text-[#3B82F6]">HireFlow</span>
+            <span className="text-xs text-muted-foreground bg-muted px-2 py-0.5 rounded-full hidden sm:block">AI Recruitment</span>
+          </div>
+          <nav className="flex items-center gap-1">
+            <NavLink to="/" end className={({ isActive }) =>
+              `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-[#3B82F6] text-white' : 'hover:bg-muted'}`
+            }>Dashboard</NavLink>
+            <NavLink to="/candidates" className={({ isActive }) =>
+              `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-[#3B82F6] text-white' : 'hover:bg-muted'}`
+            }>Candidates</NavLink>
+            <NavLink to="/jobs" className={({ isActive }) =>
+              `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-[#3B82F6] text-white' : 'hover:bg-muted'}`
+            }>Jobs</NavLink>
+            <NavLink to="/scorecards" className={({ isActive }) =>
+              `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-[#3B82F6] text-white' : 'hover:bg-muted'}`
+            }>Scorecards</NavLink>
+          </nav>
+          {user && (
+            <div className="flex items-center gap-3">
+              <div className="hidden sm:block text-right">
+                <p className="text-xs font-medium">{user.email}</p>
+                <p className="text-xs text-muted-foreground capitalize">{user.role.replace('_', ' ')}</p>
+              </div>
+              <button onClick={logout} className="text-xs text-muted-foreground hover:text-foreground px-2 py-1 rounded hover:bg-muted transition-colors">
+                Sign out
+              </button>
+            </div>
+          )}
+        </div>
+      </header>
+      <Routes>
+        <Route path="/" element={<ProtectedRoute><HomePage /></ProtectedRoute>} />
+        <Route path="/candidates" element={<ProtectedRoute><CandidatesPage /></ProtectedRoute>} />
+        <Route path="/jobs" element={<ProtectedRoute><JobsPage /></ProtectedRoute>} />
+        <Route path="/scorecards" element={<ProtectedRoute><ScorecardsPage /></ProtectedRoute>} />
+      </Routes>
+    </div>
+  )
+}

 function App() {
  return (
    <BrowserRouter>
-      <div className="min-h-screen bg-background">
-        <header className="border-b sticky top-0 bg-background z-10">
-          <div className="container mx-auto flex h-16 items-center justify-between px-4">
-            <div className="flex items-center gap-2">
-              <span className="text-xl font-bold text-primary">HireFlow</span>
-              <span className="text-xs text-muted-foreground bg-muted px-2 py-0.5 rounded-full">AI Recruitment</span>
-            </div>
-            <nav className="flex items-center gap-1">
-              <NavLink to="/" end className={({ isActive }) =>
-                `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-primary text-primary-foreground' : 'hover:bg-muted'}`
-              }>Dashboard</NavLink>
-              <NavLink to="/candidates" className={({ isActive }) =>
-                `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-primary text-primary-foreground' : 'hover:bg-muted'}`
-              }>Candidates</NavLink>
-              <NavLink to="/jobs" className={({ isActive }) =>
-                `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-primary text-primary-foreground' : 'hover:bg-muted'}`
-              }>Jobs</NavLink>
-              <NavLink to="/scorecards" className={({ isActive }) =>
-                `px-3 py-2 rounded-md text-sm font-medium transition-colors ${isActive ? 'bg-primary text-primary-foreground' : 'hover:bg-muted'}`
-              }>Scorecards</NavLink>
-            </nav>
-          </div>
-        </header>
+      <AuthProvider>
        <Routes>
-          <Route path="/" element={<HomePage />} />
-          <Route path="/candidates" element={<CandidatesPage />} />
-          <Route path="/jobs" element={<JobsPage />} />
-          <Route path="/scorecards" element={<ScorecardsPage />} />
+          <Route path="/login" element={<LoginPage />} />
+          <Route path="/register" element={<RegisterPage />} />
+          <Route path="/*" element={<Layout />} />
        </Routes>
-      </div>
+      </AuthProvider>
    </BrowserRouter>
  )
 }
--- a/client/src/components/ui/label.tsx
+++ b/client/src/components/ui/label.tsx
@@ -0,0 +1,22 @@
+import * as React from "react"
+import { Label as LabelPrimitive } from "radix-ui"
+
+import { cn } from "@/lib/utils"
+
+function Label({
+  className,
+  ...props
+}: React.ComponentProps<typeof LabelPrimitive.Root>) {
+  return (
+    <LabelPrimitive.Root
+      data-slot="label"
+      className={cn(
+        "flex items-center gap-2 text-sm leading-none font-medium select-none group-data-[disabled=true]:pointer-events-none group-data-[disabled=true]:opacity-50 peer-disabled:cursor-not-allowed peer-disabled:opacity-50",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export { Label }
--- a/client/src/lib/auth.tsx
+++ b/client/src/lib/auth.tsx
@@ -0,0 +1,127 @@
+import { createContext, useContext, useState, useEffect, ReactNode } from 'react'
+
+interface User {
+  id: number
+  email: string
+  role: 'admin' | 'recruiter' | 'hiring_manager'
+}
+
+interface AuthContextType {
+  user: User | null
+  accessToken: string | null
+  login: (email: string, password: string) => Promise<void>
+  logout: () => Promise<void>
+  register: (email: string, password: string, role?: string) => Promise<void>
+  loading: boolean
+}
+
+const AuthContext = createContext<AuthContextType | null>(null)
+
