dubs-server 1.0.0

package/ecosystem.config.js

@@ -0,0 +1,65 @@
+// PM2 Ecosystem Configuration
+// This ensures both API server and keeper bot run reliably
+
+module.exports = {
+  apps: [
+    {
+      name: 'dubs-api',
+      script: './server.js',
+      instances: 1,
+      autorestart: true,
+      watch: false,
+      max_memory_restart: '500M',
+      env: {
+        NODE_ENV: 'development',
+        SOLANA_NETWORK: 'https://api.devnet.solana.com',
+        PORT: 3001,
+      },
+      env_production: {
+        NODE_ENV: 'production',
+        SOLANA_NETWORK: 'https://api.mainnet-beta.solana.com',
+        PORT: 3001,
+      },
+      error_file: './logs/api-error.log',
+      out_file: './logs/api-out.log',
+      log_date_format: 'YYYY-MM-DD HH:mm:ss Z',
+    },
+    {
+      name: 'jackpot-keeper',
+      script: './scripts/jackpot/keeper.js',
+      instances: 1,
+      autorestart: true,
+      watch: false,
+      max_memory_restart: '300M',
+      env: {
+        NODE_ENV: 'development',
+      },
+      restart_delay: 5000, // Wait 5 seconds between restarts
+      max_restarts: 10, // Max 10 restarts in...
+      min_uptime: '10s', // ...10 seconds (prevents crash loop)
+      error_file: './logs/keeper-error.log',
+      out_file: './logs/keeper-out.log',
+      log_date_format: 'YYYY-MM-DD HH:mm:ss Z',
+    },
+    {
+      name: 'sports-oracle',
+      script: './cron/oracleMonitor.js',
+      instances: 1,
+      autorestart: true,
+      watch: false,
+      max_memory_restart: '300M',
+      env: {
+        NODE_ENV: 'development',
+        ORACLE_CHECK_INTERVAL: '60000', // Check every 60 seconds
+        NOTIFY_BEFORE_MINUTES: '10', // Notify 10 minutes before game starts
+      },
+      restart_delay: 5000,
+      max_restarts: 10,
+      min_uptime: '10s',
+      error_file: './logs/oracle-error.log',
+      out_file: './logs/oracle-out.log',
+      log_date_format: 'YYYY-MM-DD HH:mm:ss Z',
+    },
+  ],
+};
+

