@underpostnet/underpost 2.97.1 → 2.98.0

package/src/api/document/document.service.js

@@ -4,6 +4,7 @@ import { DocumentDto } from './document.model.js';
 import { uniqueArray } from '../../client/components/core/CommonJs.js';
 import { getBearerToken, verifyJWT } from '../../server/auth.js';
 import { isValidObjectId } from 'mongoose';
+import { FileCleanup } from '../file/file.service.js';
 
 const logger = loggerFactory(import.meta);
 
@@ -30,30 +31,17 @@ const DocumentService = {
     const Document = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.Document;
     /** @type {import('../user/user.model.js').UserModel} */
     const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
+    /** @type {import('../file/file.model.js').FileModel} */
+    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
 
     // High-query endpoint for typeahead search
-    // ============================================
-    // OPTIMIZATION GOAL: MAXIMIZE search results with MINIMUM match requirements
     //
     // Security Model:
     // - Unauthenticated users: CAN see public documents (isPublic=true) from publishers (admin/moderator)
     // - Authenticated users: CAN see public documents from publishers + ALL their own documents (public or private)
     // - No user can see private documents from other users
-    //
-    // Search Optimization Strategy:
-    // 1. Case-insensitive matching ($options: 'i') - maximizes matches across case variations
-    // 2. Multi-term search - splits "hello world" into ["hello", "world"] and matches ANY term
-    // 3. Multi-field search - searches BOTH title AND tags array
-    // 4. OR logic - ANY term matching ANY field counts as a match
-    // 5. Minimum length: 1 character - allows maximum user flexibility
-    //
-    // Example: Query "javascript tutorial"
-    //   - Matches documents with title "JavaScript Guide" (term 1, case-insensitive)
-    //   - Matches documents with tag "tutorial" (term 2, tag match)
-    //   - Matches documents with both terms in different fields
-    //
+    // - PANEL FILTER: Only documents with idPanel tag are returned (prevents out-of-panel context results)
     if (req.path.startsWith('/public/high') && req.query['q']) {
-      // Input validation
       const rawQuery = req.query['q'];
       if (!rawQuery || typeof rawQuery !== 'string') {
         throw new Error('Invalid search query');
@@ -69,6 +57,13 @@ const DocumentService = {
         throw new Error('Search query too long (max 100 characters)');
       }
 
+      // Get idPanel filter to prevent out-of-panel context results
+      const idPanel = req.query['idPanel'];
+      if (!idPanel || typeof idPanel !== 'string') {
+        logger.warn('Missing idPanel parameter for high-query search');
+        return { data: [] };
+      }
+
       const publisherUsers = await User.find({ $or: [{ role: 'admin' }, { role: 'moderator' }] });
 
       const token = getBearerToken(req);
@@ -98,19 +93,14 @@ const DocumentService = {
         const queryPayload = {
           isPublic: true,
           userId: { $in: publisherUsers.map((p) => p._id) },
+          tags: { $in: [idPanel] }, // Filter by idPanel to prevent out-of-panel context results (tags is array)
         };
 
-        logger.info('Special "public" search query', {
-          authenticated: !!user,
-          userId: user?._id?.toString(),
-          role: user?.role,
-          limit,
-        });
-
         const data = await Document.find(queryPayload)
           .sort({ createdAt: -1 })
           .limit(limit)
           .select('_id title tags createdAt userId isPublic')
+          .populate(DocumentDto.populate.user())
           .lean();
 
