adolforeyna/EMI-Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: adolforeyna:0b36db9b3348bb11a499e0dc594e607efb94bea1
Branches Tags
adolforeyna:master adolforeyna:codex/live-captions adolforeyna:codex/sessionchecker-json-unauthorized adolforeyna:codex/universal-chat-room adolforeyna:codex/password-security-plan-comments adolforeyna:codex/fix-502-feed-profile
...
compare: adolforeyna:codex/fix-502-feed-profile
Branches Tags
adolforeyna:master adolforeyna:codex/live-captions adolforeyna:codex/sessionchecker-json-unauthorized adolforeyna:codex/universal-chat-room adolforeyna:codex/password-security-plan-comments adolforeyna:codex/fix-502-feed-profile

2 Commits
0b36db9b33 ... codex/fix-

Author SHA1 Message Date
Adolfo Reyna
ea864b27d4 Harden local/prod cookie policy and Mongo connection settings 2026-02-20 19:25:21 -05:00
Adolfo Reyna
c136d25974 Harden feed/profile routes against invalid IDs and null profiles 2026-02-20 19:09:15 -05:00
7 changed files with 107 additions and 43 deletions
Expand all files Collapse all files

10
config/cookiesOptions.js
View File

@@ -1,8 +1,12 @@
const isProduction = process.env.NODE_ENV === "production";
const forceSecureCookie = process.env.COOKIE_SECURE === "true";
const secure = forceSecureCookie || isProduction;
const cookiesOptions = { const cookiesOptions = {
maxAge: 1000 * 60 * 60 * 24 * 90, // would expire after 30 days maxAge: 1000 * 60 * 60 * 24 * 90, // would expire after 90 days
httpOnly: true, // The cookie only accessible by the web server httpOnly: true, // The cookie only accessible by the web server
sameSite: 'none', // This and secure are required for properly sameSite: secure ? 'none' : 'lax',
secure: true, // manage cockies in cros-domain secure,
}; };
module.exports = { cookiesOptions }; module.exports = { cookiesOptions };

4
config/corsOptions.js
View File

@@ -1,6 +1,10 @@
var corsOptions = { var corsOptions = {
origin: [ origin: [
'http://localhost:8080', 'http://localhost:8080',
'http://localhost:8081',
'http://127.0.0.1:3000',
'http://127.0.0.1:8080',
'http://127.0.0.1:8081',
'http://localhost:3000', 'http://localhost:3000',
"https://social.emmint.com", "https://social.emmint.com",
"https://fellowship.emmint.com", "https://fellowship.emmint.com",

13
dbTools/profile.js
View File

@@ -96,16 +96,18 @@ userDB = (DB) => {
DB.getFriendsFriends = async (profileId, limit = 10) => { DB.getFriendsFriends = async (profileId, limit = 10) => {
const profile = await DB.getProfile(profileId); const profile = await DB.getProfile(profileId);
if (!profile) return []; if (!profile) return [];
let ids = profile.following.map((id) => DB.ObjectID(id)); const following = Array.isArray(profile.following) ? profile.following : [];
let ids = following.filter((id) => DB.ObjectID.isValid(id)).map((id) => DB.ObjectID(id));
let alreadyFollowingMap = {}; let alreadyFollowingMap = {};
alreadyFollowingMap[profileId] = 1; //skip that profile alreadyFollowingMap[profileId] = 1; //skip that profile
profile.following.forEach(id => { following.forEach(id => {
if (!alreadyFollowingMap[id]) alreadyFollowingMap[id] = 1; if (!alreadyFollowingMap[id]) alreadyFollowingMap[id] = 1;
}) })
return DB.profileCols.find({ _id: { $in: ids } }).project({ following: 1 }).limit(limit).toArray().then(profiles => { return DB.profileCols.find({ _id: { $in: ids } }).project({ following: 1 }).limit(limit).toArray().then(profiles => {
let friendsOfFriendsMap = {}; let friendsOfFriendsMap = {};
profiles.forEach(p => { profiles.forEach(p => {
p.following.forEach(followingId => { const related = Array.isArray(p.following) ? p.following : [];
related.forEach(followingId => {
if (alreadyFollowingMap[followingId]) return 0; if (alreadyFollowingMap[followingId]) return 0;
if (!friendsOfFriendsMap[followingId]) friendsOfFriendsMap[followingId] = 0; if (!friendsOfFriendsMap[followingId]) friendsOfFriendsMap[followingId] = 0;
friendsOfFriendsMap[followingId] = friendsOfFriendsMap[followingId] + 1; friendsOfFriendsMap[followingId] = friendsOfFriendsMap[followingId] + 1;
@@ -312,9 +314,10 @@ userDB = (DB) => {
DB.getFollowingGroups = async (profileid) => { DB.getFollowingGroups = async (profileid) => {
const profile = await DB.getProfile(profileid); const profile = await DB.getProfile(profileid);
let ids = []; let ids = [];
for (id in profile.following) { const following = Array.isArray(profile?.following) ? profile.following : [];
for (id in following) {
try { try {
let oId = DB.ObjectID(profile.following[id]); let oId = DB.ObjectID(following[id]);
let checkProfile = await DB.getProfileCache(oId) let checkProfile = await DB.getProfileCache(oId)
if (checkProfile && checkProfile.isGroup && !checkProfile.isChat) { if (checkProfile && checkProfile.isGroup && !checkProfile.isChat) {
ids.push(oId) ids.push(oId)

