fix: address coderabbit comments

Author: sosweetham

.env.example

@@ -92,7 +92,7 @@ PUBLIC_PROVISIONER_SHARED_SECRET="your-provisioner-shared-secret"
 
 PUBLIC_ESIGNER_BASE_URL="http://localhost:3004"
 PUBLIC_FILE_MANAGER_BASE_URL="http://localhost:3005"
-PUBLIC_PROFILE_EDITOR_BASE_URL="http://localhost:3007"
+PUBLIC_PROFILE_EDITOR_BASE_URL=http://localhost:3007
 
 DREAMSYNC_DATABASE_URL=postgresql://postgres:postgres@localhost:5432/dreamsync
 VITE_DREAMSYNC_BASE_URL="http://localhost:8888"

infrastructure/dev-sandbox/src/routes/+page.svelte

@@ -469,8 +469,12 @@ async function doProvision() {
                 identity.w3id,
                 profile,
             );
-            const next = [...identities];
-            next[selectedIndex] = { ...next[selectedIndex], displayName: profile.displayName };
+            const provisionedKeyId = identity.keyId;
+            const next = identities.map((id) =>
+                id.keyId === provisionedKeyId
+                    ? { ...id, displayName: profile.displayName }
+                    : id,
+            );
             identities = next;
             saveIdentities(next);
             addLog("success", "UserProfile created", profile.displayName);

platforms/file-manager/api/src/controllers/FileController.ts

@@ -453,7 +453,7 @@ export class FileController {
             }
 
             const { id } = req.params;
-            const { displayName, description, folderId } = req.body;
+            const { displayName, description, folderId, isPublic } = req.body;
 
             const file = await this.fileService.updateFile(
                 id,
@@ -473,6 +473,11 @@ export class FileController {
                     .json({ error: "File not found or not authorized" });
             }
 
+            if (typeof isPublic === "boolean") {
+                await this.fileService.setFilePublic(id, isPublic);
+                file.isPublic = isPublic;
+            }
+
             res.json({
                 id: file.id,
                 name: file.name,
@@ -483,6 +488,7 @@ export class FileController {
                 md5Hash: file.md5Hash,
                 ownerId: file.ownerId,
                 folderId: file.folderId,
+                isPublic: file.isPublic,
                 createdAt: file.createdAt,
                 updatedAt: file.updatedAt,
             });
@@ -568,8 +574,8 @@ export class FileController {
     };
 
     /**
-     * Serves a file publicly without authentication.
-     * The file ID acts as an unguessable capability token.
+     * Serves a file publicly. Only files explicitly marked isPublic=true
+     * are served; all others return 404.
      */
     publicPreview = async (req: Request, res: Response) => {
         try {
@@ -584,7 +590,10 @@ export class FileController {
                 return res.redirect(file.url);
             }
 
-            // Legacy fallback for files still in DB
+            if (!file.data) {
+                return res.status(410).json({ error: "File data unavailable" });
+            }
+
             res.setHeader("Content-Type", file.mimeType);
             res.setHeader(
                 "Content-Disposition",

platforms/file-manager/api/src/database/entities/File.ts

@@ -44,6 +44,9 @@ export class File {
     @Column({ type: "text", nullable: true })
     url!: string | null;
 
+    @Column({ default: false })
+    isPublic!: boolean;
+
     @Column()
     ownerId!: string;
 

platforms/file-manager/api/src/database/migrations/1775700000000-AddIsPublicToFiles.ts

@@ -0,0 +1,13 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddIsPublicToFiles1775700000000 implements MigrationInterface {
+    name = 'AddIsPublicToFiles1775700000000'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "files" ADD "isPublic" boolean NOT NULL DEFAULT false`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "files" DROP COLUMN "isPublic"`);
+    }
+}

platforms/file-manager/api/src/services/FileService.ts

@@ -116,14 +116,18 @@ export class FileService {
 
     async getFileByIdPublic(id: string): Promise<File | null> {
         const file = await this.fileRepository.findOne({
-            where: { id },
+            where: { id, isPublic: true },
         });
         if (!file || file.name === SOFT_DELETED_FILE_NAME) {
             return null;
         }
         return file;
     }
 
