feat: multi-profile picture support

Author: YasharF

config/passport.js

@@ -98,7 +98,21 @@ async function handleAuthLogin(req, accessToken, refreshToken, providerName, par
     user[providerName] = providerProfile.id;
     user.profile.name = user.profile.name || providerProfile.name;
     user.profile.gender = user.profile.gender || providerProfile.gender;
-    user.profile.picture = user.profile.picture || providerProfile.picture;
+
+    if (providerProfile.picture) {
+      if (!user.profile.pictures || user.profile.pictureSource === undefined) {
+        // legacy account (pre-multi-picture support)
+        user.profile.pictures = new Map();
+        user.profile.picture = providerProfile.picture;
+        user.profile.pictureSource = providerName;
+      }
+      user.profile.pictures.set(providerName, providerProfile.picture);
+      if (user.profile.pictureSource === 'gravatar') {
+        user.profile.picture = providerProfile.picture;
+        user.profile.pictureSource = providerName;
+      }
+    }
+
     user.profile.location = user.profile.location || providerProfile.location;
     user.profile.website = user.profile.website || providerProfile.website;
     user.profile.email = user.profile.email || providerProfile.email;
@@ -131,7 +145,14 @@ async function handleAuthLogin(req, accessToken, refreshToken, providerName, par
   }
   user.profile.name = providerProfile.name;
   user.profile.gender = providerProfile.gender;
-  user.profile.picture = providerProfile.picture;
+
+  if (providerProfile.picture) {
+    user.profile.pictures = new Map();
+    user.profile.pictures.set(providerName, providerProfile.picture);
+    user.profile.picture = providerProfile.picture;
+    user.profile.pictureSource = providerName;
+  }
+
   user.profile.location = providerProfile.location;
   user.profile.website = providerProfile.website;
   user.profile.email = providerProfile.email;

controllers/user.js

@@ -310,6 +310,19 @@ exports.postUpdateProfile = async (req, res, next) => {
     user.profile.gender = req.body.gender || '';
     user.profile.location = req.body.location || '';
     user.profile.website = req.body.website || '';
+
+    // Handle picture source selection
+    if (typeof req.body.pictureSource === 'string') {
+      const newProfilePictureSource = req.body.pictureSource.trim();
+      if (newProfilePictureSource && user.profile.pictures && user.profile.pictures.has(newProfilePictureSource)) {
+        user.profile.pictureSource = newProfilePictureSource;
+        user.profile.picture = user.profile.pictures.get(newProfilePictureSource);
+      } else {
+        req.flash('errors', { msg: 'Invalid profile picture change request.' });
+        return res.redirect('/account');
+      }
+    }
+
     await user.save();
     req.flash('success', { msg: 'Profile information has been updated.' });
     res.redirect('/account');
@@ -383,6 +396,32 @@ exports.getOauthUnlink = async (req, res, next) => {
     const user = await User.findById(req.user.id);
     user[provider.toLowerCase()] = undefined;
     const tokensWithoutProviderToUnlink = user.tokens.filter((token) => token.kind !== provider.toLowerCase());
+
+    // Remove provider's picture entry
+    if (user.profile.pictures && user.profile.pictures.has(provider.toLowerCase())) {
+      user.profile.pictures.delete(provider.toLowerCase());
+
+      // If current picture source was the unlinked provider, select fallback
+      if (user.profile.pictureSource === provider.toLowerCase()) {
+        let fallbackSource = null;
+
+        // Priority order: gravatar -> any remaining provider -> undefined
+        if (user.profile.pictures.has('gravatar')) {
+          fallbackSource = 'gravatar';
+        } else if (user.profile.pictures.size > 0) {
+          fallbackSource = user.profile.pictures.keys().next().value;
+        }
+
+        if (fallbackSource) {
+          user.profile.pictureSource = fallbackSource;
+          user.profile.picture = user.profile.pictures.get(fallbackSource);
+        } else {
+          user.profile.pictureSource = undefined;
+          user.profile.picture = undefined;
+        }
+      }
+    }
+
     // Some auth providers do not provide an email address in the user profile.
     // As a result, we need to verify that unlinking the provider is safe by ensuring
     // that another login method exists.

models/User.js

@@ -56,6 +56,12 @@ const userSchema = new mongoose.Schema(
       location: String,
       website: String,
       picture: String,
+      pictureSource: String,
+
+      pictures: {
+        type: Map,
+        of: String,
+      },
     },
   },
   { timestamps: true },
@@ -135,6 +141,34 @@ userSchema.methods.gravatar = function gravatarUrl(size) {
   return `https://gravatar.com/avatar/${sha256}?s=${size}&d=retro`;
 };
 
