Harden feed/profile routes against invalid IDs and null profiles

routes/post.js

@@ -8,7 +8,10 @@ const Notifications = require("./../notifications.js");
 DB.getDB.then((DB) => {
 
     const getProfileId = (req) => {
-        return DB.ObjectID(req.cookies.profile_id || req.query.profile_id || req.body.profile_id);
+        const rawProfileId = req.cookies.profile_id || req.query.profile_id || req.body.profile_id || req.profileInfo?._id;
+        if (!rawProfileId) return null;
+        if (!DB.ObjectID.isValid(rawProfileId)) return null;
+        return DB.ObjectID(rawProfileId);
     };
 
     const postBelongToProfile = (post, profileid) => {
@@ -155,12 +158,17 @@ DB.getDB.then((DB) => {
  *                 $ref: '#/components/schemas/Post'
  */
     router.get("/organic", async (req, res) => {
-        const profileid = getProfileId(req);
-        let organicPosts = await DB.getFeed(profileid);
-        //Add non-organic posts
-        const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
-        const posts = mergePosts(organicPosts, nonOrganicPosts);
-        return res.json(posts);
+        try {
+            const profileid = getProfileId(req);
+            if (!profileid) return res.status(400).json([]);
+            let organicPosts = await DB.getFeed(profileid);
+            const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
+            const posts = mergePosts(organicPosts || [], nonOrganicPosts || []);
+            return res.json(posts);
+        } catch (error) {
+            console.error("Error loading organic feed", error);
+            return res.status(500).json([]);
+        }
     });
 
     /**
@@ -182,12 +190,17 @@ DB.getDB.then((DB) => {
  *                 $ref: '#/components/schemas/Post'
  */
     router.get("/", async (req, res) => {
-        const profileid = getProfileId(req);
-        //Add non-organic posts
-        const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
-        let promotionalPosts = await DB.getPromotionalPosts(profileid);
-        const posts = mergePosts(promotionalPosts, nonOrganicPosts);
-        return res.json(posts);
+        try {
+            const profileid = getProfileId(req);
+            if (!profileid) return res.status(400).json([]);
+            const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
+            let promotionalPosts = await DB.getPromotionalPosts(profileid);
+            const posts = mergePosts(promotionalPosts || [], nonOrganicPosts || []);
+            return res.json(posts);
+        } catch (error) {
+            console.error("Error loading feed", error);
+            return res.status(500).json([]);
+        }
     });
 
     /**
@@ -980,4 +993,4 @@ DB.getDB.then((DB) => {
 
 });
 
-module.exports = router
+module.exports = router

routes/profile.js

@@ -795,12 +795,24 @@ DB.getDB.then((DB) => {
  *               $ref: '#/components/schemas/Profile'
  */
     router.get("/:id", async (req, res) => {
-        let profileId = req.params.id;
-        let profile = await DB.getProfile(profileId);
-        return res.json({
-            status: "ok",
-            ...profile
-        });
+        try {
+            let profileId = req.params.id;
+            let profile = await DB.getProfile(profileId);
+            if (!profile || !profile._id) {
+                return res.status(404).json({
+                    status: "Profile not found",
+                });
+            }
+            return res.json({
+                status: "ok",
+                ...profile
+            });
+        } catch (error) {
+            console.error("Error loading profile", error);
+            return res.status(500).json({
+                status: "Internal server error"
+            });
+        }
     });
 
     /**
@@ -913,4 +925,4 @@ DB.getDB.then((DB) => {
 
 });
 
-module.exports = router
+module.exports = router