bulltrackers-module 1.0.620 → 1.0.621

package/functions/api-v2/helpers/data-fetchers/firestore.js

@@ -22,19 +22,38 @@ const crypto = require('crypto');
  * Fetches data from a user-centric sub-collection.
  * - If `documentName` is provided, returns a SINGLE object.
  * - If `documentName` is missing, returns an ARRAY of all objects in the collection.
+ * 
+ * @param {Object} firestore - Firestore instance
+ * @param {string} userId - User ID
+ * @param {string} collectionName - Collection name
+ * @param {string} dataType - Data type identifier
+ * @param {string} userType - User type (e.g., 'SignedInUsers', 'PopularInvestors')
+ * @param {string|null} documentName - Document name (null for all documents)
+ * @param {string[]} fields - Optional array of field names to select (Firestore projection)
+ * @returns {Promise<Object|Array|null>} Single document, array of documents, or null
  */
-const latestUserCentricSnapshot = async (firestore, userId, collectionName, dataType, userType, documentName) => {
+const latestUserCentricSnapshot = async (firestore, userId, collectionName, dataType, userType, documentName, fields = []) => {
     try {
         const baseRef = firestore.collection(userType).doc(userId).collection(collectionName);
 
         if (documentName) {
             // SCENARIO 1: Single Document
-            const docSnapshot = await baseRef.doc(documentName).get();
+            let docRef = baseRef.doc(documentName);
+            // Apply field selection if fields are specified (Firestore projection)
+            if (fields.length > 0) {
+                docRef = docRef.select(...fields);
+            }
+            const docSnapshot = await docRef.get();
             if (!docSnapshot.exists) return null;
             return { id: docSnapshot.id, ...docSnapshot.data(), dataType };
         } else {
             // SCENARIO 2: All Documents (e.g. Watchlists)
-            const querySnapshot = await baseRef.get();
+            let query = baseRef;
+            // Apply field selection if fields are specified (Firestore projection)
+            // Note: Firestore doesn't support select() on collection queries, only on document references
+            // For collection queries, we'll fetch all fields but could filter in memory if needed
+            // For now, we'll only apply projection to single document queries
+            const querySnapshot = await query.get();
             if (querySnapshot.empty) return [];
             return querySnapshot.docs.map(doc => ({ id: doc.id, ...doc.data(), dataType }));
         }

package/functions/api-v2/index.js

@@ -5,7 +5,19 @@
 
 const express = require('express');
 const cors = require('cors');
+const rateLimit = require('express-rate-limit');
 const createRouter = require('./routes/index.js');
+const errorHandler = require('./middleware/error_handler.js');
+
+/**
+ * Allowed origins for CORS
+ * Production: https://bulltrackers.web.app/
+ * Development: http://172.26.96.1:8000/
+ */
+const allowedOrigins = [
+    'https://bulltrackers.web.app',
+    'http://172.26.96.1:8000'
+];
 
 /**
  * Main pipe: pipe.api.createApiV2App
@@ -15,8 +27,45 @@ function createApiV2App(config, dependencies) {
     const app = express();
     const { logger } = dependencies;
     
-    // Middleware
-    app.use(cors({ origin: true }));
+    // CORS Configuration - Restrict to specific origins
+    app.use(cors({
+        origin: function (origin, callback) {
+            // Allow requests with no origin (mobile apps, Postman, etc.)
+            if (!origin) {
+                return callback(null, true);
+            }
+            if (allowedOrigins.indexOf(origin) !== -1) {
+                callback(null, true);
+            } else {
+                callback(new Error('Not allowed by CORS'));
+            }
+        },
+        credentials: true
+    }));
+    
+    // Rate Limiting
+    // General API limiter for most routes
+    const apiLimiter = rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 100, // limit each IP to 100 requests per windowMs
+        message: 'Too many requests from this IP, please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false
+    });
+    
+    // Stricter limiter for sensitive routes (auth/verification)
+    const authLimiter = rateLimit({
+        windowMs: 60 * 60 * 1000, // 1 hour
+        max: 10, // limit each IP to 10 requests per hour
+        message: 'Too many authentication requests from this IP, please try again later.',
+        standardHeaders: true,
+        legacyHeaders: false
+    });
+    
+    // Apply rate limiters
+    app.use('/verification', authLimiter);
+    app.use('/', apiLimiter);
+    
     app.use(express.json());
     
