@underpostnet/underpost 2.97.0 → 2.97.5

package/src/api/user/user.model.js

@@ -20,7 +20,28 @@ const UserSchema = new Schema(
     lastLoginDate: { type: Date },
     failedLoginAttempts: { type: Number, default: 0 },
     password: { type: String, trim: true, required: 'Password is required' },
-    username: { type: String, trim: true, unique: true, required: 'Username is required' },
+    username: {
+      type: String,
+      trim: true,
+      unique: true,
+      required: 'Username is required',
+      validate: [
+        {
+          validator: function (username) {
+            // Allow only alphanumeric characters, hyphens, and underscores (URI-safe)
+            return /^[a-zA-Z0-9_-]+$/.test(username);
+          },
+          message: 'Username can only contain letters, numbers, hyphens, and underscores',
+        },
+        {
+          validator: function (username) {
+            // Length validation
+            return username && username.length >= 2 && username.length <= 20;
+          },
+          message: 'Username must be between 2 and 20 characters',
+        },
+      ],
+    },
     role: { type: String, enum: userRoleEnum, default: 'guest' },
     activeSessions: {
       type: [
@@ -60,6 +81,8 @@ const UserSchema = new Schema(
         context: [{ type: String, enum: ['client', 'supplier', 'employee', 'owner'] }],
       },
     ],
+    publicProfile: { type: Boolean, default: false },
+    briefDescription: { type: String, default: 'Uploader' },
   },
   {
     timestamps: true,
@@ -80,6 +103,8 @@ const UserDto = {
         role: 1,
         emailConfirmed: 1,
         profileImageId: 1,
+        publicProfile: 1,
+        briefDescription: 1,
         createdAt: 1,
         updatedAt: 1,
       };
@@ -88,6 +113,18 @@ const UserDto = {
       return { _id: 1 };
     },
   },
+  public: {
+    get: () => {
+      return {
+        _id: 1,
+        username: 1,
+        profileImageId: 1,
+        publicProfile: 1,
+        briefDescription: 1,
+        createdAt: 1,
+      };
+    },
+  },
   auth: {
     payload: (user, jwtid, ip, userAgent, host, path) => {
       const tokenPayload = {

package/src/api/user/user.router.js

@@ -4,8 +4,6 @@ import { loggerFactory } from '../../server/logger.js';
 import { UserController } from './user.controller.js';
 import express from 'express';
 import { DataBaseProvider } from '../../db/DataBaseProvider.js';
-import { FileFactory } from '../file/file.service.js';
-import { s4 } from '../../client/components/core/CommonJs.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -40,12 +38,13 @@ const UserRouter = (options) => {
       console.log(error);
     }
 
-    // default user avatar seed
+    // Cache mailer images
     options.png = {
       buffer: {
         'invalid-token': fs.readFileSync(`./src/client/public/default/assets/mailer/api-user-invalid-token.png`),
         recover: fs.readFileSync(`./src/client/public/default/assets/mailer/api-user-recover.png`),
         check: fs.readFileSync(`./src/client/public/default/assets/mailer/api-user-check.png`),
+        avatar: fs.readFileSync(`./src/client/public/default/assets/mailer/api-user-default-avatar.png`),
       },
       header: (res) => {
         res.set('Cross-Origin-Resource-Policy', 'cross-origin');
@@ -54,52 +53,38 @@ const UserRouter = (options) => {
         res.set('Content-Type', 'image/png');
       },
     };
-
-    try {
-      const models = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models;
-      const name = 'api-user-default-avatar.png';
-      const imageFile = await models.File.findOne({ name });
-      let _id;
-      if (imageFile) {
-        _id = imageFile._id;
-      } else {
-        const file = await new models.File(
-          FileFactory.create(fs.readFileSync(`./src/client/public/default/assets/mailer/${name}`), name),
-        ).save();
-        _id = file._id;
-      }
-      options.getDefaultProfileImageId = async () => {
-        return _id;
-      };
-    } catch (error) {
-      logger.error('Error checking/creating default profile image');
-      console.log(error);
-    }
   })();
 
   router.post(`/mailer/:id`, authMiddleware, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.post(req, res, options);
   });
 