package/env.template

@@ -0,0 +1,125 @@
+# Dubs Server Environment Variables
+# Copy this to .env and update values
+
+# Solana Configuration
+SOLANA_NETWORK=http://127.0.0.1:8899
+# For devnet: https://api.devnet.solana.com
+# For mainnet: https://api.mainnet-beta.solana.com
+
+PROGRAM_ID=8DJTkgk6MDr6tPtw4v2VzYAz9WWvmCg6786vZrEK3o5q
+
+# Oracle Configuration (for Automatic Sports Mode)
+ORACLE_WALLET_PATH=./wallets/oracle.json
+ORACLE_CHECK_INTERVAL=60000
+# Check interval in milliseconds (60000 = 1 minute, 300000 = 5 minutes)
+
+NOTIFY_BEFORE_MINUTES=10
+# Send "game starting soon" notification X minutes before lock time (default: 10)
+
+# Telegram Bot Configuration (for notifications)
+TELEGRAM_BOT_TOKEN=your_telegram_bot_token_here
+# Get this from @BotFather on Telegram
+
+TELEGRAM_BOT_URL=https://your-bot-url.herokuapp.com
+# URL to your deployed Telegram bot (for sending private chat notifications)
+# Example: https://dubs-telegram-bot-xxxxx.herokuapp.com
+
+# API URLs
+LIVE_SCORES_API_URL=http://localhost:3000
+# Your dubs-api endpoint with /api/livescores/:league
+
+DUBS_GAMES_API_URL=http://localhost:3001  
+# Your dubs-games-api endpoint (Firebase database)
+
+DUBS_SERVER_URL=http://localhost:3001
+# Your dubs-server endpoint (PostgreSQL database)
+# For production (Heroku): https://dubs-server-production.herokuapp.com
+# For local dev: http://localhost:3001 (should match PORT above)
+
+# Server Configuration
+PORT=3001
+NODE_ENV=development
+
+# Database Configuration (PostgreSQL)
+DATABASE_URL=postgresql://username:password@localhost:5432/dubs_db
+# For production (Heroku adds this automatically)
+# For local dev: postgresql://postgres:password@localhost:5432/dubs_db
+
+# Redis Configuration (for high-performance caching)
+REDIS_URL=redis://localhost:6379
+# For Heroku: Add Heroku Redis addon (automatically sets REDIS_URL)
+# For local dev: redis://localhost:6379
+# Optional: If not set, server runs in PostgreSQL-only mode (slightly slower)
+
+# Authentication & Security
+JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
+# CRITICAL: Generate a secure random string for production!
+# Generate with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
+
+JWT_EXPIRES_IN=7d
+# Token expiration time (e.g., 7d, 24h, 30m)
+
+# AWS S3 Configuration (for avatar uploads)
+AWS_REGION=us-east-1
+AWS_ACCESS_KEY_ID=your_aws_access_key
+AWS_SECRET_ACCESS_KEY=your_aws_secret_key
+AWS_S3_BUCKET_NAME=dubs-avatars
+
+# Exchange Rate API Configuration
+EXCHANGE_API_KEY=757419e9be20039acaf308a9
+# API key for exchangerate-api.com (v6)
+# Sign up at: https://www.exchangerate-api.com
+
+EXCHANGE_API_BASE_URL=https://v6.exchangerate-api.com/v6
+# Base URL for exchange rate API
+
+EXCHANGE_CACHE_TTL=300
+# Cache time-to-live in seconds (300 = 5 minutes)
+
+BASE_CURRENCY=USD
+# Default base currency for exchange rates
+
+SUPPORTED_CURRENCIES=USD,EUR,CAD,GBP,JPY,AUD,CHF,CNY,SEK,NZD
+# Comma-separated list of supported currencies
+
+# PandaScore API Configuration (Esports)
+PANDASCORE_API_KEY=your_pandascore_api_key_here
+# Get a free API key at: https://pandascore.co
+
+# Crypto Price API Configuration (CoinGecko)
+CRYPTO_PRICE_CACHE_TTL=300
+# Cache time-to-live in seconds (300 = 5 minutes, matches exchange rates)
+
+# ============================================
+# 🎰 JACKPOT CONFIGURATION
+# ============================================
+
+# Jackpot Program ID (Solana on-chain program)
+JACKPOT_PROGRAM_ID=BHidyz25KWkNPdTHgeANzMg25MM2KEiNnG4yE5F46XUz
+# Devnet: BHidyz25KWkNPdTHgeANzMg25MM2KEiNnG4yE5F46XUz
+# Mainnet: <DEPLOY AND UPDATE>
+
+# Jackpot Oracle Wallet (public key)
+JACKPOT_ORACLE_WALLET=FWUJCthDfPcgmTvdQWM5uofxxiYjqJFMMwiLYvS7LBFa
+# This wallet submits randomness for provably fair rounds
+
+# Keeper Private Key (JSON array format)
+# CRITICAL: Get from oracle.json wallet file
+# Format: [1,2,3,...,64] (64 byte array as JSON)
+KEEPER_PRIVATE_KEY=
+# To export: cat wallets/oracle.json
+
+# Keeper API Base URL
+API_BASE_URL=http://localhost:3001
+# For Heroku devnet: https://dubs-server-dev-xxxxx.herokuapp.com
+# For Heroku mainnet: https://dubs-server-prod-xxxxx.herokuapp.com
+
+# ============================================
+# 🎨 MATCHUP IMAGE GENERATION
+# ============================================
+
+# Base URL for fetching team logos (for matchup image generation)
+MATCHUP_LOGO_BASE_URL=http://localhost:3000
+# For local dev: http://localhost:3000 (your SPA's public folder)
+# For production: https://dubs.app (or wherever your SPA is hosted)
+