     // Health Check
@@ -28,6 +77,9 @@ function createApiV2App(config, dependencies) {
     const router = createRouter(dependencies);
     app.use('/', router);
     
+    // Error handling middleware (must be after all routes)
+    app.use(errorHandler);
+    
     logger.log('INFO', '[API v2] Routes mounted successfully');
     
     return app;

package/functions/api-v2/middleware/error_handler.js

@@ -0,0 +1,31 @@
+/**
+ * Centralized error handling middleware
+ * Prevents leaking sensitive information (stack traces, internal errors) to clients
+ */
+
+module.exports = (err, req, res, next) => {
+    // Log full error internally for debugging
+    console.error('[Error Handler]', {
+        error: err.message,
+        stack: err.stack,
+        path: req.path,
+        method: req.method,
+        timestamp: new Date().toISOString()
+    });
+
+    // Don't expose internal errors in production
+    const isProduction = process.env.NODE_ENV === 'production';
+    const message = isProduction 
+        ? (err.status === 400 ? err.message : 'Internal Server Error')
+        : err.message;
+
+    // Determine status code
+    const status = err.status || err.statusCode || 500;
+
+    // Send error response
+    res.status(status).json({ 
+        success: false, 
+        error: message,
+        ...(isProduction ? {} : { details: err.errors || undefined })
+    });
+};

package/functions/api-v2/middleware/identity_middleware.js

@@ -17,9 +17,15 @@
  */
 const { isDeveloper, lookupCidByEmail } = require('../helpers/data-fetchers/firestore.js');
 
-// List of public routes that don't require userCid
-// Also includes routes that use Firebase Auth token authentication (like /verification/lookup)
-// And routes that return static/public data (like /alerts/types)
+// List of routes that don't require userCid (CID-agnostic routes)
+// These routes either:
+// - Return public/static data (like /popular-investors/master-list)
+// - Use Firebase Auth token authentication instead of userCid (like /verification/lookup)
+// - Have optional userCid for personalization but work without it (like /popular-investors/profile)
+// 
+// NOTE: Some routes in this list (like /verification/lookup) still require Firebase Auth,
+// but they don't use userCid for identity resolution. The name "PUBLIC_ROUTES" is a bit
+// misleading - consider renaming to "CID_AGNOSTIC_ROUTES" for clarity.
 const PUBLIC_ROUTES = [
     '/watchlists/public',
     '/popular-investors/trending',

package/functions/api-v2/routes/index.js

@@ -1,6 +1,7 @@
 const express = require('express');
 const { resolveUserIdentity } = require('../middleware/identity_middleware.js');
 const { verifyFirebaseToken } = require('../middleware/firebase_auth_middleware.js');
+const { handleSyncRequest } = require('./sync.js');
 
 const notificationRoutes = require('./notifications.js');
 const alertsRoutes = require('./alerts.js'); // <--- NEW
@@ -40,8 +41,6 @@ module.exports = (dependencies) => {
     // Legacy route: /user/:userId/sync -> forwards to sync/request logic
     // This maintains backward compatibility with frontend calls
     router.post('/user/:userId/sync', async (req, res) => {
-        // Import sync handler (need to require it here to get the exported function)
-        const { handleSyncRequest } = require('./sync.js');
         // Set targetId from URL param for the handler
         req.body = req.body || {};
         req.body.targetId = req.params.userId;

package/functions/api-v2/routes/popular_investors.js

@@ -14,13 +14,15 @@ const router = express.Router();
 