+export function AuthProvider({ children }: { children: ReactNode }) {
+  const [user, setUser] = useState<User | null>(null)
+  const [accessToken, setAccessToken] = useState<string | null>(null)
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    const token = localStorage.getItem('accessToken')
+    const refreshToken = localStorage.getItem('refreshToken')
+    if (token && refreshToken) {
+      // Verify token by fetching /auth/me
+      fetch('/auth/me', { headers: { Authorization: `Bearer ${token}` } })
+        .then(r => r.json())
+        .then(data => {
+          if (data.id) {
+            setUser(data)
+            setAccessToken(token)
+          } else {
+            // Try refresh
+            return refreshAccessToken(refreshToken)
+          }
+        })
+        .catch(() => {})
+        .finally(() => setLoading(false))
+    } else {
+      setLoading(false)
+    }
+  }, [])
+
+  async function refreshAccessToken(refreshToken: string) {
+    const res = await fetch('/auth/refresh', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ refreshToken })
+    })
+    if (res.ok) {
+      const data = await res.json()
+      setAccessToken(data.accessToken)
+      setUser(data.user)
+      localStorage.setItem('accessToken', data.accessToken)
+    } else {
+      localStorage.removeItem('accessToken')
+      localStorage.removeItem('refreshToken')
+    }
+  }
+
+  async function login(email: string, password: string) {
+    const res = await fetch('/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, password })
+    })
+    const data = await res.json()
+    if (!res.ok) throw new Error(data.error || 'Login failed')
+    setUser(data.user)
+    setAccessToken(data.accessToken)
+    localStorage.setItem('accessToken', data.accessToken)
+    localStorage.setItem('refreshToken', data.refreshToken)
+  }
+
+  async function logout() {
+    const token = accessToken || localStorage.getItem('accessToken')
+    if (token) {
+      await fetch('/auth/logout', {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${token}` }
+      }).catch(() => {})
+    }
+    setUser(null)
+    setAccessToken(null)
+    localStorage.removeItem('accessToken')
+    localStorage.removeItem('refreshToken')
+  }
+
+  async function register(email: string, password: string, role = 'recruiter') {
+    const res = await fetch('/auth/register', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, password, role })
+    })
+    const data = await res.json()
+    if (!res.ok) throw new Error(data.error || 'Registration failed')
+  }
+
+  return (
+    <AuthContext.Provider value={{ user, accessToken, login, logout, register, loading }}>
+      {children}
+    </AuthContext.Provider>
+  )
+}
+
+export function useAuth() {
+  const ctx = useContext(AuthContext)
+  if (!ctx) throw new Error('useAuth must be used within AuthProvider')
+  return ctx
+}
+
+// Helper to make authenticated API calls
+export async function authFetch(url: string, options: RequestInit = {}) {
+  const token = localStorage.getItem('accessToken')
+  return fetch(url, {
+    ...options,
+    headers: {
+      'Content-Type': 'application/json',
+      ...(token ? { Authorization: `Bearer ${token}` } : {}),
+      ...options.headers
+    }
+  })
+}
--- a/client/src/pages/Home.tsx
+++ b/client/src/pages/Home.tsx
@@ -1,34 +1,87 @@
 import { useEffect, useState } from 'react'
+import { Link } from 'react-router-dom'
 import { Card, CardHeader, CardTitle, CardContent } from '@/components/ui/card'
+import { Button } from '@/components/ui/button'
+import { authFetch } from '@/lib/auth'

-interface Stats {
-  candidates: number
-  jobs: number
-  scorecards: number
-  applications: number
+interface Metrics {
+  totalCandidates: number
+  activeJobs: number
+  totalApplications: number
+  interviewsThisWeek: number
+}
+
+interface PipelineSummary {
+  applied: number
+  screening: number
+  interview: number
+  offer: number
+  hired: number
+}
+
+interface Activity {
+  type: string
+  title: string
+  subtitle: string | null
+  timestamp: string
 }

 export default function HomePage() {
-  const [stats, setStats] = useState<Stats>({ candidates: 0, jobs: 0, scorecards: 0, applications: 0 })
+  const [metrics, setMetrics] = useState<Metrics>({ totalCandidates: 0, activeJobs: 0, totalApplications: 0, interviewsThisWeek: 0 })
+  const [pipeline, setPipeline] = useState<PipelineSummary>({ applied: 0, screening: 0, interview: 0, offer: 0, hired: 0 })
+  const [activities, setActivities] = useState<Activity[]>([])

  useEffect(() => {
-    fetch('/api/stats').then(r => r.json()).then(setStats).catch(() => {})
+    const load = () => {
+      authFetch('/api/dashboard/metrics').then(r => r.json()).then(setMetrics).catch(() => {})
+      authFetch('/api/dashboard/pipeline-summary').then(r => r.json()).then(setPipeline).catch(() => {})
+      authFetch('/api/dashboard/recent-activity').then(r => r.json()).then(d => setActivities(d.activities || [])).catch(() => {})
+    }
+    load()
+    const interval = setInterval(load, 30000)
+    return () => clearInterval(interval)
  }, [])

+  const pipelineStages = [
+    { key: 'applied', label: 'Applied', color: 'bg-gray-100 text-gray-700' },
+    { key: 'screening', label: 'Screening', color: 'bg-blue-100 text-blue-700' },
+    { key: 'interview', label: 'Interview', color: 'bg-yellow-100 text-yellow-700' },
+    { key: 'offer', label: 'Offer', color: 'bg-purple-100 text-purple-700' },
+    { key: 'hired', label: 'Hired', color: 'bg-green-100 text-green-700' },
+  ]
+
+  const activityTypeLabel: Record<string, string> = {
+    candidate_added: 'New Candidate',
