feat: BHV prototype with auth, uploads, and UI

[Sahil-u07]

This PR introduces a complete, working BHV prototype to demonstrate the intended system flow and architecture.

What this prototype includes

This prototype demonstrates the core BHV experience:

• Basic authentication flow (signup and login)
• Image upload with short narratives
• Local-first image storage
• Personal gallery view to revisit past entries
• Simple admin view to inspect users and content
• Clean, calm, and responsive UI focused on usability

The system is intentionally kept minimal to reflect the “simple and stupid architecture that works” philosophy discussed in the BHV threads.

Feedback welcome

I’d appreciate feedback on:

• Whether this flow aligns with BHV’s original intent

This is a proof-of-concept prototype created for architectural exploration.

[gemini-code-assist]

Summary of Changes

Hello @Sahil-u07, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a comprehensive, functional prototype for the Behavioral Health Vault (BHV) application. It establishes a robust backend API using Flask for secure user authentication, image uploads with descriptive narratives, and administrative controls. Concurrently, a modern and responsive frontend built with React, Vite, and Tailwind CSS provides a seamless user experience, allowing users to manage their entries and administrators to oversee the system. The prototype aims to demonstrate the core architectural flow and key features of the BHV system, emphasizing a minimal yet effective design.

Highlights

• Full-Stack Prototype Implementation: This pull request introduces a complete, working prototype for the Behavioral Health Vault (BHV) application, encompassing both a Flask-based backend API and a React-based frontend UI.
• Authentication System: A robust authentication flow has been implemented, including user signup and login with email/password, password hashing using Flask-Bcrypt, and secure session management via JSON Web Tokens (JWT).
• Image Upload and Gallery: Users can now upload images along with short textual narratives. These entries are stored locally and are viewable in a personal gallery, demonstrating the core content management functionality.
• Admin Functionality: An administrative interface has been added, allowing privileged users to inspect user and content statistics, search and manage user accounts, and delete images, providing essential oversight capabilities.
• Modern Frontend Architecture: The frontend is built with React, Vite, and Tailwind CSS, providing a clean, responsive, and user-friendly interface for all application features, from landing pages to user dashboards and content management.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces an impressive full-stack prototype for the BHV application, covering core features like authentication, image uploads, and a functional UI. The structure is well-organized. My review focuses on several critical security vulnerabilities in the backend concerning authentication, authorization, and data privacy that should be addressed. I've also provided feedback on potential bugs, such as orphaned file handling, and suggestions to improve code maintainability and correctness in both the frontend and backend.

[gemini-code-assist]

The /file/<filename> endpoint, which serves image files, lacks any authentication or authorization checks. This means that anyone with a link to an image can view it. Given the sensitive nature of a behavioral health application, this is a critical privacy and security vulnerability. This endpoint must be protected with @token_required and should verify that the current user has permission to view the requested image.

Suggested change

	@images_bp.route('/file/<filename>', methods=['GET'])
	def get_image_file(filename):
	return send_from_directory(current_app.config['UPLOAD_FOLDER'], filename)
	@images_bp.route('/file/<filename>', methods=['GET'])
	@token_required
	def get_image_file(current_user, filename):
	image = Image.query.filter_by(filename=filename).first_or_404()
	if image.user_id != current_user.id and not current_user.is_admin:
	return jsonify({'message': 'Permission denied'}), 403
	return send_from_directory(current_app.config['UPLOAD_FOLDER'], filename)

[gemini-code-assist]

Hardcoding admin user creation based on a specific email address is a critical security vulnerability. Anyone who knows this email (admin@bhv.com) can sign up and gain administrative privileges. Admin users should be created through a secure, out-of-band mechanism, such as a CLI command.

Suggested change

	is_admin = data.get('email') == 'admin@bhv.com'
	is_admin = False

[gemini-code-assist]

The SECRET_KEY has a weak, hardcoded default value committed to the repository. This is a critical security vulnerability if the application is deployed to production with this key, as it would allow attackers to forge authentication tokens. Secret keys should never be stored in version control.

Suggested change

	SECRET_KEY = os.environ.get('SECRET_KEY') or 'dev-secret-key-change-in-prod'
	SECRET_KEY = os.environ.get('SECRET_KEY')

[gemini-code-assist]

This logic allows any authenticated user to view images of any other user by passing a user_id. For a behavioral health application, exposing all user content by default is a significant privacy risk. Access should be restricted by default.

I suggest modifying the logic so that regular users can only see their own images, while admins can view any user's images. If no user_id is provided, it should default to showing only the current user's images unless they are an admin.

Suggested change

	if user_id:
	if user_id == 'me':
	query = query.filter_by(user_id=current_user.id)
	else:
	query = query.filter_by(user_id=user_id)
	if user_id:
	if user_id == 'me' or int(user_id) == current_user.id:
	query = query.filter_by(user_id=current_user.id)
	elif current_user.is_admin:
	query = query.filter_by(user_id=user_id)
	else:
	return jsonify({'message': 'Permission denied to view this user\'s images'}), 403
	elif not current_user.is_admin:
	# Default to current user's images if not an admin
	query = query.filter_by(user_id=current_user.id)

[gemini-code-assist]

Catching a generic Exception is too broad. It can mask underlying issues with token validation, such as bugs in your code or specific JWT errors (like an expired token). This makes debugging difficult and could hide security-related problems.

Suggested change

	except Exception as e:
	return jsonify({'message': 'Token is invalid', 'error': str(e)}), 401
	except jwt.ExpiredSignatureError:
	return jsonify({'message': 'Token has expired'}), 401
	except jwt.InvalidTokenError:
	return jsonify({'message': 'Token is invalid'}), 401

[gemini-code-assist]

This file implements a manual database migration by executing raw SQL. This approach is brittle and not easily scalable. For instance, it relies on string matching in an error message to check if a column exists, which can break with different database versions or drivers.

