filter and location issue resolved
mapathon flow updated
add mapathon issue fix
mapathon date validation fixed
user schema updated
update user profile resolved
asian race added
forgot password link updated
resolve forgot password issues and activate user flow
replace remove function with delete one
resolve activation account issue
new fields added in user model lastLocation lastActivityTime and device
- Add inactivity email templates (warning, archived, weekly report)
- Create reactivate-user endpoint for archived accounts
- Update sign-in endpoints to handle archived users with proper response
- Reset inactivity tracking flags on successful login
- Create inactivity-checker helper with functions:
  * sendInactivityWarnings: email users inactive for 1+ year
  * archiveInactiveUsers: archive users 7 days after warning
  * runWeeklyReport: send admin summary email
- Add cron endpoints for scheduled tasks:
  * POST /cron/inactivity-check (daily)
  * POST /cron/weekly-report (weekly)
- Protected cron endpoints with CRON_SECRET header
- Add validation for reactivate-user endpoint

Inactivity workflow:
1. User inactive for 1 year -> warning email sent
2. No login within 7 days -> account archived
3. Archived user can reactivate via /users/reactivate endpoint
…llback

- Remove $or condition that used createdAt as fallback
- Only send warning emails to users with recorded lastLogin
- This prevents mass emails to 13k+ existing users
- Inactivity tracking will only apply to users who log in after this feature is deployed
- Fix textContent email fallback (use displayName instead of user.firstName directly)
- Add reactivatedAt field to User model for accurate reactivation tracking
- Update getReactivatedUsersCount to use reactivatedAt timestamp
- Set reactivatedAt when user reactivates their account
- Fix CRON_SECRET check to fail closed (reject if not configured)
- Remove userId from archived user responses (security/enumeration risk)
- Remove debug console.log from sign-in
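
The fail-closed CRON_SECRET check named in the commit above, sketched as an added example; this is not the project's code. The header name `x-cron-secret`, the 401 response, and the helper names are assumptions, and `failOpenCheck` is a constructed illustration of the fail-open shape such a fix replaces.

```javascript
const crypto = require('crypto');

// Assumed header name; the page only says "CRON_SECRET header".
const CRON_HEADER = 'x-cron-secret';

// Constructed fail-open shape: an unset secret skips the comparison entirely,
// so a deployment missing CRON_SECRET accepts every request.
function failOpenCheck(headers, configuredSecret) {
  if (configuredSecret && headers[CRON_HEADER] !== configuredSecret) return false;
  return true;
}

// Fail-closed: no configured secret or no header means "reject".
function isCronRequestAuthorized(headers, configuredSecret) {
  if (typeof configuredSecret !== 'string' || configuredSecret.length === 0) return false;
  const presented = headers[CRON_HEADER];
  if (typeof presented !== 'string' || presented.length === 0) return false;
  // Hash both sides to equal length; timingSafeEqual throws on unequal lengths.
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(configuredSecret).digest();
  return crypto.timingSafeEqual(a, b);
}

// Express-style middleware; getSecret is injectable so it can be tested.
function requireCronSecret(getSecret = () => process.env.CRON_SECRET) {
  return (req, res, next) => {
    if (isCronRequestAuthorized(req.headers || {}, getSecret())) return next();
    return res.status(401).json({ message: 'Unauthorized' });
  };
}

// Constructed requests: run the middleware and report the outcome.
function simulate(headers, secret) {
  let outcome = null;
  const res = { status: (code) => ({ json: () => { outcome = code; } }) };
  requireCronSecret(() => secret)({ headers }, res, () => { outcome = 'next'; });
  return outcome;
}
```

A useful regression test for this class of bug is the request that sends the literal string `undefined` while the secret is unset: it must still be rejected.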
BREAKING CHANGE: Reactivation endpoint now requires userId instead of email

Security improvements:
- Reactivation now requires userId (from 403 login response) + currentPassword
- This prevents account takeover - attacker must know original password
- Sign-in endpoints return userId in 403 response for archived users
- Generic "Invalid credentials" errors prevent enumeration

Removed weekly reports:
- Removed sendWeeklyReport() and runWeeklyReportJob() functions
- Removed /cron/weekly-report endpoint
- Only daily inactivity check remains

Updated validation:
- validateReactivateUser now validates userId (24-char ObjectId)
- Requires currentPassword + newPassword fields

Frontend guide updated with new API contract.
- forgotten-password.js: Include archived users in lookup
- reset-password.js: Reset inactivity flags when password is reset
  - Sets lastLogin to reset inactivity timer
  - Sets isArchived to false to reactivate account
  - Clears inactivityEmailSent and inactivityEmailSentAt
  - Sets reactivatedAt if user was archived

This provides an alternative recovery path for:
- Users who forgot their password
- Social login users who need to reactivate archived accounts

Updated frontend guide with new recovery flow documentation.
… endpoint

BREAKING CHANGE: /auth/reactivate-account now requires currentPassword

Removed duplicate endpoint:
- Deleted /users/reactivate endpoint and reactivate-user.js
- Removed validateReactivateUser from users/validations.js

Updated /auth/reactivate-account with security improvements:
- Now requires currentPassword to prove account ownership
- Uses newPassword instead of password for clarity
- Generic "Invalid credentials" error prevents enumeration
- Social login users directed to forgot password flow
- Uses user.save() with model's virtual password setter

Updated frontend guide with correct endpoint path.
feat: implement full inactivity tracking and account reactivation system
fix: handle empty event array in get-event to prevent crash
- Updated isAuthenticated middleware to check for archived users
- Returns 403 with requiresReactivation flag for archived users
- Simplified reactivate-account endpoint (removed currentPassword requirement)
- User must set new password and resubmit profile info to reactivate
- Added comprehensive logging to reactivate-account endpoint
- Added src/AWSLambaFunction and docs to .gitignore

- Added race normalization to handle case-insensitive values
- Fixes existing invalid race values like 'Asian' -> 'asian'
- Maps common variations to valid enum values
…with lastLogin and valid email
- Add POST /reviews/voice-to-review endpoint
- Accepts audio file, transcribes via OpenAI Whisper
- Extracts structured review data using GPT-4
- Add comprehensive documentation and frontend code examples

- sign-up.js: Use FRONTEND_URL for activation email link
- forgotten-password.js: Use FRONTEND_URL for password reset email link
- activate-account.js: Use FRONTEND_URL for post-activation redirect

This fixes the bug where users on test/staging environments received links pointing to production (axsmap.com) instead of the correct environment-specific URL.

Affected user: sidquazafar009@gmail.com

…inks

- sign-up.js: Accept frontendUrl in request body for activation email
- forgotten-password.js: Accept frontendUrl in request body for reset email

Frontend should pass their origin URL in the request:
- Web: window.location.origin
- Mobile: appropriate deep link URL

Falls back to https://axsmap.com if not provided.
Frontend handles 5-second minimum audio duration check. Backend no longer rejects short transcriptions - let GPT-4 handle it.
After toObject() on Mongoose model, the 'id' virtual getter may not be available. Using _id (which always exists) with fallback to id for compatibility.
req.user is a plain object after toObject() in auth middleware, so it doesn't have .save() method. Need to fetch the User document again to update reviewFieldsAmount and reviewsAmount.
- status=active: returns events where startDate <= today AND endDate >= today
- status=inactive: returns events where endDate < today (past events)
- status=all or no status: returns all events (no date filter)
- Added isOpen field to response for frontend to check manual status

- Allow compound names like 'Van Dyke', 'De La Cruz', 'Mary Ann'
- Fixes signup failure for users with multi-word names

- Activation ticket stores 'dateOfBirth' as string
- User model expects 'birthday' as Date
- Convert string to Date object when creating user
- Fixes date of birth not being saved during signup

- Add normalizeDateToNoonUTC helper function to helpers/index.js
- Apply normalization in activate-account.js (signup)
- Apply normalization in edit-user.js (profile update)
- Apply normalization in reactivate-account.js (account reactivation)
- Ensures birthday is always stored at noon UTC to prevent off-by-one day errors
- Fixes dateOfBirth -> birthday field mapping in activate-account.js
…ateUser, editUser)
…iles

req.user is a plain object from toObject() in auth middleware, so .save() and .comparePassword() are not available. This caused TypeError 500 errors on create/join/leave events, create/leave teams, change password, and petition approval.

- create-event.js: findByIdAndUpdate + fix endDate typo + add startDate
- join-event.js: findByIdAndUpdate $push events
- leave-event.js: findByIdAndUpdate $pull events
- create-team.js: findByIdAndUpdate $push teams
- leave-team.js: findByIdAndUpdate $pull teams
- change-password.js: fetch Mongoose doc for comparePassword + save
- edit-petition.js: findByIdAndUpdate for events and teams (2 occurrences)
No description provided.