Enable self service (#175)

* Get basic working (#109)

* Get basic working

* adds rss feeds

* added stablewatch founder and stablecoin intern from messaria as approvers on stablecoins feed

* fixes to config for grants, sui, and telegram channels (#102)

* add query param for selective processing (#103)

* adds query param to process

* add query param for processing

* simplify

* add tags

* Feat: implement frontend leaderboard (#93)

* feat: implement frontend leaderboard

* feat: implement a leaderboard in frontend

* feat: implemented leaderboard

* fix: rebuild implement leaderboard

* fix: prettier

* fix: prettier

* fix: reimplement frontend leaderboard

* fix: implement frontend leaderboard

* approval rate

* sets approval rate and hides curator

---------

Co-authored-by: Elliot Braem <elliot@ejlbraem.com>

* remove tailwind-scrollbar

* added bob to desci feed

* Get basic working

* set .env.example

* nitpicks

---------

Co-authored-by: Elliot Braem <elliot@ejlbraem.com>
Co-authored-by: codingshot <45281667+codingshot@users.noreply.github.com>
Co-authored-by: Elliot Braem <elliot@everything.dev>
Co-authored-by: Louis <112561517+louisdevzz@users.noreply.github.com>

* fix polyfills

* Explore Page (#108)

* Explore Page - commit-1

* Explore Page - commit-2

* explore page - commit-3

* explore page - commit - 4

* explore page - commit - prettier

* explore page responsiveness + code Rabbit Comments

* code Rabbit Comments resolved

* css updates

* css changes 2

* header update + mobile responsive

* conflicts resolved

* Rebase and changes

* Fix fmt

* Header + Explore Page Style (#113)

* Explore Page - commit-1

* Explore Page - commit-2

* explore page - commit-3

* explore page - commit - 4

* explore page - commit - prettier

* explore page responsiveness + code Rabbit Comments

* code Rabbit Comments resolved

* css updates

* css changes 2

* header update + mobile responsive

* conflicts resolved

* Rebase and changes

* Fix fmt

* Header Updates + Web3Auth getUserInfo + Explore Page changes

* fmt

* coderabbit comments resolved

* Profile page (#120)

* Update the FE to have the profile page (header and tabs init)

* Move tabs to it's own component

* Add stats and top badges to overview

* Finish the overview tab

* Update overview page and init content page

* feat(profile-page): add Content and My Feed tags

* feat(profile-page): finish profile page static UI

* refactor: fmt

* [FEATURE] Create Feed Page - DRAFT (#121)

* Curate Engine Step 1

* content-progress-configuration step-1

* Curation Settings Part 2 and 3

* CodeRabbit Comments Resolved + Mobile Responsive

* Responsiveness: empty State, JSON check

---------

Co-authored-by: Elliot Braem <elliot@everything.dev>

* update to main

* fmt

* Feat/submissions page (#127)

* Submissions Page + Feed Page + Mobile Responsiveness

* fixes

* craete-feed authenticated user condition

* fmt

* remove sqlite

---------

Co-authored-by: Elliot Braem <elliot@ejlbraem.com>

* Feed Page Tabs (#130)

* set tanstack routes (#132)

* [Task]: Add connect button to feed page  (#131)

* feat: Add connect button to feed page

* fix: recommit

* added back to stablecoins feed since stablewatch forked their own

* fix packages, update pg, and ignore cloudflare sockets

* fmt

---------

Co-authored-by: ethnclark <ethanclark1310@gmail.com>
Co-authored-by: codingshot <45281667+codingshot@users.noreply.github.com>
Co-authored-by: Elliot Braem <elliot@ejlbraem.com>

* uses prod data

* Update changes to latest staging

* Revert "Update changes to latest staging"

This reverts commit cd12908.

* Fix Sort By Oldest (#136)

* fix: Sort By Oldest

* fix: Sort By Oldest

* fix: Fix RecentSubmissions Sort Order Update

* fix: All feed should be hidden, remove double title

---------

Co-authored-by: vohuunhan1310@gmail.com <ethanclark1310@gmail.com>

* UI fixes (#138)

* UI fixes

* fmt

---------

Co-authored-by: Elliot Braem <elliot@everything.dev>

* Fix: Leaderboard improvements (#140)

* fix: Leaderboard improvements

* fix: fmt

* reorganize

* remove unused

* rename

* clean up

* fmt

---------

Co-authored-by: Elliot Braem <elliot@ejlbraem.com>

* clean up

* wallet wip

* todo

* auth flow, wip

* types clean up

* fix types

* login modal wip

* modals

* controller, service, successful create account

* clean with data, metadata, and pattern, validation, and json schema

* add migration doc

* add activity and delete user

* fix migration

* add seed remote method

* fix naming

* fix script call

* file extension

* remove build schema

* proper build time

* fix Dockerfile

* rsbuild

* Standard Header Component + Responsivenss Fixes (#146)