+    job_posted: 'Job Posted',
+    application: 'Application'
+  }
+
  return (
    <div className="container mx-auto px-4 py-8">
-      <div className="mb-8">
+      <div className="flex flex-col sm:flex-row sm:items-center sm:justify-between mb-8 gap-4">
+        <div>
          <h1 className="text-3xl font-bold">Dashboard</h1>
-        <p className="text-muted-foreground mt-1">AI-powered recruitment platform for Nordic agencies</p>
+          <p className="text-muted-foreground mt-1">Your recruitment activity at a glance</p>
+        </div>
+        <div className="flex gap-2">
+          <Link to="/jobs">
+            <Button className="bg-[#3B82F6] hover:bg-blue-600 text-white">Post a Job</Button>
+          </Link>
+          <Link to="/candidates">
+            <Button variant="outline">Add Candidate</Button>
+          </Link>
+        </div>
      </div>

+      {/* Metrics */}
      <div className="grid gap-4 sm:grid-cols-2 lg:grid-cols-4 mb-8">
        <Card>
          <CardHeader className="pb-2">
            <CardTitle className="text-sm font-medium text-muted-foreground">Total Candidates</CardTitle>
          </CardHeader>
          <CardContent>
-            <div className="text-3xl font-bold">{stats.candidates}</div>
+            <div className="text-3xl font-bold text-[#3B82F6]">{metrics.totalCandidates}</div>
+            <p className="text-xs text-muted-foreground mt-1">In your database</p>
          </CardContent>
        </Card>
        <Card>
@@ -36,7 +89,8 @@ export default function HomePage() {
            <CardTitle className="text-sm font-medium text-muted-foreground">Active Jobs</CardTitle>
          </CardHeader>
          <CardContent>
-            <div className="text-3xl font-bold">{stats.jobs}</div>
+            <div className="text-3xl font-bold text-[#3B82F6]">{metrics.activeJobs}</div>
+            <p className="text-xs text-muted-foreground mt-1">Currently posted</p>
          </CardContent>
        </Card>
        <Card>
@@ -44,51 +98,108 @@ export default function HomePage() {
            <CardTitle className="text-sm font-medium text-muted-foreground">Applications</CardTitle>
          </CardHeader>
          <CardContent>
-            <div className="text-3xl font-bold">{stats.applications}</div>
+            <div className="text-3xl font-bold text-[#3B82F6]">{metrics.totalApplications}</div>
+            <p className="text-xs text-muted-foreground mt-1">Total received</p>
          </CardContent>
        </Card>
        <Card>
          <CardHeader className="pb-2">
-            <CardTitle className="text-sm font-medium text-muted-foreground">Scorecards</CardTitle>
+            <CardTitle className="text-sm font-medium text-muted-foreground">Interviews This Week</CardTitle>
          </CardHeader>
          <CardContent>
-            <div className="text-3xl font-bold">{stats.scorecards}</div>
+            <div className="text-3xl font-bold text-[#3B82F6]">{metrics.interviewsThisWeek}</div>
+            <p className="text-xs text-muted-foreground mt-1">Scorecards submitted</p>
          </CardContent>
        </Card>
      </div>

-      <div className="grid gap-6 md:grid-cols-3">
+      <div className="grid gap-6 lg:grid-cols-2 mb-6">
+        {/* Pipeline Overview */}
        <Card>
          <CardHeader>
-            <CardTitle>AI CV Parsing</CardTitle>
+            <CardTitle>Pipeline Overview</CardTitle>
          </CardHeader>
          <CardContent>
-            <p className="text-sm text-muted-foreground mb-3">
-              Upload CVs and automatically extract candidate information — skills, experience, education — using AI parsing.
-            </p>
-            <a href="/candidates" className="text-sm font-medium text-primary hover:underline">Go to Candidates →</a>
+            {pipeline.applied + pipeline.screening + pipeline.interview + pipeline.offer + pipeline.hired === 0 ? (
+              <div className="text-center py-8 text-muted-foreground">
+                <p className="text-sm">No candidates in pipeline yet.</p>
+                <Link to="/candidates" className="text-[#3B82F6] text-sm hover:underline mt-2 inline-block">Add your first candidate →</Link>
+              </div>
+            ) : (
+              <div className="space-y-3">
+                {pipelineStages.map(stage => (
+                  <div key={stage.key} className="flex items-center gap-3">
+                    <span className={`text-xs font-medium px-2 py-1 rounded-full w-24 text-center ${stage.color}`}>{stage.label}</span>
+                    <div className="flex-1 bg-gray-100 rounded-full h-2">
+                      <div
+                        className="bg-[#3B82F6] h-2 rounded-full transition-all"
+                        style={{ width: `${Math.min(100, (pipeline[stage.key as keyof PipelineSummary] / Math.max(1, metrics.totalApplications)) * 100)}%` }}
+                      />
+                    </div>
+                    <span className="text-sm font-medium w-8 text-right">{pipeline[stage.key as keyof PipelineSummary]}</span>
+                  </div>
+                ))}
+              </div>
+            )}
          </CardContent>
        </Card>
+
+        {/* Recent Activity */}
        <Card>
          <CardHeader>
-            <CardTitle>Multi-Channel Job Posting</CardTitle>
+            <CardTitle>Recent Activity</CardTitle>
          </CardHeader>
          <CardContent>
-            <p className="text-sm text-muted-foreground mb-3">
-              Post jobs to LinkedIn, Indeed, Arbetsförmedlingen, and your company career page with a single click.
