bulltrackers-module 1.0.614 → 1.0.616

package/functions/api-v2/helpers/data-fetchers/firestore.js

@@ -529,8 +529,11 @@ const fetchUserVerificationData = async (firestore, userId) => {
  * Lookup CID by email (server-side only for security)
  * Searches through all SignedInUsers verification documents to find matching email
  * Returns only the CID and basic verification status - no email exposure
+ * 
+ * NOTE: Multiple Firebase accounts (different UIDs) can access the same CID
+ * if their emails are in the verification document's email array.
  */
-const lookupCidByEmail = async (firestore, userEmail) => {
+const lookupCidByEmail = async (firestore, userEmail, firebaseUid = null) => {
     if (!userEmail) {
         throw new Error('Email is required for lookup');
     }
@@ -556,6 +559,15 @@ const lookupCidByEmail = async (firestore, userEmail) => {
                 // Case-insensitive email comparison
                 const normalizedEmails = emails.map(e => String(e).toLowerCase().trim());
                 if (normalizedEmails.includes(normalizedEmail)) {
+                    // Optional: If Firebase UID is provided, validate it's in the firebaseUids array (if it exists)
+                    // This provides additional security but doesn't block access if UID tracking isn't set up yet
+                    if (firebaseUid && verificationData.firebaseUids && Array.isArray(verificationData.firebaseUids)) {
+                        if (!verificationData.firebaseUids.includes(firebaseUid)) {
+                            // UID not in list - log warning but still allow access (email is the source of truth)
+                            console.warn(`[lookupCidByEmail] Email ${userEmail} matches CID ${userDoc.id} but Firebase UID ${firebaseUid} not in firebaseUids array`);
+                        }
+                    }
+                    
                     // Found match - return only CID and verification status (no email)
                     return {
                         cid: verificationData.etoroCID || Number(userDoc.id),
@@ -1146,21 +1158,73 @@ const fetchNotifications = async (firestore, userId, options = {}) => {
 
 // 12. Mark Notification Read
 const markNotificationRead = async (firestore, userId, notificationIds, markAll = false) => {
-    const batch = firestore.batch();
     const collectionRef = firestore.collection('SignedInUsers').doc(userId).collection('notifications');
+    const MAX_BATCH_SIZE = 500; // Firestore batch limit
+    const batches = [];
+    let currentBatch = firestore.batch();
+    let batchCount = 0;
 
     if (markAll) {
-        const snapshot = await collectionRef.where('read', '==', false).get();
+        // Query all unread notifications with a reasonable limit to prevent timeouts
+        // Process in chunks to avoid overwhelming the system
+        const MAX_NOTIFICATIONS_TO_PROCESS = 1000; // Limit to prevent timeouts
+        const snapshot = await collectionRef.where('read', '==', false).limit(MAX_NOTIFICATIONS_TO_PROCESS).get();
+        console.log(`[markNotificationRead] Marking ${snapshot.size} notifications as read for user ${userId} (limited to ${MAX_NOTIFICATIONS_TO_PROCESS})`);
+        
+        if (snapshot.size === 0) {
+            console.log(`[markNotificationRead] No unread notifications found for user ${userId}`);
+            return;
+        }
+        
         snapshot.docs.forEach(doc => {
-            batch.update(doc.ref, { read: true, readAt: new Date() });
+            currentBatch.update(doc.ref, { read: true, readAt: new Date() });
+            batchCount++;
+            
+            // If batch is full, commit it and start a new one
+            if (batchCount >= MAX_BATCH_SIZE) {
+                batches.push(currentBatch);
+                currentBatch = firestore.batch();
+                batchCount = 0;
+            }
         });
-    } else if (Array.isArray(notificationIds)) {
+        
+        // Add the last batch if it has operations
+        if (batchCount > 0) {
+            batches.push(currentBatch);
+        }
+    } else if (Array.isArray(notificationIds) && notificationIds.length > 0) {
+        // Mark specific notifications
         notificationIds.forEach(id => {
             const ref = collectionRef.doc(id);
-            batch.update(ref, { read: true, readAt: new Date() });
+            currentBatch.update(ref, { read: true, readAt: new Date() });
+            batchCount++;
+            
+            // If batch is full, commit it and start a new one
+            if (batchCount >= MAX_BATCH_SIZE) {
+                batches.push(currentBatch);
+                currentBatch = firestore.batch();
+                batchCount = 0;
+            }
         });
+        
+        // Add the last batch if it has operations
+        if (batchCount > 0) {
+            batches.push(currentBatch);
+        }
+    } else {
+        // No valid operation
+        return;
+    }
+
+    // Commit all batches sequentially to avoid overwhelming Firestore and prevent timeouts
+    if (batches.length > 0) {
+        console.log(`[markNotificationRead] Committing ${batches.length} batch(es) for user ${userId}`);
+        for (let i = 0; i < batches.length; i++) {
+            await batches[i].commit();
+            console.log(`[markNotificationRead] Committed batch ${i + 1}/${batches.length} for user ${userId}`);
+        }
+        console.log(`[markNotificationRead] Successfully marked notifications as read for user ${userId}`);
     }
-    await batch.commit();
 };
 