         const sanitizedData = data.map((doc) => {
@@ -118,14 +108,28 @@ const DocumentService = {
             ...doc,
             tags: DocumentDto.filterPublicTag(doc.tags),
           };
+          // For unauthenticated users, only include user data if document is public AND creator is publisher
           if (!user || user.role === 'guest') {
-            const { userId, ...rest } = filteredDoc;
-            return rest;
+            const isPublisher = doc.userId && (doc.userId.role === 'admin' || doc.userId.role === 'moderator');
+            if (!doc.isPublic || !isPublisher) {
+              const { userId, ...rest } = filteredDoc;
+              return rest;
+            }
+            // Remove role field from userId before sending to client
+            if (filteredDoc.userId && filteredDoc.userId.role) {
+              const { role, ...userWithoutRole } = filteredDoc.userId;
+              filteredDoc.userId = userWithoutRole;
+            }
+          }
+          // Remove role field from userId before sending to client (authenticated users)
+          if (filteredDoc.userId && filteredDoc.userId.role) {
+            const { role, ...userWithoutRole } = filteredDoc.userId;
+            filteredDoc.userId = userWithoutRole;
           }
           return filteredDoc;
         });
 
-        return { data: sanitizedData };
+        return { data: sanitizedData.map((d) => (d.userId.role = undefined)) };
       }
 
       // OPTIMIZATION: Split search query into individual terms for multi-term matching
@@ -137,21 +141,7 @@ const DocumentService = {
         .map((term) => term.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')); // Escape each term for regex safety
 
       // Build query based on authentication status
-      // ============================================
-      // OPTIMIZED FOR MAXIMUM RESULTS:
-      // - Multi-term search: matches ANY term
-      // - Case-insensitive: $options: 'i' flag
-      // - Multi-field: searches title AND tags
-      // - Minimum match: ANY term in ANY field = result
-      //
-      // Example Query: "javascript react"
-      // Matches:
-      //   ✓ Document with title "JavaScript Tutorial" (term 1 in title)
-      //   ✓ Document with tag "react" (term 2 in tags)
-      //   ✓ Document with title "Learn React JS" (term 2 in title, case-insensitive)
-      //   ✓ Document with tags ["javascript", "tutorial"] (term 1 in tags)
-
-      // Build search conditions for maximum permissiveness
+      // and search conditions for maximum permissiveness
       const buildSearchConditions = () => {
         const conditions = [];
 
@@ -171,14 +161,11 @@ const DocumentService = {
         // Authenticated user can see:
         // 1. ALL their own documents (public AND private - no tag restriction)
         // 2. Public-tagged documents from publishers (admin/moderator only)
-        //
-        // MAXIMUM RESULTS STRATEGY:
-        // - Search by: ANY term matches title OR ANY tag
-        // - Case-insensitive matching
-        // - No minimum match threshold beyond 1 character
+
         const searchConditions = buildSearchConditions();
 
         queryPayload = {
+          tags: { $in: [idPanel] }, // Filter by idPanel to prevent out-of-panel context results (tags is array)
           $or: [
             {
               // Public documents from publishers (admin/moderator)
@@ -196,14 +183,11 @@ const DocumentService = {
         };
       } else {
         // Public/unauthenticated user: ONLY public-tagged documents from publishers (admin/moderator)
-        //
-        // MAXIMUM RESULTS STRATEGY for public users:
-        // - Search by: ANY term matches title OR ANY tag
-        // - Case-insensitive matching
-        // - Still respects security: only public docs from trusted publishers
+
         const searchConditions = buildSearchConditions();
 
         queryPayload = {
+          tags: { $in: [idPanel] }, // Filter by idPanel to prevent out-of-panel context results (tags is array)
           userId: { $in: publisherUsers.map((p) => p._id) },
           isPublic: true,
           $or: searchConditions, // ANY term in title OR tags
@@ -216,36 +200,29 @@ const DocumentService = {
         return { data: [] };
       }
 
-      // Security audit logging
-      logger.info('High-query search (OPTIMIZED FOR MAX RESULTS)', {
-        query: searchQuery.substring(0, 50), // Log only first 50 chars for privacy
-        terms: searchTerms.length, // Number of search terms
-        searchStrategy: 'multi-term OR matching, case-insensitive, title+tags',
-        authenticated: !!user,
-        userId: user?._id?.toString(),
-        role: user?.role,
-        limit,
-        publishersCount: publisherUsers.length,
-        timestamp: new Date().toISOString(),
-      });
-
       const data = await Document.find(queryPayload)
         .sort({ createdAt: -1 })
         .limit(limit)
         .select('_id title tags createdAt userId isPublic')
+        .populate(DocumentDto.populate.user())
         .lean();
 
