bulltrackers-module 1.0.615 → 1.0.617

package/functions/api-v2/helpers/data-fetchers/firestore.js

@@ -1,6 +1,7 @@
 // Firestore helper functions for fetching data from collections
 const { FieldValue } = require('@google-cloud/firestore');
 const { dispatchSyncRequest } = require('../task_engine_helper.js');
+const crypto = require('crypto');
 
 // 1. Fetch latest stored snapshots of user data from a user-centric collection
 
@@ -525,12 +526,48 @@ const fetchUserVerificationData = async (firestore, userId) => {
     }
 };
 
+/**
+ * Hash email for use as document ID in lookup collection
+ * Uses SHA-256 for consistent hashing
+ */
+const hashEmail = (email) => {
+    const normalizedEmail = String(email).toLowerCase().trim();
+    return crypto.createHash('sha256').update(normalizedEmail).digest('hex');
+};
+
+/**
+ * Create or update email-to-CID lookup document for O(1) lookups
+ * This is called when an email is verified or when migration finds a match
+ */
+const createEmailLookup = async (firestore, email, cid) => {
+    try {
+        const hashedEmail = hashEmail(email);
+        const lookupRef = firestore.collection('sys_user_lookup').doc(hashedEmail);
+        
+        await lookupRef.set({
+            cid: Number(cid),
+            emailHash: hashedEmail,
+            createdAt: FieldValue.serverTimestamp(),
+            updatedAt: FieldValue.serverTimestamp(),
+        }, { merge: true });
+        
+        console.log(`[createEmailLookup] Created lookup document for email hash ${hashedEmail} -> CID ${cid}`);
+    } catch (error) {
+        console.error(`[createEmailLookup] Error creating lookup for ${email}:`, error);
+        // Don't throw - lookup creation is non-critical, fallback will work
+    }
+};
+
 /**
  * Lookup CID by email (server-side only for security)
- * Searches through all SignedInUsers verification documents to find matching email
- * Returns only the CID and basic verification status - no email exposure
+ * 
+ * PERFORMANCE: Uses O(1) lookup collection first, falls back to O(N) search if not found
+ * MIGRATION: When fallback finds a match, creates lookup document for future O(1) access
+ * 
+ * NOTE: Multiple Firebase accounts (different UIDs) can access the same CID
+ * if their emails are in the verification document's email array.
  */
-const lookupCidByEmail = async (firestore, userEmail) => {
+const lookupCidByEmail = async (firestore, userEmail, firebaseUid = null) => {
     if (!userEmail) {
         throw new Error('Email is required for lookup');
     }
@@ -538,8 +575,60 @@ const lookupCidByEmail = async (firestore, userEmail) => {
     try {
         // Normalize email for comparison
         const normalizedEmail = String(userEmail).toLowerCase().trim();
+        const hashedEmail = hashEmail(normalizedEmail);
+        
+        // STEP 1: Try O(1) lookup from denormalized collection
+        const lookupRef = firestore.collection('sys_user_lookup').doc(hashedEmail);
+        const lookupDoc = await lookupRef.get();
+        
+        if (lookupDoc.exists) {
+            const lookupData = lookupDoc.data();
+            const cid = lookupData.cid;
+            
+            // Fetch verification data to return full user info
+            const verificationRef = firestore.collection('SignedInUsers').doc(String(cid)).collection('verification').doc('data');
+            const verificationDoc = await verificationRef.get();
+            
+            if (verificationDoc.exists) {
+                const verificationData = verificationDoc.data();
+                
+                // Verify email is still in the verification document (safety check)
+                const emails = Array.isArray(verificationData.email) 
+                    ? verificationData.email 
+                    : (verificationData.email ? [verificationData.email] : []);
+                const normalizedEmails = emails.map(e => String(e).toLowerCase().trim());
+                
+                if (normalizedEmails.includes(normalizedEmail)) {
+                    // Optional: Validate Firebase UID if provided
+                    if (firebaseUid && verificationData.firebaseUids && Array.isArray(verificationData.firebaseUids)) {
+                        if (!verificationData.firebaseUids.includes(firebaseUid)) {
+                            console.warn(`[lookupCidByEmail] Email ${userEmail} matches CID ${cid} but Firebase UID ${firebaseUid} not in firebaseUids array`);
+                        }
+                    }
+                    
+                    // Return result from O(1) lookup
+                    return {
+                        cid: verificationData.etoroCID || Number(cid),
+                        accountSetupComplete: verificationData.accountSetupComplete || false,
+                        etoroUsername: verificationData.etoroUsername,
+                        displayName: verificationData.displayName,
+                        photoURL: verificationData.photoURL,
+                        verifiedAt: verificationData.verifiedAt,
+                        setupCompletedAt: verificationData.setupCompletedAt,
+                    };
+                } else {
+                    // Email not in verification doc - lookup is stale, will fall through to migration
+                    console.warn(`[lookupCidByEmail] Lookup document exists but email ${normalizedEmail} not in verification doc for CID ${cid}`);
+                }
+            }
+        }
+        
+        // STEP 2: Fallback to O(N) search (migration path)
+        // This happens when:
+        // 1. Lookup document doesn't exist yet (new user or not migrated)
+        // 2. Lookup document exists but email not in verification (stale data)
+        console.log(`[lookupCidByEmail] Lookup document not found for ${normalizedEmail}, performing O(N) search (migration)`);
         