+  router.get(`/assets/:id`, async (req, res) => {
+    /*
+      #swagger.ignore = true
+    */
+    return await UserController.get(req, res, options);
+  });
+
   router.get(`/mailer/:id`, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.get(req, res, options);
   });
 
   router.get(`/email/:email`, authMiddleware, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.get(req, res, options);
   });
 
   router.post(`/:id`, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.post(req, res, options);
@@ -125,11 +110,11 @@ const UserRouter = (options) => {
           'application/json': {
               schema: {
                   $ref: '#/components/schemas/userLogInRequest'
-              }  
+              }
           }
       }
     }
-    
+
     #swagger.responses[200] = {
       description: 'User created successfully',
       content: {
@@ -137,9 +122,9 @@ const UserRouter = (options) => {
               schema: {
                 $ref: '#/components/schemas/userResponse'
               }
-          }           
+          }
       }
-    }   
+    }
 
     #swagger.responses[400] = {
       description: 'Bad request. Please check the input data',
@@ -148,9 +133,9 @@ const UserRouter = (options) => {
               schema: {
                 $ref: '#/components/schemas/userBadRequestResponse'
               }
-          }           
+          }
       }
-    } 
+    }
   */
 
   // #swagger.end
@@ -174,11 +159,11 @@ const UserRouter = (options) => {
             'application/json': {
                 schema: {
                     $ref: '#/components/schemas/userRequest'
-                }  
+                }
             }
         }
       }
-      
+
       #swagger.responses[200] = {
         description: 'User created successfully',
         content: {
@@ -186,9 +171,9 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userResponse'
                 }
-            }           
+            }
         }
-      }   
+      }
 
       #swagger.responses[400] = {
         description: 'Bad request. Please check the input data',
@@ -197,20 +182,63 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userBadRequestResponse'
                 }
-            }           
+            }
         }
-      } 
+      }
     */
     return await UserController.post(req, res, options);
   });
 
   router.get(`/recover/:id`, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.get(req, res, options);
   });
 
+  router.get(`/u/:username`, async (req, res) => {
+    /*
+      #swagger.auto = false
+      #swagger.tags = ['user']
+      #swagger.summary = 'Get public user profile'
+      #swagger.description = 'This endpoint gets public user profile data by username (no auth required)'
+      #swagger.path = '/user/u/{username}'
+      #swagger.method = 'get'
+      #swagger.produces = ['application/json']
+      #swagger.consumes = ['application/json']
+
+      #swagger.parameters['username'] = {
+          in: 'path',
+          description: 'User username',
+          required: true,
+          type: 'string'
+      }
+
+      #swagger.responses[200] = {
+        description: 'get public user profile successfully',
+        content: {
+            'application/json': {
+                schema: {
+                  $ref: '#/components/schemas/userPublicResponse'
+                }
+            }
+        }
+      }
+
+      #swagger.responses[400] = {
+        description: 'Bad request. Please check the input data',
+        content: {
+            'application/json': {
+                schema: {
+                  $ref: '#/components/schemas/userBadRequestResponse'
+                }
+            }
+        }
+      }
+    */
+    return await UserController.get(req, res, options);
+  });
+
   router.get(`/:id`, authMiddleware, async (req, res) => {
     /*
       #swagger.auto = false
@@ -223,7 +251,7 @@ const UserRouter = (options) => {
       #swagger.consumes = ['application/json']
       #swagger.security = [{
         'bearerAuth': []
-      }] 
+      }]
 
       #swagger.parameters['id'] = {
           in: 'path',
@@ -239,9 +267,9 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userGetResponse'
                 }
-            }           
+            }
         }
-      }   
+      }
 
       #swagger.responses[400] = {
         description: 'Bad request. Please check the input data',
@@ -250,26 +278,26 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userBadRequestResponse'
                 }
-            }           
+            }
         }
-      } 
+      }
     */
     return await UserController.get(req, res, options);
   });
   router.get(`/`, authMiddleware, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.get(req, res, options);
   });
   router.put(`/recover/:id`, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.put(req, res, options);
   });
   router.put(`/profile-image/:id`, authMiddleware, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.put(req, res, options);
@@ -286,8 +314,8 @@ const UserRouter = (options) => {
       #swagger.consumes = ['application/json']
       #swagger.security = [{
         'bearerAuth': []
-      }] 
-      
+      }]
+
       #swagger.parameters['id'] = {
           in: 'path',
           description: 'User ID',
@@ -303,7 +331,7 @@ const UserRouter = (options) => {
             'application/json': {
                 schema: {
                   $ref: '#/components/schemas/userRequest'
-                }  
+                }
             }
         }
       }
@@ -315,9 +343,9 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userUpdateResponse'
                 }
-            }           
+            }
         }
-      }   
+      }
 
