Merge pull request 'codex/fix-502-feed-profile' (#1 ) from codex/fix-502-feed-profile into master

Reviewed-on: http://192.168.68.119:3000/adolforeyna/EMI-Backend/pulls/1
2026-02-21 00:46:34 +00:00
4 changed files with 93 additions and 291 deletions
@@ -9,48 +9,15 @@ const Notifications = require("../notifications");
 // Object Definitions
 const Post = require("../def/post.js")
 const Profile = require("../def/profile.js");
 const DUMMY_BCRYPT_HASH = '$2b$10$2zQfAaxK0cN13N7V2Q5hAOL3wxY5E9OQj1YxDCEV4VpWw2X2gYd6C';
 const PASSWORD_TOKEN_TTL_MINUTES = parseInt(process.env.PASSWORD_TOKEN_TTL_MINUTES || '20', 10);
 const PASSWORD_TOKEN_PATH = process.env.PASSWORD_TOKEN_PATH || '/token-login';
 const FRONTEND_URL = (process.env.FRONTEND_URL || 'https://social.emmint.com').replace(/\/+$/, '');
 const createPasswordTokenHash = (rawToken) =>
    crypto.createHash('sha256').update(rawToken).digest('hex');
 const createSessionFromUser = async ({ DB, user, req, res }) => {
    const sessionObj = await DB.newSession(user._id);
    res.cookie('user_sid', user._id, cookiesOptions);
    res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
    const latestUpdatedProfile = await DB.latestProfile(user._id);
    if (latestUpdatedProfile && latestUpdatedProfile._id) {
        res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
    }
    client_logger.identify({
        distinctId: user._id,
        properties: {
            name: latestUpdatedProfile?.profile?.firstName || '',
        }
    });
    client_logger.capture({
        distinctId: user._id,
        event: 'server@' + req.method + '@' + req.originalUrl,
    });
    return {
        status: "ok",
        user_sid: user._id,
        session_id: sessionObj.insertedId,
        profile_id: latestUpdatedProfile?._id
    };
 };
 // Function to Singup new users. An user is a combination of a user obj and a profile.
 // When new users are subscribed, they have a single profile, which is the personal one.
 // Other profiles can be link to that user, like groups or courses.
 const signup = async function (req, res) {
-    const username = (req.body.username || "").trim().toLowerCase();
+    const username = req.query.username || req.body.username;
-    const password = req.body.password;
+    const password = req.query.password || req.body.password;
-    const email = (req.body.email || "").trim().toLowerCase();
+    const email = req.query.email || req.body.email;
-    const profile = req.body.profile;
+    const profile = req.query.profile || req.body.profile;
    if (!username || !password || !email) return res.json({ status: "Incomplete information!" });
    // Check if the new user has an invitation.
    const DB = await MongoDB.getDB;
@@ -67,10 +34,12 @@ const signup = async function (req, res) {
    }
    let isUserAlreadyRegistered = await DB.getUser(email);
    if (isUserAlreadyRegistered && isUserAlreadyRegistered._id) return res.json({ status: "This user is already registered" });
    // Hash password to be stored on the DB.
    // TODO: I think this is missing a Salt factor to improve security
    const hashedPassword = await bcrypt.hash(password, 10);
    const newUserObject = await DB.newUser({
-        username,
+        username: username.toLowerCase(),
-        email,
+        email: email.toLowerCase(),
        password: hashedPassword
    });
    // If newUserObject it's an error message, we check by looking toLowerCase function 
@@ -110,23 +79,47 @@ const login = async function (req, res) {
        const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
        if (userInfo) return res.redirect('/');
    }
-    const invalidCredentials = () => res.status(401).json({ status: "Invalid credentials" });
+    const username = req.body.username || req.query.username;
-    const username = (req.body.username || req.body.email || "").trim().toLowerCase();
+    const password = req.body.password || req.query.password || "";
    const password = req.body.password || "";
    if (!username || !password) return invalidCredentials();
    const user = await DB.getUser(username);
    if (!user) {
        client_logger.capture({
            distinctId: 'app_level',
-            event: 'server@' + req.method + '@' + req.originalUrl + '@invalidCredentials',
+            event: 'server@' + req.method + '@' + req.originalUrl + '@userNotFound',
-            properties: { username },
+            properties: {
                username: username,
            }
        });
        return res.json({ status: "user not founded" });
    }
-    const isSamePassword = await bcrypt.compare(password, user?.password || DUMMY_BCRYPT_HASH);
+    // TODO: Also add salt parameter here.