package/middleware/apiKeyAuth.js

@@ -0,0 +1,136 @@
+/**
+ * 🔑 API Key Authentication Middleware
+ *
+ * Validates developer API keys from the X-API-Key header.
+ * Hashes the key and looks up in developer_api_keys table.
+ * Attaches developer app info to req.developerApp on success.
+ */
+
+const crypto = require('crypto');
+const { pool } = require('../services/db');
+
+/**
+ * Hash an API key for lookup (same SHA-256 used at key creation)
+ */
+function hashApiKey(key) {
+  return crypto.createHash('sha256').update(key).digest('hex');
+}
+
+/**
+ * Middleware: Require valid API key in X-API-Key header
+ * Attaches req.developerApp with { appId, developerId, commissionWallet, environment, appName }
+ */
+async function apiKeyAuth(req, res, next) {
+  const apiKey = req.headers['x-api-key'];
+
+  if (!apiKey) {
+    return res.status(401).json({
+      success: false,
+      error: 'Missing API key — set X-API-Key header',
+      code: 'NO_API_KEY'
+    });
+  }
+
+  // Validate prefix format
+  if (!apiKey.startsWith('dubs_test_') && !apiKey.startsWith('dubs_live_')) {
+    return res.status(401).json({
+      success: false,
+      error: 'Invalid API key format',
+      code: 'INVALID_KEY_FORMAT'
+    });
+  }
+
+  try {
+    const keyHash = hashApiKey(apiKey);
+
+    const result = await pool.query(`
+      SELECT
+        k.id as key_id,
+        k.app_id,
+        k.environment,
+        k.is_active,
+        a.developer_id,
+        a.app_name,
+        a.status as app_status,
+        a.network_mode,
+        d.commission_wallet,
+        d.wallet_address as developer_wallet
+      FROM developer_api_keys k
+      JOIN developer_apps a ON k.app_id = a.id
+      JOIN developer_accounts d ON a.developer_id = d.id
+      WHERE k.key_hash = $1
+    `, [keyHash]);
+
+    if (result.rows.length === 0) {
+      return res.status(401).json({
+        success: false,
+        error: 'Invalid API key',
+        code: 'INVALID_API_KEY'
+      });
+    }
+
+    const row = result.rows[0];
+
+    if (!row.is_active) {
+      return res.status(401).json({
+        success: false,
+        error: 'API key has been revoked',
+        code: 'KEY_REVOKED'
+      });
+    }
+
+    if (row.app_status !== 'active') {
+      return res.status(403).json({
+        success: false,
+        error: `App is ${row.app_status}`,
+        code: 'APP_INACTIVE'
+      });
+    }
+
+    // Attach developer context to request
+    req.developerApp = {
+      keyId: row.key_id,
+      appId: row.app_id,
+      developerId: row.developer_id,
+      commissionWallet: row.commission_wallet,
+      developerWallet: row.developer_wallet,
+      environment: row.environment,
+      appName: row.app_name,
+      networkMode: row.network_mode,
+    };
+
+    // Update last_used_at (fire-and-forget, don't block the request)
+    pool.query(
+      'UPDATE developer_api_keys SET last_used_at = NOW() WHERE id = $1',
+      [row.key_id]
+    ).catch(() => {});
+
+    next();
+  } catch (error) {
+    console.error('[ApiKeyAuth] Error:', error.message);
+    return res.status(500).json({
+      success: false,
+      error: 'Authentication error',
+      code: 'AUTH_ERROR'
+    });
+  }
+}
+
+/**
+ * Log an API call for analytics (fire-and-forget)
+ */
+function logApiCall(req, statusCode, responseTimeMs) {
+  if (!req.developerApp) return;
+
+  pool.query(
+    `INSERT INTO developer_api_logs (app_id, endpoint, method, status_code, response_time_ms)
+     VALUES ($1, $2, $3, $4, $5)`,
+    [req.developerApp.appId, req.originalUrl, req.method, statusCode, responseTimeMs]
+  ).catch(() => {});
+}
+
+module.exports = {
+  apiKeyAuth,
+  hashApiKey,
+  logApiCall,
+};