25
middleware/sessionChecker.js
View File

@@ -2,19 +2,30 @@ const { getSessionId, getUserId, getProfileId } = require('../utils/sessionUtils
const { client_logger } = require('../utils/analyticsLogger'); const { client_logger } = require('../utils/analyticsLogger');
const { cookiesOptions } = require('../config/cookiesOptions'); const { cookiesOptions } = require('../config/cookiesOptions');
const MongoDB = require("../mongoDB.js"); const MongoDB = require("../mongoDB.js");
const { ObjectId } = require("mongodb");
const sessionChecker = async (req, res, next) => { const sessionChecker = async (req, res, next) => {
const session_id = getSessionId(req); try {
const user_sid = getUserId(req); const session_id = getSessionId(req);
let profile_id = getProfileId(req); const user_sid = getUserId(req);
let profile_id = getProfileId(req);
if (session_id && user_sid) { if (!session_id || !user_sid) {
DB = await MongoDB.getDB; return res.redirect('/login');
}
if (!ObjectId.isValid(session_id) || !ObjectId.isValid(user_sid)) {
return res.redirect('/login');
}
const DB = await MongoDB.getDB;
const userInfo = await DB.checkSessionOnDB(session_id, user_sid); const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
req.userInfo = userInfo; req.userInfo = userInfo;
if (!await DB.getProfileCache(profile_id)) { if (!await DB.getProfileCache(profile_id)) {
const latestProfile = await DB.latestProfile(user_sid); const latestProfile = await DB.latestProfile(user_sid);
if (!latestProfile || !latestProfile._id) {
return res.redirect('/login');
}
res.cookie('profile_id', latestProfile._id, cookiesOptions); res.cookie('profile_id', latestProfile._id, cookiesOptions);
profile_id = latestProfile._id; profile_id = latestProfile._id;
} }
@@ -23,14 +34,14 @@ const sessionChecker = async (req, res, next) => {
if (!userInfo) return res.redirect('/login'); if (!userInfo) return res.redirect('/login');
// Log Request
client_logger.capture({ client_logger.capture({
distinctId: user_sid, distinctId: user_sid,
event: 'server@' + req.method + '@' + req.originalUrl, event: 'server@' + req.method + '@' + req.originalUrl,
}); });
next(); next();
} else { } catch (error) {
console.error("Session checker error", error);
return res.redirect('/login'); return res.redirect('/login');
} }
}; };

21
mongoDB.js
View File

@@ -11,16 +11,33 @@ const paymentDB = require("./dbTools/payments.js");
const songsDB = require("./dbTools/songs.js"); const songsDB = require("./dbTools/songs.js");
console.log("Connecting to MongoDB..."); console.log("Connecting to MongoDB...");
const nodeMajorVersion = parseInt((process.versions.node || "0").split(".")[0], 10);
if (nodeMajorVersion >= 22) {
console.warn("Warning: mongodb@3.x is not fully tested on Node.js 22+. Prefer Node.js 20 LTS for local stability.");
}
const mongoConnectOptions = {
useNewUrlParser: true,
useUnifiedTopology: true,
serverSelectionTimeoutMS: 10000,
connectTimeoutMS: 10000,
socketTimeoutMS: 45000,
keepAlive: true,
};
const getDB = new Promise((resolve, reject) => { const getDB = new Promise((resolve, reject) => {
const DB = {ObjectID: mongo.ObjectID}; const DB = {ObjectID: mongo.ObjectID};
MongoClient.connect(mongoUrl, function(err, db) { MongoClient.connect(mongoUrl, mongoConnectOptions, function(err, db) {
if (err) return reject(err); if (err) return reject(err);
console.log("Connected to DB!"); console.log("Connected to DB!");
DB.db = db; DB.db = db;
DB.ObjectID = ObjectID; DB.ObjectID = ObjectID;
DB.db.on("close", () => console.error("MongoDB connection closed"));
DB.db.on("reconnect", () => console.log("MongoDB reconnected"));
DB.db.on("error", (error) => console.error("MongoDB connection error", error));
DB.usersCol = db.db(DBName).collection("users"); DB.usersCol = db.db(DBName).collection("users");
DB.tokensCol = db.db(DBName).collection("tokens"); DB.tokensCol = db.db(DBName).collection("tokens");
DB.invitationCol = db.db(DBName).collection("invitation"); DB.invitationCol = db.db(DBName).collection("invitation");
@@ -31,7 +48,7 @@ const getDB = new Promise((resolve, reject) => {
const doc = await DB.tokensCol.findOne({"_id":temp_id}); const doc = await DB.tokensCol.findOne({"_id":temp_id});
if(doc && doc.uid == user_sid){ if(doc && doc.uid == user_sid){
const userMongoId = new mongo.ObjectID(user_sid); const userMongoId = new mongo.ObjectID(user_sid);
const userInfo = await DB.usersCol.findOne({"_id": userMongoId}, {fields: {password: 0}}); const userInfo = await DB.usersCol.findOne({"_id": userMongoId}, {projection: {password: 0}});
return userInfo; return userInfo;
} }
return false; return false;