-            </p>
-            <a href="/jobs" className="text-sm font-medium text-primary hover:underline">Go to Jobs →</a>
+            {activities.length === 0 ? (
+              <div className="text-center py-8 text-muted-foreground">
+                <p className="text-sm">No activity yet. Start by posting a job or adding a candidate.</p>
+              </div>
+            ) : (
+              <div className="space-y-3">
+                {activities.map((activity, i) => (
+                  <div key={i} className="flex items-start gap-3 py-2 border-b last:border-0">
+                    <div className="flex-1 min-w-0">
+                      <p className="text-sm font-medium truncate">{activity.title}</p>
+                      <p className="text-xs text-muted-foreground">{activityTypeLabel[activity.type] || activity.type}{activity.subtitle ? ` — ${activity.subtitle}` : ''}</p>
+                    </div>
+                    <span className="text-xs text-muted-foreground whitespace-nowrap">
+                      {new Date(activity.timestamp).toLocaleDateString()}
+                    </span>
+                  </div>
+                ))}
+              </div>
+            )}
          </CardContent>
        </Card>
-        <Card>
-          <CardHeader>
-            <CardTitle>Collaborative Scorecards</CardTitle>
-          </CardHeader>
-          <CardContent>
-            <p className="text-sm text-muted-foreground mb-3">
-              Multiple interviewers score candidates using standardized criteria for consistent, unbiased evaluations.
-            </p>
-            <a href="/scorecards" className="text-sm font-medium text-primary hover:underline">Go to Scorecards →</a>
+      </div>
+
+      {/* Quick Actions */}
+      <div className="grid gap-4 sm:grid-cols-3">
+        <Card className="hover:shadow-md transition-shadow cursor-pointer">
+          <CardContent className="pt-6">
+            <Link to="/jobs" className="block">
+              <div className="text-2xl mb-2">💼</div>
+              <h3 className="font-semibold">Post a Job</h3>
+              <p className="text-sm text-muted-foreground mt-1">Publish to LinkedIn, Indeed, and more</p>
+            </Link>
+          </CardContent>
+        </Card>
+        <Card className="hover:shadow-md transition-shadow cursor-pointer">
+          <CardContent className="pt-6">
+            <Link to="/candidates" className="block">
+              <div className="text-2xl mb-2">👤</div>
+              <h3 className="font-semibold">Add Candidate</h3>
+              <p className="text-sm text-muted-foreground mt-1">Upload CV or enter details manually</p>
+            </Link>
+          </CardContent>
+        </Card>
+        <Card className="hover:shadow-md transition-shadow cursor-pointer">
+          <CardContent className="pt-6">
+            <Link to="/scorecards" className="block">
+              <div className="text-2xl mb-2">📋</div>
+              <h3 className="font-semibold">Create Scorecard</h3>
+              <p className="text-sm text-muted-foreground mt-1">Evaluate and compare candidates</p>
+            </Link>
          </CardContent>
        </Card>
      </div>
--- a/client/src/pages/Login.tsx
+++ b/client/src/pages/Login.tsx
@@ -0,0 +1,86 @@
+import { useState } from 'react'
+import { useNavigate, Link } from 'react-router-dom'
+import { useAuth } from '@/lib/auth'
+import { Card, CardHeader, CardTitle, CardContent, CardFooter } from '@/components/ui/card'
+import { Button } from '@/components/ui/button'
+import { Input } from '@/components/ui/input'
+import { Label } from '@/components/ui/label'
+
+export default function LoginPage() {
+  const { login } = useAuth()
+  const navigate = useNavigate()
+  const [email, setEmail] = useState('')
+  const [password, setPassword] = useState('')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault()
+    setError('')
+    setLoading(true)
+    try {
+      await login(email, password)
+      navigate('/')
+    } catch (err: any) {
+      setError(err.message)
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className="min-h-screen bg-[#F9FAFB] flex items-center justify-center p-4">
+      <div className="w-full max-w-md">
+        <div className="text-center mb-8">
+          <h1 className="text-3xl font-bold text-[#3B82F6]">HireFlow</h1>
+          <p className="text-sm text-gray-500 mt-1">AI Recruitment Platform</p>
+        </div>
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-xl">Sign in to your account</CardTitle>
+          </CardHeader>
+          <form onSubmit={handleSubmit}>
+            <CardContent className="space-y-4">
+              {error && (
+                <div className="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded-md text-sm">
+                  {error}
+                </div>
+              )}
+              <div className="space-y-2">
+                <Label htmlFor="email">Email</Label>
+                <Input
+                  id="email"
+                  type="email"
+                  placeholder="you@company.com"
+                  value={email}
+                  onChange={e => setEmail(e.target.value)}
+                  required
+                />
+              </div>
+              <div className="space-y-2">
+                <Label htmlFor="password">Password</Label>
+                <Input
+                  id="password"
+                  type="password"
+                  placeholder="••••••••"
+                  value={password}
+                  onChange={e => setPassword(e.target.value)}
+                  required
+                />
+              </div>
+            </CardContent>
+            <CardFooter className="flex flex-col gap-3">
+              <Button type="submit" className="w-full bg-[#3B82F6] hover:bg-blue-600" disabled={loading}>
+                {loading ? 'Signing in...' : 'Sign In'}
+              </Button>
+              <p className="text-sm text-center text-gray-500">
+                No account yet?{' '}
