From cafa7d7afeddc45b9c0b8ff67fc388603b42b769 Mon Sep 17 00:00:00 2001
From: Efe
Date: Wed, 7 May 2025 12:15:30 +0200
Subject: [PATCH 1/2] Enhance API request security and type safety
- Add URL encoding for username parameter in API requests
- Add additional username format validation
- Fix Peakd badge mapping to match Badge type interface
- Add proper error handling and logging
- Add proper headers for API requests
- Add type checking for API responses
This change improves security by properly validating and encoding user input before making API requests, and ensures type safety throughout the badge handling logic.
---
 apps/blog/pages/[param]/communities.tsx | 61 +++++++++++++++++++------
 1 file changed, 47 insertions(+), 14 deletions(-)
diff --git a/apps/blog/pages/[param]/communities.tsx b/apps/blog/pages/[param]/communities.tsx
index 501bf3753..0c00ee221 100644
--- a/apps/blog/pages/[param]/communities.tsx
+++ b/apps/blog/pages/[param]/communities.tsx
@@ -90,8 +90,8 @@ const UserCommunities = ({
 export default UserCommunities;
 export const getServerSideProps: GetServerSideProps = async (context) => {
- let hivebuzzJsonStateOn = [];
- let peakdJsonMapedWithURL = [];
+ let hivebuzzJsonStateOn: Badge[] = [];
+ let peakdJsonMapedWithURL: Badge[] = [];
 let errorCode = 0;
 try {
@@ -104,20 +104,53 @@ export const getServerSideProps: GetServerSideProps = async (context) => {
 throw new Error({ statusCode: 404 });
 }
- const hivebuzzRes = await fetch(`https://hivebuzz.me/api/badges/${username}`);
- if (hivebuzzRes.ok) {
- const hivebuzzJson = await hivebuzzRes.json();
- hivebuzzJsonStateOn = hivebuzzJson.filter((badge: Badge) => badge.state === 'on');
+ // Additional validation for username format
+ if (!/^[a-z][a-z0-9-.]{2,15}$/.test(username)) {
+ errorCode = 400;
+ throw new Error({ statusCode: 400 });
 }
- const peakdRes = await fetch(`https://peakd.com/api/public/badge/${username}`);
- if (peakdRes.ok) {
- const peakdJson = await peakdRes.json();
- peakdJsonMapedWithURL = peakdJson?.map((obj: Badge) => ({
- id: obj.title,
- url: `https://images.hive.blog/u/${obj.name}/avatar`,
- title: obj.title
- }));
+ // Encode username for URL safety
+ const encodedUsername = encodeURIComponent(username);
+
+ try {
+ const hivebuzzRes = await fetch(`https://hivebuzz.me/api/badges/${encodedUsername}`, {
+ headers: {
+ 'Accept': 'application/json',
+ 'User-Agent': 'HiveBlog/1.0'
+ }
+ });
+
+ if (hivebuzzRes.ok) {
+ const hivebuzzJson = await hivebuzzRes.json();
+ if (Array.isArray(hivebuzzJson)) {
+ hivebuzzJsonStateOn = hivebuzzJson.filter((badge: Badge) => badge.state === 'on');
+ }
+ }
+
+ const peakdRes = await fetch(`https://peakd.com/api/public/badge/${encodedUsername}`, {
+ headers: {
+ 'Accept': 'application/json',
+ 'User-Agent': 'HiveBlog/1.0'
+ }
+ });
+
+ if (peakdRes.ok) {
+ const peakdJson = await peakdRes.json();
+ if (Array.isArray(peakdJson)) {
+ peakdJsonMapedWithURL = peakdJson?.map((obj: any) => ({
+ id: obj.title,
+ url: `https://images.hive.blog/u/${encodeURIComponent(obj.name)}/avatar`,
+ title: obj.title,
+ name: obj.name,
+ state: 'on',
+ type: 'badge'
+ }));
+ }
+ }
+ } catch (error) {
+ logger.error('Error fetching badges: %o', error);
+ // Don't throw here, just log the error and continue with empty arrays
+ }
 } catch (error) {
 logger.error('Error in getServerSideProps: %o', error);
--
GitLab
From 35501f079e45c452495cf13cad8f722a4eaa575e Mon Sep 17 00:00:00 2001
From: Efe
Date: Wed, 7 May 2025 12:17:53 +0200
Subject: [PATCH 2/2] Improve username validation and error handling
- Remove redundant regex validation in favor of validateHiveAccountName
- Change error code from 404 to 400 for validation failures
- Add validation error message to error object for better error reporting
- Keep URL encoding and API request security measures
This change simplifies the validation logic while maintaining security by relying on the comprehensive validateHiveAccountName function which already implements Hive protocol's account name rules.
---
 apps/blog/pages/[param]/communities.tsx | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/apps/blog/pages/[param]/communities.tsx b/apps/blog/pages/[param]/communities.tsx
index 0c00ee221..9f07f910a 100644
--- a/apps/blog/pages/[param]/communities.tsx
+++ b/apps/blog/pages/[param]/communities.tsx
@@ -100,14 +100,8 @@ export const getServerSideProps: GetServerSideProps = async (context) => {
 const validationResult = validateHiveAccountName(username);
 logger.info('validationResult: %s', validationResult);
 if (validationResult !== null) {
- errorCode = 404;
- throw new Error({ statusCode: 404 });
- }
-
- // Additional validation for username format
- if (!/^[a-z][a-z0-9-.]{2,15}$/.test(username)) {
 errorCode = 400;
- throw new Error({ statusCode: 400 });
+ throw new Error({ statusCode: 400, message: validationResult });
 }
 // Encode username for URL safety
--
GitLab
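Review bot: Both upstream calls sit in the single inner try block, so when the hivebuzz.me fetch throws (network error, non-JSON body) the peakd.com request is never attempted, even though the catch comment promises to "continue with empty arrays"; the two lookups are independent and should fail independently. Neither fetch passes a timeout, so a slow badge provider stalls the whole server-side render of this page. I would give each call its own `AbortSignal.timeout` (Node 18+) and run them through `Promise.allSettled`, as sketched below (the 5000 ms budget is illustrative, not a measured value). Separately, `(obj: any)` in the peakd map and `peakdJson?.map` directly after `Array.isArray(peakdJson)` undercut the type checking the commit title claims — `unknown` with a narrowing guard on `title`/`name` would keep that check honest. getServerSideProps continues past the end of the hunk.
```typescript
const encodedUsername = encodeURIComponent(username);
const headers = { Accept: 'application/json', 'User-Agent': 'HiveBlog/1.0' };
// One timeout and one failure domain per provider: a slow or broken upstream
// must neither stall the render nor hide the other provider's badges.
const fetchBadgeJson = async (url: string): Promise<unknown> => {
  const res = await fetch(url, { headers, signal: AbortSignal.timeout(5000) });
  return res.ok ? res.json() : [];
};
const [hivebuzzResult, peakdResult] = await Promise.allSettled([
  fetchBadgeJson(`https://hivebuzz.me/api/badges/${encodedUsername}`),
  fetchBadgeJson(`https://peakd.com/api/public/badge/${encodedUsername}`)
]);
if (hivebuzzResult.status === 'rejected') {
  logger.error('Error fetching hivebuzz badges: %o', hivebuzzResult.reason);
} else if (Array.isArray(hivebuzzResult.value)) {
  hivebuzzJsonStateOn = hivebuzzResult.value.filter((badge: Badge) => badge.state === 'on');
}
// … unchanged: peakd mapping, now reading peakdResult.value under the same rejected / Array.isArray guards …
```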
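Review bot: `throw new Error({ statusCode: 400, message: validationResult })` passes an object where the `Error` constructor expects a string message, so under strict TypeScript this line should be rejected unless the project augments `Error`, and at runtime `error.message` becomes `[object Object]` — both the status and the validation text the commit description says it adds are lost, leaving `errorCode = 400` as the only signal the outer catch can use. If validateHiveAccountName returns a string, `throw Object.assign(new Error(validationResult), { statusCode: 400 });` keeps the message readable and the status attached. The context line `logger.info('validationResult: %s', validationResult)` logs at info level on every request, including the happy path where the result is null; debug level would fit better. getServerSideProps continues outside the hunk.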