* Standard Header Component + Responsivenss Fixes

* fmt

* rename Hero

---------

Co-authored-by: Elliot Braem <elliot@ejlbraem.com>

* fix broken link

* don't distribute on staging

* fix path

* env log

* comment out

* railway env

* fix: Profile adjustments (#153)

* fix: Leaderboard improvements

* fix: fmt

* fix: Profile adjustments

* fix: resolve conversation

* Login Modal Fixes (#154)

* Login Modal Fixes

* Resolve Comments

* container

* container fixes

---------

Co-authored-by: Elliot Braem <elliot@everything.dev>

* organize

* fmt

* update feeds (#156)

* Leaderboard width fixes

* feat: save profile image to pinata (#158)

* feat(fe): save profile image to pinata

* fix: fix comment

* Feat Integrate NEAR Solana, Ethereum wallet selection (#159)

* fix: Leaderboard improvements

* fix: fmt

* fix: Profile adjustments

* fix: resolve conversation

* feat: Integrate NEAR wallet selection

* fix: run fmt

* fix: add function create accesstokenpayload use wallet selector near

* fix: resolve conversation

* Feed Submission + Feed Review Page (#160)

* Feed Review Page and Feed Creation

* fmt

* coderabbit comments resolved

* comments resolved

* comments resolved

* reset routeTree

* minor fixes (#164)

* minor fixes

* fmt

* remove node-compile-cache

* reuse user menu

* header clean up

* remove how it works

* clean up

* set submissions at root route

* fmt

* clean

* create is coming soon

* clean up

* user link

* Adds caddyfile and frontend clean up (#165)

* removes serve static from backend

* fmt

* fix build

* adds caddyfile

* clean up submission feed

* pnpm lock

* fix turbo

* fix build

* db migration

* without time zone

* cleans up submission list

* Adds shared-db, types package, initial migration (#166)

* init

* upgrade tsconfigs

* shared-db build

* shared-db wip

* transfer getAllSubmissions

* hooked up

* moves to shared-db

* fmt

* update dockerfile

* monorepo

* working build

* migration service

* turbo

* install pnpm

* temp proxy

* no include request headers

* clean up

* proper path

* renaming

* fmt

* update caddyfile

* different strategy

* use route

* fix BACKEND to API

* ignore temp

* temp remove

* back to orig

* turn on auto https

* disable

* route block

* clean up

* configure host

* favicon

* add staging domain

* http:

* set domain adn host

* correct bash

* matching host

* Adds edit feed and image upload (#168)

* adds page

* image upload and edit feed

* update pnpm lock

* CSR

* vercel json

* move

* temp disable auth

* set image

* fix query

* submisison service running

* Migrates submission service, is running (#169)

* init

* wip

* clean up

* feed list clean up

* break up functions

* fix config path

* adds plugins route and integrates with plugin service

* remote curate.config.json

* plugins table

* adds plugin pages

* set type

* fix feed types

* plguin errors

* env injection

* fix queries

* fix migration

* fix migration

* fix migration

* redo migration

* decouples moderation

* fix status

* fix feeds

* hide moderation actions

* adds overwrite script

* migrate timestamps

* better date handling

* fix

* Adds auth (#174)

* adds fastintear auth, init

* auth flow

* fmt

* adds fastintear auth, init

* auth flow

* fmt

* frontend auth

* auth middleware

* feed protection

* fmt

* moderation wip

* update lock

* migration

* moderation actions

* hide moderation actions

* hack

* fix flow

* enable hosted service

* adds user identities and connect platform

* create profile

* ensureUserExists

* set network for staging

* near account id

* auth provider id not null

* init near

* fix monorepo build

* fmt

* user clean up

* update moderation

* switch to crosspost connected

* fix user id and error

* server side

* moderation hooks

* cleaner logs

* Update apps/api/src/services/moderation.service.ts

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update apps/app/src/lib/near.ts

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update apps/app/src/lib/near.ts

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* adds feature flags and moderation service clean up

---------

Co-authored-by: Zeeshan Ahmad <itexpert120@outlook.com>
Co-authored-by: codingshot <45281667+codingshot@users.noreply.github.com>
Co-authored-by: Louis <112561517+louisdevzz@users.noreply.github.com>
Co-authored-by: Muhammad Saad Iqbal <saadiqbal.dev@outlook.com>
Co-authored-by: ethnclark <ethanclark1310@gmail.com>
Co-authored-by: dungpt82 <69756171+dungpt99@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 8 people