-    if (!user || !isSamePassword) return invalidCredentials();
+    const isSamePassword = await bcrypt.compare(password, user.password);
    if (!isSamePassword) return res.json({ status: "incorrect password" });
    try {
-        return res.json(await createSessionFromUser({ DB, user, req, res }));
+        // Store a new session loging on DB, and use ID as session ID
        const sessionObj = await DB.newSession(user._id);
        // Create coockies with information for Auth
        res.cookie('user_sid', user._id, cookiesOptions);
        res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
        // Chooses the most recent update profile as current active profile
        const latestUpdatedProfile = await DB.latestProfile(user._id);
        res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
        client_logger.identify({
            distinctId: user._id,
            properties: {
                name: latestUpdatedProfile.profile.firstName,
            }
        });
        client_logger.capture({
            distinctId: user._id,
            event: 'server@' + req.method + '@' + req.originalUrl,
        });
        return res.json({
            status: "ok",
            user_sid: user._id,
            session_id: sessionObj.insertedId,
            profile_id: latestUpdatedProfile._id
        });
    } catch (error) {
        console.error(error);
        client_logger.capture({
@@ -158,43 +151,51 @@ const logout = async function (req, res) {
    }
 }
-const resetPassword = async function (req, res) {
+// Util function for generating new random password for users.
-    const DB = await MongoDB.getDB;
+function generatePassword(length = 12) {
    const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+";
    return Array.from(crypto.randomFillSync(new Uint8Array(length)))
        .map((x) => charset[x % charset.length])
        .join("");
 }
-    const genericResetResponse = {
+const resetPassword = async function (req, res) {
-        status: "ok",
+    const session_id = getSessionId(req);
-        details: "If the account exists, check your email for next steps"
+    const user_sid = getUserId(req);
-    };
+    const DB = await MongoDB.getDB;
    if (session_id && user_sid) {
        // Sadly reusing this endpoint to change password to legged in users.
        // TODO: Move change password logic to its own endpoint.
        const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
        if (userInfo) {
            const password = req.body.password;
            const hashedPassword = await bcrypt.hash(password, 10);
            // TODO: Add salt to password here as well.
            DB.resetUserPassword(userInfo.username, hashedPassword);
            return res.json({
                status: "ok",
                details: 'password changed!' // This should be an enum that syncs with clients.
            });
        }
    }
    // Logic for non-logged in users.
-    const username = (req.body.username || req.body.email || "").trim().toLowerCase();
+    const username = req.body.username;
    if (!username) return res.json(genericResetResponse);
    const user = await DB.getUser(username);
-    if (!user) {
+    if (!user) return res.json({ status: "user not founded" });
-        client_logger.capture({
+    const password = generatePassword();
-            distinctId: 'app_level',
+    const hashedPassword = await bcrypt.hash(password, 10);
-            event: 'server@' + req.method + '@' + req.originalUrl + '@resetRequestedUnknownUser',
+    // TODO: Add salt to password here as well.
-            properties: { username }
+    // TODO: We need to limit this to every 2 hours or something like this.
-        });
+    // TODO: Move this template to the Notif file.