-      // Sanitize response - remove userId for public users and filter 'public' from tags
+      // Sanitize response - include userId for public documents from publishers, filter 'public' from tags
       const sanitizedData = data.map((doc) => {
         const filteredDoc = {
           ...doc,
           tags: DocumentDto.filterPublicTag(doc.tags),
         };
+        // For unauthenticated users, only include user data if document is public AND creator is publisher
         if (!user || user.role === 'guest') {
-          // Remove userId from response for unauthenticated users
-          const { userId, ...rest } = filteredDoc;
-          return rest;
+          const isPublisher = doc.userId && (doc.userId.role === 'admin' || doc.userId.role === 'moderator');
+          if (!doc.isPublic || !isPublisher) {
+            const { userId, ...rest } = filteredDoc;
+            return rest;
+          }
         }
+        // Remove role field from userId before sending to client (all users)
+        delete filteredDoc.userId.role;
         return filteredDoc;
       });
 
@@ -330,80 +307,133 @@ const DocumentService = {
       } else {
         // Unauthenticated user: only public documents from publishers
         // If 'public' tag requested, it's redundant but handled by isPublic: true
-        queryPayload = {
-          userId: { $in: publisherUsers.map((p) => p._id) },
-          isPublic: true,
-          ...(requestedTags.length > 0 ? { tags: { $all: requestedTags } } : {}),
-        };
+        // When cid is provided, we relax the publisher filter and check in post-processing
+        const cidList = req.query.cid ? req.query.cid.split(',').filter((cid) => isValidObjectId(cid)) : null;
 
-        // Add cid filter if present
-        if (req.query.cid) {
-          queryPayload._id = {
-            $in: req.query.cid.split(',').filter((cid) => isValidObjectId(cid)),
+        if (cidList && cidList.length > 0) {
+          // For cid queries, just filter by public and tags, check publisher in post-processing
+          queryPayload = {
+            _id: { $in: cidList },
+            isPublic: true,
+            ...(requestedTags.length > 0 ? { tags: { $all: requestedTags } } : {}),
+          };
+        } else {
+          // For non-cid queries, filter by publisher at query level
+          queryPayload = {
+            userId: { $in: publisherUsers.map((p) => p._id) },
+            isPublic: true,
+            ...(requestedTags.length > 0 ? { tags: { $all: requestedTags } } : {}),
           };
         }
       }
-      // Security audit logging
-      logger.info('Public tag search', {
-        authenticated: !!user,
-        userId: user?._id?.toString(),
-        role: user?.role,
-        requestedTags,
-        hasPublicTag,
-        hasCidFilter: !!req.query.cid,
-        limit,
-        skip,
-        publishersCount: publisherUsers.length,
-      });
+
       // sort in descending (-1) order by length
       const sort = { createdAt: -1 };
 
+      // Populate user data for authenticated users OR for public documents from publishers
+      // This allows unauthenticated users to see creator profiles on public content
+      const shouldPopulateUser = user && user.role !== 'guest';
+      // Check if query contains public documents (either in $or array or flat query)
+      const hasPublicDocuments =
+        queryPayload.isPublic === true ||
+        queryPayload.$or?.some(
+          (condition) => condition.isPublic === true || (condition.userId && condition.isPublic === true),
+        );
+
       const data = await Document.find(queryPayload)
         .sort(sort)
         .limit(limit)
         .skip(skip)
         .populate(DocumentDto.populate.file())
         .populate(DocumentDto.populate.mdFile())
-        .populate(user && user.role !== 'guest' ? DocumentDto.populate.user() : null);
+        .populate(shouldPopulateUser || hasPublicDocuments ? DocumentDto.populate.user() : null);
 
       const lastDoc = await Document.findOne(queryPayload, '_id').sort({ createdAt: 1 });
       const lastId = lastDoc ? lastDoc._id : null;
 