 

package/functions/api-v2/middleware/identity_middleware.js

@@ -2,6 +2,12 @@
  * Middleware to resolve the effective user ID, handling Developer Impersonation.
  * Sets req.targetUserId, req.isImpersonating, and req.actualUserId.
  * 
+ * SECURITY: This middleware validates that the authenticated Firebase user owns the requested CID.
+ * It prevents IDOR (Insecure Direct Object Reference) attacks by:
+ * 1. Looking up the CID associated with the Firebase authenticated user's email
+ * 2. Forcing req.targetUserId to be the authenticated user's CID (unless developer impersonation)
+ * 3. Ignoring any userCid provided in headers/query/body if it doesn't match the authenticated user
+ * 
  * Public routes (that don't require authentication):
  * - /watchlists/public
  * - /popular-investors/trending
@@ -9,7 +15,7 @@
  * - /popular-investors/master-list
  * - /popular-investors/search
  */
-const { isDeveloper } = require('../helpers/data-fetchers/firestore.js'); // Using your provided helper
+const { isDeveloper, lookupCidByEmail } = require('../helpers/data-fetchers/firestore.js');
 
 // List of public routes that don't require userCid
 // Also includes routes that use Firebase Auth token authentication (like /verification/lookup)
@@ -60,6 +66,12 @@ const isPublicRoute = (path, originalUrl) => {
 
 const resolveUserIdentity = async (req, res, next) => {
     try {
+        const db = req.app.locals?.db || req.dependencies?.db;
+        if (!db) {
+            console.error('[IdentityMiddleware] Database not available');
+            return res.status(500).json({ error: "Internal server error" });
+        }
+
         // Check if this is a public route (check both path and originalUrl for Express routing)
         const isPublic = isPublicRoute(req.path, req.originalUrl);
         
@@ -68,45 +80,103 @@ const resolveUserIdentity = async (req, res, next) => {
         const hasFirebaseAuth = req.headers.authorization && 
                                 req.headers.authorization.startsWith('Bearer ');
         
-        // 1. Identify the actual authenticated user (from Auth middleware or params)
-        const actualUserId = req.query.userCid || req.body.userCid || req.headers['x-user-cid'];
+        // SECURITY FIX: If Firebase Auth is present, validate the user owns the requested CID
+        // NOTE: Multiple Firebase accounts (different UIDs) can access the same CID
+        // if their emails are in the verification document's email array
+        let authenticatedUserCid = null;
+        if (req.firebaseUser && req.firebaseUser.email) {
+            try {
+                // Look up the CID associated with the authenticated Firebase user's email
+                // Pass Firebase UID for optional validation (email is the source of truth)
+                const userData = await lookupCidByEmail(db, req.firebaseUser.email, req.firebaseUser.uid);
+                if (userData && userData.cid) {
+                    authenticatedUserCid = String(userData.cid);
+                    console.log(`[Identity] Authenticated user ${req.firebaseUser.email} (UID: ${req.firebaseUser.uid}) owns CID ${authenticatedUserCid}`);
+                } else {
+                    console.warn(`[Identity] No CID found for authenticated user ${req.firebaseUser.email}`);
+                }
+            } catch (error) {
+                console.error(`[Identity] Error looking up CID for ${req.firebaseUser.email}:`, error);
+                // Continue - will fail validation below if CID is required
+            }
+        }
+
+        // 1. Identify the requested user ID (from params/headers/body)
+        const requestedUserId = req.query.userCid || req.body.userCid || req.headers['x-user-cid'];
         
-        // For public routes or Firebase Auth routes, userCid is optional
-        if (!actualUserId && !isPublic && !hasFirebaseAuth) {
+        // For public routes, userCid is optional
+        if (!requestedUserId && !isPublic && !hasFirebaseAuth) {
             return res.status(400).json({ error: "Missing user identification (userCid)" });
         }
 
-        // If no user ID provided and it's a public route or uses Firebase Auth, skip identity resolution
-        if (!actualUserId && (isPublic || hasFirebaseAuth)) {
+        // If no user ID provided and it's a public route, skip identity resolution
+        if (!requestedUserId && isPublic) {
             req.actualUserId = null;
             req.targetUserId = null;
             req.isImpersonating = false;
             return next();
         }
 
