MettaChain · devdeen213 · Jun 27, 2026 · Jun 27, 2026 · Jun 27, 2026 · Jun 27, 2026
diff --git a/src/admin/admin.controller.ts b/src/admin/admin.controller.ts
@@ -3,18 +3,23 @@
 import {
   Body,
   Controller,
+  Delete,
   Get,
+  NotFoundException,
   Param,
   Patch,
   Post,
   Put,
   Query,
   Res,
   UseGuards,
+  UseInterceptors,
   HttpException,
   HttpStatus,
 } from '@nestjs/common';
 import { Response } from 'express';
+import * as fs from 'fs';
+import * as path from 'path';
 import { CurrentUser } from '../auth/decorators/current-user.decorator';
 import { Roles } from '../auth/decorators/roles.decorator';
 import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
@@ -37,6 +42,7 @@
   UpdateTransactionStatusDto,
 } from './dto/admin.dto';
 import { RestoreBackupDto, UpdateBackupScheduleDto } from '../backup/dto/backup.dto';
+import { AdminAuditInterceptor } from './admin-audit.interceptor';
 
 @Controller('admin')
 @UseGuards(JwtAuthGuard, RolesGuard)
@@ -49,22 +55,22 @@
  ) {}

  @Get('dashboard')
  getDashboard() {
    return this.adminService.getDashboard();
  }

  @Get('backups')
  listBackups() {
    return this.adminService.listBackups();
  }

  @Get('backups/status')
  getBackupStatus() {
    return this.adminService.getBackupStatus();
  }

  @Get('backups/schedule')
  getBackupSchedule() {
    return this.adminService.getBackupSchedule();
  }

@@ -270,4 +276,17 @@
       note: 'This is a preview with sample data. Actual emails will use real data.',
     };
   }
+
+  @Delete('exports/:filename')
+  deleteExport(@Param('filename') filename: string) {
+    const filepath = path.join(process.cwd(), 'exports', filename);
+
+    if (!fs.existsSync(filepath)) {
+      throw new NotFoundException('Export file not found');
+    }
+
+    fs.unlinkSync(filepath);
+
+    return { message: 'Export file deleted successfully' };
+  }
 }
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -32,7 +32,6 @@ import {
   comparePassword,
   createSha256,
   generateBackupCodes,
-  getPasswordHistoryLimit,
   hashPassword,
   parseDuration,
   randomBase32Secret,
@@ -111,7 +110,7 @@ export class AuthService {
       throw new BadRequestException('A user with that email already exists');
     }
 
-    const passwordErrors = validatePassword(data.password);
+    const passwordErrors = validatePassword(data.password, this.configService);
     if (passwordErrors.length > 0) {
       throw new BadRequestException(
         `Password does not meet complexity requirements: ${passwordErrors.join('; ')}`,
@@ -663,7 +662,7 @@ export class AuthService {
   }
 
   async changePassword(user: AuthUserPayload, data: ChangePasswordDto) {
-    const passwordHistoryLimit = getPasswordHistoryLimit();
+    const passwordHistoryLimit = this.getPasswordHistoryLimit();
     const existingUser = await this.prisma.user.findUnique({
       where: { id: user.sub },
       include: {
@@ -685,7 +684,7 @@ export class AuthService {
       throw new UnauthorizedException('Current password is incorrect');
     }
 
-    const passwordErrors = validatePassword(data.newPassword);
+    const passwordErrors = validatePassword(data.newPassword, this.configService);
     if (passwordErrors.length > 0) {
       throw new BadRequestException(
         `Password does not meet complexity requirements: ${passwordErrors.join('; ')}`,
@@ -1294,9 +1293,9 @@ export class AuthService {
       throw new BadRequestException('Account is blocked');
     }
 
-    const passwordHistoryLimit = getPasswordHistoryLimit();
+    const passwordHistoryLimit = this.getPasswordHistoryLimit();
 
-    const passwordErrors = validatePassword(data.newPassword);
+    const passwordErrors = validatePassword(data.newPassword, this.configService);
     if (passwordErrors.length > 0) {
       throw new BadRequestException(
         `Password does not meet complexity requirements: ${passwordErrors.join('; ')}`,
@@ -1396,6 +1395,11 @@ export class AuthService {
     });
   }
 