 
 // GET /popular-investors/master-list
-router.get('/master-list', async (req, res) => {
+router.get('/master-list', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const data = await fetchPopularInvestorMasterList(db);
+        // Cache in browser/CDN for 1 hour (public data that doesn't change frequently)
+        res.set('Cache-Control', 'public, max-age=3600');
         res.json({ success: true, count: Object.keys(data).length, data });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -33,7 +35,7 @@ router.get('/rankings', async (req, res) => {
         const rankings = await getComputationResults(db, 'PopularInvestorRankings', date);
         res.json({ success: true, data: rankings });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -73,24 +75,28 @@ router.post('/:piId/track-view', async (req, res) => {
 });
 
 // GET /popular-investors/trending
-router.get('/trending', async (req, res) => {
+router.get('/trending', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const data = await fetchTrendingPopularInvestors(db);
+        // Cache in browser/CDN for 1 hour (public data that doesn't change frequently)
+        res.set('Cache-Control', 'public, max-age=3600');
         res.json({ success: true, count: data.length, data });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
 // GET /popular-investors/categories
-router.get('/categories', async (req, res) => {
+router.get('/categories', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const data = await fetchPopularInvestorCategories(db);
+        // Cache in browser/CDN for 1 hour (public data that doesn't change frequently)
+        res.set('Cache-Control', 'public, max-age=3600');
         res.json({ success: true, data });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -104,7 +110,7 @@ router.get('/search', async (req, res) => {
         const results = await searchPopularInvestors(db, query);
         res.json({ success: true, count: results.length, data: results });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -160,7 +166,7 @@ router.get('/:piId/profile', async (req, res) => {
             profileType: 'public' // Indicates this is a public PI profile
         });
     } catch (error) {
-        res.status(404).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -201,7 +207,7 @@ router.get('/:piId/analytics', async (req, res) => {
             data: analyticsDoc.data()
         });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 

package/functions/api-v2/routes/reviews.js

@@ -1,21 +1,37 @@
 const express = require('express');
-const { manageReviews } = require('../helpers/data-fetchers/firestore.js');
+const { z } = require('zod');
+const { manageReviews, fetchAllReviewsForPI, checkReviewEligibility } = require('../helpers/data-fetchers/firestore.js');
 
 const router = express.Router();
 
+// Input validation schemas
+const reviewSubmitSchema = z.object({
+    piId: z.string().min(1, 'PI ID is required'),
+    rating: z.number().int().min(1).max(5, 'Rating must be between 1 and 5'),
+    comment: z.string().max(1000, 'Comment must be 1000 characters or less').optional(),
+    username: z.string().optional(),
+    isAnonymous: z.boolean().optional()
+});
+
 // POST /reviews/submit
-router.post('/submit', async (req, res) => {
+router.post('/submit', async (req, res, next) => {
     try {
-        const { db } = req.dependencies;
-        const { piId, rating, comment, username, isAnonymous } = req.body;
+        // Validate inputs immediately
+        const validatedData = reviewSubmitSchema.parse(req.body);
         
-        const result = await manageReviews(db, req.targetUserId, 'submit', { 
-            piId, rating, comment, username, isAnonymous 
-        });
+        const { db } = req.dependencies;
+        const result = await manageReviews(db, req.targetUserId, 'submit', validatedData);
         
         res.json(result);
     } catch (error) {
-        res.status(403).json({ error: error.message });
+        if (error instanceof z.ZodError) {
+            return res.status(400).json({ 
+                success: false,
+                error: 'Invalid input', 
+                details: error.errors 
+            });
+        }
+        next(error); // Pass to error handler middleware
     }
 });
 
@@ -40,32 +56,44 @@ router.get('/me', async (req, res) => {
             const data = snap.docs.map(d => d.data());
             res.json({ success: true, data });
         }
-    } catch (e) { res.status(500).json({ error: e.message }); }
+    } catch (e) { 
+        next(e); // Pass to error handler middleware
+    }
 });
 
