feat: add check-in progress photos (front, back, side)

[zeusal]

Resolves #229. Add the ability to upload and track progress photos from the check-in screen, with three fixed angle slots (front, back, side) per day, plus the backend storage, retrieval, and security hardening.

Frontend:

• New CheckInPhotos UI on the check-in screen with front/back/side slots (upload / replace / remove) and en/es translations.

Backend:

• New check_in_photos table, routes, service, schemas, and upload middleware.
• Photos stored under uploads/check-in/<userId>/<date>/<type>.<ext>; only the relative path is persisted, so records stay portable across deployments.
• Uploads validated by real image magic bytes (not the spoofable mime type or filename), buffered in memory, and written to a temp file that is atomically promoted only after the DB commit, so a failed insert never orphans a file and a same-name replace never clobbers a valid photo.
• Photos served through an authenticated, ownership-checked route (RLS-scoped) with X-Content-Type-Options: nosniff; direct static access to /uploads/check-in is blocked.
• RLS: enable row-level security and add the per-user diary policy for check_in_photos (previously RLS was enabled with no policy, so every insert was denied).
• DB: point check_in_photos.user_id at public."user" (Better Auth), matching check_in_measurements; uploads failed with a foreign key violation for users absent from the legacy auth.users table. Add the prerequisite PRIMARY KEY on check_in_measurements so the photos foreign key target is valid.

Tip

Help us review and merge your PR faster!
Please ensure you have completed the Checklist below.
For Frontend changes, please run pnpm run validate to check for any errors.
PRs that include tests and clear screenshots are highly preferred!
Note: AI-generated descriptions must be manually edited for conciseness. Do not paste raw AI summaries.

Description

What problem does this PR solve?
(Keep it concise. 1–2 sentences.)

How did you implement the solution?
(Brief technical approach.)

Linked Issue

Linked Issue: Closes #229

How to Test

1. Check out this branch and start the server (pnpm start in SparkyFitnessServer/).
   The new migrations apply automatically on boot (check_in_measurements PK →
   check_in_photos table → FK repoint to public."user"), and RLS policies are
   re-applied, so an existing DB is upgraded in place.
2. Start the frontend (pnpm dev in SparkyFitnessFrontend/) and log in.
3. Navigate to Check-In and find the new Progress Photos section.
4. Upload a Front, Back, and Side photo. Verify each shows a preview,
   can be replaced, and persists after reloading the page / reopening the date.
5. Verify files land under SparkyFitnessServer/uploads/check-in/<userId>/<date>/.
6. Verify a non-image (e.g. a renamed .txt → .jpg) is rejected on upload.
7. (Multi-user) Log in as a second user, add photos for the same date, and confirm
   each user only sees their own — photos are served by id through an
   ownership/RLS-checked route, and /uploads/check-in is not publicly served.

PR Type

• Issue (bug fix)
• New Feature
• Refactor
• Documentation

Checklist

All PRs:

• [MANDATORY - ALL] Integrity & License: I certify this is my own work, free of malicious code, and I agree to the License terms.

New features only:

• [MANDATORY for new feature] Alignment: I have raised a GitHub issue and it was reviewed/approved by maintainers or it was approved on Discord.

Frontend changes (SparkyFitnessFrontend/):

• [MANDATORY for Frontend changes] Quality: I have run pnpm run validate and it passes.
• [MANDATORY for Frontend changes] Translations: I have only updated the English (en) translation file.

Backend changes (SparkyFitnessServer/):

• [MANDATORY for Backend changes] Code Quality: I have run typecheck, lint, and tests. New files use TypeScript, new endpoints have Zod schemas, and new endpoints include tests.
• [MANDATORY for Backend changes] Database Security: I have updated rls_policies.sql for any new user-specific tables.

UI changes (components, screens, pages):

• [MANDATORY for UI changes] Screenshots: I have attached Before/After screenshots below.

Mobile changes (SparkyFitnessMobile/):

• [MANDATORY for Mobile changes] Tested on device or emulator: N/A — no mobile changes.

Screenshots

Before (upstream main)	After (this PR)
---

Notes for Reviewers

Optional — use this for anything that doesn't fit above: known tradeoffs, areas you'd like specific feedback on, qustions you have or context that helps reviewers.

[github-actions]

PR Validation Results

Change Detection

• 🖥️ Frontend changes detected
• ⚙️ Backend changes detected
• 🌐 en translation file modified
• 🗄️ rls_policies.sql modified

✅ All checks passed. Thank you!