+  private getPasswordHistoryLimit(): number {
+    const parsed = Number(this.configService.get('PASSWORD_HISTORY_LIMIT') ?? 5);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : 5;
+  }
+
   private async verifyCaptcha(token: string): Promise<boolean> {
     const secret = this.configService.get<string>('RECAPTCHA_SECRET');
     if (!secret) {

diff --git a/src/auth/password.utils.ts b/src/auth/password.utils.ts
@@ -1,5 +1,7 @@
 // @ts-nocheck
 
+import { ConfigService } from '@nestjs/config';
+
 export type PasswordPolicy = {
   minLength: number;
   requireUppercase: boolean;
@@ -9,22 +11,22 @@ export type PasswordPolicy = {
   specialChars?: string;
 };
 
-export function getPasswordPolicy(): PasswordPolicy {
-  const minLength = Number(process.env.PASSWORD_MIN_LENGTH ?? 8);
+export function getPasswordPolicy(configService: ConfigService): PasswordPolicy {
+  const minLength = Number(configService.get('PASSWORD_MIN_LENGTH') ?? 8);
   return {
     minLength: Number.isFinite(minLength) && minLength > 0 ? minLength : 8,
-    requireUppercase: (process.env.PASSWORD_REQUIRE_UPPERCASE ?? 'true') === 'true',
-    requireLowercase: (process.env.PASSWORD_REQUIRE_LOWERCASE ?? 'true') === 'true',
-    requireDigit: (process.env.PASSWORD_REQUIRE_DIGIT ?? 'true') === 'true',
-    requireSpecial: (process.env.PASSWORD_REQUIRE_SPECIAL ?? 'true') === 'true',
+    requireUppercase: (configService.get('PASSWORD_REQUIRE_UPPERCASE') ?? 'true') === 'true',
+    requireLowercase: (configService.get('PASSWORD_REQUIRE_LOWERCASE') ?? 'true') === 'true',
+    requireDigit: (configService.get('PASSWORD_REQUIRE_DIGIT') ?? 'true') === 'true',
+    requireSpecial: (configService.get('PASSWORD_REQUIRE_SPECIAL') ?? 'true') === 'true',
     specialChars:
-      process.env.PASSWORD_SPECIAL_CHARS ?? '!@#$%^&*()_+-=[]{}|;:\",./<>?'.slice(0, 32),
+      configService.get('PASSWORD_SPECIAL_CHARS') ?? '!@#$%^&*()_+-=[]{}|;:\",./<>?'.slice(0, 32),
   };
 }
 
-export function validatePassword(password: string): string[] {
+export function validatePassword(password: string, configService: ConfigService): string[] {
   const errors: string[] = [];
-  const policy = getPasswordPolicy();
+  const policy = getPasswordPolicy(configService);
 
   if (!password || password.length < policy.minLength) {
     errors.push(`Password must be at least ${policy.minLength} characters long`);

diff --git a/src/auth/security.utils.ts b/src/auth/security.utils.ts
@@ -78,11 +78,6 @@ export function generateBackupCodes(count = 8): string[] {
   return Array.from({ length: count }, () => randomBytes(4).toString('hex').toUpperCase());
 }
 
-export function getPasswordHistoryLimit(): number {
-  const parsed = Number(process.env.PASSWORD_HISTORY_LIMIT ?? 5);
-  return Number.isFinite(parsed) && parsed > 0 ? parsed : 5;
-}
-
 export function verifyBackupCode(candidate: string, backupCodeHashes: string[]) {
   const digest = createSha256(candidate.trim().toUpperCase());
   const digestBuffer = Buffer.from(digest);

diff --git a/src/email/email.module.ts b/src/email/email.module.ts
@@ -6,7 +6,7 @@ import { EmailWebhookController } from './email-webhook.controller';
 import { PrismaModule } from '../database/prisma.module';
 import { TrackingModule } from '../tracking/tracking.module';
 import { MailerModule } from '@nestjs-modules/mailer';
-import { EjsAdapter } from '@nestjs-modules/mailer/dist/adapters/ejs.adapter';
+import { EjsAdapter } from '@nestjs-modules/mailer/adapters/ejs.adapter';
 import { ConfigService } from '@nestjs/config';
 import { join } from 'path';
 import { BullModule } from '@nestjs/bullmq';

diff --git a/src/transactions/dto/transaction.dto.ts b/src/transactions/dto/transaction.dto.ts
@@ -1,6 +1,6 @@
 // @ts-nocheck
 
