Harden feed/profile routes against invalid IDs and null profiles

2026-02-20 19:09:15 -05:00
parent 0b36db9b33
commit c136d25974
4 changed files with 74 additions and 35 deletions
--- a/routes/post.js
+++ b/routes/post.js
@@ -8,7 +8,10 @@ const Notifications = require("./../notifications.js");
 DB.getDB.then((DB) => {

    const getProfileId = (req) => {
-        return DB.ObjectID(req.cookies.profile_id || req.query.profile_id || req.body.profile_id);
+        const rawProfileId = req.cookies.profile_id || req.query.profile_id || req.body.profile_id || req.profileInfo?._id;
+        if (!rawProfileId) return null;
+        if (!DB.ObjectID.isValid(rawProfileId)) return null;
+        return DB.ObjectID(rawProfileId);
    };

    const postBelongToProfile = (post, profileid) => {
@@ -155,12 +158,17 @@ DB.getDB.then((DB) => {
 *                 $ref: '#/components/schemas/Post'
 */
    router.get("/organic", async (req, res) => {
-        const profileid = getProfileId(req);
-        let organicPosts = await DB.getFeed(profileid);
-        //Add non-organic posts
-        const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
-        const posts = mergePosts(organicPosts, nonOrganicPosts);
-        return res.json(posts);
+        try {
+            const profileid = getProfileId(req);
+            if (!profileid) return res.status(400).json([]);
+            let organicPosts = await DB.getFeed(profileid);
+            const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
+            const posts = mergePosts(organicPosts || [], nonOrganicPosts || []);
+            return res.json(posts);
+        } catch (error) {
+            console.error("Error loading organic feed", error);
+            return res.status(500).json([]);
+        }
    });

    /**
@@ -182,12 +190,17 @@ DB.getDB.then((DB) => {
 *                 $ref: '#/components/schemas/Post'
 */
    router.get("/", async (req, res) => {
-        const profileid = getProfileId(req);
-        //Add non-organic posts
-        const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
-        let promotionalPosts = await DB.getPromotionalPosts(profileid);
-        const posts = mergePosts(promotionalPosts, nonOrganicPosts);
-        return res.json(posts);
+        try {
+            const profileid = getProfileId(req);
+            if (!profileid) return res.status(400).json([]);
+            const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
+            let promotionalPosts = await DB.getPromotionalPosts(profileid);
+            const posts = mergePosts(promotionalPosts || [], nonOrganicPosts || []);
+            return res.json(posts);
+        } catch (error) {
+            console.error("Error loading feed", error);
+            return res.status(500).json([]);
+        }
    });

    /**
@@ -980,4 +993,4 @@ DB.getDB.then((DB) => {

 });

-module.exports = router
+module.exports = router