 // GET /reviews/:piId
-router.get('/:piId', async (req, res) => {
+router.get('/:piId', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const { piId } = req.params;
-        const { fetchAllReviewsForPI } = require('../helpers/data-fetchers/firestore.js');
+        
+        // Validate piId
+        if (!piId || piId.trim().length === 0) {
+            return res.status(400).json({ error: 'PI ID is required' });
+        }
+        
         const result = await fetchAllReviewsForPI(db, piId);
         res.json({ success: true, ...result });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
 // GET /reviews/:piId/eligibility
-router.get('/:piId/eligibility', async (req, res) => {
+router.get('/:piId/eligibility', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const { piId } = req.params;
-        const { checkReviewEligibility } = require('../helpers/data-fetchers/firestore.js');
+        
+        // Validate piId
+        if (!piId || piId.trim().length === 0) {
+            return res.status(400).json({ error: 'PI ID is required' });
+        }
+        
         const result = await checkReviewEligibility(db, req.targetUserId, piId);
         res.json(result);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 

package/functions/api-v2/routes/sync.js

@@ -164,13 +164,13 @@ const handleSyncRequest = async (req, res) => {
 router.post('/request', handleSyncRequest);
 
 // GET /sync/status/:targetId
-router.get('/status/:targetId', async (req, res) => {
+router.get('/status/:targetId', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const status = await getSyncStatus(db, req.params.targetId);
         res.json({ success: true, data: status });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 

package/functions/api-v2/routes/verification.js

@@ -1,14 +1,29 @@
 const express = require('express');
+const { z } = require('zod');
 const { initiateVerification, finalizeVerification, fetchUserVerificationData, lookupCidByEmail, createEmailLookup } = require('../helpers/data-fetchers/firestore.js');
 const { requireFirebaseAuth } = require('../middleware/firebase_auth_middleware.js');
 
 const router = express.Router();
 
+// Input validation schemas
+const verificationInitSchema = z.object({
+    username: z.string().min(1, 'Username is required').max(100, 'Username too long')
+});
+
+const verificationFinalizeSchema = z.object({
+    username: z.string().min(1, 'Username is required').max(100, 'Username too long')
+});
+
+const updateLookupSchema = z.object({
+    cid: z.string().min(1, 'CID is required'),
+    emails: z.array(z.string().email('Invalid email format')).min(1, 'At least one email is required')
+});
+
 // GET /verification/lookup
 // Server-side email-to-CID lookup (prevents exposing other users' emails to client)
 // Requires Firebase Auth token in Authorization header: "Bearer <token>"
 // Email is extracted from the verified token (secure - cannot be spoofed)
-router.get('/lookup', requireFirebaseAuth, async (req, res) => {
+router.get('/lookup', requireFirebaseAuth, async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         
@@ -34,7 +49,7 @@ router.get('/lookup', requireFirebaseAuth, async (req, res) => {
         }
     } catch (error) {
         console.error('[Verification Lookup] Error:', error);
-        res.status(500).json({ success: false, error: error.message });
+        next(error);
     }
 });
 
@@ -45,37 +60,53 @@ router.get('/status', async (req, res) => {
         const data = await fetchUserVerificationData(db, req.targetUserId);
         res.json({ success: true, data });
     } catch (error) {
+        // Status endpoint returns 200 even on error (user might not be verified)
         res.status(200).json({ success: false, message: "Not Verified", error: error.message });
     }
 });
 
 // POST /verification/init
 // Generates OTP for a specific username
-router.post('/init', async (req, res) => {
+router.post('/init', async (req, res, next) => {
     try {
+        // Validate inputs immediately
+        const validatedData = verificationInitSchema.parse(req.body);
+        
         const { db } = req.dependencies;
-        const { username } = req.body; // Logic requires username to key the request
-        const result = await initiateVerification(db, username);
+        const result = await initiateVerification(db, validatedData.username);
         res.json(result);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        if (error instanceof z.ZodError) {
+            return res.status(400).json({ 
+                success: false,
+                error: 'Invalid input', 
+                details: error.errors 
+            });
+        }
+        next(error);
     }
 });
 