package/middleware/authenticate.js

@@ -0,0 +1,214 @@
+/**
+ * 🔐 JWT Authentication Middleware
+ * 
+ * Validates JWT tokens from cookies and attaches user info to requests
+ */
+
+const jwt = require('jsonwebtoken');
+const { pool } = require('../services/db'); // Shared database pool
+
+require('dotenv').config();
+
+// JWT Secret - MUST be set in environment variables
+const JWT_SECRET = process.env.JWT_SECRET || (() => {
+  console.warn('⚠️  WARNING: JWT_SECRET not set! Using default (INSECURE for production)');
+  return 'dev-secret-change-in-production';
+})();
+
+const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
+
+/**
+ * Generate JWT token for a user
+ */
+function generateToken(walletAddress, userId) {
+  return jwt.sign(
+    { 
+      walletAddress,
+      userId,
+      iat: Math.floor(Date.now() / 1000)
+    },
+    JWT_SECRET,
+    { expiresIn: JWT_EXPIRES_IN }
+  );
+}
+
+/**
+ * Middleware: Authenticate user via JWT token (Authorization header)
+ * Attaches user info to req.user if valid
+ */
+async function authenticate(req, res, next) {
+  try {
+    // Get token from Authorization header
+    const authHeader = req.headers.authorization;
+    
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({ 
+        success: false,
+        error: 'Authentication required - Missing or invalid Authorization header',
+        code: 'NO_TOKEN'
+      });
+    }
+    
+    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+
+    // Verify token
+    let decoded;
+    try {
+      decoded = jwt.verify(token, JWT_SECRET);
+    } catch (err) {
+      if (err.name === 'TokenExpiredError') {
+        return res.status(401).json({ 
+          success: false,
+          error: 'Session expired',
+          code: 'TOKEN_EXPIRED'
+        });
+      }
+      return res.status(401).json({ 
+        success: false,
+        error: 'Invalid token',
+        code: 'INVALID_TOKEN'
+      });
+    }
+
+    // Check if session exists in database (optional but recommended)
+    const sessionCheck = await pool.query(
+      'SELECT * FROM user_sessions WHERE wallet_address = $1 AND token_hash = $2 AND expires_at > NOW()',
+      [decoded.walletAddress, hashToken(token)]
+    );
+
+    if (sessionCheck.rows.length === 0) {
+      return res.status(401).json({ 
+        success: false,
+        error: 'Session not found or expired',
+        code: 'SESSION_INVALID'
+      });
+    }
+
+    // Optional: Verify wallet address from header matches token
+    const walletHeader = req.headers['x-wallet-address'];
+    if (walletHeader && walletHeader !== decoded.walletAddress) {
+      return res.status(403).json({ 
+        success: false,
+        error: 'Wallet address mismatch',
+        code: 'WALLET_MISMATCH'
+      });
+    }
+
+    // Attach user info to request
+    req.user = {
+      walletAddress: decoded.walletAddress,
+      userId: decoded.userId,
+    };
+
+    // Update last activity
+    await pool.query(
+      'UPDATE user_sessions SET last_activity = NOW() WHERE wallet_address = $1 AND token_hash = $2',
+      [decoded.walletAddress, hashToken(token)]
+    );
+
+    next();
+  } catch (error) {
+    console.error('[Auth] Middleware error:', error);
+    return res.status(500).json({ 
+      success: false,
+      error: 'Authentication error',
+      code: 'AUTH_ERROR'
+    });
+  }
+}
+
+/**
+ * Optional middleware: Only check if authenticated but don't require it
+ * Useful for endpoints that behave differently for logged-in users
+ */
+async function optionalAuth(req, res, next) {
+  try {
+    const authHeader = req.headers.authorization;
+    
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      req.user = null;
+      return next();
+    }
+
+    const token = authHeader.substring(7);
+    const decoded = jwt.verify(token, JWT_SECRET);
+    req.user = {
+      walletAddress: decoded.walletAddress,
+      userId: decoded.userId,
+    };
+    
+    next();
+  } catch (error) {
+    // If token is invalid, just continue without user
+    req.user = null;
+    next();
+  }
+}
+
+/**
+ * Hash token for storage (don't store raw tokens in database)
+ */
+function hashToken(token) {
+  const crypto = require('crypto');
+  return crypto.createHash('sha256').update(token).digest('hex');
+}
+
+/**
+ * Store session in database
+ */
+async function createSession(walletAddress, userId, token, expiresAt) {
+  const tokenHash = hashToken(token);
+  
+  await pool.query(
+    `INSERT INTO user_sessions (wallet_address, user_id, token_hash, expires_at, created_at, last_activity)
+     VALUES ($1, $2, $3, $4, NOW(), NOW())`,
+    [walletAddress, userId, tokenHash, expiresAt]
+  );
+}
+
+/**
+ * Delete session from database
+ */
+async function deleteSession(walletAddress, token) {
+  const tokenHash = hashToken(token);
+  
+  await pool.query(
+    'DELETE FROM user_sessions WHERE wallet_address = $1 AND token_hash = $2',
+    [walletAddress, tokenHash]
+  );
+}
+
+/**
+ * Delete all sessions for a wallet (logout from all devices)
+ */
+async function deleteAllSessions(walletAddress) {
+  await pool.query(
+    'DELETE FROM user_sessions WHERE wallet_address = $1',
+    [walletAddress]
+  );
+}
+
+/**
+ * Clean up expired sessions (call this periodically)
+ */
+async function cleanupExpiredSessions() {
+  const result = await pool.query(
+    'DELETE FROM user_sessions WHERE expires_at < NOW()'
+  );
+  return result.rowCount;
+}
+
+module.exports = {
+  authenticate,
+  optionalAuth,
+  generateToken,
+  createSession,
+  deleteSession,
+  deleteAllSessions,
+  cleanupExpiredSessions,
+  hashToken,
+  JWT_SECRET,
+  JWT_EXPIRES_IN
+};
+
+

