Add subcription feature 6

services/auth/app/api/users.py

@@ -238,6 +238,116 @@ async def get_user_by_id(
         )
 
 
+@router.put("/api/v1/auth/users/{user_id}", response_model=UserResponse)
+async def update_user_profile(
+    user_id: str = Path(..., description="User ID"),
+    update_data: UserUpdate = Body(..., description="User profile update data"),
+    current_user = Depends(get_current_user_dep),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Update user profile information.
+    
+    This endpoint allows users to update their profile information including:
+    - Full name
+    - Phone number  
+    - Language preference
+    - Timezone
+    
+    **Permissions:** Users can update their own profile, admins can update any user's profile
+    """
+    try:
+        # Validate UUID format
+        try:
+            uuid.UUID(user_id)
+        except ValueError:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid user ID format"
+            )
+
+        # Check permissions - user can update their own profile, admins can update any
+        if current_user["user_id"] != user_id:
+            # Check if current user has admin privileges
+            user_role = current_user.get("role", "user")
+            if user_role not in ["admin", "super_admin", "manager"]:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Insufficient permissions to update this user's profile"
+                )
+
+        # Fetch user from database
+        from app.repositories import UserRepository
+        user_repo = UserRepository(User, db)
+        user = await user_repo.get_by_id(user_id)
+
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"User {user_id} not found"
+            )
+
+        # Prepare update data (only include fields that are provided)
+        update_fields = update_data.dict(exclude_unset=True)
+        if not update_fields:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="No update data provided"
+            )
+
+        # Update user
+        updated_user = await user_repo.update(user_id, update_fields)
+
+        logger.info("User profile updated", user_id=user_id, updated_fields=list(update_fields.keys()))
+
+        # Log audit event for user profile update
+        try:
+            # Get tenant_id from current_user or use a placeholder for system-level operations
+            tenant_id_str = current_user.get("tenant_id", "00000000-0000-0000-0000-000000000000")
+            await audit_logger.log_event(
+                db_session=db,
+                tenant_id=tenant_id_str,
+                user_id=current_user["user_id"],
+                action=AuditAction.UPDATE.value,
+                resource_type="user",
+                resource_id=user_id,
+                severity=AuditSeverity.MEDIUM.value,
+                description=f"User {current_user.get('email', current_user['user_id'])} updated profile for user {user.email}",
+                changes={"updated_fields": list(update_fields.keys())},
+                audit_metadata={"updated_data": update_fields},
+                endpoint="/users/{user_id}",
+                method="PUT"
+            )
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
+        return UserResponse(
+            id=str(updated_user.id),
+            email=updated_user.email,
+            full_name=updated_user.full_name,
+            is_active=updated_user.is_active,
+            is_verified=updated_user.is_verified,
+            phone=updated_user.phone,
+            language=updated_user.language or "es",
+            timezone=updated_user.timezone or "Europe/Madrid",
+            created_at=updated_user.created_at,
+            last_login=updated_user.last_login,
+            role=updated_user.role,
+            tenant_id=None,
+            payment_customer_id=updated_user.payment_customer_id,
+            default_payment_method_id=updated_user.default_payment_method_id
+        )
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.error("Update user profile error", user_id=user_id, error=str(e))
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Failed to update user profile"
+        )
+
+
 @router.post("/api/v1/auth/users/create-by-owner", response_model=UserResponse)
 async def create_user_by_owner(
     user_data: OwnerUserCreate,
@@ -524,21 +634,20 @@ async def update_user_tenant(
                 detail="User not found"
             )
 
-        # Update user's tenant_id
-        user.tenant_id = uuid.UUID(tenant_id)
-        user.updated_at = datetime.now(timezone.utc)
-
-        await db.commit()
-        await db.refresh(user)
-
-        logger.info("Successfully updated user tenant_id",
-                   user_id=user_id,
-                   tenant_id=tenant_id)
+        # DEPRECATED: User-tenant relationships are now managed by tenant service
+        # This endpoint is kept for backward compatibility but does nothing
+        # The tenant service should manage user-tenant relationships internally
+        
+        logger.warning("DEPRECATED: update_user_tenant endpoint called - user-tenant relationships are now managed by tenant service",
+                      user_id=user_id,
+                      tenant_id=tenant_id)
 
+        # Return success for backward compatibility, but don't actually update anything
         return {
             "success": True,
             "user_id": str(user.id),
-            "tenant_id": str(user.tenant_id)
+            "tenant_id": tenant_id,
+            "message": "User-tenant relationships are now managed by tenant service. This endpoint is deprecated."
         }
 
     except HTTPException: