bulltrackers-module 1.0.853 → 1.0.855

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/functions/api-v3/middleware/identity.js +14 -3
  2. package/functions/api-v3/routes/verification.js +4 -4
  3. package/package.json +1 -1
package/functions/api-v3/middleware/identity.js CHANGED
@@ -54,11 +54,22 @@ function createIdentityMiddleware() {
54
54
  }
55
55
  }
56
56
  } else {
57
- // Header/query set a target. Rule: acting user (UID) must match target, or requester must be a developer.
58
- // Compare as strings so number vs string (e.g. from JSON) never causes a false impersonation block.
57
+ // Header/query set a target. Allow if: target is same as Firebase UID, or target is current user's CID, or requester is a developer.
59
58
  const targetStr = String(targetUserId);
60
59
  const uidStr = uid != null && uid !== '' ? String(uid) : '';
61
- if (uidStr && targetStr !== uidStr) {
60
+ const targetMatchesUid = uidStr && targetStr === uidStr;
61
+ let targetMatchesMyCid = false;
62
+ if (!targetMatchesUid && req.firebaseUser.email) {
63
+ try {
64
+ const lookup = await authService.lookupCidByEmail(req.firebaseUser.email);
65
+ if (lookup?.cid != null) {
66
+ targetMatchesMyCid = targetStr === String(lookup.cid);
67
+ }
68
+ } catch (lookupError) {
69
+ // ignore; will fall through to developer check
70
+ }
71
+ }
72
+ if (!targetMatchesUid && !targetMatchesMyCid) {
62
73
  const isRequesterDev = await userDataService.isDeveloper(uidStr);
63
74
  if (!isRequesterDev) {
64
75
  return res.status(403).json({
package/functions/api-v3/routes/verification.js CHANGED
@@ -29,16 +29,16 @@ function getClientIp(req) {
29
29
  return req.ip || req.connection?.remoteAddress || req.headers?.['x-forwarded-for']?.split(',')[0]?.trim() || '';
30
30
  }
31
31
 
32
- // GET /verification/lookup - Lookup CID by email (query param or from Bearer token)
33
- // Frontend sends Bearer token only; email is taken from decoded token so existing users are recognized.
32
+ // GET /verification/lookup - Lookup CID by email (query param, Bearer token, or X-User-Email header)
33
+ // Frontend sends Bearer token; email is taken from decoded token, or from X-User-Email when provided.
34
34
  router.get('/lookup', async (req, res, next) => {
35
35
  try {
36
- const email = req.query.email || req.firebaseUser?.email;
36
+ const email = req.query.email || req.firebaseUser?.email || (req.get('x-user-email') || '').trim() || null;
37
37
  if (!email || typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email.trim())) {
38
38
  return res.status(400).json({
39
39
  success: false,
40
40
  error: 'Email required',
41
- message: 'Provide email in query or sign in with Bearer token'
41
+ message: 'Provide email in query, or sign in with Bearer token, or set X-User-Email header'
42
42
  });
43
43
  }
44
44
  const { authService } = req.services;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "bulltrackers-module",
3
- "version": "1.0.853",
3
+ "version": "1.0.855",
4
4
  "description": "Helper Functions for Bulltrackers.",
5
5
  "main": "index.js",
6
6
  "files": [