 // POST /verification/finalize
 // Checks Bio -> Verifies User -> Triggers Sync
-router.post('/finalize', async (req, res) => {
+router.post('/finalize', async (req, res, next) => {
     try {
+        // Validate inputs immediately
+        const validatedData = verificationFinalizeSchema.parse(req.body);
+        
         const { db, pubsub } = req.dependencies;
-        const { username } = req.body; 
-
-        if (!username) return res.status(400).json({ error: "Username required" });
-
         // Pass req.targetUserId if available, but the logic primarily uses username/realCID
-        const result = await finalizeVerification(db, pubsub, req.targetUserId, username);
+        const result = await finalizeVerification(db, pubsub, req.targetUserId, validatedData.username);
         res.json(result);
     } catch (error) {
-        res.status(400).json({ success: false, error: error.message });
+        if (error instanceof z.ZodError) {
+            return res.status(400).json({ 
+                success: false,
+                error: 'Invalid input', 
+                details: error.errors 
+            });
+        }
+        next(error);
     }
 });
 
@@ -83,23 +114,18 @@ router.post('/finalize', async (req, res) => {
 // Updates email-to-CID lookup documents when emails are added to verification
 // Called by frontend after updating verification document with new emails
 // This ensures O(1) lookups work immediately without waiting for migration
-router.post('/update-lookup', requireFirebaseAuth, async (req, res) => {
+router.post('/update-lookup', requireFirebaseAuth, async (req, res, next) => {
     try {
-        const { db } = req.dependencies;
-        const { cid, emails } = req.body;
+        // Validate inputs immediately
+        const validatedData = updateLookupSchema.parse(req.body);
         
-        if (!cid || !Array.isArray(emails) || emails.length === 0) {
-            return res.status(400).json({ 
-                success: false, 
-                error: 'CID and emails array are required' 
-            });
-        }
+        const { db } = req.dependencies;
         
         // Verify the authenticated user owns this CID
         const userEmail = req.firebaseUser?.email;
         if (userEmail) {
             const userData = await lookupCidByEmail(db, userEmail);
-            if (!userData || String(userData.cid) !== String(cid)) {
+            if (!userData || String(userData.cid) !== String(validatedData.cid)) {
                 return res.status(403).json({ 
                     success: false, 
                     error: 'Unauthorized: You can only update lookup for your own CID' 
@@ -109,10 +135,10 @@ router.post('/update-lookup', requireFirebaseAuth, async (req, res) => {
         
         // Create lookup documents for all emails
         const results = [];
-        for (const email of emails) {
+        for (const email of validatedData.emails) {
             if (email) {
                 try {
-                    await createEmailLookup(db, email, cid);
+                    await createEmailLookup(db, email, validatedData.cid);
                     results.push({ email, success: true });
                 } catch (error) {
                     console.error(`[update-lookup] Failed to create lookup for ${email}:`, error);
@@ -127,8 +153,15 @@ router.post('/update-lookup', requireFirebaseAuth, async (req, res) => {
             results 
         });
     } catch (error) {
+        if (error instanceof z.ZodError) {
+            return res.status(400).json({ 
+                success: false,
+                error: 'Invalid input', 
+                details: error.errors 
+            });
+        }
         console.error('[Verification Update Lookup] Error:', error);
-        res.status(500).json({ success: false, error: error.message });
+        next(error);
     }
 });
 

package/functions/api-v2/routes/watchlists.js

@@ -21,17 +21,17 @@ router.get('/all', async (req, res) => {
         const watchlists = await latestUserCentricSnapshot(db, req.targetUserId, 'watchlists', 'watchlist', 'SignedInUsers', null);
         res.json({ success: true, count: watchlists.length, data: watchlists });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
 // POST /watchlists/auto-generate (Rec 11)
-router.post('/auto-generate', async (req, res) => {
+router.post('/auto-generate', async (req, res, next) => {
     try {
         const result = await autoGenerateWatchlist(req.dependencies.db, req.targetUserId);
         res.json(result);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -40,11 +40,11 @@ router.get('/public', async (req, res) => {
     try {
         const data = await fetchPublicWatchlists(req.dependencies.db, req.query.limit, req.query.offset);
         res.json({ success: true, data });
-    } catch (e) { res.status(500).json({ error: e.message }); }
+    } catch (e) { next(e); }
 });
 