-        return res.json(genericResetResponse);
+    DB.resetUserPassword(username, hashedPassword);
-    }
+    Notifications.sendEmail(username, "Your new credentials",
    const rawToken = crypto.randomBytes(32).toString('hex');
    const tokenHash = createPasswordTokenHash(rawToken);
    const expiresAt = new Date(Date.now() + PASSWORD_TOKEN_TTL_MINUTES * 60 * 1000);
    const tokenStored = await DB.createPasswordLoginToken(user._id, tokenHash, expiresAt);
    if (!tokenStored) {
        return res.json(genericResetResponse);
    }
    const loginUrl = `${FRONTEND_URL}${PASSWORD_TOKEN_PATH}?token=${rawToken}`;
    Notifications.sendEmail(username, "Your secure sign-in link",
        `
-<p>Hello,</p>
+<p> Hello,</p>
-<p>Use this one-time sign-in link to access your account:</p>
+<p> This is your new password: ${password}</p>
-<p><a href="${loginUrl}">${loginUrl}</a></p>
+<p><a href="https://social.emmint.com/">Log in</a></p>
 <p>This link expires in ${PASSWORD_TOKEN_TTL_MINUTES} minutes and can only be used once.</p>
 <p>If you did not request this, you can ignore this email.</p>
 <p>Blessings</p>
 <p>Emmanuel International Ministries</p>
-`);
+`)
    client_logger.capture({
        distinctId: user._id,
        event: 'server@' + req.method + '@' + req.originalUrl,
@@ -202,30 +203,10 @@ const resetPassword = async function (req, res) {
            username: username,
        }
    });
-    return res.json(genericResetResponse);
+    return res.json({
-}
+        status: "ok",
-
+        details: 'Check your email for new password' // Enum of details?
-const loginWithPasswordToken = async function (req, res) {
+    });
    const DB = await MongoDB.getDB;
    const token = (req.body.token || "").trim();
    if (!token || token.length < 32) {
        return res.status(401).json({ status: "Invalid or expired token" });
    }
    const tokenHash = createPasswordTokenHash(token);
    const tokenDoc = await DB.consumePasswordLoginToken(tokenHash);
    if (!tokenDoc || !tokenDoc.userId) {
        return res.status(401).json({ status: "Invalid or expired token" });
    }
    const user = await DB.getUserById(tokenDoc.userId);
    if (!user || !user._id) {
        return res.status(401).json({ status: "Invalid or expired token" });
    }
    try {
        return res.json(await createSessionFromUser({ DB, user, req, res }));
    } catch (error) {
        console.error("Token login error", error);
        return res.status(500).json({ status: "Internal server error" });
    }
 }
@@ -234,5 +215,4 @@ module.exports = {
    login,
    logout,
    resetPassword,
-    loginWithPasswordToken,
+}
 }
@@ -9,7 +9,6 @@ require('dotenv').config();
 const express = require('express');
 const app = express();
 const port = process.env.PORT || 3000;
 app.set('trust proxy', true);
 // -- Accept request from other origins
 const cors = require('cors');
 const { corsOptions } = require('./config/corsOptions');
@@ -35,11 +34,11 @@ const limiter = rateLimit({
        return ip.includes(":") ? ip.split(":")[0] : ip; // Remove port if present
    }
 });
 app.set('trust proxy', true);
 app.use(limiter);
 // Authentication
-const { signup, login, logout, resetPassword, loginWithPasswordToken } = require('./auth/authEmail.js');
+const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
 const { authRateLimiter } = require('./middleware/authRateLimiter');
 /**
 * @swagger
 * /signup:
@@ -72,7 +71,7 @@ const { authRateLimiter } = require('./middleware/authRateLimiter');
 *       400:
 *         description: Bad request.
 */
-app.post('/signup', signup);
+app.route('/signup').get(signup).post(signup);
 /**
 * @swagger
 * /login:
@@ -105,7 +104,7 @@ app.post('/signup', signup);
 *       401:
 *         description: Invalid credentials.