+                <Link to="/register" className="text-[#3B82F6] hover:underline font-medium">Register</Link>
+              </p>
+            </CardFooter>
+          </form>
+        </Card>
+      </div>
+    </div>
+  )
+}
--- a/client/src/pages/Register.tsx
+++ b/client/src/pages/Register.tsx
@@ -0,0 +1,89 @@
+import { useState } from 'react'
+import { useNavigate, Link } from 'react-router-dom'
+import { useAuth } from '@/lib/auth'
+import { Card, CardHeader, CardTitle, CardContent, CardFooter } from '@/components/ui/card'
+import { Button } from '@/components/ui/button'
+import { Input } from '@/components/ui/input'
+import { Label } from '@/components/ui/label'
+
+export default function RegisterPage() {
+  const { register } = useAuth()
+  const navigate = useNavigate()
+  const [email, setEmail] = useState('')
+  const [password, setPassword] = useState('')
+  const [confirmPassword, setConfirmPassword] = useState('')
+  const [role, setRole] = useState('recruiter')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault()
+    setError('')
+    if (password !== confirmPassword) { setError('Passwords do not match'); return }
+    if (password.length < 8) { setError('Password must be at least 8 characters'); return }
+    setLoading(true)
+    try {
+      await register(email, password, role)
+      navigate('/login?registered=1')
+    } catch (err: any) {
+      setError(err.message)
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className="min-h-screen bg-[#F9FAFB] flex items-center justify-center p-4">
+      <div className="w-full max-w-md">
+        <div className="text-center mb-8">
+          <h1 className="text-3xl font-bold text-[#3B82F6]">HireFlow</h1>
+          <p className="text-sm text-gray-500 mt-1">AI Recruitment Platform</p>
+        </div>
+        <Card>
+          <CardHeader>
+            <CardTitle className="text-xl">Create your account</CardTitle>
+          </CardHeader>
+          <form onSubmit={handleSubmit}>
+            <CardContent className="space-y-4">
+              {error && (
+                <div className="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded-md text-sm">
+                  {error}
+                </div>
+              )}
+              <div className="space-y-2">
+                <Label htmlFor="email">Work Email</Label>
+                <Input id="email" type="email" placeholder="you@company.com" value={email} onChange={e => setEmail(e.target.value)} required />
+              </div>
+              <div className="space-y-2">
+                <Label htmlFor="role">Role</Label>
+                <select id="role" value={role} onChange={e => setRole(e.target.value)}
+                  className="w-full border border-input rounded-md px-3 py-2 text-sm bg-background">
+                  <option value="recruiter">Recruiter</option>
+                  <option value="hiring_manager">Hiring Manager</option>
+                  <option value="admin">Admin</option>
+                </select>
+              </div>
+              <div className="space-y-2">
+                <Label htmlFor="password">Password</Label>
+                <Input id="password" type="password" placeholder="Min. 8 characters" value={password} onChange={e => setPassword(e.target.value)} required />
+              </div>
+              <div className="space-y-2">
+                <Label htmlFor="confirmPassword">Confirm Password</Label>
+                <Input id="confirmPassword" type="password" placeholder="Repeat password" value={confirmPassword} onChange={e => setConfirmPassword(e.target.value)} required />
+              </div>
+            </CardContent>
+            <CardFooter className="flex flex-col gap-3">
+              <Button type="submit" className="w-full bg-[#3B82F6] hover:bg-blue-600" disabled={loading}>
+                {loading ? 'Creating account...' : 'Create Account'}
+              </Button>
+              <p className="text-sm text-center text-gray-500">
+                Already have an account?{' '}
+                <Link to="/login" className="text-[#3B82F6] hover:underline font-medium">Sign in</Link>
+              </p>
+            </CardFooter>
+          </form>
+        </Card>
+      </div>
+    </div>
+  )
+}
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,8 +9,11 @@
      "version": "1.0.0",
      "hasInstallScript": true,
      "dependencies": {
+        "bcryptjs": "^3.0.3",
        "cors": "^2.8.5",
        "express": "^4.18.2",
+        "jsonwebtoken": "^9.0.3",
+        "multer": "^1.4.5-lts.1",
        "pg": "^8.11.3",
        "redis": "^4.6.12"
      },
@@ -141,6 +144,11 @@
        "node": ">= 8"
      }
    },
+    "node_modules/append-field": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/append-field/-/append-field-1.0.0.tgz",
+      "integrity": "sha512-klpgFSWLW1ZEs8svjfb7g4qWY0YS5imI82dTg+QahUvJ8YqAY0P10Uk8tTyh9ZGuYEZEMaeJYCF5BFuX552hsw=="
+    },
    "node_modules/array-flatten": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
@@ -154,6 +162,14 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/bcryptjs": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-3.0.3.tgz",
+      "integrity": "sha512-GlF5wPWnSa/X5LKM1o0wz0suXIINz1iHRLvTS+sLyi7XPbe5ycmYI3DlZqVGZZtDgl4DmasFg7gOB3JYbphV5g==",
+      "bin": {
+        "bcrypt": "bin/bcrypt"
+      }
+    },
    "node_modules/binary-extensions": {
      "version": "2.3.0",
      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -215,6 +231,27 @@
        "node": ">=8"
      }
    },
+    "node_modules/buffer-equal-constant-time": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
+      "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="
+    },
+    "node_modules/buffer-from": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz",
+      "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ=="
+    },
+    "node_modules/busboy": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz",
+      "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==",