 // GET /watchlists/:id (Rec 12)
-router.get('/:id', async (req, res) => {
+router.get('/:id', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const { id } = req.params;
@@ -52,7 +52,7 @@ router.get('/:id', async (req, res) => {
         if (!doc) return res.status(404).json({ error: "Watchlist not found" });
         res.json({ success: true, data: doc });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
@@ -77,42 +77,42 @@ router.get('/:id/rankings-check', async (req, res) => {
         }
         res.json({ success: true, data: results });
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
 // POST /watchlists/manage (Unified)
-router.post('/manage', async (req, res) => {
+router.post('/manage', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const { instruction, payload } = req.body; 
         const result = await manageUserWatchlist(db, req.targetUserId, instruction, payload);
         res.json(result);
     } catch (error) {
-        res.status(500).json({ error: error.message });
+        next(error);
     }
 });
 
 // Public & Copy Routes (Existing)
-router.post('/:id/publish', async (req, res) => {
+router.post('/:id/publish', async (req, res, next) => {
     try {
         const result = await publishWatchlistVersion(req.dependencies.db, req.targetUserId, req.params.id);
         res.json(result);
-    } catch (e) { res.status(500).json({ error: e.message }); }
+    } catch (e) { next(e); }
 });
 
 router.post('/:id/copy', async (req, res) => {
     try {
         const result = await copyWatchlist(req.dependencies.db, req.targetUserId, req.params.id, req.body.version);
         res.json(result);
-    } catch (e) { res.status(500).json({ error: e.message }); }
+    } catch (e) { next(e); }
 });
 
-router.get('/:id/versions', async (req, res) => {
+router.get('/:id/versions', async (req, res, next) => {
     try {
         const data = await fetchWatchlistVersions(req.dependencies.db, req.params.id);
         res.json({ success: true, data });
-    } catch (e) { res.status(500).json({ error: e.message }); }
+    } catch (e) { next(e); }
 });
 
 // GET /watchlists/:id/trigger-counts - Get alert trigger counts for watchlist PIs
@@ -124,14 +124,14 @@ router.get('/:id/trigger-counts', async (req, res) => {
         res.json({ success: true, ...result });
     } catch (error) {
         if (error.message === "Watchlist not found") {
-            return res.status(404).json({ error: error.message });
+            error.status = 404;
         }
         res.status(500).json({ error: error.message });
     }
 });
 
 // POST /watchlists/:id/subscribe-all - Subscribe to all PIs in a watchlist
-router.post('/:id/subscribe-all', async (req, res) => {
+router.post('/:id/subscribe-all', async (req, res, next) => {
     try {
         const { db } = req.dependencies;
         const { id } = req.params;
@@ -140,7 +140,7 @@ router.post('/:id/subscribe-all', async (req, res) => {
         res.json(result);
     } catch (error) {
         if (error.message === "Watchlist not found") {
-            return res.status(404).json({ error: error.message });
+            error.status = 404;
         }
         res.status(500).json({ error: error.message });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bulltrackers-module",
-  "version": "1.0.620",
+  "version": "1.0.621",
   "description": "Helper Functions for Bulltrackers.",
   "main": "index.js",
   "files": [
@@ -33,18 +33,20 @@
   ],
   "dependencies": {
     "@google-cloud/firestore": "^7.11.3",
+    "@google-cloud/monitoring": "latest",
     "@google-cloud/pubsub": "latest",
     "aiden-shared-calculations-unified": "^1.0.110",
     "cors": "^2.8.5",
     "dotenv": "latest",
     "express": "^4.19.2",
+    "express-rate-limit": "^8.2.1",
     "google-auth-library": "^10.5.0",
     "graphviz": "latest",
     "node-graphviz": "^0.1.1",
     "p-limit": "^3.1.0",
     "require-all": "^3.0.0",
     "sharedsetup": "latest",
-    "@google-cloud/monitoring": "latest"
+    "zod": "^4.3.5"
   },
   "devDependencies": {
     "bulltracker-deployer": "file:../bulltracker-deployer"