 */
-app.post('/login', authRateLimiter('login'), login);
+app.route('/login').get(login).post(login);
 /**
 * @swagger
 * /logout:
@@ -128,7 +127,7 @@ app.get('/logout', logout);
 * @swagger
 * /resetPassword:
 *   post:
- *     summary: Sends a one-time sign-in link if the account exists
+ *     summary: Resets a user's password
 *     tags: [Auth]
 *     requestBody:
 *       required: true
@@ -153,29 +152,7 @@ app.get('/logout', logout);
 *       400:
 *         description: Bad request.
 */
-app.route('/resetPassword').post(authRateLimiter('reset'), resetPassword);
+app.route('/resetPassword').post(resetPassword);
 /**
 * @swagger
 * /password/token-login:
 *   post:
 *     summary: Consumes a one-time password token and starts a session
 *     tags: [Auth]
 *     requestBody:
 *       required: true
 *       content:
 *         application/json:
 *           schema:
 *             type: object
 *             properties:
 *               token:
 *                 type: string
 *     responses:
 *       200:
 *         description: Logged in with one-time token
 *       401:
 *         description: Invalid or expired token
 */
 app.post('/password/token-login', authRateLimiter('token'), loginWithPasswordToken);
 // Routes
 const profileRoute = require('./routes/profile.js');
@@ -509,4 +486,4 @@ DB.getDB.then((DB) => {
 });
 // Export the app for testing purposes
-module.exports = { app, mongoDB: DB };
+module.exports = { app, mongoDB: DB };
@@ -1,116 +0,0 @@
 const crypto = require('crypto');
 const { client_logger } = require('../utils/analyticsLogger');
 const AUTH_ATTEMPT_WINDOW_MS = Math.max(60 * 1000, parseInt(process.env.AUTH_ATTEMPT_WINDOW_MS || `${15 * 60 * 1000}`, 10));
 const AUTH_ATTEMPT_MAX = Math.max(1, parseInt(process.env.AUTH_ATTEMPT_MAX || '5', 10));
 const AUTH_BLOCK_BASE_MS = Math.max(30 * 1000, parseInt(process.env.AUTH_BLOCK_BASE_MS || `${5 * 60 * 1000}`, 10));
 const AUTH_BLOCK_MAX_MS = Math.max(AUTH_BLOCK_BASE_MS, parseInt(process.env.AUTH_BLOCK_MAX_MS || `${60 * 60 * 1000}`, 10));
 const limiterStore = new Map();
 let lastPruneAt = 0;
 const getClientIp = (req) => {
    const forwarded = req.headers['x-forwarded-for']?.split(',')[0]?.trim();
    const rawIp = forwarded || req.ip || req.connection?.remoteAddress || 'unknown';
    return rawIp.replace('::ffff:', '');
 };
 const hashValue = (value) =>
    crypto.createHash('sha256').update(String(value)).digest('hex').slice(0, 16);
 const getIdentity = (req, mode) => {
    if (mode === 'token') {
        const token = (req.body?.token || '').trim();
        return token ? `token:${hashValue(token)}` : 'token:anonymous';
    }
    const username = (req.body?.username || req.body?.email || '').trim().toLowerCase();
    return username ? `acct:${hashValue(username)}` : 'acct:anonymous';
 };
 const getLimiterKey = (req, mode) => `${mode}:${getIdentity(req, mode)}:ip:${getClientIp(req)}`;
 const getOrInitRecord = (key, now) => {
    const existing = limiterStore.get(key);
    if (existing) {
        return existing;
    }
    const record = {
        count: 0,
        windowStartedAt: now,
        blockedUntil: 0,
        blockLevel: 0,
    };
    limiterStore.set(key, record);
    return record;
 };
 const computeBlockMs = (blockLevel) =>
    Math.min(AUTH_BLOCK_BASE_MS * (2 ** Math.max(0, blockLevel - 1)), AUTH_BLOCK_MAX_MS);
 const authRateLimiter = (mode) => (req, res, next) => {
    const now = Date.now();
    if (now - lastPruneAt > 5 * 60 * 1000) {
        for (const [storeKey, storeValue] of limiterStore.entries()) {
            const isWindowExpired = now - storeValue.windowStartedAt > AUTH_ATTEMPT_WINDOW_MS;
            const isNotBlocked = storeValue.blockedUntil <= now;
            if (isWindowExpired && isNotBlocked) {
                limiterStore.delete(storeKey);
            }
        }
        lastPruneAt = now;
    }
    const key = getLimiterKey(req, mode);