       #swagger.responses[400] = {
         description: 'Bad request. Please check the input data',
@@ -326,14 +354,14 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userBadRequestResponse'
                 }
-            }           
+            }
         }
-      } 
+      }
     */
     return await UserController.put(req, res, options);
   });
   router.put(`/`, authMiddleware, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.put(req, res, options);
@@ -351,7 +379,7 @@ const UserRouter = (options) => {
       #swagger.consumes = ['application/json']
       #swagger.security = [{
         'bearerAuth': []
-      }] 
+      }]
 
       #swagger.parameters['id'] = {
           in: 'path',
@@ -367,9 +395,9 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userGetResponse'
                 }
-            }           
+            }
         }
-      }   
+      }
 
       #swagger.responses[400] = {
         description: 'Bad request. Please check the input data',
@@ -378,20 +406,25 @@ const UserRouter = (options) => {
                 schema: {
                   $ref: '#/components/schemas/userBadRequestResponse'
                 }
-            }           
+            }
         }
-      } 
+      }
     */
     return await UserController.delete(req, res, options);
   });
 
   router.delete(`/`, authMiddleware, async (req, res) => {
-    /*  
+    /*
       #swagger.ignore = true
     */
     return await UserController.delete(req, res, options);
   });
 
+  // Username public profile redirect
+  options.app.get(`${options.path === '/' ? '' : options.path}/u/:username`, async (req, res, next) =>
+    res.redirect(`${options.path === '/' ? '' : options.path}/u?cid=${req.params.username}`),
+  );
+
   return router;
 };
 

package/src/api/user/user.service.js

@@ -1,4 +1,5 @@
 import { loggerFactory } from '../../server/logger.js';
+import { DataQuery } from '../../server/data-query.js';
 import {
   hashPassword,
   verifyPassword,
@@ -17,9 +18,10 @@ import { CoreWsEmit } from '../../ws/core/core.ws.emit.js';
 import { CoreWsMailerChannel } from '../../ws/core/channels/core.ws.mailer.js';
 import validator from 'validator';
 import { DataBaseProvider } from '../../db/DataBaseProvider.js';
-import { FileFactory } from '../file/file.service.js';
+import { FileFactory, FileCleanup } from '../file/file.service.js';
 import { UserDto } from './user.model.js';
 import { selectDtoFactory, ValkeyAPI } from '../../server/valkey.js';
+import { timer } from '../../client/components/core/CommonJs.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -36,7 +38,11 @@ const UserService = {
         email: req.body.email,
       });
 
-      if (!user) throw new Error('Email address does not exist');
+      // Simulate success even if email doesn't exist to prevent email enumeration attacks
+      if (!user) {
+        await timer(3000);
+        return { message: 'email send successfully' };
+      }
 
       const token = jwtSign({ email: req.body.email }, options, 15);
       const payloadToken = jwtSign({ email: req.body.email }, options, 15);
@@ -136,19 +142,23 @@ const UserService = {
           const { _id } = user;
           const validPassword = await verifyPassword(req.body.password, user.password);
           if (validPassword === true) {
-            if (!user.profileImageId)
-              await User.findByIdAndUpdate(
-                user._id,
-                { profileImageId: await options.getDefaultProfileImageId(File) },
-                {
-                  runValidators: true,
-                },
-              );
             {
               if (getMinutesRemaining() <= 0 || user.failedLoginAttempts >= 0) {
                 const user = await User.findOne({
                   _id,
                 }).select(UserDto.select.get());
+
+                // Check if profileImageId exists, if not set to null explicitly
+                if (!user.profileImageId) {
+                  user.profileImageId = null;
+                } else {
+                  const fileExists = await File.findById(user.profileImageId);
+                  if (!fileExists) {
+                    await User.findByIdAndUpdate(_id, { profileImageId: null }, { runValidators: true });
+                    user.profileImageId = null;
+                  }
+                }
+
                 await User.findByIdAndUpdate(
                   _id,
                   { lastLoginDate: new Date(), failedLoginAttempts: 0 },
@@ -176,15 +186,18 @@ const UserService = {
                   runValidators: true,
                 },
               );
-              setTimeout(async () => {
-                await User.findByIdAndUpdate(
-                  _id,
-                  { failedLoginAttempts: 0 },
-                  {
-                    runValidators: true,
-                  },
-                );
-              }, 60 * 1000 * 15);
+              setTimeout(
+                async () => {
+                  await User.findByIdAndUpdate(
+                    _id,
+                    { failedLoginAttempts: 0 },
+                    {
+                      runValidators: true,
+                    },
+                  );
+                },
+                60 * 1000 * 15,
+              );
               throw new Error(`Account locked. Please try again in: 15 min.`);
             } else if (user.failedLoginAttempts < 0 && getMinutesRemaining() > 0) {
               throw new Error(accountLocketMessage());
@@ -225,9 +238,8 @@ const UserService = {
         };
       }
 
