adolforeyna/EMI-Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: adolforeyna:0b36db9b3348bb11a499e0dc594e607efb94bea1
Branches Tags
adolforeyna:master adolforeyna:codex/live-captions adolforeyna:codex/sessionchecker-json-unauthorized adolforeyna:codex/universal-chat-room adolforeyna:codex/password-security-plan-comments adolforeyna:codex/fix-502-feed-profile
..
compare: adolforeyna:822e2bc0d6e2275f0ab29446d1eed3585f686597
Branches Tags
adolforeyna:master adolforeyna:codex/live-captions adolforeyna:codex/sessionchecker-json-unauthorized adolforeyna:codex/universal-chat-room adolforeyna:codex/password-security-plan-comments adolforeyna:codex/fix-502-feed-profile

3 Commits
0b36db9b33 ... 822e2bc0d6

Author SHA1 Message Date
adolforeyna
822e2bc0d6 Merge pull request 'codex/fix-502-feed-profile' (#1) from codex/fix-502-feed-profile into master 
Reviewed-on: #1
 2026-02-21 00:46:34 +00:00
Adolfo Reyna
ea864b27d4 Harden local/prod cookie policy and Mongo connection settings 2026-02-20 19:25:21 -05:00
Adolfo Reyna
c136d25974 Harden feed/profile routes against invalid IDs and null profiles 2026-02-20 19:09:15 -05:00
7 changed files with 107 additions and 43 deletions
Expand all files Collapse all files

10
config/cookiesOptions.js
View File

@@ -1,8 +1,12 @@
const isProduction = process.env.NODE_ENV === "production";
const forceSecureCookie = process.env.COOKIE_SECURE === "true";
const secure = forceSecureCookie || isProduction;
const cookiesOptions = {
maxAge: 1000 * 60 * 60 * 24 * 90, // would expire after 30 days
maxAge: 1000 * 60 * 60 * 24 * 90, // would expire after 90 days
httpOnly: true, // The cookie only accessible by the web server
sameSite: 'none', // This and secure are required for properly
secure: true, // manage cockies in cros-domain
sameSite: secure ? 'none' : 'lax',
secure,
};
module.exports = { cookiesOptions };

4
config/corsOptions.js
View File

@@ -1,6 +1,10 @@
var corsOptions = {
origin: [
'http://localhost:8080',
'http://localhost:8081',
'http://127.0.0.1:3000',
'http://127.0.0.1:8080',
'http://127.0.0.1:8081',
'http://localhost:3000',
"https://social.emmint.com",
"https://fellowship.emmint.com",

13
dbTools/profile.js
View File

@@ -96,16 +96,18 @@ userDB = (DB) => {
DB.getFriendsFriends = async (profileId, limit = 10) => {
const profile = await DB.getProfile(profileId);
if (!profile) return [];
let ids = profile.following.map((id) => DB.ObjectID(id));
const following = Array.isArray(profile.following) ? profile.following : [];
let ids = following.filter((id) => DB.ObjectID.isValid(id)).map((id) => DB.ObjectID(id));
let alreadyFollowingMap = {};
alreadyFollowingMap[profileId] = 1; //skip that profile
profile.following.forEach(id => {
following.forEach(id => {
if (!alreadyFollowingMap[id]) alreadyFollowingMap[id] = 1;
})
return DB.profileCols.find({ _id: { $in: ids } }).project({ following: 1 }).limit(limit).toArray().then(profiles => {
let friendsOfFriendsMap = {};
profiles.forEach(p => {
p.following.forEach(followingId => {
const related = Array.isArray(p.following) ? p.following : [];
related.forEach(followingId => {
if (alreadyFollowingMap[followingId]) return 0;
if (!friendsOfFriendsMap[followingId]) friendsOfFriendsMap[followingId] = 0;
friendsOfFriendsMap[followingId] = friendsOfFriendsMap[followingId] + 1;
@@ -312,9 +314,10 @@ userDB = (DB) => {
DB.getFollowingGroups = async (profileid) => {
const profile = await DB.getProfile(profileid);
let ids = [];
for (id in profile.following) {
const following = Array.isArray(profile?.following) ? profile.following : [];
for (id in following) {
try {
let oId = DB.ObjectID(profile.following[id]);
let oId = DB.ObjectID(following[id]);
let checkProfile = await DB.getProfileCache(oId)
if (checkProfile && checkProfile.isGroup && !checkProfile.isChat) {
ids.push(oId)

25
middleware/sessionChecker.js
View File

@@ -2,19 +2,30 @@ const { getSessionId, getUserId, getProfileId } = require('../utils/sessionUtils
const { client_logger } = require('../utils/analyticsLogger');
const { cookiesOptions } = require('../config/cookiesOptions');
const MongoDB = require("../mongoDB.js");
const { ObjectId } = require("mongodb");
const sessionChecker = async (req, res, next) => {
const session_id = getSessionId(req);
const user_sid = getUserId(req);
let profile_id = getProfileId(req);
try {
const session_id = getSessionId(req);
const user_sid = getUserId(req);
let profile_id = getProfileId(req);
if (session_id && user_sid) {
DB = await MongoDB.getDB;
if (!session_id || !user_sid) {
return res.redirect('/login');
}
if (!ObjectId.isValid(session_id) || !ObjectId.isValid(user_sid)) {
return res.redirect('/login');
}
const DB = await MongoDB.getDB;
const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
req.userInfo = userInfo;
if (!await DB.getProfileCache(profile_id)) {
const latestProfile = await DB.latestProfile(user_sid);
if (!latestProfile || !latestProfile._id) {
return res.redirect('/login');
}
res.cookie('profile_id', latestProfile._id, cookiesOptions);
profile_id = latestProfile._id;
}
@@ -23,14 +34,14 @@ const sessionChecker = async (req, res, next) => {
if (!userInfo) return res.redirect('/login');
// Log Request
client_logger.capture({
distinctId: user_sid,
event: 'server@' + req.method + '@' + req.originalUrl,
});
next();
} else {
} catch (error) {
console.error("Session checker error", error);
return res.redirect('/login');
}
};

