omsimos / umamin

🔐 The platform for encrypted anonymous messages.

Home Page: https://umamin.link

License: GNU General Public License v3.0

JavaScript 1.72% TypeScript 95.38% CSS 0.54% MDX 2.36%
graphql nextjs serverless typescript

umamin's Introduction

OMSIMOS© COLLECTIVE

We are a passionate group of developers and enthusiasts who believe in the power of collaboration and in the potential of open-source software to empower communities and developers worldwide and to drive innovation.

OMSIMOS© FREELANCE

Our mission is to help our clients transform their ideas into a digital reality. We understand that turning a concept into a functional and visually appealing digital solution requires expertise, creativity, and technical know-how. That's where we come in.

To learn more about OMSIMOS© FREELANCE and discuss how we can bring your digital ideas to life, please visit our website. Our team is ready to collaborate with you and create impactful digital experiences that exceed your expectations.

License

Licensed under the GPL-3.0 license.

umamin's People

Contributors

blankeos, dependabot[bot], edmer664, hyamero, joshxfi, princejoogie, turbobot-temp, zomeru

umamin's Issues

word filters

  • per user? list of words to ban
  • app-level filter (sentiment analysis?)

delete button on messages

Is your feature request related to a problem? Please describe.
You might not need all the messages you have, or you may just want to remove some for a reason.

Describe the solution you'd like
Add a delete message button

Messages problem

Describe the bug
I cannot see the anonymous messages sent to me.

Expected behavior
Nothing much

I can read anyone's private Umamin inbox with a little tinkering to the original GraphQL request

Describe the bug
This vulnerability/bug is also known as an Insecure Direct Object Reference (IDOR) bug. It allows unauthorized users to view anyone's private messages by obtaining the target user's receiverId/userId.

To Reproduce
Steps to reproduce the behavior:

  1. The endpoint /api/graphql is the one vulnerable to this attack.
  2. My POST request data is as follows:
     {"query":"mutation sendMessage($input: SendMessageInput!) {\n  sendMessage(input: $input) {\n     id\n    receiverId\n    content\n  }\n}\n","variables":{"input":{"receiverUsername":"TARGET_USERNAME","content":"CONTENT_HERE","receiverMsg":"Send me an anonymous message!"}},"operationName":"sendMessage"}
  3. (Explanation of the request above) I just added the receiverId variable to the original GraphQL request.
  4. The endpoint will unexpectedly respond with the private receiverId value like below:
     {"data":{"sendMessage":{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","receiverId":"xxxxxx-xxx-xxxx-xxxx-xxxxxx","content":"CONTENT_HERE"}}}
  5. Now, send another POST request to the same endpoint /api/graphql:
     {"query":"query getMessages($userId: ID!) {\n  messages(userId: $userId) {\n    id\n    content\n    isOpened\n    receiverMsg\n  }\n}\n","variables":{"userId":"THE_RECEIVERID_YOU_OBTAINED_EARLIER"},"operationName":"getMessages"}
  6. The endpoint will respond with the private messages corresponding to the userId you obtained:
     {"data":{"messages":[{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","content":"vvvvvvvvvv","isOpened":false,"receiverMsg":"Send me an anonymous message!"},{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","content":"vvvvvvvvvv","isOpened":true,"receiverMsg":"Send me an anonymous message!"}]}}

Expected behavior
This endpoint should return an error and not allow anyone to just grab another user's private userId, AND/OR the endpoint should not allow non-authorized users to use any valid userId.
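The authorization the report asks for, written as an added TypeScript example (not umamin's own code): resolver functions for the `messages` query and `sendMessage` mutation quoted in the requests above, where the `messages` resolver compares the requested `userId` with the authenticated identity and the `sendMessage` payload omits `receiverId`. The `Context` shape, the `User`/`Message` types and the in-memory data are assumptions constructed here.

```typescript
// Added example, not umamin's code: the two operations from the report with the
// authorization the report asks for. Type/field names follow the quoted requests;
// the Context shape and the in-memory data are assumed and constructed here.

interface User { id: string; username: string }
interface Message { id: string; receiverId: string; content: string; isOpened: boolean; receiverMsg: string }

// The authenticated user, as the GraphQL server would derive it from a session
// cookie or signed token before calling any resolver (assumption).
interface Context { currentUserId: string | null }

// Constructed sample data standing in for the database.
const users: User[] = [
  { id: "user-aaa", username: "alice" },
  { id: "user-bbb", username: "bob" },
];
const messages: Message[] = [
  { id: "msg-1", receiverId: "user-aaa", content: "hi alice", isOpened: false, receiverMsg: "Send me an anonymous message!" },
  { id: "msg-2", receiverId: "user-bbb", content: "hi bob", isOpened: true, receiverMsg: "Send me an anonymous message!" },
];

// Query.messages(userId): the inbox is readable only by its authenticated owner.
// The argument is checked against the identity in the context instead of being
// trusted on its own; that missing comparison is the IDOR described in the report.
function messagesResolver(args: { userId: string }, ctx: Context) {
  if (ctx.currentUserId === null || ctx.currentUserId !== args.userId) {
    throw new Error("not authorized: inbox does not belong to the current user");
  }
  return messages
    .filter((m) => m.receiverId === args.userId)
    .map((m) => ({ id: m.id, content: m.content, isOpened: m.isOpened, receiverMsg: m.receiverMsg }));
}

// Mutation.sendMessage(input): anyone may send anonymously, but the payload type
// exposes only id and content, so the recipient's internal id is never returned.
function sendMessageResolver(input: { receiverUsername: string; content: string; receiverMsg: string }) {
  const receiver = users.filter((u) => u.username === input.receiverUsername)[0];
  if (receiver === undefined) throw new Error("unknown receiver");
  const msg: Message = {
    id: "msg-" + (messages.length + 1),
    receiverId: receiver.id,
    content: input.content,
    isOpened: false,
    receiverMsg: input.receiverMsg,
  };
  messages.push(msg);
  return { id: msg.id, content: msg.content };
}
```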

Showing visitor address

My problem is I'm always wondering who the person who messaged me is or if it is still the same person who messaged me yesterday. Yes, I know this is anonymous for messages, so it really needs to be hidden, but I would like to suggest a solution to avoid confusion.

The solution I would like to request is that when someone visits this site to confess, then their device location or the location of the person who sent me an anonymous message will be detected and notified to my notifications. Like, for example, the same thing with the Wix site app. If you visit the site, the location of those who visit my site can be detected and it will notify me. I mean, it is still anonymous because the real identity and username are still hidden, but the location is not hidden to avoid confusion and to be notified. It would be better if their location could be detected because then you would know if the person who messaged you yesterday is still the person who messaged you today.

I will send screenshots of an example of this kind of solution and what it looks like. Trust me, this is better and will lead to a safer environment, especially since people nowadays love to message rude and mean confessions, so I hope this request will be processed soon.

Bug report

Describe the bug
I can't read an anonymous message. It's disappearing when I'm trying to open it.

Expected behavior
I expect it to be fixed as soon as possible. I reported it earlier but it's not working.

Smartphone (please complete the following information):

  • Device: iPhone 11 Pro Max
  • OS: iOS 15.6
  • Browser: Safari
  • Version: 15.6

Additional context
It keeps disappearing.

where to host database?

Currently using railway.app in production for a PostgreSQL database.

Railway (left) vs PlanetScale (right)

Railway will be nerfing its free tier.

PlanetScale has 1 billion row reads a month + 10 million row writes a month for free.
Should we move to a Vitess/MySQL database w/ planetscale @princejoogie ?

PS: umamin will be free and ad-free so I want to use free tiers.

My link can't be messaged anymore; I had my friend try it, but something different shows up

security patches

TODOS:

  • csrf prevention
  • cors
  • captcha (login/register)
  • rate limiter (send message)

user in inbox not changing on first render

Describe the bug
Account/user's inbox does not change after signing out and then logging in with a different account but only changes after a reload.

To Reproduce
Steps to reproduce the behavior:

  1. Login
  2. Logout
  3. Login with a different account
  4. You'll see that the user in the unique link is the one you previously logged in with

Expected behavior
The user in the inbox should be the one that is currently logged in on first render

Screenshots

  • logged in as test but previously logged in as testuser.

set own password

Currently the app generates a random password to use for logging in during the signup process.

I think it is better to let them set it on their own during sign up, considering we have no password reset (yet), which would require them to register their email later on.

They can also easily forget or misplace the password generated for them (which I did a few times and had to delete that user from the db).

WDYT? @joshxfi @hyamero

GraphQL JWT

CORS will be replaced with a JWT token to protect the API route (to allow queries from the mobile app). The JWT payload is to include the userId.

note on useQuery key

useQuery expects a key and uses it for caching. when fetching something that has a dependency, make sure to add it to the key.

e.g.

// This is how it currently is
const user = useQuery("user", () => getUser({ username }))
// ^ We are using a variable (username) in `getUser()`, so it is a dependency.
// This will cause caching errors if the key is just "user".

// Instead, we should update the key to:
const user = useQuery(["user", { username, /* other deps */ }], () => getUser({ username }))
// ^ This is how you should query a user. This also applies to other queries like user messages, etc.

cc @joshxfi @hyamero

The messages are disappearing

umamin bug

Describe the bug
It shows that I have 3 umamin messages but I can't view any of them. All of them start disappearing in a split second after refreshing.

Expected behavior
I expect to see my umamin messages after this.

Smartphone (please complete the following information):

  • Device: Samsung Galaxy J4 Plus
  • OS: Android
  • Browser: Chrome
  • Version: 9

share button

  • add a share button in each message card
  • will export an image of the message card (used to post in ig story etc.)

if possible,

  • a share button that directly creates a story instance in instagram

Display bug

You are unable to receive a message unless you use the original browser.

Link error

Bug
Opening link error

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'dashboard'
  2. Copy URL
  3. Open URL

analytics

  • add google analytics
  • we can use firebase for this
  • used to track number of users and geo info