bulltrackers-module 1.0.616 → 1.0.618

package/functions/api-v2/helpers/data-fetchers/firestore.js

@@ -1,6 +1,7 @@
 // Firestore helper functions for fetching data from collections
 const { FieldValue } = require('@google-cloud/firestore');
 const { dispatchSyncRequest } = require('../task_engine_helper.js');
+const crypto = require('crypto');
 
 // 1. Fetch latest stored snapshots of user data from a user-centric collection
 
@@ -525,10 +526,43 @@ const fetchUserVerificationData = async (firestore, userId) => {
     }
 };
 
+/**
+ * Hash email for use as document ID in lookup collection
+ * Uses SHA-256 for consistent hashing
+ */
+const hashEmail = (email) => {
+    const normalizedEmail = String(email).toLowerCase().trim();
+    return crypto.createHash('sha256').update(normalizedEmail).digest('hex');
+};
+
+/**
+ * Create or update email-to-CID lookup document for O(1) lookups
+ * This is called when an email is verified or when migration finds a match
+ */
+const createEmailLookup = async (firestore, email, cid) => {
+    try {
+        const hashedEmail = hashEmail(email);
+        const lookupRef = firestore.collection('sys_user_lookup').doc(hashedEmail);
+        
+        await lookupRef.set({
+            cid: Number(cid),
+            emailHash: hashedEmail,
+            createdAt: FieldValue.serverTimestamp(),
+            updatedAt: FieldValue.serverTimestamp(),
+        }, { merge: true });
+        
+        console.log(`[createEmailLookup] Created lookup document for email hash ${hashedEmail} -> CID ${cid}`);
+    } catch (error) {
+        console.error(`[createEmailLookup] Error creating lookup for ${email}:`, error);
+        // Don't throw - lookup creation is non-critical, fallback will work
+    }
+};
+
 /**
  * Lookup CID by email (server-side only for security)
- * Searches through all SignedInUsers verification documents to find matching email
- * Returns only the CID and basic verification status - no email exposure
+ * 
+ * PERFORMANCE: Uses O(1) lookup collection first, falls back to O(N) search if not found
+ * MIGRATION: When fallback finds a match, creates lookup document for future O(1) access
  * 
  * NOTE: Multiple Firebase accounts (different UIDs) can access the same CID
  * if their emails are in the verification document's email array.
@@ -541,8 +575,60 @@ const lookupCidByEmail = async (firestore, userEmail, firebaseUid = null) => {
     try {
         // Normalize email for comparison
         const normalizedEmail = String(userEmail).toLowerCase().trim();
+        const hashedEmail = hashEmail(normalizedEmail);
+        
+        // STEP 1: Try O(1) lookup from denormalized collection
+        const lookupRef = firestore.collection('sys_user_lookup').doc(hashedEmail);
+        const lookupDoc = await lookupRef.get();
+        
+        if (lookupDoc.exists) {
+            const lookupData = lookupDoc.data();
+            const cid = lookupData.cid;
+            
+            // Fetch verification data to return full user info
+            const verificationRef = firestore.collection('SignedInUsers').doc(String(cid)).collection('verification').doc('data');
+            const verificationDoc = await verificationRef.get();
+            
+            if (verificationDoc.exists) {
+                const verificationData = verificationDoc.data();
+                
+                // Verify email is still in the verification document (safety check)
+                const emails = Array.isArray(verificationData.email) 
+                    ? verificationData.email 
+                    : (verificationData.email ? [verificationData.email] : []);
+                const normalizedEmails = emails.map(e => String(e).toLowerCase().trim());
+                
+                if (normalizedEmails.includes(normalizedEmail)) {
+                    // Optional: Validate Firebase UID if provided
+                    if (firebaseUid && verificationData.firebaseUids && Array.isArray(verificationData.firebaseUids)) {
+                        if (!verificationData.firebaseUids.includes(firebaseUid)) {
+                            console.warn(`[lookupCidByEmail] Email ${userEmail} matches CID ${cid} but Firebase UID ${firebaseUid} not in firebaseUids array`);
+                        }
+                    }
+                    
+                    // Return result from O(1) lookup
+                    return {
+                        cid: verificationData.etoroCID || Number(cid),
+                        accountSetupComplete: verificationData.accountSetupComplete || false,
+                        etoroUsername: verificationData.etoroUsername,
+                        displayName: verificationData.displayName,
+                        photoURL: verificationData.photoURL,
+                        verifiedAt: verificationData.verifiedAt,
+                        setupCompletedAt: verificationData.setupCompletedAt,
+                    };
+                } else {
+                    // Email not in verification doc - lookup is stale, will fall through to migration
+                    console.warn(`[lookupCidByEmail] Lookup document exists but email ${normalizedEmail} not in verification doc for CID ${cid}`);
+                }
+            }
+        }
+        
+        // STEP 2: Fallback to O(N) search (migration path)
+        // This happens when:
+        // 1. Lookup document doesn't exist yet (new user or not migrated)
+        // 2. Lookup document exists but email not in verification (stale data)
+        console.log(`[lookupCidByEmail] Lookup document not found for ${normalizedEmail}, performing O(N) search (migration)`);
         