-        // Get all SignedInUsers documents
         const signedInUsersSnapshot = await firestore.collection('SignedInUsers').get();
         
         // Search through each CID's verification document
@@ -556,9 +645,24 @@ const lookupCidByEmail = async (firestore, userEmail) => {
                 // Case-insensitive email comparison
                 const normalizedEmails = emails.map(e => String(e).toLowerCase().trim());
                 if (normalizedEmails.includes(normalizedEmail)) {
-                    // Found match - return only CID and verification status (no email)
+                    const cid = verificationData.etoroCID || Number(userDoc.id);
+                    
+                    // Optional: Validate Firebase UID if provided
+                    if (firebaseUid && verificationData.firebaseUids && Array.isArray(verificationData.firebaseUids)) {
+                        if (!verificationData.firebaseUids.includes(firebaseUid)) {
+                            console.warn(`[lookupCidByEmail] Email ${userEmail} matches CID ${cid} but Firebase UID ${firebaseUid} not in firebaseUids array`);
+                        }
+                    }
+                    
+                    // STEP 3: Create lookup document for future O(1) access (migration)
+                    // Create lookup for all emails in the verification document to handle multiple accounts
+                    for (const email of normalizedEmails) {
+                        await createEmailLookup(firestore, email, cid);
+                    }
+                    
+                    // Return result
                     return {
-                        cid: verificationData.etoroCID || Number(userDoc.id),
+                        cid: cid,
                         accountSetupComplete: verificationData.accountSetupComplete || false,
                         etoroUsername: verificationData.etoroUsername,
                         displayName: verificationData.displayName,
@@ -1688,6 +1792,14 @@ const finalizeVerification = async (db, pubsub, userId, username) => {
         accountSetupComplete: false, // Will be set to true by frontend completeAccountSetup
         createdAt: FieldValue.serverTimestamp(),
     }, { merge: true });
+    
+    // 3. Create lookup documents for all emails (O(1) lookup optimization)
+    // This ensures future lookups are fast even if emails are added later
+    for (const email of emails) {
+        if (email) {
+            await createEmailLookup(db, email, realCID);
+        }
+    }
 