-      // Add totalCopyShareLinkCount to each document and filter 'public' from tags
-      const dataWithCounts = data.map((doc) => {
-        const docObj = doc.toObject ? doc.toObject() : doc;
-        return {
-          ...docObj,
-          tags: DocumentDto.filterPublicTag(docObj.tags),
-          totalCopyShareLinkCount: DocumentDto.getTotalCopyShareLinkCount(doc),
-        };
-      });
-
       return {
-        data: dataWithCounts,
+        data: data.map((doc) => {
+          const docObj = doc.toObject ? doc.toObject() : doc;
+          let userInfo = docObj.userId;
+          const isPublisher = userInfo && (userInfo.role === 'admin' || userInfo.role === 'moderator');
+          const isOwnDoc = user && user._id.toString() === docObj.userId._id.toString();
+          if ((!docObj.isPublic || !isPublisher) && !isOwnDoc) userInfo = undefined;
+          return {
+            ...docObj,
+            userId: {
+              ...userInfo,
+              role: undefined,
+              email: undefined,
+            },
+            tags: DocumentDto.filterPublicTag(docObj.tags),
+            totalCopyShareLinkCount: DocumentDto.getTotalCopyShareLinkCount(doc),
+          };
+        }),
         lastId,
       };
     }
 
     switch (req.params.id) {
       default: {
-        const data = await Document.find({
+        // Simple pagination support for FileExplorer
+        const limit = req.query.limit ? parseInt(req.query.limit, 10) : 50;
+        const skip = req.query.skip ? parseInt(req.query.skip, 10) : 0;
+
+        // Search filter parameters
+        const searchTitle = req.query.searchTitle ? req.query.searchTitle.trim() : '';
+        const searchMdFile = req.query.searchMdFile ? req.query.searchMdFile.trim() : '';
+        const searchFile = req.query.searchFile ? req.query.searchFile.trim() : '';
+
+        const query = {
           userId: req.auth.user._id,
           ...(req.params.id ? { _id: req.params.id } : undefined),
-        })
+        };
+
+        // Filter by title
+        if (searchTitle) {
+          const searchRegex = searchTitle.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+          query.title = { $regex: searchRegex, $options: 'i' };
+        }
+
+        // Filter by markdown file name
+        if (searchMdFile) {
+          const searchRegex = searchMdFile.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+          const files = await File.find({ name: { $regex: searchRegex, $options: 'i' } }).select('_id');
+          query.mdFileId = { $in: files.map((f) => f._id) };
+        }
+
+        // Filter by generic file name
+        if (searchFile) {
+          const searchRegex = searchFile.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+          const files = await File.find({ name: { $regex: searchRegex, $options: 'i' } }).select('_id');
+          query.fileId = { $in: files.map((f) => f._id) };
+        }
+
+        // Get total count for pagination
+        const totalCount = await Document.countDocuments(query);
+
+        const data = await Document.find(query)
+          .sort({ createdAt: -1 })
+          .limit(limit)
+          .skip(skip)
           .populate(DocumentDto.populate.file())
           .populate(DocumentDto.populate.mdFile())
           .populate(DocumentDto.populate.user());
 
-        // Add totalCopyShareLinkCount to each document and filter 'public' from tags
-        return data.map((doc) => {
-          const docObj = doc.toObject ? doc.toObject() : doc;
-          return {
-            ...docObj,
-            tags: DocumentDto.filterPublicTag(docObj.tags),
-            totalCopyShareLinkCount: DocumentDto.getTotalCopyShareLinkCount(doc),
-          };
-        });
+        return {
+          data,
+          pagination: {
+            totalCount,
+            limit,
+            skip,
+            hasMore: skip + data.length < totalCount,
+            search: {
+              title: searchTitle,
+              mdFile: searchMdFile,
+              file: searchFile,
+            },
+          },
+        };
       }
     }
   },
@@ -420,15 +450,12 @@ const DocumentService = {
 
         if (document.userId.toString() !== req.auth.user._id) throw new Error('invalid user');
 