+      "dependencies": {
+        "streamsearch": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=10.16.0"
+      }
+    },
    "node_modules/bytes": {
      "version": "3.1.2",
      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
@@ -359,6 +396,20 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/concat-stream": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz",
+      "integrity": "sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==",
+      "engines": [
+        "node >= 0.8"
+      ],
+      "dependencies": {
+        "buffer-from": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^2.2.2",
+        "typedarray": "^0.0.6"
+      }
+    },
    "node_modules/concurrently": {
      "version": "8.2.2",
      "resolved": "https://registry.npmjs.org/concurrently/-/concurrently-8.2.2.tgz",
@@ -423,6 +474,11 @@
      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
      "license": "MIT"
    },
+    "node_modules/core-util-is": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
+      "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ=="
+    },
    "node_modules/cors": {
      "version": "2.8.6",
      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz",
@@ -499,6 +555,14 @@
        "node": ">= 0.4"
      }
    },
+    "node_modules/ecdsa-sig-formatter": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz",
+      "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
+      "dependencies": {
+        "safe-buffer": "^5.0.1"
+      }
+    },
    "node_modules/ee-first": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
@@ -920,6 +984,56 @@
        "node": ">=0.12.0"
      }
    },
+    "node_modules/isarray": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
+      "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ=="
+    },
+    "node_modules/jsonwebtoken": {
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz",
+      "integrity": "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==",
+      "dependencies": {
+        "jws": "^4.0.1",
+        "lodash.includes": "^4.3.0",
+        "lodash.isboolean": "^3.0.3",
+        "lodash.isinteger": "^4.0.4",
+        "lodash.isnumber": "^3.0.3",
+        "lodash.isplainobject": "^4.0.6",
+        "lodash.isstring": "^4.0.1",
+        "lodash.once": "^4.0.0",
+        "ms": "^2.1.1",
+        "semver": "^7.5.4"
+      },
+      "engines": {
+        "node": ">=12",
+        "npm": ">=6"
+      }
+    },
+    "node_modules/jsonwebtoken/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
+    },
+    "node_modules/jwa": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.1.tgz",
+      "integrity": "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==",
+      "dependencies": {
+        "buffer-equal-constant-time": "^1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/jws": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "dependencies": {
+        "jwa": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
    "node_modules/lodash": {
      "version": "4.17.23",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
@@ -927,6 +1041,41 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/lodash.includes": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz",
+      "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w=="
+    },
+    "node_modules/lodash.isboolean": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz",
+      "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg=="
+    },
+    "node_modules/lodash.isinteger": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz",
+      "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA=="
+    },
+    "node_modules/lodash.isnumber": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz",
+      "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw=="
+    },
+    "node_modules/lodash.isplainobject": {
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz",
+      "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA=="
+    },
+    "node_modules/lodash.isstring": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz",
+      "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw=="
+    },
+    "node_modules/lodash.once": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/lodash.once/-/lodash.once-4.1.1.tgz",
+      "integrity": "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg=="
+    },
    "node_modules/math-intrinsics": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
@@ -1009,12 +1158,49 @@
        "node": "*"
      }
    },
+    "node_modules/minimist": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/mkdirp": {
+      "version": "0.5.6",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
+      "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
+      "dependencies": {
+        "minimist": "^1.2.6"
+      },
+      "bin": {
+        "mkdirp": "bin/cmd.js"
+      }
+    },
    "node_modules/ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
      "license": "MIT"
    },
+    "node_modules/multer": {
+      "version": "1.4.5-lts.2",
+      "resolved": "https://registry.npmjs.org/multer/-/multer-1.4.5-lts.2.tgz",
+      "integrity": "sha512-VzGiVigcG9zUAoCNU+xShztrlr1auZOlurXynNvO9GiWD1/mTBbUljOKY+qMeazBqXgRnjzeEgJI/wyjJUHg9A==",
+      "deprecated": "Multer 1.x is impacted by a number of vulnerabilities, which have been patched in 2.x. You should upgrade to the latest 2.x version.",
+      "dependencies": {
+        "append-field": "^1.0.0",
+        "busboy": "^1.0.0",
+        "concat-stream": "^1.5.2",
+        "mkdirp": "^0.5.4",
+        "object-assign": "^4.1.1",
+        "type-is": "^1.6.4",
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
    "node_modules/negotiator": {
      "version": "0.6.3",
      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
@@ -1300,6 +1486,11 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/process-nextick-args": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz",
+      "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag=="