     // 4. Trigger Downstream Systems via Task Engine
     if (pubsub) {
@@ -2612,6 +2724,8 @@ module.exports = {
     fetchPopularInvestorMasterList,
     isDeveloper,
     lookupCidByEmail,
+    createEmailLookup,
+    hashEmail,
     manageUserWatchlist,
     fetchUserVerificationData,
     requestPopularInvestorAddition,

package/functions/api-v2/middleware/identity_middleware.js

@@ -2,6 +2,12 @@
  * Middleware to resolve the effective user ID, handling Developer Impersonation.
  * Sets req.targetUserId, req.isImpersonating, and req.actualUserId.
  * 
+ * SECURITY: This middleware validates that the authenticated Firebase user owns the requested CID.
+ * It prevents IDOR (Insecure Direct Object Reference) attacks by:
+ * 1. Looking up the CID associated with the Firebase authenticated user's email
+ * 2. Forcing req.targetUserId to be the authenticated user's CID (unless developer impersonation)
+ * 3. Ignoring any userCid provided in headers/query/body if it doesn't match the authenticated user
+ * 
  * Public routes (that don't require authentication):
  * - /watchlists/public
  * - /popular-investors/trending
@@ -9,7 +15,7 @@
  * - /popular-investors/master-list
  * - /popular-investors/search
  */
-const { isDeveloper } = require('../helpers/data-fetchers/firestore.js'); // Using your provided helper
+const { isDeveloper, lookupCidByEmail } = require('../helpers/data-fetchers/firestore.js');
 
 // List of public routes that don't require userCid
 // Also includes routes that use Firebase Auth token authentication (like /verification/lookup)
@@ -60,6 +66,12 @@ const isPublicRoute = (path, originalUrl) => {
 
 const resolveUserIdentity = async (req, res, next) => {
     try {
+        const db = req.app.locals?.db || req.dependencies?.db;
+        if (!db) {
+            console.error('[IdentityMiddleware] Database not available');
+            return res.status(500).json({ error: "Internal server error" });
+        }
+
         // Check if this is a public route (check both path and originalUrl for Express routing)
         const isPublic = isPublicRoute(req.path, req.originalUrl);
         
@@ -68,45 +80,118 @@ const resolveUserIdentity = async (req, res, next) => {
         const hasFirebaseAuth = req.headers.authorization && 
                                 req.headers.authorization.startsWith('Bearer ');
         
-        // 1. Identify the actual authenticated user (from Auth middleware or params)
-        const actualUserId = req.query.userCid || req.body.userCid || req.headers['x-user-cid'];
+        // SECURITY FIX: If Firebase Auth is present, validate the user owns the requested CID
+        // NOTE: Multiple Firebase accounts (different UIDs) can access the same CID
+        // if their emails are in the verification document's email array
+        let authenticatedUserCid = null;
+        if (req.firebaseUser && req.firebaseUser.email) {
+            try {
+                // Look up the CID associated with the authenticated Firebase user's email
+                // Pass Firebase UID for optional validation (email is the source of truth)
+                const userData = await lookupCidByEmail(db, req.firebaseUser.email, req.firebaseUser.uid);
+                if (userData && userData.cid) {
+                    authenticatedUserCid = String(userData.cid);
+                    console.log(`[Identity] Authenticated user ${req.firebaseUser.email} (UID: ${req.firebaseUser.uid}) owns CID ${authenticatedUserCid}`);
+                } else {
+                    console.warn(`[Identity] No CID found for authenticated user ${req.firebaseUser.email}`);
+                }
+            } catch (error) {
+                console.error(`[Identity] Error looking up CID for ${req.firebaseUser.email}:`, error);
+                // Continue - will fail validation below if CID is required
+            }
+        }
+
+        // 1. Identify the requested user ID (from params/headers/body)
+        const requestedUserId = req.query.userCid || req.body.userCid || req.headers['x-user-cid'];
+        
+        // SECURITY: For private routes, require Firebase Auth to prevent IDOR attacks
+        if (!isPublic && !authenticatedUserCid && !hasFirebaseAuth) {
+            // Private route without authentication - reject immediately
+            console.warn(`[Identity] Security violation: Private route ${req.path} accessed without Firebase Auth`);
+            return res.status(401).json({ 
+                error: "Authentication required. Please provide a valid Firebase ID token in the Authorization header." 
+            });
+        }
         
-        // For public routes or Firebase Auth routes, userCid is optional
-        if (!actualUserId && !isPublic && !hasFirebaseAuth) {
+        // For public routes, userCid is optional
+        if (!requestedUserId && !isPublic && !hasFirebaseAuth) {
             return res.status(400).json({ error: "Missing user identification (userCid)" });
         }
 
