Merge pull request #308 from fccview/develop

fccview · web-flow · commit f5a50aba7f7b · 2026-01-04T13:01:03.000Z
SECURITY UPDATE
diff --git a/app/_components/FeatureComponents/Header/QuickNav.tsx b/app/_components/FeatureComponents/Header/QuickNav.tsx
@@ -10,7 +10,7 @@ import { Button } from "@/app/_components/GlobalComponents/Buttons/Button";
 import { useRouter } from "next/navigation";
 import { useAppMode } from "@/app/_providers/AppModeProvider";
 import { useNavigationGuard } from "@/app/_providers/NavigationGuardProvider";
-import { AppMode, User } from "@/app/_types";
+import { AppMode, User, SanitisedUser } from "@/app/_types";
 import { Modes } from "@/app/_types/enums";
 import { cn } from "@/app/_utils/global-utils";
 import { NavigationGlobalIcon } from "../Navigation/Parts/NavigationGlobalIcon";
@@ -22,7 +22,7 @@ interface QuickNavProps {
   showSidebarToggle?: boolean;
   onSidebarToggle?: () => void;
   onOpenSettings?: () => void;
-  user: User | null;
+  user: SanitisedUser | null;
   onModeChange?: (mode: AppMode) => void;
   currentLocale: string;
 }
diff --git a/app/_components/FeatureComponents/Profile/Parts/ProfileTab.tsx b/app/_components/FeatureComponents/Profile/Parts/ProfileTab.tsx
@@ -22,7 +22,7 @@ import { useRouter } from "next/navigation";
 import { UserAvatar } from "@/app/_components/GlobalComponents/User/UserAvatar";
 import { useAppMode } from "@/app/_providers/AppModeProvider";
 import { generateApiKey, getApiKey } from "@/app/_server/actions/api";
-import { User as UserData } from "@/app/_types";
+import { User as UserData, SanitisedUser } from "@/app/_types";
 import { FormWrapper } from "@/app/_components/GlobalComponents/FormElements/FormWrapper";
 import { usePreferredDateTime } from "@/app/_hooks/usePreferredDateTime";
 import { useTranslations } from "next-intl";
@@ -31,9 +31,9 @@ import { MfaDisableModal } from "@/app/_components/GlobalComponents/Modals/MfaMo
 import { MfaRegenerateRecoveryCodeModal } from "@/app/_components/GlobalComponents/Modals/MfaModals/MfaRegenerateRecoveryCodeModal";
 
 interface ProfileTabProps {
-  user: UserData | null;
+  user: SanitisedUser | null;
   isAdmin: boolean;
-  setUser: React.Dispatch<React.SetStateAction<UserData | null>>;
+  setUser: React.Dispatch<React.SetStateAction<SanitisedUser | null>>;
   isSsoUser: boolean;
 }
 
@@ -191,7 +191,7 @@ export const ProfileTab = ({
 
       if (result.success) {
         setSuccess(t('profile.profileUpdated'));
-        setUser((prev: UserType | null) =>
+        setUser((prev: SanitisedUser | null) =>
           prev
             ? { ...prev, username: editedUsername, avatarUrl: avatarUrl }
             : null
@@ -227,7 +227,7 @@ export const ProfileTab = ({
       const result = await updateProfile(formData);
 
       if (result.success) {
-        setUser((prev: UserType | null) =>
+        setUser((prev: SanitisedUser | null) =>
           prev ? { ...prev, avatarUrl: url } : null
         );
         setSuccess(t('profile.avatarUpdated'));
@@ -252,7 +252,7 @@ export const ProfileTab = ({
       const result = await updateProfile(formData);
 
       if (result.success) {
-        setUser((prev: UserType | null) =>
+        setUser((prev: SanitisedUser | null) =>
           prev ? { ...prev, avatarUrl: undefined } : null
         );
         setSuccess(t('profile.avatarRemoved'));
diff --git a/app/_components/FeatureComponents/Profile/Parts/UserPreferencesTab.tsx b/app/_components/FeatureComponents/Profile/Parts/UserPreferencesTab.tsx
@@ -7,6 +7,7 @@ import { updateUserSettings } from "@/app/_server/actions/users";
 import { useTranslations } from "next-intl";
 import {
   User,
+  SanitisedUser,
   Category,
   EnableRecurrence,
   ShowCompletedSuggestions,
@@ -43,7 +44,7 @@ interface SettingsTabProps {
   localeOptions: Array<{id: string, name: JSX.Element}>;
 }
 