-        // Get all SignedInUsers documents
         const signedInUsersSnapshot = await firestore.collection('SignedInUsers').get();
         
         // Search through each CID's verification document
@@ -559,18 +645,24 @@ const lookupCidByEmail = async (firestore, userEmail, firebaseUid = null) => {
                 // Case-insensitive email comparison
                 const normalizedEmails = emails.map(e => String(e).toLowerCase().trim());
                 if (normalizedEmails.includes(normalizedEmail)) {
-                    // Optional: If Firebase UID is provided, validate it's in the firebaseUids array (if it exists)
-                    // This provides additional security but doesn't block access if UID tracking isn't set up yet
+                    const cid = verificationData.etoroCID || Number(userDoc.id);
+                    
+                    // Optional: Validate Firebase UID if provided
                     if (firebaseUid && verificationData.firebaseUids && Array.isArray(verificationData.firebaseUids)) {
                         if (!verificationData.firebaseUids.includes(firebaseUid)) {
-                            // UID not in list - log warning but still allow access (email is the source of truth)
-                            console.warn(`[lookupCidByEmail] Email ${userEmail} matches CID ${userDoc.id} but Firebase UID ${firebaseUid} not in firebaseUids array`);
+                            console.warn(`[lookupCidByEmail] Email ${userEmail} matches CID ${cid} but Firebase UID ${firebaseUid} not in firebaseUids array`);
                         }
                     }
                     
-                    // Found match - return only CID and verification status (no email)
+                    // STEP 3: Create lookup document for future O(1) access (migration)
+                    // Create lookup for all emails in the verification document to handle multiple accounts
+                    for (const email of normalizedEmails) {
+                        await createEmailLookup(firestore, email, cid);
+                    }
+                    
+                    // Return result
                     return {
-                        cid: verificationData.etoroCID || Number(userDoc.id),
+                        cid: cid,
                         accountSetupComplete: verificationData.accountSetupComplete || false,
                         etoroUsername: verificationData.etoroUsername,
                         displayName: verificationData.displayName,
@@ -1700,6 +1792,14 @@ const finalizeVerification = async (db, pubsub, userId, username) => {
         accountSetupComplete: false, // Will be set to true by frontend completeAccountSetup
         createdAt: FieldValue.serverTimestamp(),
     }, { merge: true });
+    
+    // 3. Create lookup documents for all emails (O(1) lookup optimization)
+    // This ensures future lookups are fast even if emails are added later
+    for (const email of emails) {
+        if (email) {
+            await createEmailLookup(db, email, realCID);
+        }
+    }
 
     // 4. Trigger Downstream Systems via Task Engine
     if (pubsub) {
@@ -2624,6 +2724,8 @@ module.exports = {
     fetchPopularInvestorMasterList,
     isDeveloper,
     lookupCidByEmail,
+    createEmailLookup,
+    hashEmail,
     manageUserWatchlist,
     fetchUserVerificationData,
     requestPopularInvestorAddition,

package/functions/api-v2/middleware/identity_middleware.js

@@ -104,6 +104,15 @@ const resolveUserIdentity = async (req, res, next) => {
         // 1. Identify the requested user ID (from params/headers/body)
         const requestedUserId = req.query.userCid || req.body.userCid || req.headers['x-user-cid'];
         
+        // SECURITY: For private routes, require Firebase Auth to prevent IDOR attacks
+        if (!isPublic && !authenticatedUserCid && !hasFirebaseAuth) {
+            // Private route without authentication - reject immediately
+            console.warn(`[Identity] Security violation: Private route ${req.path} accessed without Firebase Auth`);
+            return res.status(401).json({ 
+                error: "Authentication required. Please provide a valid Firebase ID token in the Authorization header." 
+            });
+        }
+        
         // For public routes, userCid is optional
         if (!requestedUserId && !isPublic && !hasFirebaseAuth) {
             return res.status(400).json({ error: "Missing user identification (userCid)" });
@@ -150,24 +159,30 @@ const resolveUserIdentity = async (req, res, next) => {
             req.targetUserId = authenticatedUserCid;
             req.isImpersonating = false;
         } else if (requestedUserId) {
-            // No Firebase Auth but CID provided - legacy behavior (for backward compatibility)
-            // WARNING: This is less secure but may be needed for some legacy clients
-            // Consider requiring Firebase Auth for all authenticated routes
+            // SECURITY FIX: Legacy mode only allowed for public routes
+            // For private routes, Firebase Auth is REQUIRED to prevent IDOR attacks
             if (!isPublic) {
-                console.warn(`[Identity] No Firebase Auth but CID ${requestedUserId} provided - using legacy mode`);
+                // Private route without authentication - reject the request
+                console.warn(`[Identity] Security violation: Private route accessed without Firebase Auth. Requested CID: ${requestedUserId}`);
+                return res.status(401).json({ 
+                    error: "Authentication required. Please provide a valid Firebase ID token in the Authorization header." 
+                });
             }
+            
+            // Legacy mode only for public routes (backward compatibility)
+            // Public routes don't expose sensitive data, so this is acceptable
             req.actualUserId = requestedUserId;
             req.targetUserId = requestedUserId;
             req.isImpersonating = false;
             