    const record = getOrInitRecord(key, now);
    if (now - record.windowStartedAt > AUTH_ATTEMPT_WINDOW_MS) {
        record.count = 0;
        record.windowStartedAt = now;
    }
    if (record.blockedUntil > now) {
        const retryAfterSec = Math.ceil((record.blockedUntil - now) / 1000);
        res.set('Retry-After', retryAfterSec.toString());
        client_logger.capture({
            distinctId: 'app_level',
            event: 'security@auth@rate_limited',
            properties: {
                route: req.originalUrl,
                method: req.method,
                mode,
                keyHash: hashValue(key),
                retryAfterSec,
                blockLevel: record.blockLevel,
            }
        });
        return res.status(429).json({ status: 'Too many attempts. Please try again later.' });
    }
    record.count += 1;
    if (record.count > AUTH_ATTEMPT_MAX) {
        record.blockLevel += 1;
        const blockMs = computeBlockMs(record.blockLevel);
        record.blockedUntil = now + blockMs;
        record.count = 0;
        record.windowStartedAt = now;
        res.set('Retry-After', Math.ceil(blockMs / 1000).toString());
        client_logger.capture({
            distinctId: 'app_level',
            event: 'security@auth@rate_limited',
            properties: {
                route: req.originalUrl,
                method: req.method,
                mode,
                keyHash: hashValue(key),
                retryAfterSec: Math.ceil(blockMs / 1000),
                blockLevel: record.blockLevel,
            }
        });
        return res.status(429).json({ status: 'Too many attempts. Please try again later.' });
    }
    return next();
 };
 module.exports = {
    authRateLimiter,
 };
@@ -41,9 +41,6 @@ const getDB = new Promise((resolve, reject) => {
        DB.usersCol = db.db(DBName).collection("users");
        DB.tokensCol = db.db(DBName).collection("tokens");
        DB.invitationCol = db.db(DBName).collection("invitation");
        DB.passwordLoginTokensCol = db.db(DBName).collection("password_login_tokens");
        DB.passwordLoginTokensCol.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 }).catch(console.error);
        DB.passwordLoginTokensCol.createIndex({ tokenHash: 1 }, { unique: true }).catch(console.error);
        DB.checkSessionOnDB = async (session_id, user_sid)=>{
            const temp_id = new mongo.ObjectID(session_id);
@@ -81,42 +78,6 @@ const getDB = new Promise((resolve, reject) => {
            return DB.usersCol.findOne({ _id });
        }
        DB.createPasswordLoginToken = async (userId, tokenHash, expiresAt) => {
            const userObjectId = mongo.ObjectID.isValid(userId) ? new mongo.ObjectID(userId) : userId;
            const tokenDoc = {
                userId: userObjectId,
                tokenHash,
                createdAt: new Date(),
                expiresAt,
                usedAt: null,
            };
            return DB.passwordLoginTokensCol.insertOne(tokenDoc).catch((err) => {
                console.log(err);
                return false;
            });
        };
        DB.consumePasswordLoginToken = async (tokenHash) => {
            const now = new Date();
            const result = await DB.passwordLoginTokensCol.findOneAndUpdate(
                {
                    tokenHash,
                    usedAt: null,
                    expiresAt: { $gt: now }
                },
                {
                    $set: { usedAt: now }
                },
                {
                    returnOriginal: false
                }
            ).catch((err) => {
                console.log(err);
                return false;
            });
            return result?.value || null;
        };
        let usernamesCache = {}
        DB.getUsernameByIdCache = async (userid)=>{
            if(!userid) return {};