-        // 2. Check for Impersonation Request (Headers or Query)
-        const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
-
-        req.actualUserId = actualUserId;
-        req.targetUserId = actualUserId; // Default to actual
-        req.isImpersonating = false;
-
-        // 3. specific logic for Developers
-        if (impersonateId && impersonateId !== actualUserId) {
-            // Verify if the ACTUAL user is a developer
-            // We pass the db instance from dependencies (assuming standard express injection)
-            const db = req.app.locals.db || req.dependencies.db; 
-            const isDev = await isDeveloper(db, actualUserId);
-
-            if (isDev) {
-                req.targetUserId = impersonateId;
-                req.isImpersonating = true;
-                console.log(`[Identity] Dev ${actualUserId} is impersonating ${impersonateId}`);
-            } else {
-                // Fail silently or warn? For security, maybe just ignore or strict fail.
-                // Ignoring ensures they just see their own data.
-                console.warn(`[Identity] Unauthorized impersonation attempt by ${actualUserId}`);
+        // SECURITY FIX: If Firebase Auth is present, enforce ownership
+        // The authenticated user can only access their own CID (unless developer impersonation)
+        if (authenticatedUserCid) {
+            // If a CID was requested but doesn't match the authenticated user's CID, reject (unless developer impersonation)
+            if (requestedUserId && requestedUserId !== authenticatedUserCid) {
+                // Check if this is a developer impersonation request
+                const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
+                
+                if (impersonateId && impersonateId === requestedUserId) {
+                    // This is an explicit impersonation request - verify developer status
+                    const isDev = await isDeveloper(db, authenticatedUserCid);
+                    if (isDev) {
+                        req.actualUserId = authenticatedUserCid;
+                        req.targetUserId = impersonateId;
+                        req.isImpersonating = true;
+                        console.log(`[Identity] Dev ${authenticatedUserCid} is impersonating ${impersonateId}`);
+                        return next();
+                    } else {
+                        console.warn(`[Identity] Unauthorized impersonation attempt by ${authenticatedUserCid}`);
+                        return res.status(403).json({ error: "Unauthorized: Developer privileges required for impersonation" });
+                    }
+                } else {
+                    // User is trying to access another user's CID without impersonation header
+                    console.warn(`[Identity] Security violation: User ${authenticatedUserCid} attempted to access CID ${requestedUserId}`);
+                    return res.status(403).json({ error: "Unauthorized: You can only access your own data" });
+                }
+            }
+            
+            // Authenticated user owns the requested CID (or no CID requested) - use authenticated CID
+            req.actualUserId = authenticatedUserCid;
+            req.targetUserId = authenticatedUserCid;
+            req.isImpersonating = false;
+        } else if (requestedUserId) {
+            // No Firebase Auth but CID provided - legacy behavior (for backward compatibility)
+            // WARNING: This is less secure but may be needed for some legacy clients
+            // Consider requiring Firebase Auth for all authenticated routes
+            if (!isPublic) {
+                console.warn(`[Identity] No Firebase Auth but CID ${requestedUserId} provided - using legacy mode`);
+            }
+            req.actualUserId = requestedUserId;
+            req.targetUserId = requestedUserId;
+            req.isImpersonating = false;
+            
+            // Check for developer impersonation (legacy mode)
+            const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
+            if (impersonateId && impersonateId !== requestedUserId) {
+                const isDev = await isDeveloper(db, requestedUserId);
+                if (isDev) {
+                    req.targetUserId = impersonateId;
+                    req.isImpersonating = true;
+                    console.log(`[Identity] Dev ${requestedUserId} is impersonating ${impersonateId}`);
+                } else {
+                    console.warn(`[Identity] Unauthorized impersonation attempt by ${requestedUserId}`);
+                }
             }
+        } else {
+            // No CID and not public - this shouldn't happen due to check above, but handle gracefully
+            req.actualUserId = null;
+            req.targetUserId = null;
+            req.isImpersonating = false;
         }
 
         next();

package/functions/api-v2/routes/index.js

@@ -1,5 +1,6 @@
 const express = require('express');
 const { resolveUserIdentity } = require('../middleware/identity_middleware.js');
+const { verifyFirebaseToken } = require('../middleware/firebase_auth_middleware.js');
 
 const notificationRoutes = require('./notifications.js');
 const alertsRoutes = require('./alerts.js'); // <--- NEW
@@ -19,6 +20,11 @@ module.exports = (dependencies) => {
         next();
     });
 
+    // SECURITY: Verify Firebase Auth token first (if present)
+    // This allows identity_middleware to validate CID ownership
+    router.use(verifyFirebaseToken);
+    
+    // Then resolve user identity with CID ownership validation
     router.use(resolveUserIdentity);
 
     router.use('/notifications', notificationRoutes);

package/functions/api-v2/routes/notifications.js

@@ -27,10 +27,14 @@ router.post('/mark-read', async (req, res) => {
         const { db } = req.dependencies;
         const { notificationIds, markAll } = req.body; // Array of IDs or boolean flag
         
+        console.log(`[notifications/mark-read] Request for user ${req.targetUserId}, markAll: ${markAll}, notificationIds: ${notificationIds?.length || 0}`);
+        
+        // Execute the operation with a reasonable timeout
         await markNotificationRead(db, req.targetUserId, notificationIds, markAll);
         
         res.json({ success: true });
     } catch (error) {
+        console.error(`[notifications/mark-read] Error for user ${req.targetUserId}:`, error.message, error.stack);
         res.status(500).json({ error: error.message });
     }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bulltrackers-module",
-  "version": "1.0.614",
+  "version": "1.0.616",
   "description": "Helper Functions for Bulltrackers.",
   "main": "index.js",
   "files": [