+    },
    "node_modules/proxy-addr": {
      "version": "2.0.7",
      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
@@ -1359,6 +1550,25 @@
        "node": ">= 0.8"
      }
    },
+    "node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/readable-stream/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
    "node_modules/readdirp": {
      "version": "3.6.0",
      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
@@ -1439,7 +1649,6 @@
      "version": "7.7.4",
      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
-      "dev": true,
      "license": "ISC",
      "bin": {
        "semver": "bin/semver.js"
@@ -1621,6 +1830,27 @@
        "node": ">= 0.8"
      }
    },
+    "node_modules/streamsearch": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz",
+      "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==",
+      "engines": {
+        "node": ">=10.0.0"
+      }
+    },
+    "node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
+    "node_modules/string_decoder/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
    "node_modules/string-width": {
      "version": "4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
@@ -1727,6 +1957,11 @@
        "node": ">= 0.6"
      }
    },
+    "node_modules/typedarray": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz",
+      "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA=="
+    },
    "node_modules/undefsafe": {
      "version": "2.0.5",
      "resolved": "https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.5.tgz",
@@ -1743,6 +1978,11 @@
        "node": ">= 0.8"
      }
    },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
+    },
    "node_modules/utils-merge": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
--- a/package.json
+++ b/package.json
@@ -13,14 +13,16 @@
    "dev:client": "cd client && npm run dev"
  },
  "dependencies": {
-    "express": "^4.18.2",
-    "pg": "^8.11.3",
-    "redis": "^4.6.12",
+    "bcryptjs": "^3.0.3",
    "cors": "^2.8.5",
-    "multer": "^1.4.5-lts.1"
+    "express": "^4.18.2",
+    "jsonwebtoken": "^9.0.3",
+    "multer": "^1.4.5-lts.1",
+    "pg": "^8.11.3",
+    "redis": "^4.6.12"
  },
  "devDependencies": {
-    "nodemon": "^3.0.2",
-    "concurrently": "^8.2.2"
+    "concurrently": "^8.2.2",
+    "nodemon": "^3.0.2"
  }
 }
--- a/server.js
+++ b/server.js
@@ -4,9 +4,14 @@ const redis = require('redis');
 const path = require('path');
 const multer = require('multer');
 const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 10 * 1024 * 1024 } });
+const jwt = require('jsonwebtoken');
+const bcryptjs = require('bcryptjs');
+const bcrypt = bcryptjs;

 const app = express();
 const PORT = process.env.PORT || 3000;
+const JWT_SECRET = process.env.JWT_SECRET || 'hireflow-secret-key-change-in-production';
+const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET || 'hireflow-refresh-secret-change-in-production';

 app.use(express.json());

@@ -83,6 +88,27 @@ async function initDb() {
        created_at TIMESTAMP DEFAULT NOW(),
        UNIQUE(job_id, candidate_id)
      );
+
+      CREATE TABLE IF NOT EXISTS users (
+        id SERIAL PRIMARY KEY,
+        email VARCHAR(255) UNIQUE NOT NULL,
+        password_hash VARCHAR(255) NOT NULL,
+        role VARCHAR(50) NOT NULL DEFAULT 'recruiter',
+        agency_id INTEGER,
+        is_active BOOLEAN DEFAULT true,
+        created_at TIMESTAMP DEFAULT NOW(),
+        updated_at TIMESTAMP DEFAULT NOW(),
+        deleted_at TIMESTAMP
+      );
+
+      CREATE TABLE IF NOT EXISTS refresh_tokens (
+        id SERIAL PRIMARY KEY,
+        user_id INTEGER REFERENCES users(id),
+        token_hash VARCHAR(255) NOT NULL,
+        expires_at TIMESTAMP NOT NULL,
+        revoked_at TIMESTAMP,
+        created_at TIMESTAMP DEFAULT NOW()
+      );
    `);
    console.log('Database schema initialized');
  } catch (err) {
@@ -136,6 +162,187 @@ function parseCV(text) {
  };
 }

+// Auth middleware
+function authenticateToken(req, res, next) {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+  if (!token) return res.status(401).json({ error: 'Access token required' });
+  try {
+    const user = jwt.verify(token, JWT_SECRET);
+    req.user = user;
+    next();
+  } catch (err) {
+    return res.status(401).json({ error: 'Invalid or expired token' });
+  }
+}
+
+function requireRole(...roles) {
+  return (req, res, next) => {
+    if (!req.user || !roles.includes(req.user.role)) {
+      return res.status(403).json({ error: 'Insufficient permissions' });
+    }
+    next();
+  };
+}
+
+// POST /auth/register
+app.post('/auth/register', async (req, res) => {
+  try {
+    const { email, password, role } = req.body;
+    if (!email || !password) return res.status(400).json({ error: 'Email and password required' });
+    const allowedRoles = ['admin', 'recruiter', 'hiring_manager'];
+    const userRole = allowedRoles.includes(role) ? role : 'recruiter';
+    const passwordHash = await bcrypt.hash(password, 12);
+    const result = await pool.query(
+      'INSERT INTO users (email, password_hash, role) VALUES ($1, $2, $3) RETURNING id, email, role, created_at',
+      [email.toLowerCase(), passwordHash, userRole]
+    );
+    res.status(201).json({ success: true, user: result.rows[0] });
+  } catch (err) {
+    if (err.code === '23505') return res.status(409).json({ error: 'Email already registered' });
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// POST /auth/login
+app.post('/auth/login', async (req, res) => {
+  try {
+    const { email, password } = req.body;
+    if (!email || !password) return res.status(400).json({ error: 'Email and password required' });
+    const result = await pool.query('SELECT * FROM users WHERE email = $1 AND deleted_at IS NULL', [email.toLowerCase()]);
+    if (!result.rows.length) return res.status(401).json({ error: 'Invalid credentials' });
+    const user = result.rows[0];
+    if (!user.is_active) return res.status(401).json({ error: 'Account is disabled' });