+    async setFilePublic(id: string, isPublic: boolean): Promise<void> {
+        await this.fileRepository.update(id, { isPublic });
+    }
+
     async getFileById(id: string, userId: string): Promise<File | null> {
         const file = await this.fileRepository.findOne({
             where: { id },

platforms/pictique/api/src/controllers/WebhookController.ts

@@ -41,11 +41,13 @@ export class WebhookController {
             const mapping = Object.values(this.adapter.mapping).find(
                 (m) => m.schemaId === schemaId
             );
-            this.adapter.addToLockedIds(globalId);
 
             if (!mapping) {
+                console.log(`[webhook] skipping unknown schema ${schemaId} for ${globalId}`);
                 return res.status(200).send();
             }
+
+            this.adapter.addToLockedIds(globalId);
             const local = await this.adapter.fromGlobal({
                 data: req.body.data,
                 mapping,

platforms/profile-editor/api/src/services/EVaultProfileService.ts

@@ -295,6 +295,11 @@ export class EVaultProfileService {
 			if (data.avatar !== undefined) u.avatar = data.avatar;
 			if (data.banner !== undefined) u.banner = data.banner;
 			await repo.save(u);
+
+			// Mark new avatar/banner files as publicly accessible
+			const { markFilePublic } = await import("../utils/file-proxy");
+			if (data.avatar) markFilePublic(data.avatar, eName).catch(() => {});
+			if (data.banner) markFilePublic(data.banner, eName).catch(() => {});
 		}
 
 		const cached = this.cache.get(eName);
@@ -470,7 +475,10 @@ export class EVaultProfileService {
 		try {
 			const userNode = await this.findMetaEnvelopeByOntology(client, USER_ONTOLOGY);
 			const existing = (userNode?.parsed ?? {}) as Record<string, unknown>;
+			// Preserve the existing ACL; only default to public for new envelopes
+			const existingAcl = (userNode as any)?.acl;
 
+			// Only patch avatarUrl/bannerUrl — don't overwrite other User fields
 			const patch: Record<string, unknown> = { ...existing };
 			if (profile.avatar) {
 				patch.avatarUrl = getFileManagerPublicUrl(profile.avatar);
@@ -482,7 +490,11 @@ export class EVaultProfileService {
 			if (userNode) {
 				await client.request<UpdateResult>(UPDATE_MUTATION, {
 					id: userNode.id,
-					input: { ontology: USER_ONTOLOGY, payload: patch, acl: ["*"] },
+					input: {
+						ontology: USER_ONTOLOGY,
+						payload: patch,
+						acl: existingAcl ?? ["*"],
+					},
 				});
 			} else {
 				patch.ename = eName;

platforms/profile-editor/api/src/utils/file-proxy.ts

@@ -12,6 +12,59 @@ function mintFmToken(userId: string): string {
 	return jwt.sign({ userId }, secret, { expiresIn: "1h" });
 }
 