-        // If no user ID provided and it's a public route or uses Firebase Auth, skip identity resolution
-        if (!actualUserId && (isPublic || hasFirebaseAuth)) {
+        // If no user ID provided and it's a public route, skip identity resolution
+        if (!requestedUserId && isPublic) {
             req.actualUserId = null;
             req.targetUserId = null;
             req.isImpersonating = false;
             return next();
         }
 
-        // 2. Check for Impersonation Request (Headers or Query)
-        const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
-
-        req.actualUserId = actualUserId;
-        req.targetUserId = actualUserId; // Default to actual
-        req.isImpersonating = false;
-
-        // 3. specific logic for Developers
-        if (impersonateId && impersonateId !== actualUserId) {
-            // Verify if the ACTUAL user is a developer
-            // We pass the db instance from dependencies (assuming standard express injection)
-            const db = req.app.locals.db || req.dependencies.db; 
-            const isDev = await isDeveloper(db, actualUserId);
-
-            if (isDev) {
-                req.targetUserId = impersonateId;
-                req.isImpersonating = true;
-                console.log(`[Identity] Dev ${actualUserId} is impersonating ${impersonateId}`);
-            } else {
-                // Fail silently or warn? For security, maybe just ignore or strict fail.
-                // Ignoring ensures they just see their own data.
-                console.warn(`[Identity] Unauthorized impersonation attempt by ${actualUserId}`);
+        // SECURITY FIX: If Firebase Auth is present, enforce ownership
+        // The authenticated user can only access their own CID (unless developer impersonation)
+        if (authenticatedUserCid) {
+            // If a CID was requested but doesn't match the authenticated user's CID, reject (unless developer impersonation)
+            if (requestedUserId && requestedUserId !== authenticatedUserCid) {
+                // Check if this is a developer impersonation request
+                const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
+                
+                if (impersonateId && impersonateId === requestedUserId) {
+                    // This is an explicit impersonation request - verify developer status
+                    const isDev = await isDeveloper(db, authenticatedUserCid);
+                    if (isDev) {
+                        req.actualUserId = authenticatedUserCid;
+                        req.targetUserId = impersonateId;
+                        req.isImpersonating = true;
+                        console.log(`[Identity] Dev ${authenticatedUserCid} is impersonating ${impersonateId}`);
+                        return next();
+                    } else {
+                        console.warn(`[Identity] Unauthorized impersonation attempt by ${authenticatedUserCid}`);
+                        return res.status(403).json({ error: "Unauthorized: Developer privileges required for impersonation" });
+                    }
+                } else {
+                    // User is trying to access another user's CID without impersonation header
+                    console.warn(`[Identity] Security violation: User ${authenticatedUserCid} attempted to access CID ${requestedUserId}`);
+                    return res.status(403).json({ error: "Unauthorized: You can only access your own data" });
+                }
             }
+            
+            // Authenticated user owns the requested CID (or no CID requested) - use authenticated CID
+            req.actualUserId = authenticatedUserCid;
+            req.targetUserId = authenticatedUserCid;
+            req.isImpersonating = false;
+        } else if (requestedUserId) {
+            // SECURITY FIX: Legacy mode only allowed for public routes
+            // For private routes, Firebase Auth is REQUIRED to prevent IDOR attacks
+            if (!isPublic) {
+                // Private route without authentication - reject the request
+                console.warn(`[Identity] Security violation: Private route accessed without Firebase Auth. Requested CID: ${requestedUserId}`);
+                return res.status(401).json({ 
+                    error: "Authentication required. Please provide a valid Firebase ID token in the Authorization header." 
+                });
+            }
+            
+            // Legacy mode only for public routes (backward compatibility)
+            // Public routes don't expose sensitive data, so this is acceptable
+            req.actualUserId = requestedUserId;
+            req.targetUserId = requestedUserId;
+            req.isImpersonating = false;
+            
+            // Check for developer impersonation (legacy mode - only for public routes)
+            const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
+            if (impersonateId && impersonateId !== requestedUserId) {
+                const isDev = await isDeveloper(db, requestedUserId);
+                if (isDev) {
+                    req.targetUserId = impersonateId;
+                    req.isImpersonating = true;
+                    console.log(`[Identity] Dev ${requestedUserId} is impersonating ${impersonateId} (public route)`);
+                } else {
+                    console.warn(`[Identity] Unauthorized impersonation attempt by ${requestedUserId}`);
+                }
+            }
+        } else {
+            // No CID and not public - this shouldn't happen due to check above, but handle gracefully
+            req.actualUserId = null;
+            req.targetUserId = null;
+            req.isImpersonating = false;
         }
 