+    const valid = await bcrypt.compare(password, user.password_hash);
+    if (!valid) return res.status(401).json({ error: 'Invalid credentials' });
+    const accessToken = jwt.sign({ id: user.id, email: user.email, role: user.role }, JWT_SECRET, { expiresIn: '15m' });
+    const refreshToken = jwt.sign({ id: user.id }, JWT_REFRESH_SECRET, { expiresIn: '7d' });
+    const refreshHash = await bcrypt.hash(refreshToken, 10);
+    const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+    await pool.query('INSERT INTO refresh_tokens (user_id, token_hash, expires_at) VALUES ($1, $2, $3)', [user.id, refreshHash, expiresAt]);
+    res.json({ success: true, accessToken, refreshToken, user: { id: user.id, email: user.email, role: user.role } });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// POST /auth/refresh
+app.post('/auth/refresh', async (req, res) => {
+  try {
+    const { refreshToken } = req.body;
+    if (!refreshToken) return res.status(401).json({ error: 'Refresh token required' });
+    let payload;
+    try { payload = jwt.verify(refreshToken, JWT_REFRESH_SECRET); } catch { return res.status(401).json({ error: 'Invalid refresh token' }); }
+    const tokens = await pool.query('SELECT * FROM refresh_tokens WHERE user_id = $1 AND revoked_at IS NULL AND expires_at > NOW()', [payload.id]);
+    let validToken = null;
+    for (const t of tokens.rows) {
+      if (await bcrypt.compare(refreshToken, t.token_hash)) { validToken = t; break; }
+    }
+    if (!validToken) return res.status(401).json({ error: 'Invalid or expired refresh token' });
+    const user = await pool.query('SELECT id, email, role FROM users WHERE id = $1 AND is_active = true AND deleted_at IS NULL', [payload.id]);
+    if (!user.rows.length) return res.status(401).json({ error: 'User not found' });
+    const accessToken = jwt.sign({ id: user.rows[0].id, email: user.rows[0].email, role: user.rows[0].role }, JWT_SECRET, { expiresIn: '15m' });
+    res.json({ success: true, accessToken, user: user.rows[0] });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// POST /auth/logout
+app.post('/auth/logout', authenticateToken, async (req, res) => {
+  try {
+    await pool.query('UPDATE refresh_tokens SET revoked_at = NOW() WHERE user_id = $1 AND revoked_at IS NULL', [req.user.id]);
+    res.json({ success: true });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// GET /auth/me
+app.get('/auth/me', authenticateToken, async (req, res) => {
+  try {
+    const result = await pool.query('SELECT id, email, role, agency_id, is_active, created_at FROM users WHERE id = $1 AND deleted_at IS NULL', [req.user.id]);
+    if (!result.rows.length) return res.status(404).json({ error: 'User not found' });
+    res.json(result.rows[0]);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// GET /api/users (admin only)
+app.get('/api/users', authenticateToken, requireRole('admin'), async (req, res) => {
+  try {
+    const result = await pool.query('SELECT id, email, role, agency_id, is_active, created_at FROM users WHERE deleted_at IS NULL ORDER BY created_at DESC');
+    res.json({ users: result.rows });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// PATCH /api/users/:id/role (admin only)
+app.patch('/api/users/:id/role', authenticateToken, requireRole('admin'), async (req, res) => {
+  try {
+    const { role } = req.body;
+    const allowedRoles = ['admin', 'recruiter', 'hiring_manager'];
+    if (!allowedRoles.includes(role)) return res.status(400).json({ error: 'Invalid role' });
+    const result = await pool.query('UPDATE users SET role = $1, updated_at = NOW() WHERE id = $2 AND deleted_at IS NULL RETURNING id, email, role', [role, req.params.id]);
+    if (!result.rows.length) return res.status(404).json({ error: 'User not found' });
+    res.json({ success: true, user: result.rows[0] });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+// Add dashboard endpoints
+app.get('/api/dashboard/metrics', authenticateToken, async (req, res) => {
+  try {
+    const [candidates, jobs, applications, interviews] = await Promise.all([
+      pool.query('SELECT COUNT(*) FROM candidates'),
+      pool.query("SELECT COUNT(*) FROM jobs WHERE status = 'posted'"),
+      pool.query('SELECT COUNT(*) FROM job_applications'),
+      pool.query("SELECT COUNT(*) FROM scorecards WHERE created_at >= NOW() - INTERVAL '7 days'"),
+    ]);
+    res.json({
+      totalCandidates: parseInt(candidates.rows[0].count),
+      activeJobs: parseInt(jobs.rows[0].count),
+      totalApplications: parseInt(applications.rows[0].count),
+      interviewsThisWeek: parseInt(interviews.rows[0].count),
+    });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+app.get('/api/dashboard/pipeline-summary', authenticateToken, async (req, res) => {
+  try {
+    const result = await pool.query('SELECT stage, COUNT(*) as count FROM job_applications GROUP BY stage');
+    const stages = { applied: 0, screening: 0, interview: 0, offer: 0, hired: 0 };
+    result.rows.forEach(r => { if (stages.hasOwnProperty(r.stage)) stages[r.stage] = parseInt(r.count); });
+    res.json(stages);
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
+app.get('/api/dashboard/recent-activity', authenticateToken, async (req, res) => {
+  try {
+    const result = await pool.query(`
+      SELECT 'candidate_added' as type, c.name as title, c.email as subtitle, c.created_at as timestamp
+      FROM candidates c
+      UNION ALL
+      SELECT 'job_posted' as type, j.title, j.location as subtitle, j.created_at as timestamp
+      FROM jobs j
+      UNION ALL
+      SELECT 'application' as type, c.name as title, jo.title as subtitle, ja.created_at as timestamp
+      FROM job_applications ja JOIN candidates c ON ja.candidate_id = c.id JOIN jobs jo ON ja.job_id = jo.id
+      ORDER BY timestamp DESC LIMIT 10
+    `);
+    res.json({ activities: result.rows });
+  } catch (err) {
+    res.status(500).json({ error: err.message });
+  }
+});
+
 // Health check
 app.get('/health', async (req, res) => {
  try {