21
mongoDB.js
View File

@@ -11,16 +11,33 @@ const paymentDB = require("./dbTools/payments.js");
const songsDB = require("./dbTools/songs.js");
console.log("Connecting to MongoDB...");
const nodeMajorVersion = parseInt((process.versions.node || "0").split(".")[0], 10);
if (nodeMajorVersion >= 22) {
console.warn("Warning: mongodb@3.x is not fully tested on Node.js 22+. Prefer Node.js 20 LTS for local stability.");
}
const mongoConnectOptions = {
useNewUrlParser: true,
useUnifiedTopology: true,
serverSelectionTimeoutMS: 10000,
connectTimeoutMS: 10000,
socketTimeoutMS: 45000,
keepAlive: true,
};
const getDB = new Promise((resolve, reject) => {
const DB = {ObjectID: mongo.ObjectID};
MongoClient.connect(mongoUrl, function(err, db) {
MongoClient.connect(mongoUrl, mongoConnectOptions, function(err, db) {
if (err) return reject(err);
console.log("Connected to DB!");
DB.db = db;
DB.ObjectID = ObjectID;
DB.db.on("close", () => console.error("MongoDB connection closed"));
DB.db.on("reconnect", () => console.log("MongoDB reconnected"));
DB.db.on("error", (error) => console.error("MongoDB connection error", error));
DB.usersCol = db.db(DBName).collection("users");
DB.tokensCol = db.db(DBName).collection("tokens");
DB.invitationCol = db.db(DBName).collection("invitation");
@@ -31,7 +48,7 @@ const getDB = new Promise((resolve, reject) => {
const doc = await DB.tokensCol.findOne({"_id":temp_id});
if(doc && doc.uid == user_sid){
const userMongoId = new mongo.ObjectID(user_sid);
const userInfo = await DB.usersCol.findOne({"_id": userMongoId}, {fields: {password: 0}});
const userInfo = await DB.usersCol.findOne({"_id": userMongoId}, {projection: {password: 0}});
return userInfo;
}
return false;

39
routes/post.js
View File

@@ -8,7 +8,10 @@ const Notifications = require("./../notifications.js");
DB.getDB.then((DB) => {
const getProfileId = (req) => {
return DB.ObjectID(req.cookies.profile_id || req.query.profile_id || req.body.profile_id);
const rawProfileId = req.cookies.profile_id || req.query.profile_id || req.body.profile_id || req.profileInfo?._id;
if (!rawProfileId) return null;
if (!DB.ObjectID.isValid(rawProfileId)) return null;
return DB.ObjectID(rawProfileId);
};
const postBelongToProfile = (post, profileid) => {
@@ -155,12 +158,17 @@ DB.getDB.then((DB) => {
* $ref: '#/components/schemas/Post'
*/
router.get("/organic", async (req, res) => {
const profileid = getProfileId(req);
let organicPosts = await DB.getFeed(profileid);
//Add non-organic posts
const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
const posts = mergePosts(organicPosts, nonOrganicPosts);
return res.json(posts);
try {
const profileid = getProfileId(req);
if (!profileid) return res.status(400).json([]);
let organicPosts = await DB.getFeed(profileid);
const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
const posts = mergePosts(organicPosts || [], nonOrganicPosts || []);
return res.json(posts);
} catch (error) {
console.error("Error loading organic feed", error);
return res.status(500).json([]);
}
});
/**
@@ -182,12 +190,17 @@ DB.getDB.then((DB) => {
* $ref: '#/components/schemas/Post'
*/
router.get("/", async (req, res) => {
const profileid = getProfileId(req);
//Add non-organic posts
const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
let promotionalPosts = await DB.getPromotionalPosts(profileid);
const posts = mergePosts(promotionalPosts, nonOrganicPosts);
return res.json(posts);
try {
const profileid = getProfileId(req);
if (!profileid) return res.status(400).json([]);
const nonOrganicPosts = await generateNonOrganicPosts(req, profileid);
let promotionalPosts = await DB.getPromotionalPosts(profileid);
const posts = mergePosts(promotionalPosts || [], nonOrganicPosts || []);
return res.json(posts);
} catch (error) {
console.error("Error loading feed", error);
return res.status(500).json([]);
}
});
/**

24
routes/profile.js
View File

@@ -795,12 +795,24 @@ DB.getDB.then((DB) => {
* $ref: '#/components/schemas/Profile'
*/
router.get("/:id", async (req, res) => {
let profileId = req.params.id;
let profile = await DB.getProfile(profileId);
return res.json({
status: "ok",
...profile
});
try {
let profileId = req.params.id;
let profile = await DB.getProfile(profileId);
if (!profile || !profile._id) {
return res.status(404).json({
status: "Profile not found",
});
}
return res.json({
status: "ok",
...profile
});
} catch (error) {
console.error("Error loading profile", error);
return res.status(500).json({
status: "Internal server error"
});
}
});
/**