library upgrade #38
filter and location issue resolved
mapathon flow updated
add mapathon issue fix
mapathon date validation fixed
user schema updated
update user profile resolved
asian race added
forgot password link updated
resolve forgot password issues and activate user flow
replace remove function with delete one
resolve activation account issue
new fields added in user model lastLocation lastActivityTime and device
allow repeating names for events
- Add lastLogin, inactivityEmailSent, and inactivityEmailSentAt fields to User model
- Update all authentication endpoints (sign-in, Google, Facebook, Apple) to track lastLogin
- Add archived account check for OAuth logins (returns 403 with userId)
- Create new /auth/reactivate-account endpoint for archived users
- Support password reset and profile update during reactivation
- Auto-login users after successful reactivation with JWT tokens
- Prepare backend for Salesforce integration for inactivity email workflows
Pull request overview
This pull request implements a comprehensive library upgrade and feature expansion for the application. The changes modernize deprecated MongoDB methods, enhance authentication with Apple Sign-In support, introduce new accessibility review fields, and add donation/subscription functionality.
Key Changes:
- Upgraded MongoDB methods from deprecated versions (`.remove()`, `.count()`, `mongoose.Types.ObjectId()`) to current standards (`.deleteOne()`, `.countDocuments()`, `new mongoose.Types.ObjectId()`)
- Added Apple Sign-In authentication alongside existing Google and Facebook authentication
- Expanded venue accessibility review system with new fields (wheelchair parking, washrooms, multiple floors, etc.)
- Implemented in-app purchase/subscription system with Apple and Google webhook support
Reviewed changes
Copilot reviewed 92 out of 117 changed files in this pull request and generated 22 comments.
| File | Description |
|---|---|
| src/scripts/db/*.js | Updated deprecated Mongoose methods to modern equivalents |
| src/routes/auth/*.js | Added Apple Sign-In, reactivation flow, and updated token expiration |
| src/routes/venues/*.js | Added new venue details endpoint and expanded accessibility fields |
| src/routes/reviews/*.js | Updated review system with new accessibility criteria |
| src/routes/donatins/*.js | New donation/subscription system with payment verification |
| src/routes/events/*.js | Added event filtering by status (upcoming, old, joined) |
| src/routes/users/*.js | Enhanced user profile with additional demographic fields |
| src/models/*.js | Added new schemas for surveys and donations |
| return res.status(200).json({ general: "Joined" }); | ||
|
|
||
| if (true || event.isOpen) { | ||
| req.user.events = [...req.user.events, event.id]; | ||
| req.user.updatedAt = moment.utc().toDate(); | ||
|
|
||
|
|
||
|
|
||
| return res.status(200).json({ general: "Joined" }); | ||
| } else { |
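Review bot: the condition `if (true || event.isOpen)` is a logic problem separate from the unreachable-code issue: `true ||` short-circuits the check, so the join branch runs for every event regardless of `event.isOpen`, and removing the early `return res.status(200).json({ general: "Joined" })` on its own would let users join closed events. Drop the `true ||` so the condition reads `if (event.isOpen) {` and keep the closed-event handling in the `else` branch.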
Copilot
AI
Dec 25, 2025
Unreachable code detected. Lines 69-152 will never execute because of the return statement on line 67. The condition if (true || event.isOpen) on line 69 suggests this might be debugging code that was left in. Either remove the early return on line 67 or remove the unreachable code block.
|
|
||
| let placesResponse; | ||
| try { | ||
| console.log(`https://maps.googleapis.com/maps/api/place/${searchType}/json${nearbyParams}&fields=photos,place_id`) |
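Review bot: this `console.log` writes the fully interpolated Places URL, including the whole `nearbyParams` query string, to stdout on every request; if that string carries the API key or the caller's coordinates, they land in whatever collects process logs and stay there. Log only `searchType` and the response status, or strip the query string before logging, rather than the full URL.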
Copilot
AI
Dec 25, 2025
Debug console.log statement should be removed before merging to production. This appears to log API URLs which could expose sensitive query parameters.
| console.log(`https://maps.googleapis.com/maps/api/place/${searchType}/json${nearbyParams}&fields=photos,place_id`) |
| let places = []; | ||
| const placesIds = []; | ||
| placesResponse.data.results.forEach((place) => { | ||
| console.log(place?.photos) |
Copilot
AI
Dec 25, 2025
Debug console.log statement should be removed before merging to production.
| console.log(place?.photos) |
| placeId, | ||
| }); | ||
| let customReviews; | ||
| // console.log("venue", venue); |
Copilot
AI
Dec 25, 2025
Commented-out debug code should be removed to keep the codebase clean.
| // console.log("venue", venue); |
| placesIds.push(place.place_id); | ||
| }); | ||
|
|
||
| // console.log("calling venues"); |
Copilot
AI
Dec 25, 2025
Commented-out debug code should be removed to keep the codebase clean.
| // console.log("calling venues"); |
| token, | ||
| }); | ||
| } catch (err) { | ||
| console.log(err) |
Copilot
AI
Dec 25, 2025
Use console.error() instead of console.log() for error logging to properly categorize the log output.
| console.log(err) | |
| console.error(err); |
| refreshToken: refreshToken.key, | ||
| }); | ||
| } catch (err) { | ||
| console.log(err); |
Copilot
AI
Dec 25, 2025
Use console.error() instead of console.log() for error logging to properly categorize the log output.
| console.log(err); | |
| console.error(err); |
| return res.status(400).json({ message: "verification failed" }); | ||
| } | ||
| } catch (error) { | ||
| console.log(error); |
Copilot
AI
Dec 25, 2025
Use console.error() instead of console.log() for error logging to properly categorize the log output.
| }); | ||
| return res.status(200).json({ result }); | ||
| } catch (error) { | ||
| console.log(error); |
Copilot
AI
Dec 25, 2025
Use console.error() instead of console.log() for error logging to properly categorize the log output.
| console.log(error); | |
| console.error(error); |
| // const { errors, isValid } = validateCreateEditReview(req.body); | ||
| // if (!isValid) return res.status(400).json(errors); |
Copilot
AI
Dec 25, 2025
Validation is commented out, which means invalid review data can be submitted without any checks. This could lead to data integrity issues. Either uncomment the validation or remove it if it's intentionally disabled.
| // const { errors, isValid } = validateCreateEditReview(req.body); | |
| // if (!isValid) return res.status(400).json(errors); | |
| const { errors, isValid } = validateCreateEditReview(req.body); | |
| if (!isValid) return res.status(400).json(errors); |
- Add rememberMe field to RefreshToken model (defaults to false)
- Update sign-in validation to accept optional rememberMe parameter
- Implement dual token expiration:
  * Without remember me: 7 days
  * With remember me: 90 days
- Apply to all auth methods: email, Google OAuth, Facebook OAuth
- Token refresh respects original rememberMe preference
feat: implement remember me functionality for authentication
- Add inactivity email templates (warning, archived, weekly report)
- Create reactivate-user endpoint for archived accounts
- Update sign-in endpoints to handle archived users with proper response
- Reset inactivity tracking flags on successful login
- Create inactivity-checker helper with functions:
  * sendInactivityWarnings: email users inactive for 1+ year
  * archiveInactiveUsers: archive users 7 days after warning
  * runWeeklyReport: send admin summary email
- Add cron endpoints for scheduled tasks:
  * POST /cron/inactivity-check (daily)
  * POST /cron/weekly-report (weekly)
- Protected cron endpoints with CRON_SECRET header
- Add validation for reactivate-user endpoint

Inactivity workflow:
1. User inactive for 1 year -> warning email sent
2. No login within 7 days -> account archived
3. Archived user can reactivate via /users/reactivate endpoint

…llback
- Remove $or condition that used createdAt as fallback
- Only send warning emails to users with recorded lastLogin
- This prevents mass emails to 13k+ existing users
- Inactivity tracking will only apply to users who log in after this feature is deployed

- Fix textContent email fallback (use displayName instead of user.firstName directly)
- Add reactivatedAt field to User model for accurate reactivation tracking
- Update getReactivatedUsersCount to use reactivatedAt timestamp
- Set reactivatedAt when user reactivates their account
- Fix CRON_SECRET check to fail closed (reject if not configured)
- Remove userId from archived user responses (security/enumeration risk)
- Remove debug console.log from sign-in

BREAKING CHANGE: Reactivation endpoint now requires userId instead of email

Security improvements:
- Reactivation now requires userId (from 403 login response) + currentPassword
- This prevents account takeover - attacker must know original password
- Sign-in endpoints return userId in 403 response for archived users
- Generic "Invalid credentials" errors prevent enumeration

Removed weekly reports:
- Removed sendWeeklyReport() and runWeeklyReportJob() functions
- Removed /cron/weekly-report endpoint
- Only daily inactivity check remains

Updated validation:
- validateReactivateUser now validates userId (24-char ObjectId)
- Requires currentPassword + newPassword fields

Frontend guide updated with new API contract.

- forgotten-password.js: Include archived users in lookup
- reset-password.js: Reset inactivity flags when password is reset
  - Sets lastLogin to reset inactivity timer
  - Sets isArchived to false to reactivate account
  - Clears inactivityEmailSent and inactivityEmailSentAt
  - Sets reactivatedAt if user was archived

This provides an alternative recovery path for:
- Users who forgot their password
- Social login users who need to reactivate archived accounts

Updated frontend guide with new recovery flow documentation.

… endpoint

BREAKING CHANGE: /auth/reactivate-account now requires currentPassword

Removed duplicate endpoint:
- Deleted /users/reactivate endpoint and reactivate-user.js
- Removed validateReactivateUser from users/validations.js

Updated /auth/reactivate-account with security improvements:
- Now requires currentPassword to prove account ownership
- Uses newPassword instead of password for clarity
- Generic "Invalid credentials" error prevents enumeration
- Social login users directed to forgot password flow
- Uses user.save() with model's virtual password setter

Updated frontend guide with correct endpoint path.
feat: implement full inactivity tracking and account reactivation system
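The warning, archive and reactivation workflow the commit messages above describe, as an added example in plain JavaScript (not code from the PR): pure functions over user objects using the field names the commits introduce, with the stated thresholds (1 year of inactivity before a warning, 7 days after the warning before archiving) and the lastLogin-only rule with no createdAt fallback. The sample users are constructed.

```javascript
// Added example, not PR code: the inactivity workflow from the commit messages as
// pure functions. Field names come from the commits; thresholds are the stated ones.
const WARN_AFTER_MS = 365 * 24 * 60 * 60 * 1000;  // 1 year inactive -> warning
const ARCHIVE_AFTER_MS = 7 * 24 * 60 * 60 * 1000; // 7 days after warning -> archive

// Step 1: users due a warning. Requires a recorded lastLogin (no createdAt
// fallback, so accounts that never logged in since deployment are never mailed),
// a year of inactivity, and no warning already sent.
function usersToWarn(users, now) {
  return users.filter((u) =>
    u.lastLogin instanceof Date &&
    !u.isArchived &&
    !u.inactivityEmailSent &&
    now - u.lastLogin >= WARN_AFTER_MS);
}

// Step 2: users to archive. Warned at least 7 days ago and no login since the
// warning (a login resets the flags, but the date check is a fail-safe).
function usersToArchive(users, now) {
  return users.filter((u) =>
    !u.isArchived &&
    u.inactivityEmailSent &&
    u.inactivityEmailSentAt instanceof Date &&
    now - u.inactivityEmailSentAt >= ARCHIVE_AFTER_MS &&
    !(u.lastLogin instanceof Date && u.lastLogin > u.inactivityEmailSentAt));
}

// Step 3: a successful login or password reset restarts the clock, clears the
// warning state and, for an archived account, records reactivatedAt.
function recordLogin(user, now) {
  const wasArchived = Boolean(user.isArchived);
  return {
    ...user,
    lastLogin: now,
    isArchived: false,
    inactivityEmailSent: false,
    inactivityEmailSentAt: null,
    reactivatedAt: wasArchived ? now : (user.reactivatedAt ?? null),
  };
}

// Constructed sample users for a daily run on 2026-01-01.
const NOW = new Date("2026-01-01T00:00:00Z");
const SAMPLE_USERS = [
  { id: "a", lastLogin: new Date("2024-06-01T00:00:00Z") },                  // warn
  { id: "b", lastLogin: null, createdAt: new Date("2019-01-01T00:00:00Z") }, // skip: no lastLogin
  { id: "c", lastLogin: new Date("2024-06-01T00:00:00Z"), inactivityEmailSent: true,
    inactivityEmailSentAt: new Date("2025-12-20T00:00:00Z") },               // archive
  { id: "d", lastLogin: new Date("2025-11-01T00:00:00Z") },                  // active
];
```

User "b" is the case the `…llback` commit fixes: an old account with no recorded lastLogin is left alone instead of being mailed because of its createdAt.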
No description provided.