[gemini-code-assist]

Code Review

This pull request introduces a progress photos feature to the check-in flow, allowing users to upload, replace, and delete front, back, and side photos. The changes span both the frontend (React components, React Query hooks, and translation updates) and the backend (Express routes, multer middleware with magic-byte image validation, Zod schemas, database migrations, and RLS policies). The review feedback highlights a critical timezone-related bug in checkInPhotoService.ts where formatting database DATE values using toISOString().split('T')[0] can cause day shifts, and recommends using a shared date utility library instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[CodeWithCJ]

merge the three migration sql into a single file. and also attach some screenshots in the AFTER section of the PR desc

[zeusal]

merge the three migration sql into a single file. and also attach some screenshots in the AFTER section of the PR desc

I have tried to do it, can you verify again please.

[CodeWithCJ]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a progress photos feature (front, back, and side) for check-ins, including frontend components, a custom hook, backend routes, services, database migrations, and RLS policies. The code review identifies a high-severity security vulnerability (IDOR/Authorization Bypass) where Row-Level Security could be bypassed, allowing unauthorized access to private photos. Additionally, the feedback highlights performance concerns regarding synchronous file system operations blocking the Node.js event loop, and suggests frontend optimizations using useMemo to prevent unnecessary map re-creations on every render.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Import useMemo from 'react' to support the memoization of the photo map.

Suggested change

	import { useRef, useCallback } from 'react';
	import { useRef, useCallback, useMemo } from 'react';

[CodeWithCJ]

Take a look at gemini comments. some times it could also be false positive.

[CodeWithCJ]

@apedley could you review this.

[zeusal]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a progress photo upload feature for check-ins, including frontend UI components, React Query hooks, backend API routes, database migrations, and magic-byte image validation. Feedback on the changes suggests using the standard apiCall wrapper instead of direct fetch in the frontend, deriving file extensions from validated magic bytes rather than trusting client-provided filenames, and removing the redundant check_in_measurement_id column to avoid data inconsistency. Additionally, it is recommended to remove capture="environment" to allow gallery uploads, add WebP support to the allowed image signatures, increase the photo_type column length for future-proofing, and replace any types with proper Express types in the route handler.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Using any for req and res disables TypeScript's type safety and requires disabling the eslint rule. Type them properly using express.Request and express.Response to maintain type safety.

Suggested change

	async (req: any, res: any) => {
	if (!req.file) {
	async (req: express.Request & { file?: Express.Multer.File; userId?: string }, res: express.Response) => {

[zeusal]

/gemini review

[gemini-code-assist]

Code Review

This pull request implements a progress photos feature for check-ins, allowing users to upload, view, and delete front, back, and side photos. It includes frontend UI components, React Query hooks, and backend support with a database migration, RLS policies, secure image validation, and file system persistence. The review feedback suggests several improvements: expanding the database photo_type column length for future extensibility, removing a redundant index, logging instead of throwing file deletion errors to avoid unnecessary 500 responses, adding client-side file size validation, and disabling all photo slots during an active upload to prevent concurrent upload race conditions.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[zeusal]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a progress photo upload feature (front, back, and side views) to track physique over time. On the frontend, it adds translation keys, an API service, a custom React Query hook, and a CheckInPhotos UI component. On the backend, it implements a database migration with RLS policies, a secure multer upload middleware with magic-byte validation, and routes/services to handle photo management securely. The review feedback highlights several improvement opportunities: handling potential transmission errors in res.sendFile with a callback, verifying file existence on disk before serving, and exposing/utilizing the deletion loading state (isDeleting) in the frontend hook and components to prevent concurrent conflicting operations.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[zeusal]

Hi @CodeWithCJ I'm trying to put all of Gemini's suggestions into practice, but if you think the code is fine, I'll stop asking the bot.

[CodeWithCJ]

@apedley will review and provide his feedback today or tomorrow.

[apedley]

1. Looks like upload directory is harcoded in the service. It's set to SparkyFitnessServer/uploads when it should respect SPARKY_FITNESS_CUSTOM_UPLOADS_DIRECTORY
2. Schema backup file is not updated all the way. Missing the constraints on check_in_photos
3. UI Wise, can you make it much smaller if there are no images? It's a lot to scroll by for users who don't use the feature

[zeusal]

1. Looks like upload directory is harcoded in the service. It's set to SparkyFitnessServer/uploads when it should respect SPARKY_FITNESS_CUSTOM_UPLOADS_DIRECTORY
2. Schema backup file is not updated all the way. Missing the constraints on check_in_photos
3. UI Wise, can you make it much smaller if there are no images? It's a lot to scroll by for users who don't use the feature

Hi, as far as the user interface is concerned, I have two option: one of them is a drop-down menu

And second one:

Which one do you prefer?

[apedley]

First one looks good, thanks!

[zeusal]

First one looks good, thanks!

The first one is already push to branch