From 6c0b06113644ec0ea384b7c4fe3ebdae02ef719b Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 09:42:42 +0800
Subject: [PATCH] fix: use userId param in profile endpoint and restrict returned fields
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The /api/user/profile/[userId] endpoint extracted the userId from URL params but never used it — every request returned the authenticated user's own profile regardless of the userId. Additionally, select('*') returned all columns including sensitive fields (salt, backup_pin_hash, phone_number, auth_user_id).
Changes:
- Use the userId param to look up the requested user's profile
- Return expanded fields for own profile, public fields only for other users' profiles
- Exclude sensitive columns (salt, backup_pin_hash, phone_number, auth_user_id) from all responses
---
 src/app/api/user/profile/[userId]/route.js | 33 ++++++++++++++++------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/src/app/api/user/profile/[userId]/route.js b/src/app/api/user/profile/[userId]/route.js
index d2d7f42..8a12710 100644
--- a/src/app/api/user/profile/[userId]/route.js
+++ b/src/app/api/user/profile/[userId]/route.js
@@ -6,25 +6,42 @@ export async function GET(request, { params } = {}) {
   try {
     const { userId } = params;
     const supabase = await createSupabaseServerClient();
-
+
     // Verify user is authenticated
     const { data: { user: authUser }, error: authError } = await supabase.auth.getUser();
-
+
     if (authError || !authUser) {
       return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
     }
-
-    // Get user profile
+
+    const isOwnProfile = userId === authUser.id;
+
+    if (isOwnProfile) {
+      // Own profile: return all non-sensitive fields
+      const { data: userProfile, error: profileError } = await supabase
+        .from('users')
+        .select('id, username, display_name, avatar_url, bio, website, unique_identifier, status, is_online, last_seen, last_active_at, sms_notifications_enabled, created_at, updated_at')
+        .eq('auth_user_id', authUser.id)
+        .single();
+
+      if (profileError) {
+        return NextResponse.json({ error: profileError.message }, { status: 404 });
+      }
+
+      return NextResponse.json({ user: userProfile });
+    }
+
+    // Other user's profile: return only public fields
     const { data: userProfile, error: profileError } = await supabase
       .from('users')
-      .select('*')
-      .eq('auth_user_id', authUser.id)
+      .select('id, username, display_name, avatar_url, bio, website, unique_identifier, status, is_online')
+      .eq('id', userId)
       .single();
-
+
     if (profileError) {
       return NextResponse.json({ error: profileError.message }, { status: 404 });
     }
-
+
     return NextResponse.json({ user: userProfile });
   } catch (error) {
     console.error('User profile API error:', error);
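Review bot: `isOwnProfile` compares the URL `userId` with `authUser.id`, but the two branches then key their lookups on different columns — the own-profile branch on `auth_user_id`, the public branch on `id` — so unless `users.id` always equals `users.auth_user_id`, a caller who requests their own profile by its `users.id` falls through to the public branch and gets the reduced field set, while the own branch ignores `userId` entirely. A single lookup by `id` that also selects `auth_user_id`, decides ownership from the returned row, and then projects to the allowed columns removes that ambiguity and the duplicated query block. The added `return NextResponse.json({ error: profileError.message }, { status: 404 })` also echoes the raw database/PostgREST message (for example when a malformed `userId` fails to cast) to the client; log it server-side and return a fixed message such as `{ error: 'Profile not found' }` instead. GET's signature precedes the hunk and its catch block continues past it.
```javascript
    // … unchanged: createSupabaseServerClient() and the getUser() auth check …

    const PUBLIC_COLUMNS = ['id', 'username', 'display_name', 'avatar_url', 'bio', 'website', 'unique_identifier', 'status', 'is_online'];
    const OWN_ONLY_COLUMNS = ['last_seen', 'last_active_at', 'sms_notifications_enabled', 'created_at', 'updated_at'];

    // One lookup keyed by the users.id from the URL in both cases; auth_user_id is
    // selected only to decide ownership and is stripped before the response.
    const { data: row, error: profileError } = await supabase
      .from('users')
      .select([...PUBLIC_COLUMNS, ...OWN_ONLY_COLUMNS, 'auth_user_id'].join(', '))
      .eq('id', userId)
      .single();

    if (profileError) {
      // Keep the driver's message out of the response; it can describe the schema or the failed cast.
      console.error('User profile lookup failed:', profileError);
      return NextResponse.json({ error: 'Profile not found' }, { status: 404 });
    }

    const isOwnProfile = row.auth_user_id === authUser.id;
    const allowed = new Set(isOwnProfile ? [...PUBLIC_COLUMNS, ...OWN_ONLY_COLUMNS] : PUBLIC_COLUMNS);
    const profile = Object.fromEntries(Object.entries(row).filter(([key]) => allowed.has(key)));

    return NextResponse.json({ user: profile });
    // … unchanged: catch (error) { console.error(...) … } …
```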