39
routes/post.js
View File

@@ -8,7 +8,10 @@ const Notifications = require("./../notifications.js");
DB.getDB.then((DB) => { DB.getDB.then((DB) => {
const getProfileId = (req) => { const getProfileId = (req) => {
return DB.ObjectID(req.cookies.profile_id || req.query.profile_id || req.body.profile_id); const rawProfileId = req.cookies.profile_id || req.query.profile_id || req.body.profile_id || req.profileInfo?._id;
if (!rawProfileId) return null;
if (!DB.ObjectID.isValid(rawProfileId)) return null;
return DB.ObjectID(rawProfileId);
}; };
const postBelongToProfile = (post, profileid) => { const postBelongToProfile = (post, profileid) => {
@@ -155,12 +158,17 @@ DB.getDB.then((DB) => {
* $ref: '#/components/schemas/Post' * $ref: '#/components/schemas/Post'
*/ */
router.get("/organic", async (req, res) => { router.get("/organic", async (req, res) => {
const profileid = getProfileId(req); try {
let organicPosts = await DB.getFeed(profileid); const profileid = getProfileId(req);
//Add non-organic posts if (!profileid) return res.status(400).json([]);
const nonOrganicPosts = await generateNonOrganicPosts(req, profileid); let organicPosts = await DB.getFeed(profileid);
const posts = mergePosts(organicPosts, nonOrganicPosts); const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
return res.json(posts); const posts = mergePosts(organicPosts || [], nonOrganicPosts || []);
return res.json(posts);
} catch (error) {
console.error("Error loading organic feed", error);
return res.status(500).json([]);
}
}); });
/** /**
@@ -182,12 +190,17 @@ DB.getDB.then((DB) => {
* $ref: '#/components/schemas/Post' * $ref: '#/components/schemas/Post'
*/ */
router.get("/", async (req, res) => { router.get("/", async (req, res) => {
const profileid = getProfileId(req); try {
//Add non-organic posts const profileid = getProfileId(req);
const nonOrganicPosts = await generateNonOrganicPosts(req, profileid); if (!profileid) return res.status(400).json([]);
let promotionalPosts = await DB.getPromotionalPosts(profileid); const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
const posts = mergePosts(promotionalPosts, nonOrganicPosts); let promotionalPosts = await DB.getPromotionalPosts(profileid);
return res.json(posts); const posts = mergePosts(promotionalPosts || [], nonOrganicPosts || []);
return res.json(posts);
} catch (error) {
console.error("Error loading feed", error);
return res.status(500).json([]);
}
}); });
/** /**

24
routes/profile.js
View File

@@ -795,12 +795,24 @@ DB.getDB.then((DB) => {
* $ref: '#/components/schemas/Profile' * $ref: '#/components/schemas/Profile'
*/ */
router.get("/:id", async (req, res) => { router.get("/:id", async (req, res) => {
let profileId = req.params.id; try {
let profile = await DB.getProfile(profileId); let profileId = req.params.id;
return res.json({ let profile = await DB.getProfile(profileId);
status: "ok", if (!profile || !profile._id) {
...profile return res.status(404).json({
}); status: "Profile not found",
});
}
return res.json({
status: "ok",
...profile
});
} catch (error) {
console.error("Error loading profile", error);
return res.status(500).json({
status: "Internal server error"
});
}
}); });
/** /**