apps/api/package.json

@@ -33,9 +33,11 @@
     "nock": "^13.5.4",
     "typescript": "^5.3.3",
     "wait-on": "^8.0.2",
-    "zod": "^3.24.4"
+    "zod": "^3.25.62"
   },
   "dependencies": {
+    "@crosspost/sdk": "^0.3.0",
+    "@crosspost/types": "^0.3.0",
     "@crosspost/scheduler-sdk": "^0.1.1",
     "@curatedotfun/shared-db": "workspace:*",
     "@curatedotfun/types": "workspace:*",
@@ -59,6 +61,7 @@
     "lodash": "^4.17.21",
     "mustache": "^4.2.0",
     "near-api-js": "^5.1.1",
+    "near-sign-verify": "^0.3.6",
     "ora": "^8.1.1",
     "pg": "^8.15.6",
     "pinata-web3": "^0.5.4",

apps/api/src/app.ts

@@ -4,10 +4,11 @@ import { secureHeaders } from "hono/secure-headers";
 import { db } from "./db";
 import { apiRoutes } from "./routes/api";
 import { AppInstance, Env } from "./types/app";
-import { web3AuthJwtMiddleware } from "./utils/auth";
 import { getAllowedOrigins } from "./utils/config";
 import { errorHandler } from "./utils/error";
 import { ServiceProvider } from "./utils/service-provider";
+import { logger } from "utils/logger";
+import { createAuthMiddleware } from "./middlewares/auth.middleware";
 
 const ALLOWED_ORIGINS = getAllowedOrigins();
 
@@ -18,7 +19,7 @@ export async function createApp(): Promise<AppInstance> {
   const app = new Hono<Env>();
 
   app.onError((err, c) => {
-    return errorHandler(err, c);
+    return errorHandler(err, c, logger);
   });
 
   app.use(
@@ -44,8 +45,8 @@ export async function createApp(): Promise<AppInstance> {
     await next();
   });
 
-  // Authentication middleware
-  app.use("*", web3AuthJwtMiddleware);
+  // Apply auth middleware to all /api routes
+  app.use("/api/*", createAuthMiddleware());
 
   // Mount API routes
   app.route("/api", apiRoutes);

apps/api/src/db/index.ts

@@ -5,6 +5,6 @@ import { Pool } from "pg";
 const pool = new Pool({
   connectionString: process.env.DATABASE_URL!,
 });
-const db: DB = drizzle(pool, { schema });
+const db: DB = drizzle({ client: pool, schema, casing: "snake_case" });
 
 export { db, pool };

apps/api/src/middlewares/auth.middleware.ts

@@ -0,0 +1,54 @@
+import { Context, MiddlewareHandler, Next } from "hono";
+import { verify } from "near-sign-verify";
+
+export function createAuthMiddleware(): MiddlewareHandler {
+  return async (c: Context, next: Next) => {
+    const method = c.req.method;
+    let accountId: string | null = null;
+
+    if (method === "GET") {
+      const nearAccountHeader = c.req.header("X-Near-Account");
+      if (
+        nearAccountHeader &&
+        nearAccountHeader.toLowerCase() !== "anonymous"
+      ) {
+        accountId = nearAccountHeader;
+      }
+      // If header is missing or "anonymous", accountId remains null
+      c.set("accountId", accountId);
+      await next();
+      return;
+    }
+
+    // For non-GET requests (POST, PUT, DELETE, PATCH, etc.)
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      c.status(401);
+      return c.json({
+        error: "Unauthorized",
+        details: "Missing or malformed Authorization header.",
+      });
+    }
+
+    const token = authHeader.substring(7); // Remove "Bearer "
+
+    try {
+      const verificationResult = await verify(token, {
+        expectedRecipient: "curatefun.near",
+        requireFullAccessKey: false,
+        nonceMaxAge: 300000, // 5 mins
+      });
+
+      accountId = verificationResult.accountId;
+      c.set("accountId", accountId);
+      await next();
+    } catch (error) {
+      console.error("Token verification error:", error);
+      c.status(401);
+      return c.json({
+        error: "Unauthorized",
+        details: "Invalid token signature or recipient.",
+      });
+    }
+  };
+}

apps/api/src/routes/api/feeds.ts

@@ -3,6 +3,9 @@ import { Env } from "../../types/app";
 import { badRequest } from "../../utils/error";
 import { logger } from "../../utils/logger";
 import { insertFeedSchema, updateFeedSchema } from "@curatedotfun/shared-db";
+import { z } from "zod"; // Added import for z
+import { zValidator } from "@hono/zod-validator"; // Added import for zValidator
+import { ModerationService } from "../../services/moderation.service"; // Added import for ModerationService
 
 const feedsRoutes = new Hono<Env>();
 
@@ -25,17 +28,49 @@ feedsRoutes.get("/", async (c) => {
  * Create a new feed
  */
 feedsRoutes.post("/", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to create a feed." },
+      401,
+    );
+  }
+
   const body = await c.req.json();
-  const validationResult = insertFeedSchema.safeParse(body);
+  const partialValidationResult = insertFeedSchema
+    .omit({ created_by: true })
+    .safeParse(body);
 