-        if (document.mdFileId) {
-          const file = await File.findOne({ _id: document.mdFileId });
-          if (file) await File.findByIdAndDelete(document.mdFileId);
-        }
-
-        if (document.fileId) {
-          const file = await File.findOne({ _id: document.fileId });
-          if (file) await File.findByIdAndDelete(document.fileId);
-        }
+        // Clean up all associated files
+        await FileCleanup.deleteDocumentFiles({
+          doc: document,
+          fileFields: ['fileId', 'mdFileId'],
+          File,
+        });
 
         return await Document.findByIdAndDelete(req.params.id);
       }
@@ -445,16 +472,26 @@ const DocumentService = {
         const document = await Document.findOne({ _id: req.params.id });
         if (!document) throw new Error(`Document not found`);
 
-        if (document.mdFileId) {
-          const file = await File.findOne({ _id: document.mdFileId });
-          if (file) await File.findByIdAndDelete(document.mdFileId);
-        }
+        // Clean up old files if they are being replaced
+        await FileCleanup.cleanupReplacedFiles({
+          oldDoc: document,
+          newData: req.body,
+          fileFields: ['fileId', 'mdFileId'],
+          File,
+        });
 
-        if (document.fileId) {
-          const file = await File.findOne({ _id: document.fileId });
-          if (file) await File.findByIdAndDelete(document.fileId);
+        // Update file names if provided
+        if (req.body.mdFileName && document.mdFileId) {
+          await File.findByIdAndUpdate(document.mdFileId, { name: req.body.mdFileName });
+        }
+        if (req.body.fileName && document.fileId) {
+          await File.findByIdAndUpdate(document.fileId, { name: req.body.fileName });
         }
 
+        // Remove file name fields from body as they are not part of Document schema
+        delete req.body.mdFileName;
+        delete req.body.fileName;
+
         // Extract 'public' from tags and set isPublic field on update
         const { isPublic, tags } = DocumentDto.extractPublicFromTags(req.body.tags);
         req.body.isPublic = isPublic;
@@ -468,6 +505,17 @@ const DocumentService = {
     /** @type {import('./document.model.js').DocumentModel} */
     const Document = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.Document;
 
+    if (req.path.includes('/toggle-public')) {
+      const document = await Document.findById(req.params.id);
+      if (!document) throw new Error('Document not found');
+
+      // Toggle the isPublic field
+      document.isPublic = !document.isPublic;
+      await document.save();
+
+      return { _id: document._id, isPublic: document.isPublic };
+    }
+
     if (req.path.includes('/copy-share-link')) {
       const document = await Document.findById(req.params.id);
       if (!document) throw new Error('Document not found');

package/src/api/file/file.model.js

@@ -1,10 +1,23 @@
+/**
+ * File model and schema definitions for MongoDB/Mongoose.
+ * Provides the File schema, model, and Data Transfer Object (DTO) for file operations.
+ *
+ * @module src/api/file/file.model.js
+ * @namespace FileModelServer
+ */
+
 import { Schema, model } from 'mongoose';
 
+/**
+ * Mongoose schema definition for File documents.
+ * @type {Schema}
+ * @memberof FileModelServer
+ */
 const FileSchema = new Schema({
-  name: { type: String },
-  data: { type: Buffer },
+  name: { type: String, required: true },
+  data: { type: Buffer, required: true },
   size: { type: Number },
-  encoding: { type: String },
+  encoding: { type: String, default: 'utf-8' },
   tempFilePath: { type: String },
   truncated: { type: Boolean },
   mimetype: { type: String },
@@ -12,8 +25,103 @@ const FileSchema = new Schema({
   cid: { type: String },
 });
 
+/**
+ * Mongoose model for File documents.
+ * @type {import('mongoose').Model}
+ * @memberof FileModelServer
+ */
 const FileModel = model('File', FileSchema);
 
