Update server.js

server.js

@@ -9,9 +9,12 @@ const streamifier = require('streamifier');
 const app = express();
 const upload = multer({ storage: multer.memoryStorage() });
 
+// Detect if we are in production (HTTPS) or development
+const IS_PROD = process.env.NODE_ENV === 'production';
+
 app.set('trust proxy', 1);
 
-// Configure Cloudinary with your .env variables
+// Configure Cloudinary
 cloudinary.config({
   cloud_name: process.env.CLOUDINARY_CLOUD_NAME,
   api_key: process.env.CLOUDINARY_API_KEY,
@@ -21,9 +24,8 @@ cloudinary.config({
 const DB_FILE = 'megapin_master_db.json'; 
 const MAX_TRENDING = 100;
 
-// ADMIN CONFIGURATION
-const ADMIN_USER = process.env.ADMIN_USER; // Set this in your .env
-const ADMIN_PASS = process.env.ADMIN_PASS; // Set this in your .env
+const ADMIN_USER = process.env.ADMIN_USER; 
+const ADMIN_PASS = process.env.ADMIN_PASS; 
 const DEFAULT_AVATAR = "https://cdn-icons-png.flaticon.com/512/149/149071.png"; 
 
 let localDB = null; 
@@ -32,14 +34,17 @@ app.use(express.urlencoded({ extended: true }));
 app.use(express.json());
 app.set('view engine', 'ejs');
 
+// --- FIXED SESSION CONFIG ---
 app.use(cookieSession({
   name: '__Secure-session',
-  keys: [process.env.SESSION_SECRET || 'secret'],
+  keys: [process.env.SESSION_SECRET || 'secret_key_change_me'],
   maxAge: 24 * 60 * 60 * 1000,
-  secure: true,
-  sameSite: 'none',
+  // Only require secure (HTTPS) if we are definitely in production. 
+  // This fixes "Signup broken" issues on localhost or non-https spaces.
+  secure: IS_PROD, 
+  sameSite: IS_PROD ? 'none' : 'lax',
   httpOnly: true,
-  partitioned: true
+  partitioned: IS_PROD
 }));
 
 // --- DB ENGINE ---
@@ -52,6 +57,7 @@ async function initDB() {
         if (!localDB.users) localDB.users = {};
         if (!localDB.pins) localDB.pins = [];
     } catch (e) {
+        // If file doesn't exist yet, create structure
         localDB = { users: {}, pins: [] };
     }
     return localDB;
@@ -84,8 +90,8 @@ function addNotification(toUser, fromUser, type, pinId = null, preview = "") {
     
     localDB.users[toUser].notifications.unshift({
         from: fromUser,
-        fromAvatar: localDB.users[fromUser].avatar,
-        type: type, // 'like', 'comment', 'follow'
+        fromAvatar: localDB.users[fromUser].avatar || DEFAULT_AVATAR,
+        type: type, 
         pinId: pinId,
         preview: preview,
         timestamp: Date.now(),
@@ -100,7 +106,12 @@ async function checkBan(req, res, next) {
     if (!req.session.user) return next();
     await initDB();
     const user = localDB.users[req.session.user];
-    if (user && user.banned) {
+    // If user deleted but session exists, clear session
+    if (!user) {
+        req.session = null;
+        return res.redirect('/');
+    }
+    if (user.banned) {
         req.session = null;
         return res.send("Account Suspended.");
     }
@@ -114,15 +125,16 @@ function checkAdmin(req, res, next) {
 
 // --- ROUTES ---
 
-// Helper to format pins for view
+// Helper to format pins for view safely
 function formatPins(pins, username) {
     return pins.map(pin => {
-        const authorData = localDB.users[pin.author] || { avatar: DEFAULT_AVATAR, displayName: pin.author };
+        // Handle case where user was deleted but pin exists
+        const authorData = localDB.users[pin.author] || { avatar: DEFAULT_AVATAR, displayName: pin.author + " (Deleted)", badge: '' };
         return {
             ...pin,
             authorDisplayName: authorData.displayName || pin.author,
-            authorAvatar: authorData.avatar,
-            badge: authorData.badge,
+            authorAvatar: authorData.avatar || DEFAULT_AVATAR,
+            badge: authorData.badge || '',
             likeCount: pin.likes ? pin.likes.length : 0,
             hasLiked: pin.likes && username ? pin.likes.includes(username) : false,
             comments: pin.comments || []
@@ -186,7 +198,8 @@ app.get('/u/:username', async (req, res) => {
         postCount: userPins.length,
         followerCount: targetUser.followers ? targetUser.followers.length : 0,
         followingCount: targetUser.following ? targetUser.following.length : 0,
-        isFollowing: targetUser.followers && targetUser.followers.includes(username)
+        isFollowing: targetUser.followers && targetUser.followers.includes(username),
+        badge: targetUser.badge || ''
     };
 