-const getSettingsFromUser = (user: User | null): Partial<User> => ({
+const getSettingsFromUser = (user: SanitisedUser | null): Partial<SanitisedUser> => ({
   preferredLocale: user?.preferredLocale || "en",
   preferredTheme: user?.preferredTheme || "system",
   tableSyntax: user?.tableSyntax || "html",
diff --git a/app/_components/FeatureComponents/PublicView/Parts/PublicChecklistHeader.tsx b/app/_components/FeatureComponents/PublicView/Parts/PublicChecklistHeader.tsx
@@ -6,11 +6,12 @@ import {
 import { ChecklistProgress } from "../../Checklists/Parts/Simple/ChecklistProgress";
 import { Checklist, User } from "@/app/_types";
 import { UserAvatar } from "@/app/_components/GlobalComponents/User/UserAvatar";
+import { PublicUser } from "@/app/_utils/user-sanitize-utils";
 
 interface PublicChecklistHeaderProps {
   checklist: Checklist;
   totalCount: number;
-  user: User | null;
+  user: PublicUser | null;
   avatarUrl: string;
 }
 
diff --git a/app/_components/FeatureComponents/PublicView/PublicChecklistView.tsx b/app/_components/FeatureComponents/PublicView/PublicChecklistView.tsx
@@ -4,10 +4,11 @@ import { useState, useEffect } from "react";
 import { Checklist, User } from "@/app/_types";
 import { PublicChecklistHeader } from "@/app/_components/FeatureComponents/PublicView/Parts/PublicChecklistHeader";
 import { PublicChecklistBody } from "@/app/_components/FeatureComponents/PublicView/Parts/PublicChecklistBody";
+import { PublicUser } from "@/app/_utils/user-sanitize-utils";
 
 interface PublicChecklistViewProps {
   checklist: Checklist;
-  user: User | null;
+  user: PublicUser | null;
 }
 
 export const PublicChecklistView = ({
diff --git a/app/_components/FeatureComponents/PublicView/PublicNoteView.tsx b/app/_components/FeatureComponents/PublicView/PublicNoteView.tsx
@@ -12,10 +12,11 @@ import { PGPEncryptionModal } from "@/app/_components/GlobalComponents/Modals/En
 import { XChaChaEncryptionModal } from "@/app/_components/GlobalComponents/Modals/EncryptionModals/XChaChaEncryptionModal";
 import { detectEncryptionMethod } from "@/app/_utils/encryption-utils";
 import { useTranslations } from "next-intl";
+import { PublicUser } from "@/app/_utils/user-sanitize-utils";
 
 interface PublicNoteViewProps {
   note: Note;
-  user: User | null;
+  user: PublicUser | null;
 }
 
 export const PublicNoteView = ({ note, user }: PublicNoteViewProps) => {
diff --git a/app/_components/FeatureComponents/Sidebar/Parts/CategoryList.tsx b/app/_components/FeatureComponents/Sidebar/Parts/CategoryList.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import { AppMode, Category, Checklist, Note, User } from "@/app/_types";
+import { AppMode, Category, Checklist, Note, User, SanitisedUser } from "@/app/_types";
 import {
   DndContext,
   DragEndEvent,
@@ -32,7 +32,7 @@ interface CategoryListProps {
   onEditItem?: (item: Checklist | Note) => void;
   isItemSelected: (item: Checklist | Note) => boolean;
   mode: AppMode;
-  user?: User;
+  user?: SanitisedUser;
 }
 