package/middleware/developerUserAuth.js

@@ -0,0 +1,76 @@
+/**
+ * Developer User Authentication Middleware
+ *
+ * Validates Authorization: Bearer <JWT> after apiKeyAuth has already run.
+ * Reuses the same JWT_SECRET, hashToken, and user_sessions table as the main auth system.
+ * Attaches req.developerUser = { walletAddress, userId } (NOT req.user to avoid collision).
+ */
+
+const jwt = require('jsonwebtoken');
+const { pool } = require('../services/db');
+const { JWT_SECRET, hashToken } = require('./authenticate');
+
+async function developerUserAuth(req, res, next) {
+  try {
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({
+        success: false,
+        error: { code: 'no_user_token', message: 'Authorization header with Bearer token is required' },
+      });
+    }
+
+    const token = authHeader.substring(7);
+
+    let decoded;
+    try {
+      decoded = jwt.verify(token, JWT_SECRET);
+    } catch (err) {
+      if (err.name === 'TokenExpiredError') {
+        return res.status(401).json({
+          success: false,
+          error: { code: 'token_expired', message: 'User token has expired' },
+        });
+      }
+      return res.status(401).json({
+        success: false,
+        error: { code: 'invalid_token', message: 'Invalid user token' },
+      });
+    }
+
+    // Check session exists in user_sessions (same table as main auth)
+    const sessionCheck = await pool.query(
+      'SELECT 1 FROM user_sessions WHERE wallet_address = $1 AND token_hash = $2 AND expires_at > NOW()',
+      [decoded.walletAddress, hashToken(token)]
+    );
+
+    if (sessionCheck.rows.length === 0) {
+      return res.status(401).json({
+        success: false,
+        error: { code: 'session_invalid', message: 'Session not found or expired' },
+      });
+    }
+
+    req.developerUser = {
+      walletAddress: decoded.walletAddress,
+      userId: decoded.userId,
+    };
+
+    // Update last activity (fire-and-forget)
+    pool.query(
+      'UPDATE user_sessions SET last_activity = NOW() WHERE wallet_address = $1 AND token_hash = $2',
+      [decoded.walletAddress, hashToken(token)]
+    ).catch(() => {});
+
+    next();
+  } catch (error) {
+    console.error('[DevUserAuth] Middleware error:', error);
+    return res.status(500).json({
+      success: false,
+      error: { code: 'auth_error', message: 'Authentication error' },
+    });
+  }
+}
+
+module.exports = { developerUserAuth };

package/middleware/socketAuth.js

@@ -0,0 +1,69 @@
+/**
+ * 🔐 WebSocket JWT Authentication Middleware
+ * 
+ * Authenticates socket.io connections using JWT tokens from auth parameter
+ */
+
+const jwt = require('jsonwebtoken');
+const { pool } = require('../services/db'); // Shared database pool
+
+require('dotenv').config();
+
+const JWT_SECRET = process.env.JWT_SECRET || 'dev-secret-change-in-production';
+
+/**
+ * Socket.io middleware to authenticate connections
+ */
+function socketAuthMiddleware(socket, next) {
+  try {
+    // Get token from auth parameter (sent by client during connection)
+    const token = socket.handshake.auth?.token;
+    
+    if (!token) {
+      console.log('[Socket] Connection rejected: No token in auth parameter');
+      return next(new Error('Authentication required - Missing token'));
+    }
+
+    // Verify JWT
+    let decoded;
+    try {
+      decoded = jwt.verify(token, JWT_SECRET);
+    } catch (err) {
+      console.log('[Socket] Connection rejected: Invalid token');
+      return next(new Error('Invalid token'));
+    }
+
+    // Verify session exists in database
+    const crypto = require('crypto');
+    const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+    
+    pool.query(
+      'SELECT * FROM user_sessions WHERE wallet_address = $1 AND token_hash = $2 AND expires_at > NOW()',
+      [decoded.walletAddress, tokenHash]
+    ).then(result => {
+      if (result.rows.length === 0) {
+        console.log('[Socket] Connection rejected: Session not found');
+        return next(new Error('Session expired'));
+      }
+
+      // Attach user info to socket
+      socket.user = {
+        userId: decoded.userId,
+        walletAddress: decoded.walletAddress,
+      };
+
+      console.log(`[Socket] ✅ Authenticated: ${decoded.walletAddress.slice(0, 8)}...`);
+      next();
+    }).catch(err => {
+      console.error('[Socket] Database error:', err);
+      next(new Error('Authentication error'));
+    });
+  } catch (error) {
+    console.error('[Socket] Auth middleware error:', error);
+    next(new Error('Authentication error'));
+  }
+}
+
+module.exports = { socketAuthMiddleware };
+
+