-            // Check for developer impersonation (legacy mode)
+            // Check for developer impersonation (legacy mode - only for public routes)
             const impersonateId = req.headers['x-impersonate-cid'] || req.query.impersonateCid;
             if (impersonateId && impersonateId !== requestedUserId) {
                 const isDev = await isDeveloper(db, requestedUserId);
                 if (isDev) {
                     req.targetUserId = impersonateId;
                     req.isImpersonating = true;
-                    console.log(`[Identity] Dev ${requestedUserId} is impersonating ${impersonateId}`);
+                    console.log(`[Identity] Dev ${requestedUserId} is impersonating ${impersonateId} (public route)`);
                 } else {
                     console.warn(`[Identity] Unauthorized impersonation attempt by ${requestedUserId}`);
                 }

package/functions/api-v2/routes/verification.js

@@ -1,5 +1,5 @@
 const express = require('express');
-const { initiateVerification, finalizeVerification, fetchUserVerificationData, lookupCidByEmail } = require('../helpers/data-fetchers/firestore.js');
+const { initiateVerification, finalizeVerification, fetchUserVerificationData, lookupCidByEmail, createEmailLookup } = require('../helpers/data-fetchers/firestore.js');
 const { requireFirebaseAuth } = require('../middleware/firebase_auth_middleware.js');
 
 const router = express.Router();
@@ -79,4 +79,57 @@ router.post('/finalize', async (req, res) => {
     }
 });
 
+// POST /verification/update-lookup
+// Updates email-to-CID lookup documents when emails are added to verification
+// Called by frontend after updating verification document with new emails
+// This ensures O(1) lookups work immediately without waiting for migration
+router.post('/update-lookup', requireFirebaseAuth, async (req, res) => {
+    try {
+        const { db } = req.dependencies;
+        const { cid, emails } = req.body;
+        
+        if (!cid || !Array.isArray(emails) || emails.length === 0) {
+            return res.status(400).json({ 
+                success: false, 
+                error: 'CID and emails array are required' 
+            });
+        }
+        
+        // Verify the authenticated user owns this CID
+        const userEmail = req.firebaseUser?.email;
+        if (userEmail) {
+            const userData = await lookupCidByEmail(db, userEmail);
+            if (!userData || String(userData.cid) !== String(cid)) {
+                return res.status(403).json({ 
+                    success: false, 
+                    error: 'Unauthorized: You can only update lookup for your own CID' 
+                });
+            }
+        }
+        
+        // Create lookup documents for all emails
+        const results = [];
+        for (const email of emails) {
+            if (email) {
+                try {
+                    await createEmailLookup(db, email, cid);
+                    results.push({ email, success: true });
+                } catch (error) {
+                    console.error(`[update-lookup] Failed to create lookup for ${email}:`, error);
+                    results.push({ email, success: false, error: error.message });
+                }
+            }
+        }
+        
+        res.json({ 
+            success: true, 
+            message: `Updated ${results.filter(r => r.success).length} lookup document(s)`,
+            results 
+        });
+    } catch (error) {
+        console.error('[Verification Update Lookup] Error:', error);
+        res.status(500).json({ success: false, error: error.message });
+    }
+});
+
 module.exports = router;

package/functions/api-v2/routes/watchlists.js

@@ -35,6 +35,14 @@ router.post('/auto-generate', async (req, res) => {
     }
 });
 
+// GET /watchlists/public - Must be before /:id route to avoid route conflict
+router.get('/public', async (req, res) => {
+    try {
+        const data = await fetchPublicWatchlists(req.dependencies.db, req.query.limit, req.query.offset);
+        res.json({ success: true, data });
+    } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
 // GET /watchlists/:id (Rec 12)
 router.get('/:id', async (req, res) => {
     try {
@@ -86,13 +94,6 @@ router.post('/manage', async (req, res) => {
 });
 
 // Public & Copy Routes (Existing)
-router.get('/public', async (req, res) => {
-    try {
-        const data = await fetchPublicWatchlists(req.dependencies.db, req.query.limit, req.query.offset);
-        res.json({ success: true, data });
-    } catch (e) { res.status(500).json({ error: e.message }); }
-});
-
 router.post('/:id/publish', async (req, res) => {
     try {
         const result = await publishWatchlistVersion(req.dependencies.db, req.targetUserId, req.params.id);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bulltrackers-module",
-  "version": "1.0.616",
+  "version": "1.0.618",
   "description": "Helper Functions for Bulltrackers.",
   "main": "index.js",
   "files": [