feat: add server-side encryption for address and phone

backend/src/routes/profile.js

@@ -0,0 +1,19 @@
+import { Router } from 'express';
+import { z } from 'zod';
+import { pool } from '../db/connection.js';
+import { requireAuth } from '../middleware/auth.js';
+import { encryptText } from '../services/encryption.js';
+
+const router = Router();
+
+router.post('/phone', requireAuth, async (req, res) => {
+  const parsed = z.object({ phone: z.string().min(6).max(40) }).safeParse(req.body);
+  if (!parsed.success) return res.status(400).json({ error: parsed.error.flatten() });
+
+  const encryptedPhone = encryptText(parsed.data.phone);
+  await pool.query('UPDATE users SET phone_encrypted = ? WHERE id = ?', [encryptedPhone, req.user.userId]);
+
+  res.json({ status: 'updated' });
+});
+
+export default router;