 export const CategoryList = (props: CategoryListProps) => {
diff --git a/app/_components/FeatureComponents/Sidebar/Parts/CategoryRenderer.tsx b/app/_components/FeatureComponents/Sidebar/Parts/CategoryRenderer.tsx
@@ -13,7 +13,7 @@ import {
 import { Button } from "@/app/_components/GlobalComponents/Buttons/Button";
 import { cn } from "@/app/_utils/global-utils";
 import { DropdownMenu } from "@/app/_components/GlobalComponents/Dropdowns/DropdownMenu";
-import { AppMode, Category, Checklist, Note } from "@/app/_types";
+import { AppMode, Category, Checklist, Note, SanitisedUser } from "@/app/_types";
 import { Draggable } from "@/app/_components/FeatureComponents/Sidebar/Parts/Draggable";
 import { SidebarItem } from "@/app/_components/FeatureComponents/Sidebar/Parts/SidebarItem";
 import { Modes } from "@/app/_types/enums";
@@ -35,7 +35,7 @@ interface CategoryRendererProps {
   onEditItem?: (item: Checklist | Note) => void;
   isItemSelected: (item: Checklist | Note) => boolean;
   mode: AppMode;
-  user?: any;
+  user?: SanitisedUser;
 }
 
 export const CategoryRenderer = (props: CategoryRendererProps) => {
diff --git a/app/_components/GlobalComponents/Layout/Layout.tsx b/app/_components/GlobalComponents/Layout/Layout.tsx
@@ -4,7 +4,7 @@ import { useState } from "react";
 import { QuickNav } from "@/app/_components/FeatureComponents/Header/QuickNav";
 import { Sidebar } from "@/app/_components/FeatureComponents/Sidebar/Sidebar";
 import { SettingsSidebar } from "@/app/_components/FeatureComponents/Sidebar/SettingsSidebar";
-import { Category, User } from "@/app/_types";
+import { Category, User, SanitisedUser } from "@/app/_types";
 import { useAppMode } from "@/app/_providers/AppModeProvider";
 import { useMobileGestures } from "@/app/_hooks/useMobileGestures";
 import { isMobileDevice } from "@/app/_utils/global-utils";
@@ -19,7 +19,7 @@ interface LayoutProps {
   onCategoryDeleted?: (categoryName: string) => void;
   onCategoryRenamed?: (oldName: string, newName: string) => void;
   children: React.ReactNode;
-  user: User | null;
+  user: SanitisedUser | null;
   customSidebar?: (props: { isOpen: boolean; onClose: () => void }) => React.ReactNode;
 }
 
diff --git a/app/_hooks/useSidebar.tsx b/app/_hooks/useSidebar.tsx
@@ -2,7 +2,7 @@ import { useRouter, usePathname } from "next/navigation";
 import { useAppMode } from "../_providers/AppModeProvider";
 import { useNavigationGuard } from "../_providers/NavigationGuardProvider";
 import { useState, useEffect, useRef, useCallback, useMemo } from "react";
-import { Checklist, Category, Note, AppMode, User } from "../_types";
+import { Checklist, Category, Note, AppMode, User, SanitisedUser } from "../_types";
 import { ItemTypes, Modes } from "../_types/enums";
 import { deleteCategory, renameCategory } from "../_server/actions/category";
 import { buildCategoryPath, encodeId } from "../_utils/global-utils";
@@ -13,7 +13,7 @@ export interface SidebarProps {
   onOpenCreateModal: (initialCategory?: string) => void;
   onOpenCategoryModal: (parentCategory?: string) => void;
   categories: Category[];
-  user: User | null;
+  user: SanitisedUser | null;
   onCategoryDeleted?: (categoryName: string) => void;
   onCategoryRenamed?: (oldName: string, newName: string) => void;
   onOpenSettings: () => void;
diff --git a/app/_providers/AppModeProvider.tsx b/app/_providers/AppModeProvider.tsx
@@ -17,6 +17,7 @@ import {
   AppModeContextType,
   AllSharedItems,
   UserSharedItems,
+  SanitisedUser,
 } from "@/app/_types";
 import { Modes } from "@/app/_types/enums";
 import { LinkIndex } from "../_server/actions/link";
@@ -44,7 +45,7 @@ export const AppModeProvider = ({
   isDemoMode?: boolean;
   isRwMarkable?: boolean;
   usersPublicData?: Partial<User>[];
-  user?: User | null;
+  user?: SanitisedUser | null;
   pathname?: string;
   appVersion?: string;
   initialSettings?: AppSettings;
@@ -78,7 +79,7 @@ export const AppModeProvider = ({
   const [mode, setMode] = useState<AppMode>(modeToSet);
   const [selectedNote, setSelectedNote] = useState<string | null>(null);
   const [isInitialized, setIsInitialized] = useState(false);
-  const [user, setUser] = useState<User | null>(initialUser || null);
+  const [user, setUser] = useState<SanitisedUser | null>(initialUser || null);
 