+/**
+ * Provider schema alias for File schema.
+ * Used for database provider compatibility.
+ * @type {Schema}
+ * @memberof FileModelServer
+ */
 const ProviderSchema = FileSchema;
 
-export { FileSchema, FileModel, ProviderSchema };
+/**
+ * File Data Transfer Object (DTO) for the model layer.
+ * Provides core transformation methods for file documents including metadata extraction,
+ * full document conversion, and filename normalization utilities.
+ * @namespace FileModelServer.FileModelDto
+ * @memberof FileModelServer
+ */
+const FileModelDto = {
+  /**
+   * Returns file metadata only (no buffer data).
+   * Used for list responses and API integration.
+   * @function toMetadata
+   * @memberof FileModelServer.FileModelDto
+   * @param {Object} file - File document from database.
+   * @returns {Object|null} File metadata object, or null if file is falsy.
+   */
+  toMetadata: (file) => {
+    if (!file) return null;
+    return {
+      _id: file._id,
+      name: file.name || '',
+      mimetype: file.mimetype || 'application/octet-stream',
+      size: file.size || 0,
+      md5: file.md5 || '',
+      cid: file.cid || '',
+      createdAt: file.createdAt,
+      updatedAt: file.updatedAt,
+    };
+  },
+
+  /**
+   * Returns file with complete data.
+   * Used only when explicitly requested (e.g., file/blob endpoint).
+   * @function toFull
+   * @memberof FileModelServer.FileModelDto
+   * @param {Object} file - File document from database.
+   * @returns {Object|null} Complete file object with buffer data, or null if file is falsy.
+   */
+  toFull: (file) => {
+    if (!file) return null;
+    return {
+      _id: file._id,
+      name: file.name || '',
+      mimetype: file.mimetype || 'application/octet-stream',
+      size: file.size || 0,
+      md5: file.md5 || '',
+      cid: file.cid || '',
+      data: file.data,
+      encoding: file.encoding || 'utf-8',
+      createdAt: file.createdAt,
+      updatedAt: file.updatedAt,
+    };
+  },
+
+  /**
+   * Transforms array of files to metadata only.
+   * @function toMetadataArray
+   * @memberof FileModelServer.FileModelDto
+   * @param {Array} files - Array of file documents.
+   * @returns {Array} Array of file metadata objects.
+   */
+  toMetadataArray: (files) => {
+    if (!Array.isArray(files)) return [];
+    return files.map((file) => FileModelDto.toMetadata(file));
+  },
+
+  /**
+   * Ensures UTF-8 encoding for filenames.
+   * Fixes issues with special characters (e.g., ñ, é, ü).
+   * @function normalizeFilename
+   * @memberof FileModelServer.FileModelDto
+   * @param {string} filename - Raw filename from upload.
+   * @returns {string} UTF-8 encoded filename.
+   */
+  normalizeFilename: (filename) => {
+    if (!filename) return '';
+    // Ensure string and normalize to UTF-8
+    let normalized = String(filename);
+    // Replace any incorrectly encoded sequences
+    normalized = Buffer.from(normalized, 'utf8').toString('utf8');
+    return normalized;
+  },
+};
+
+export { FileSchema, FileModel, ProviderSchema, FileModelDto };

package/src/api/file/file.ref.json

@@ -0,0 +1,42 @@
+[
+  {
+    "api": "company",
+    "model": {
+      "logo": true
+    }
+  },
+  {
+    "api": "cyberia-biome",
+    "model": {
+      "fileId": true,
+      "topLevelColorFileId": true
+    }
+  },
+  {
+    "api": "cyberia-tile",
+    "model": {
+      "fileId": true
+    }
+  },
+  {
+    "api": "cyberia-world",
+    "model": {
+      "adjacentFace": {
+        "fileId": true
+      }
+    }
+  },
+  {
+    "api": "document",
+    "model": {
+      "fileId": true,
+      "mdFileId": true
+    }
+  },
+  {
+    "api": "user",
+    "model": {
+      "profileImageId": true
+    }
+  }
+]