-  if (!validationResult.success) {
-    return badRequest(c, "Invalid feed data", validationResult.error.flatten());
+  if (!partialValidationResult.success) {
+    return badRequest(
+      c,
+      "Invalid feed data",
+      partialValidationResult.error.flatten(),
+    );
+  }
+
+  const feedDataWithCreator = {
+    ...partialValidationResult.data,
+    created_by: accountId,
+  };
+
+  const finalValidationResult = insertFeedSchema.safeParse(feedDataWithCreator);
+  if (!finalValidationResult.success) {
+    logger.error(
+      "Error in final validation after adding created_by",
+      finalValidationResult.error,
+    );
+    return badRequest(
+      c,
+      "Internal validation error",
+      finalValidationResult.error.flatten(),
+    );
   }
 
   const sp = c.get("sp");
   const feedService = sp.getFeedService();
   try {
-    const newFeed = await feedService.createFeed(validationResult.data);
+    const newFeed = await feedService.createFeed(finalValidationResult.data);
     return c.json(newFeed, 201);
   } catch (error) {
     logger.error("Error creating feed:", error);
@@ -66,16 +101,37 @@ feedsRoutes.get("/:feedId", async (c) => {
  * Update an existing feed
  */
 feedsRoutes.put("/:feedId", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to update a feed." },
+      401,
+    );
+  }
+
   const feedId = c.req.param("feedId");
+  const sp = c.get("sp");
+  const feedService = sp.getFeedService();
+
+  const canUpdate = await feedService.hasPermission(
+    accountId,
+    feedId,
+    "update",
+  );
+  if (!canUpdate) {
+    return c.json(
+      { error: "Forbidden. You do not have permission to update this feed." },
+      403,
+    );
+  }
+
   const body = await c.req.json();
   const validationResult = updateFeedSchema.safeParse(body);
 
   if (!validationResult.success) {
     return badRequest(c, "Invalid feed data", validationResult.error.flatten());
   }
 
-  const sp = c.get("sp");
-  const feedService = sp.getFeedService();
   try {
     const updatedFeed = await feedService.updateFeed(
       feedId,
@@ -97,6 +153,14 @@ feedsRoutes.put("/:feedId", async (c) => {
  * Example: /api/feeds/solana/process?distributors=@curatedotfun/rss
  */
 feedsRoutes.post("/:feedId/process", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to process a feed." },
+      401,
+    );
+  }
+
   const sp = c.get("sp");
   const feedService = sp.getFeedService();
 
@@ -127,9 +191,30 @@ feedsRoutes.post("/:feedId/process", async (c) => {
  * Delete a specific feed by its ID
  */
 feedsRoutes.delete("/:feedId", async (c) => {
+  const accountId = c.get("accountId");
+  if (!accountId) {
+    return c.json(
+      { error: "Unauthorized. User must be logged in to delete a feed." },
+      401,
+    );
+  }
+
   const feedId = c.req.param("feedId");
   const sp = c.get("sp");
   const feedService = sp.getFeedService();
+
+  const canDelete = await feedService.hasPermission(
+    accountId,
+    feedId,
+    "delete",
+  );
+  if (!canDelete) {
+    return c.json(
+      { error: "Forbidden. You do not have permission to delete this feed." },
+      403,
+    );
+  }
+
   try {
     const result = await feedService.deleteFeed(feedId);
     if (!result) {
@@ -142,4 +227,44 @@ feedsRoutes.delete("/:feedId", async (c) => {
   }
 });
 
+const feedParamSchemaCanModerate = z.object({
+  // Renamed to avoid conflict if other schemas exist
+  feedId: z.string().min(1, "Feed ID is required"),
+});
+
+feedsRoutes.get(
+  "/:feedId/can-moderate",
+  zValidator("param", feedParamSchemaCanModerate),
+  async (c) => {
+    const { feedId } = c.req.valid("param");
+    const sp = c.get("sp");
+    const moderationService =
+      sp.getService<ModerationService>("moderationService");
+
+    const actingAccountId = c.get("accountId");
+
+    if (!actingAccountId) {
+      return c.json({ canModerate: false, reason: "User not authenticated" });
+    }
+
+    try {
+      const canModerate =
+        await moderationService.checkUserFeedModerationPermission(
+          feedId,
+          actingAccountId,
+        );
+      return c.json({ canModerate });
+    } catch (error: any) {
+      logger.error(
+        `Error in /:feedId/can-moderate for feed ${feedId}, user ${actingAccountId}:`,
+        error,
+      );
+      return c.json(
+        { canModerate: false, error: "Failed to check moderation permission" },
+        500,
+      );
+    }
+  },
+);
+
 export { feedsRoutes };