+userSchema.pre('save', function updateGravatarOnEmailChange() {
+  if (!this.isModified('email')) return;
+  if (!this.profile.pictures) {
+    this.profile.pictures = new Map();
+  }
+  if (!this.profile.pictureSource) {
+    this.profile.pictureSource = 'gravatar';
+  }
+  const url = this.gravatar();
+  this.profile.pictures.set('gravatar', url);
+  if (this.profile.pictureSource === 'gravatar') {
+    this.profile.picture = url;
+  }
+});
+
+userSchema.methods.noMultiPictureUpgrade = function noMultiPictureUpgrade() {
+  if (!this.profile.pictures) {
+    this.profile.pictures = new Map();
+  }
+  if (!this.profile.pictureSource) {
+    this.profile.pictureSource = 'gravatar';
+  }
+  const url = this.gravatar();
+  this.profile.pictures.set('gravatar', url);
+  if (this.profile.pictureSource === 'gravatar') {
+    this.profile.picture = url;
+  }
+};
 // Helper methods for creating hashed IP addresses
 // This is used to prevent CSRF attacks by ensuring that the token is valid for
 // the IP address it was generated from

test/models.test.js

@@ -564,6 +564,138 @@ describe('User Model', () => {
       const url = user.gravatar(200);
       expect(url).to.include('00000000000000000000000000000000');
     });
+
+    it('Scenario 1: Gravatar generation when email is present - after save', async () => {
+      const user = new User({
+        email: 'test@gmail.com',
+        password: 'password123',
+      });
+
+      await user.save();
+
+      const sha256 = '87924606b4131a8aceeeae8868531fbb9712aaa07a5d3a756b26ce0f5d6ca674';
+
+      expect(user.profile.pictures).to.be.instanceOf(Map);
+      expect(user.profile.pictures.get('gravatar')).to.include(sha256);
+      expect(user.profile.pictureSource).to.equal('gravatar');
+      expect(user.profile.picture).to.include(sha256);
+    });
+
+    it('Scenario 2: Gravatar update on email change', async () => {
+      const user = new User({
+        email: 'user1@example.com',
+        password: 'password123',
+      });
+
+      await user.save();
+
+      const originalGravatar = user.profile.pictures.get('gravatar');
+      expect(user.profile.picture).to.equal(originalGravatar);
+
+      // Change email
+      user.email = 'user2@example.com';
+      await user.save();
+
+      const newGravatar = user.profile.pictures.get('gravatar');
+      expect(newGravatar).to.not.equal(originalGravatar);
+      expect(user.profile.picture).to.equal(newGravatar);
+    });
+
+    it('Scenario 3: noMultiPictureUpgrade behavior', () => {
+      const user = new User({
+        email: 'test@example.com',
+        password: 'password123',
+      });
+
+      user.noMultiPictureUpgrade();
+
+      expect(user.profile.pictures).to.be.instanceOf(Map);
+      expect(user.profile.pictureSource).to.equal('gravatar');
+      expect(user.profile.pictures.get('gravatar')).to.include(user.gravatar());
+      expect(user.profile.picture).to.equal(user.gravatar());
+    });
+
+    it('Scenario 4: Preserve non-gravatar pictureSource', async () => {
+      const user = new User({
+        email: 'test@example.com',
+        password: 'password123',
+        profile: {
+          pictureSource: 'facebook',
+          picture: 'https://facebook/pic.jpg',
+        },
+      });
+
+      await user.save();
+
+      expect(user.profile.pictures.get('gravatar')).to.include(user.gravatar());
+      expect(user.profile.picture).to.equal('https://facebook/pic.jpg');
+      expect(user.profile.pictureSource).to.equal('facebook');
+    });
+
+    it('Scenario 5: Preserve non-gravatar pictureSource - noMultiPictureUpgrade', () => {
+      const user = new User({
+        email: 'test@example.com',
+        password: 'password123',
+        profile: {
+          pictureSource: 'github',
+          picture: 'https://github/pic.jpg',
+        },
+      });
+
+      user.noMultiPictureUpgrade();
+
+      expect(user.profile.pictures.get('gravatar')).to.include(user.gravatar());
+      expect(user.profile.picture).to.equal('https://github/pic.jpg');
+      expect(user.profile.pictureSource).to.equal('github');
+    });
+
+    it('Scenario 6: Legacy account upgrade path', () => {
+      const user = new User({
+        email: 'legacy@example.com',
+        password: 'password123',
+        profile: {
+          picture: 'old-picture.jpg',
+          // pictureSource and pictures are undefined
+        },
+      });
+
+      user.noMultiPictureUpgrade();
+
+      expect(user.profile.pictures).to.be.instanceOf(Map);
+      expect(user.profile.pictures.get('gravatar')).to.include(user.gravatar());
+      expect(user.profile.pictureSource).to.equal('gravatar');
+      expect(user.profile.picture).to.equal(user.gravatar());
+    });
+
+    it('Scenario 7: Map persistence', async () => {
+      const user = new User({
+        email: 'maptest@example.com',
+        password: 'password123',
+      });
+
+      await user.save();
+
+      const reloaded = await User.findById(user._id);
+
+      expect(reloaded.profile.pictures).to.be.instanceOf(Map);
+      expect(reloaded.profile.pictures.get('gravatar')).to.include(user.gravatar());
+    });
+
+    it('Scenario 8: No duplicate gravatar entries', async () => {
+      const user = new User({
+        email: 'noduplicate@example.com',
+        password: 'password123',
+      });
+
+      await user.save();
+      const initialSize = user.profile.pictures.size;
+
+      // Save again without changing email
+      await user.save();
+
+      expect(user.profile.pictures.size).to.equal(initialSize);
+      expect(user.profile.pictures.get('gravatar')).to.include(user.gravatar());
+    });
   });
 
   describe('Token Cleanup on Save', () => {