Commit Graph

16 Commits

Author SHA1 Message Date
julien 6641da9a3d feat(validation): replace fieldValidation with express-validator on products and tags
Add products.validators.js and tags.validators.js following the same
pattern as articles/users. Wire createProductRules, updateProductRules,
and createTagRules into their respective routes via the validate middleware.
Remove the local fieldValidation helper from both controllers and fix
missing return statements on next() calls in products.controller.js.
2026-04-27 00:04:50 +02:00
julien 61cdec00e7 feat(validation): introduce express-validator on CMS user and article endpoints
Replaces the broken fieldValidation helper (called next() without return,
so execution continued on invalid input) with express-validator chains
applied at the route level. Validation covers: email format, username
constraints, password min length, field lengths, URL and phone formats.
products and tags controllers retain their local fieldValidation pending
a separate ecommerce validation pass.
2026-04-26 22:06:28 +02:00
julien c2e65adbc6 fix(security): require auth on clan creation, remove debug console.log
POST /herowars/clans was accessible without authentication.
console.log(req.profile) in profiles controller leaked user data to logs.
2026-04-26 21:57:31 +02:00
julien f293d35455 fix(herowars): replace Object.assign with explicit field whitelists
Mass assignment via Object.assign(entity, req.body) allowed callers
to overwrite protected fields (id, author). Updates are now restricted
to explicitly listed data fields on both Clan and Member.
2026-04-26 20:42:29 +02:00
julien a27b8018b1 fix(users): restrict role updates to Admin users only
Any authenticated user could previously call PUT /update/role and
escalate their own role to Admin. The endpoint now returns 403 if
the requesting user is not already an Admin.
2026-04-26 20:32:37 +02:00
julien ece5506904 fix(comments): use authenticated user id as authorId instead of req.body
Accepting authorId from the request body allowed any authenticated user
to create comments impersonating another user. The author is now always
the authenticated user from req.payload.
2026-04-26 20:31:37 +02:00
julien 4c765945b3 refactor(naming): harmonize controller and route file names
- Delete product.controller.js, merge unique functions into products.controller.js
- Rename user.controller.js → users.controller.js, user.routes.js → users.routes.js
- Remove dead herowars/herowars.routes.js reference from herowars index
- Update all import paths accordingly
2026-04-26 00:39:29 +02:00
julien 5bcecd01f9 refactor(skydive): replace MongoDB User with MySQL UserService
All skydive routes now fetch users via UserService (MySQL) instead of
mongoose.model('User'). Key changes:
- user._id.toString() → user.id (same UUID, different source)
- User.findOne({ username }) → UserService.getUserByUsername()
- /feed route migrated to async/await using UserService.getUserFollowed()
  to resolve the following list from the MySQL Follower table
- jump/file/application author set as user.id (UUID string) instead of
  the full Mongoose document
- jump.toJSONFor(null) — following field in responses is now always false
  until Jump model is migrated away from MongoDB User dependency
- user.controller: licence/poids/bg_image routed to SkydiverProfileService
  fixing the silent Sequelize save bug for those fields
2026-04-26 00:05:57 +02:00
julien d8195dbf31 Controller and Model updates 2026-03-21 02:30:46 +01:00
julien b710b34569 fix(user): persist updateUser correctly; add setup:api script and README update; seeders tweaks 2025-12-05 01:33:38 +01:00
julien 9355431730 Mise à jour et ajout de controllers, routes, services et utilities 2025-11-30 17:54:01 +01:00
julien 60feffd929 Refactoring et ajout de routes Hero Wars 2025-11-27 10:50:17 +01:00
Rampeur b1513dccdd Mise à jour de controleurs, models et routes 2025-08-19 05:13:24 +02:00
Rampeur f211bc4b5b Refactoring 2025-08-15 20:32:33 +02:00
Rampeur 8a011af73a Utilisation simultanée de mongodb et mysql 2025-08-14 18:22:05 +02:00
Rampeur 49b1a3f6b3 Ajout de la base de données MySQL 2025-08-13 21:51:07 +02:00