-import { IsString, IsNumber, IsOptional, IsEnum, IsUUID, IsDate, IsIn, Min } from 'class-validator';
+import { IsString, IsNumber, IsOptional, IsEnum, IsUUID, IsDate, IsIn, Min, Max } from 'class-validator';
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
 import { Type } from 'class-transformer';
 
@@ -213,6 +213,13 @@ export class TransactionAnalyticsQueryDto {
   @IsOptional()
   @IsEnum(TransactionTypeDto)
   type?: TransactionTypeDto;
+
+  @ApiPropertyOptional({ description: 'Maximum number of days for the date range (1-365)' })
+  @IsOptional()
+  @IsNumber()
+  @Min(1)
+  @Max(365)
+  maxDays?: number = 365;
 }
 
 export class TransactionVolumeTrendDto {

diff --git a/src/transactions/transactions.service.ts b/src/transactions/transactions.service.ts
@@ -315,6 +315,7 @@ export class TransactionsService {
    */
   async getAnalytics(query: TransactionAnalyticsQueryDto = {}): Promise<TransactionAnalyticsDto> {
     const where: Record<string, any> = {};
+    const maxDays = query.maxDays ?? 365;
 
     if (query.type) {
       where.type = query.type;
@@ -324,6 +325,24 @@ export class TransactionsService {
       where.createdAt = {};
       if (query.startDate) where.createdAt.gte = query.startDate;
       if (query.endDate) where.createdAt.lte = query.endDate;
+
+      if (query.startDate && query.endDate) {
+        const diffMs = new Date(query.endDate).getTime() - new Date(query.startDate).getTime();
+        const diffDays = Math.ceil(diffMs / (1000 * 60 * 60 * 24));
+        if (diffDays > maxDays) {
+          const cappedEnd = new Date(query.startDate);
+          cappedEnd.setDate(cappedEnd.getDate() + maxDays);
+          where.createdAt.lte = cappedEnd;
+        }
+      } else if (query.startDate && !query.endDate) {
+        const cappedEnd = new Date(query.startDate);
+        cappedEnd.setDate(cappedEnd.getDate() + maxDays);
+        where.createdAt.lte = cappedEnd;
+      } else if (!query.startDate && query.endDate) {
+        const cappedStart = new Date(query.endDate);
+        cappedStart.setDate(cappedStart.getDate() - maxDays);
+        where.createdAt.gte = cappedStart;
+      }
     }
 
     const transactions = await this.prisma.transaction.findMany({

diff --git a/src/users/avatar-upload.controller.ts b/src/users/avatar-upload.controller.ts
@@ -16,7 +16,8 @@ import {
 import { FileInterceptor } from '@nestjs/platform-express';
 import { AvatarUploadService } from './avatar-upload.service';
 import { UsersService } from './users.service';
-import { AvatarUploadResponseDto, AvatarDeleteDto } from './dto/avatar-upload.dto';
+import { AvatarUploadResponseDto } from './dto/avatar-upload.dto';
+import { FilenameValidationPipe } from './pipes/filename-validation.pipe';
 
 // Multer type definition
 interface MulterFile {
@@ -67,7 +68,7 @@ export class AvatarUploadController {
 
   @Delete('delete')
   async deleteAvatar(
-    @Body() deleteDto: AvatarDeleteDto,
+    @Body('filename', FilenameValidationPipe) filename: string,
     @Request() req: { user: { id: string } },
   ): Promise<{ message: string }> {
     if (!req.user || !req.user.id) {
@@ -76,7 +77,7 @@ export class AvatarUploadController {
 
     try {
       // Delete avatar file
-      await this.avatarUploadService.deleteAvatar(req.user.id, deleteDto.filename);
+      await this.avatarUploadService.deleteAvatar(req.user.id, filename);
 
       // Remove avatar URL from user's record
       await this.usersService.updateAvatar(req.user.id, null);
@@ -89,7 +90,7 @@ export class AvatarUploadController {
 