   useEffect(() => {
     setIsInitialized(true);
diff --git a/app/_providers/ShortcutsProvider.tsx b/app/_providers/ShortcutsProvider.tsx
@@ -13,7 +13,7 @@ import { CreateNoteModal } from "@/app/_components/GlobalComponents/Modals/Notes
 import { CreateListModal } from "@/app/_components/GlobalComponents/Modals/ChecklistModals/CreateListModal";
 import { CreateCategoryModal } from "@/app/_components/GlobalComponents/Modals/CategoryModals/CreateCategoryModal";
 import { SettingsModal } from "@/app/_components/GlobalComponents/Modals/SettingsModals/Settings";
-import { Category, User } from "@/app/_types";
+import { Category, SanitisedUser, User } from "@/app/_types";
 import { Modes } from "@/app/_types/enums";
 import { buildCategoryPath } from "@/app/_utils/global-utils";
 import { useRouter } from "next/navigation";
@@ -48,7 +48,7 @@ export const ShortcutProvider = ({
   children: ReactNode;
   noteCategories: Category[];
   checklistCategories: Category[];
-  user: User | null;
+  user: SanitisedUser | null;
 }) => {
   const router = useRouter();
   const { mode, setMode } = useAppMode();
diff --git a/app/_types/index.ts b/app/_types/index.ts
@@ -364,6 +364,8 @@ export interface UserSharedItems {
   checklists: UserSharedItem[];
 }
 
+export type SanitisedUser = Omit<User, 'passwordHash' | 'apiKey' | 'lastLogin'>;
+
 export interface AppModeContextType {
   mode: AppMode;
   setMode: (mode: AppMode) => void;
@@ -372,8 +374,8 @@ export interface AppModeContextType {
   isInitialized: boolean;
   isDemoMode: boolean;
   isRwMarkable: boolean;
-  user: User | null;
-  setUser: (user: User | null) => void;
+  user: SanitisedUser | null;
+  setUser: (user: SanitisedUser | null) => void;
   appVersion: string;
   appSettings: AppSettings | null;
   usersPublicData: Partial<User>[];
diff --git a/app/_utils/user-sanitize-utils.ts b/app/_utils/user-sanitize-utils.ts
@@ -0,0 +1,45 @@
+import { User, SanitisedUser } from "@/app/_types";
+
+export type PublicUser = {
+  username: string;
+  avatarUrl?: string;
+};
+
+export function sanitizeUserForClient(user: User | null): SanitisedUser | null {
+  if (!user) return null;
+
+  return {
+    username: user.username,
+    isAdmin: user.isAdmin,
+    isSuperAdmin: user.isSuperAdmin,
+    avatarUrl: user.avatarUrl,
+    preferredTheme: user.preferredTheme,
+    imageSyntax: user.imageSyntax,
+    tableSyntax: user.tableSyntax,
+    landingPage: user.landingPage,
+    notesAutoSaveInterval: user.notesAutoSaveInterval,
+    notesDefaultEditor: user.notesDefaultEditor,
+    notesDefaultMode: user.notesDefaultMode,
+    pinnedLists: user.pinnedLists,
+    pinnedNotes: user.pinnedNotes,
+    enableRecurrence: user.enableRecurrence,
+    showCompletedSuggestions: user.showCompletedSuggestions,
+    fileRenameMode: user.fileRenameMode,
+    preferredDateFormat: user.preferredDateFormat,
+    preferredTimeFormat: user.preferredTimeFormat,
+    disableRichEditor: user.disableRichEditor,
+    markdownTheme: user.markdownTheme,
+    encryptionSettings: user.encryptionSettings,
+    defaultChecklistFilter: user.defaultChecklistFilter,
+    defaultNoteFilter: user.defaultNoteFilter,
+  };
+}
+
+export function sanitizeUserForPublic(user: User | null, includeAvatar: boolean = false): PublicUser | null {
+  if (!user) return null;
+
+  return {
+    username: user.username,
+    ...(includeAvatar && user.avatarUrl ? { avatarUrl: user.avatarUrl } : {}),
+  };
+}
diff --git a/app/layout.tsx b/app/layout.tsx
@@ -40,6 +40,7 @@ import { writeJsonFile } from "./_server/actions/file";
 import { NextIntlClientProvider } from 'next-intl';
 import { getMessages } from 'next-intl/server';
 import { getAvailableLocalesWithNames } from '@/app/_utils/locale-utils';
+import { sanitizeUserForClient } from '@/app/_utils/user-sanitize-utils';
 