-      default: {
-        return await createUserAndSession(req, res, User, File, options);
-      }
+      default:
+        return await createUserAndSession(req, res, User, options);
     }
   },
   get: async (req, res, options) => {
@@ -237,6 +249,26 @@ const UserService = {
     /** @type {import('../file/file.model.js').FileModel} */
     const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
 
+    if (req.path.startsWith('/u/')) {
+      // First lookup user by username
+      const userByUsername = await User.findOne({
+        username: req.params.username,
+      });
+      if (!userByUsername) throw new Error('User not found');
+      if (!userByUsername.publicProfile) throw new Error('Public profile is private');
+
+      // Then fetch complete public data by ID
+      const user = await User.findOne({
+        _id: userByUsername._id,
+      }).select(UserDto.public.get());
+      return user;
+    }
+
+    if (req.path.startsWith('/assets')) {
+      options.png.header(res);
+      return options.png.buffer[req.params.id];
+    }
+
     if (req.path.startsWith('/email')) {
       return await User.findOne({
         email: req.params.email,
@@ -303,12 +335,16 @@ const UserService = {
     switch (req.params.id) {
       case 'all': {
         if (req.auth.user.role === 'admin') {
-          const page = parseInt(req.query.page) || 1;
-          const limit = parseInt(req.query.limit) || 10;
-          const skip = (page - 1) * limit;
+          // Use DataQuery.parse for filtering, sorting, and pagination
+          const { query, sort, skip, limit, page } = DataQuery.parse(req.query);
 
-          const data = await User.find().select(UserDto.select.get()).skip(skip).limit(limit);
-          const total = await User.countDocuments();
+          // Apply default sort if no sort was specified
+          const finalSort = Object.keys(sort).length > 0 ? sort : { updatedAt: -1 };
+
+          const [data, total] = await Promise.all([
+            User.find(query).select(UserDto.select.get()).sort(finalSort).skip(skip).limit(limit),
+            User.countDocuments(query),
+          ]);
 
           return {
             data,
@@ -332,18 +368,6 @@ const UserService = {
 
         if (!user) throw new Error('user not found');
 
-        const file = await File.findOne({ _id: user.profileImageId });
-
-        if (!file && !(await ValkeyAPI.getValkeyObject(options, req.auth.user.email))) {
-          await User.findByIdAndUpdate(
-            user._id,
-            { profileImageId: await options.getDefaultProfileImageId(File) },
-            {
-              runValidators: true,
-            },
-          );
-        }
-
         const guestUser = await ValkeyAPI.getValkeyObject(options, req.auth.user.email);
         if (guestUser)
           return {
@@ -426,8 +450,18 @@ const UserService = {
         _id,
       });
       if (!user) throw new Error(`User not found`);
-      if (user.profileImageId) await File.findByIdAndDelete(user.profileImageId);
+
       const [imageFile] = await FileFactory.upload(req, File);
+
+      // Clean up old profile image if being replaced
+      if (user.profileImageId && imageFile) {
+        await FileCleanup.cleanupReplacedFiles({
+          oldDoc: user,
+          newData: { profileImageId: imageFile._id.toString() },
+          fileFields: ['profileImageId'],
+          File,
+        });
+      }
       if (!imageFile) throw new Error('invalid file');
       await User.findByIdAndUpdate(
         _id,
@@ -479,14 +513,13 @@ const UserService = {
             const _id = req.auth.user._id;
             if (_id !== req.params.id) throw new Error(`Invalid token user id`);
             const user = await User.findOne({ _id });
-            await User.findByIdAndUpdate(
-              _id,
-              {
-                email: req.body.email && !user.emailConfirmed ? req.body.email : user.email,
-                username: req.body.username,
-              },
-              { runValidators: true },
-            );
+            const updateData = {
+              email: req.body.email && !user.emailConfirmed ? req.body.email : user.email,
+              username: req.body.username,
+            };
+            if (req.body.publicProfile !== undefined) updateData.publicProfile = req.body.publicProfile;
+            if (req.body.briefDescription !== undefined) updateData.briefDescription = req.body.briefDescription;
+            await User.findByIdAndUpdate(_id, updateData, { runValidators: true });
             return await User.findOne({
               _id,
             }).select(UserDto.select.get());