   @Get(':filename')
   async getAvatar(
-    @Param('filename') filename: string,
+    @Param('filename', FilenameValidationPipe) filename: string,
     @Request() req: { user: { id: string } },
   ): Promise<{ avatarUrl: string }> {
     if (!req.user || !req.user.id) {

diff --git a/src/users/pipes/filename-validation.pipe.ts b/src/users/pipes/filename-validation.pipe.ts
@@ -0,0 +1,31 @@
+import { PipeTransform, Injectable, BadRequestException } from '@nestjs/common';
+
+const FILENAME_REGEX = /^[a-zA-Z0-9._-]+$/;
+const MAX_FILENAME_LENGTH = 255;
+
+@Injectable()
+export class FilenameValidationPipe implements PipeTransform<string, string> {
+  transform(value: string): string {
+    if (!value || value.trim().length === 0) {
+      throw new BadRequestException('Filename must not be empty');
+    }
+
+    if (value.length > MAX_FILENAME_LENGTH) {
+      throw new BadRequestException(
+        `Filename must not exceed ${MAX_FILENAME_LENGTH} characters`,
+      );
+    }
+
+    if (value.includes('..') || value.includes('/') || value.includes('\\')) {
+      throw new BadRequestException('Filename must not contain path traversal sequences');
+    }
+
+    if (!FILENAME_REGEX.test(value)) {
+      throw new BadRequestException(
+        'Filename must only contain alphanumeric characters, dots, hyphens, and underscores',
+      );
+    }
+
+    return value;
+  }
+}
diff --git a/src/users/users.controller.ts b/src/users/users.controller.ts
@@ -6,6 +6,8 @@ import {
   Delete,
   ForbiddenException,
   Get,
+  GoneException,
+  HttpException,
   HttpStatus,
   InternalServerErrorException,
   NotFoundException,
@@ -27,6 +29,7 @@ import { CurrentUser } from '../auth/decorators/current-user.decorator';
 import { AuthUserPayload } from '../auth/types/auth-user.type';
 import { UserRole } from '../types/prisma.types';
 import { UsersService } from './users.service';
+import { ActivityLogService } from './activity-log.service';
 import {
   CreateUserDto,
   SearchUsersDto,
@@ -39,7 +42,10 @@ import { UpdateProfileDto } from './dto/update-profile.dto';
 
 @Controller('users')
 export class UsersController {
-  constructor(private readonly usersService: UsersService) {}
+  constructor(
+    private readonly usersService: UsersService,
+    private readonly activityLogService: ActivityLogService,
+  ) {}
 
   // ─── Admin Endpoints ─────────────────────────────────────────────
 
@@ -165,12 +171,26 @@ export class UsersController {
       throw new NotFoundException('Export file not found');
     }
 
+    const stats = fs.statSync(filepath);
+    const expirationTime = 24 * 60 * 60 * 1000;
+    if (Date.now() - stats.mtimeMs > expirationTime) {
+      throw new GoneException('Export file has expired');
+    }
+
     const ownerId = this.extractExportOwnerId(filename);
 
     if (user.sub !== ownerId && user.role !== UserRole.ADMIN) {
       throw new ForbiddenException('You are not authorized to download this export');
     }
 
+    this.activityLogService.create(user.sub, {
+      action: 'EXPORT_DOWNLOAD',
+      entityType: 'USER',
+      entityId: ownerId,
+      description: `Downloaded export file: ${filename}`,
+      metadata: { filename, ownerId },
+    });
+
     res.download(filepath, (err) => {
       if (err && !res.headersSent) {
         res.status(HttpStatus.INTERNAL_SERVER_ERROR).send({
@@ -191,17 +211,25 @@ export class UsersController {
   }
 
   @Post('me/reactivate')
-  reactivateAccount(
+  async reactivateAccount(
     @Body() data: { email: string; token?: string },
     @Body() reactivateDto: ReactivateAccountDto,
   ) {
-    return this.usersService.findByEmail(data.email).then((foundUser) => {
+    try {
+      const foundUser = await this.usersService.findByEmail(data.email);
+
       if (!foundUser) {
-        throw new Error('User not found');
+        throw new NotFoundException('User not found');
       }
 
       return this.usersService.reactivate(foundUser.id, reactivateDto);
-    });
+    } catch (error) {
+      if (error instanceof HttpException) {
+        throw error;
+      }
+
+      throw new InternalServerErrorException('An unexpected error occurred');
+    }
   }
 
   // ─── Admin Verification ────────────────────────────────────────