 export const generateMetadata = async (): Promise<Metadata> => {
   const settings = await getSettings();
@@ -150,18 +151,20 @@ export default async function RootLayout({
   children: React.ReactNode;
 }) {
   const pathname = headers().get("x-pathname");
+  const isPublicRoute = pathname?.startsWith("/public");
   const settings = await getSettings();
   const appName =
     settings?.appName || (settings?.isRwMarkable ? "rwMarkable" : "jotty·page");
   const noteCategories = await getCategories(Modes.NOTES);
   const checklistCategories = await getCategories(Modes.CHECKLISTS);
-  const user = await getCurrentUser();
+  const userRecord = await getCurrentUser();
   const appVersion = await readPackageVersion();
   const customThemes = await loadCustomThemes();
   const stopCheckUpdates = process.env.STOP_CHECK_UPDATES?.toLowerCase();
-  const users = await getUsers();
-  const linkIndex = user?.username ? await readLinkIndex(user.username) : null;
+  const users = (isPublicRoute || !userRecord) ? [] : await getUsers();
+  const linkIndex = userRecord?.username ? await readLinkIndex(userRecord.username) : null;
   const messages = await getMessages();
+  const user = sanitizeUserForClient(userRecord);
 
   const shouldParseContent = settings?.parseContent === "yes";
 
@@ -173,29 +176,33 @@ export default async function RootLayout({
     globalSharing,
     availableLocales,
   ] = await Promise.all([
-    shouldParseContent
+    shouldParseContent && user && !isPublicRoute
       ? getUserNotes()
-      : getUserNotes({
-        projection: ["id", "title", "category", "owner", "uuid"],
-      }),
-    shouldParseContent
+      : user && !isPublicRoute
+        ? getUserNotes({
+          projection: ["id", "title", "category", "owner", "uuid"],
+        })
+        : Promise.resolve({ success: false, data: [] }),
+    shouldParseContent && user && !isPublicRoute
       ? getUserChecklists()
-      : getUserChecklists({
-        projection: [
-          "id",
-          "title",
-          "category",
-          "owner",
-          "uuid",
-          "type",
-          "items",
-        ],
-      }),
-    getAllSharedItems(),
-    user
+      : user && !isPublicRoute
+        ? getUserChecklists({
+          projection: [
+            "id",
+            "title",
+            "category",
+            "owner",
+            "uuid",
+            "type",
+            "items",
+          ],
+        })
+        : Promise.resolve({ success: false, data: [] }),
+    (user && !isPublicRoute) ? getAllSharedItems() : Promise.resolve({ notes: [], checklists: [], public: { notes: [], checklists: [] } }),
+    (user && !isPublicRoute)
       ? getAllSharedItemsForUser(user.username)
       : Promise.resolve({ notes: [], checklists: [] }),
-    readShareFile("all"),
+    (user && !isPublicRoute) ? readShareFile("all") : Promise.resolve(null),
     getAvailableLocalesWithNames(),
   ]);
 
diff --git a/app/public/checklist/[...categoryPath]/page.tsx b/app/public/checklist/[...categoryPath]/page.tsx
diff --git a/app/public/note/[...categoryPath]/page.tsx b/app/public/note/[...categoryPath]/page.tsx
diff --git a/package.json b/package.json