         next();

package/functions/api-v2/routes/index.js

@@ -1,5 +1,6 @@
 const express = require('express');
 const { resolveUserIdentity } = require('../middleware/identity_middleware.js');
+const { verifyFirebaseToken } = require('../middleware/firebase_auth_middleware.js');
 
 const notificationRoutes = require('./notifications.js');
 const alertsRoutes = require('./alerts.js'); // <--- NEW
@@ -19,6 +20,11 @@ module.exports = (dependencies) => {
         next();
     });
 
+    // SECURITY: Verify Firebase Auth token first (if present)
+    // This allows identity_middleware to validate CID ownership
+    router.use(verifyFirebaseToken);
+    
+    // Then resolve user identity with CID ownership validation
     router.use(resolveUserIdentity);
 
     router.use('/notifications', notificationRoutes);

package/functions/api-v2/routes/verification.js

@@ -1,5 +1,5 @@
 const express = require('express');
-const { initiateVerification, finalizeVerification, fetchUserVerificationData, lookupCidByEmail } = require('../helpers/data-fetchers/firestore.js');
+const { initiateVerification, finalizeVerification, fetchUserVerificationData, lookupCidByEmail, createEmailLookup } = require('../helpers/data-fetchers/firestore.js');
 const { requireFirebaseAuth } = require('../middleware/firebase_auth_middleware.js');
 
 const router = express.Router();
@@ -79,4 +79,57 @@ router.post('/finalize', async (req, res) => {
     }
 });
 
+// POST /verification/update-lookup
+// Updates email-to-CID lookup documents when emails are added to verification
+// Called by frontend after updating verification document with new emails
+// This ensures O(1) lookups work immediately without waiting for migration
+router.post('/update-lookup', requireFirebaseAuth, async (req, res) => {
+    try {
+        const { db } = req.dependencies;
+        const { cid, emails } = req.body;
+        
+        if (!cid || !Array.isArray(emails) || emails.length === 0) {
+            return res.status(400).json({ 
+                success: false, 
+                error: 'CID and emails array are required' 
+            });
+        }
+        
+        // Verify the authenticated user owns this CID
+        const userEmail = req.firebaseUser?.email;
+        if (userEmail) {
+            const userData = await lookupCidByEmail(db, userEmail);
+            if (!userData || String(userData.cid) !== String(cid)) {
+                return res.status(403).json({ 
+                    success: false, 
+                    error: 'Unauthorized: You can only update lookup for your own CID' 
+                });
+            }
+        }
+        
+        // Create lookup documents for all emails
+        const results = [];
+        for (const email of emails) {
+            if (email) {
+                try {
+                    await createEmailLookup(db, email, cid);
+                    results.push({ email, success: true });
+                } catch (error) {
+                    console.error(`[update-lookup] Failed to create lookup for ${email}:`, error);
+                    results.push({ email, success: false, error: error.message });
+                }
+            }
+        }
+        
+        res.json({ 
+            success: true, 
+            message: `Updated ${results.filter(r => r.success).length} lookup document(s)`,
+            results 
+        });
+    } catch (error) {
+        console.error('[Verification Update Lookup] Error:', error);
+        res.status(500).json({ success: false, error: error.message });
+    }
+});
+
 module.exports = router;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bulltrackers-module",
-  "version": "1.0.615",
+  "version": "1.0.617",
   "description": "Helper Functions for Bulltrackers.",
   "main": "index.js",
   "files": [