For a more robust and maintainable solution, consider using a database migration tool like Alembic, which integrates well with Flask and SQLAlchemy via the Flask-Migrate extension. It allows you to manage schema changes with version-controlled migration scripts.

[gemini-code-assist]

The ProtectedRoute component is wrapped around each protected route individually. This is repetitive and can be simplified using a layout route, which is a feature of react-router-dom v6. This will make your routing configuration cleaner and easier to maintain.

Suggested change

	<Route
	path="/dashboard"
	element={
	<ProtectedRoute>
	<Dashboard />
	</ProtectedRoute>
	}
	/>
	<Route
	path="/upload"
	element={
	<ProtectedRoute>
	<Upload />
	</ProtectedRoute>
	}
	/>
	<Route
	path="/gallery"
	element={
	<ProtectedRoute>
	<Gallery />
	</ProtectedRoute>
	}
	/>
	<Route
	path="/profile"
	element={
	<ProtectedRoute>
	<Profile />
	</ProtectedRoute>
	}
	/>
	<Route
	path="/admin"
	element={
	<ProtectedRoute>
	<AdminDashboard />
	</ProtectedRoute>
	}
	/>
	<Route element={<ProtectedRoute />}>
	<Route path="/dashboard" element={<Dashboard />} />
	<Route path="/upload" element={<Upload />} />
	<Route path="/gallery" element={<Gallery />} />
	<Route path="/profile" element={<Profile />} />
	<Route path="/admin" element={<AdminDashboard />} />
	</Route>

[gemini-code-assist]

The baseURL for the API is hardcoded. This makes it difficult to switch between development and production environments. It's better to use environment variables for this configuration. In a Vite project, you can create a .env file and access variables prefixed with VITE_.

  baseURL: import.meta.env.VITE_API_BASE_URL || 'http://localhost:5000',

[gemini-code-assist]

URL.createObjectURL() creates a reference to a file that stays in memory until the document is unloaded. In a single-page application, this can lead to memory leaks if not handled properly. You should revoke the object URL when the component unmounts or when a new file is selected to free up memory. You can do this using URL.revokeObjectURL() in a useEffect cleanup function.

[gemini-code-assist]

You are manually setting the Content-Type header to multipart/form-data. This is unnecessary and can cause issues, because the browser needs to add the boundary parameter to this header, which your manual setting prevents. When you pass a FormData object to Axios, it correctly sets the Content-Type header automatically.

      await api.post('/images/upload', formData);

[Copilot]

Pull request overview

This PR introduces a complete BHV (Behavioral Health Vault) prototype implementing a mental wellness journal application with image uploads, user authentication, and admin capabilities.

Changes:

• Complete React frontend with authentication, image upload, gallery, and admin dashboard
• Flask REST API backend with JWT authentication, SQLite database, and file storage
• User management system with admin privileges and role-based access control

Reviewed changes

Copilot reviewed 36 out of 40 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
backend/app.py	Flask application initialization with CORS and blueprint registration
backend/models.py	SQLAlchemy models for User and Image entities
backend/routes/auth.py	Authentication endpoints for signup/login with JWT tokens
backend/routes/images.py	Image upload and retrieval endpoints
backend/routes/admin.py	Admin-only endpoints for user/image management
backend/middleware.py	JWT token validation decorator
backend/config.py	Application configuration with database and upload settings
frontend/src/pages/*	React pages for landing, auth, dashboard, upload, gallery, profile, admin
frontend/src/components/*	Reusable Button, Input, Navbar, and ProtectedRoute components
frontend/src/api/client.js	Axios HTTP client with JWT token interceptor
frontend/package.json	Frontend dependencies including React 19, Tailwind CSS, Vite

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Hardcoded localhost URL will break in production. The base URL should be configurable through environment variables (e.g., import.meta.env.VITE_API_URL).

Suggested change

	const api = axios.create({
	baseURL: 'http://localhost:5000',
	const API_BASE_URL =
	typeof import.meta !== 'undefined' &&
	import.meta.env &&
	import.meta.env.VITE_API_URL
	? import.meta.env.VITE_API_URL
	: 'http://localhost:5000';
	const api = axios.create({
	baseURL: API_BASE_URL,

[Copilot]

Hardcoded localhost URLs in image sources will fail in production. These should use the same configurable API base URL as the client.

[Copilot]

Hardcoded localhost URL in image source. This should use a configurable API base URL.

[Copilot]

Weak default secret key is a critical security vulnerability. In production, this default should never be used. Consider failing fast if SECRET_KEY is not explicitly set in production environments.

Suggested change

	class Config:
	SECRET_KEY = os.environ.get('SECRET_KEY') or 'dev-secret-key-change-in-prod'
	_SECRET_KEY = os.environ.get('SECRET_KEY')
	if not _SECRET_KEY:
	# In production, SECRET_KEY must be explicitly set and must not fall back to a default value.
	if os.environ.get('FLASK_ENV') == 'production' or os.environ.get('ENV') == 'production':
	raise RuntimeError("SECRET_KEY environment variable must be set in production")
	_SECRET_KEY = 'dev-secret-key-change-in-prod'
	class Config:
	SECRET_KEY = _SECRET_KEY

[Copilot]

Deleted image files are not removed from the filesystem. When an image is deleted from the database, the corresponding file in the upload folder should also be deleted to prevent orphaned files from accumulating.

[Copilot]

Unused import Shield.

[Copilot]

Unused variable loading.

[Copilot]

Unused import Clock.

[Copilot]

Unused import UploadIcon.

[Copilot]

Unused variable error.