+import dns from "dns/promises";
+import net from "net";
+
+/**
+ * Validates a URL is safe to fetch (not internal/private).
+ * Blocks non-https schemes (except data:), loopback, private, and link-local IPs.
+ */
+async function isUrlAllowed(url: string): Promise<boolean> {
+	if (url.startsWith("data:")) return true;
+	let parsed: URL;
+	try {
+		parsed = new URL(url);
+	} catch {
+		return false;
+	}
+	if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
+
+	const hostname = parsed.hostname;
+	if (hostname === "localhost" || hostname === "[::1]") return false;
+
+	// Resolve hostname to IP and check for private ranges
+	let addresses: string[];
+	try {
+		if (net.isIP(hostname)) {
+			addresses = [hostname];
+		} else {
+			const results = await dns.resolve4(hostname).catch(() => [] as string[]);
+			const results6 = await dns.resolve6(hostname).catch(() => [] as string[]);
+			addresses = [...results, ...results6];
+		}
+	} catch {
+		return false;
+	}
+
+	for (const addr of addresses) {
+		if (net.isIPv4(addr)) {
+			const parts = addr.split(".").map(Number);
+			if (parts[0] === 127) return false;                                    // 127.0.0.0/8
+			if (parts[0] === 10) return false;                                     // 10.0.0.0/8
+			if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return false; // 172.16.0.0/12
+			if (parts[0] === 192 && parts[1] === 168) return false;                // 192.168.0.0/16
+			if (parts[0] === 169 && parts[1] === 254) return false;                // 169.254.0.0/16
+			if (parts[0] === 0) return false;                                      // 0.0.0.0/8
+		} else if (net.isIPv6(addr)) {
+			const normalized = addr.toLowerCase();
+			if (normalized === "::1") return false;
+			if (normalized.startsWith("fc") || normalized.startsWith("fd")) return false; // fc00::/7
+			if (normalized.startsWith("fe80")) return false;                              // fe80::/10
+		}
+	}
+	return true;
+}
+
 /**
  * Downloads an image from a URL (HTTP or data: URI) and uploads it to the
  * file-manager service, returning the resulting file ID.
@@ -22,6 +75,11 @@ export async function downloadUrlAndUploadToFileManager(
 	ename: string,
 ): Promise<string | null> {
 	try {
+		if (!(await isUrlAllowed(url))) {
+			console.warn("SSRF blocked: disallowed URL", url);
+			return null;
+		}
+
 		let buffer: Buffer;
 		let mimeType = "image/png";
 		let filename = "avatar.png";
@@ -37,6 +95,7 @@ export async function downloadUrlAndUploadToFileManager(
 			const response = await axios.get(url, {
 				responseType: "arraybuffer",
 				timeout: 15_000,
+				maxRedirects: 3,
 			});
 			buffer = Buffer.from(response.data);
 			const ct = response.headers["content-type"];
@@ -63,7 +122,11 @@ export async function downloadUrlAndUploadToFileManager(
 			},
 		);
 
-		return res.data?.id ?? null;
+		const fileId = res.data?.id;
+		if (fileId) {
+			await markFilePublic(fileId, ename);
+		}
+		return fileId ?? null;
 	} catch (error: any) {
 		console.error(
 			"Failed to download/upload avatar or banner:",
@@ -73,6 +136,28 @@ export async function downloadUrlAndUploadToFileManager(
 	}
 }
 
+/**
+ * Marks a file as publicly accessible in file-manager via PATCH.
+ */
+export async function markFilePublic(fileId: string, ename: string): Promise<void> {
+	try {
+		const token = mintFmToken(ename);
+		await axios.patch(
+			`${FILE_MANAGER_BASE_URL()}/api/files/${fileId}`,
+			{ isPublic: true },
+			{
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: `Bearer ${token}`,
+				},
+				timeout: 10_000,
+			},
+		);
+	} catch (error: any) {
+		console.error("Failed to mark file as public:", error.message);
+	}
+}
+
 export async function proxyFileFromFileManager(
 	fileId: string,
 	ename: string,

platforms/profile-editor/client/src/lib/utils/file-manager.ts

@@ -1,8 +1,5 @@
-import { PUBLIC_PROFILE_EDITOR_BASE_URL } from '$env/static/public';
 import { apiClient } from './axios';
 
-const API_BASE = () => PUBLIC_PROFILE_EDITOR_BASE_URL || 'http://localhost:3007';
-
 export async function uploadFile(
 	file: File,
 	onProgress?: (progress: number) => void
@@ -27,5 +24,6 @@ export async function uploadFile(
 export type ProfileAssetType = 'avatar' | 'banner' | 'cv' | 'video';
 
 export function getProfileAssetUrl(ename: string, type: ProfileAssetType): string {
-	return `${API_BASE()}/api/profiles/${encodeURIComponent(ename)}/${type}`;
+	const base = apiClient.defaults.baseURL || 'http://localhost:3007';
+	return `${base}/api/profiles/${encodeURIComponent(ename)}/${type}`;
 }