     let currentUser = null;
@@ -208,6 +221,7 @@ app.get('/api/pin/:id', async (req, res) => {
     await initDB();
     const pin = localDB.pins.find(p => p.id === parseInt(req.params.id));
     if(!pin) return res.json({error: "Not found"});
+    // Use req.session.user to determine "hasLiked" state in the modal
     const formatted = formatPins([pin], req.session.user)[0];
     res.json(formatted);
 });
@@ -218,8 +232,8 @@ app.get('/api/search-users', async (req, res) => {
     const users = Object.keys(localDB.users).filter(u => u.toLowerCase().includes(q));
     const results = users.map(u => ({
         username: u,
-        avatar: localDB.users[u].avatar,
-        badge: localDB.users[u].badge
+        avatar: localDB.users[u].avatar || DEFAULT_AVATAR,
+        badge: localDB.users[u].badge || ''
     }));
     res.json(results);
 });
@@ -276,8 +290,10 @@ app.post('/api/comment', checkBan, async (req, res) => {
     if (!req.session.user) return res.status(401).json({error: "Login required"});
     await initDB();
     const { pinId, text } = req.body;
+    if(!text || !text.trim()) return res.json({success:false});
+
     const pin = localDB.pins.find(p => p.id === parseInt(pinId));
-    if (pin && text) {
+    if (pin) {
         if (!pin.comments) pin.comments = [];
         const comment = {
             id: Date.now(),
@@ -334,7 +350,13 @@ app.post('/api/admin/delete-user', checkAdmin, async (req, res) => {
     const { targetUser } = req.body;
     if(localDB.users[targetUser] && targetUser !== ADMIN_USER) {
         delete localDB.users[targetUser];
+        // Remove their pins
         localDB.pins = localDB.pins.filter(p => p.author !== targetUser);
+        // Clean up follows (optional but good)
+        Object.values(localDB.users).forEach(u => {
+            if(u.followers) u.followers = u.followers.filter(f => f !== targetUser);
+            if(u.following) u.following = u.following.filter(f => f !== targetUser);
+        });
         await saveDB();
         res.json({success: true});
     } else {
@@ -347,9 +369,16 @@ app.post('/api/admin/delete-user', checkAdmin, async (req, res) => {
 app.post('/signup', async (req, res) => {
     const { username, password, email } = req.body;
     await initDB();
-    if (localDB.users[username]) return res.send("Username taken.");
-    localDB.users[username] = {
-        displayName: username,
+    
+    // VALIDATION FIX: Check empty fields
+    if(!username || !password) return res.send("Username and Password are required.");
+    
+    // Sanitize username
+    const safeUser = username.trim();
+    if (localDB.users[safeUser]) return res.send("Username taken.");
+    
+    localDB.users[safeUser] = {
+        displayName: safeUser,
         hash: bcrypt.hashSync(password, 8),
         email: email,
         avatar: DEFAULT_AVATAR,
@@ -359,13 +388,17 @@ app.post('/signup', async (req, res) => {
         banned: false
     };
     await saveDB();
-    req.session.user = username;
+    req.session.user = safeUser;
     res.redirect('/');
 });
 
 app.post('/login', async (req, res) => {
     const { username, password } = req.body;
     await initDB();
+    
+    // VALIDATION FIX
+    if(!username || !password) return res.send("Missing credentials.");
+
     // Admin Login Check
     if (username === ADMIN_USER && password === ADMIN_PASS) {
         req.session.user = username;
@@ -429,4 +462,4 @@ app.post('/delete', checkBan, async (req, res) => {
 app.get('/logout', (req, res) => { req.session = null; res.redirect('/'); });
 
 initDB();
-app.listen(7860, () => console.log("Megapin Complete Active"));
+app.listen(7860, () => console.log("Megapin Complete Active"));