Elo rank endpoint return 404 on restricted accounts

Author: codergautam

api/eloRank.js

@@ -33,18 +33,26 @@ export default async function handler(req, res) {
   try {
 
     let user;
-    if(username && typeof username === 'string') {
-      // Prevent NoSQL injection - username must be a string
-      user = await User.findOne({ username: username }).collation(USERNAME_COLLATION).cache(120);
-    } else if(secret && typeof secret === 'string') {
+    let foundBySecret = false;
+
+    if(secret && typeof secret === 'string') {
       // Prevent NoSQL injection - secret must be a string
       user = await User.findOne({ secret }).cache(120);
+      if (user) foundBySecret = true;
+    } else if(username && typeof username === 'string') {
+      // Prevent NoSQL injection - username must be a string
+      user = await User.findOne({ username: username }).collation(USERNAME_COLLATION).cache(120);
     }
 
     if (!user) {
       return res.status(404).json({ message: 'User not found' });
     }
 
+    // If not found by their own secret, hide banned or pending-name-change users
+    if (!foundBySecret && (user.banned || user.pendingNameChange)) {
+      return res.status(404).json({ message: 'User not found' });
+    }
+
     const rank = (await User.countDocuments({
       elo: { $gt: user.elo },
       banned: false

components/home.js

@@ -322,7 +322,7 @@ export default function Home({ }) {
 
         // Fetch fresh data when account modal opens (to get updated elo after games)
         if (accountModalOpen) {
-            fetch(clientConfig().apiUrl + "/api/eloRank?username=" + session.token.username)
+            fetch(clientConfig().apiUrl + "/api/eloRank?username=" + session.token.username+"&secret=" + session.token.secret)
                 .then((res) => res.json())
                 .then((data) => {
                     if (data && data.elo !== undefined) {
@@ -1270,15 +1270,15 @@ export default function Home({ }) {
 
             // Use the passed options directly to avoid stale state issues
             const options = args[0] || multiplayerState.createOptions;
-            ws.send(JSON.stringify({ 
-                type: "setPrivateGameOptions", 
-                rounds: options.rounds, 
-                timePerRound: options.timePerRound, 
-                nm: options.nm, 
-                npz: options.npz, 
-                showRoadName: options.showRoadName, 
-                location: options.location, 
-                displayLocation: options.displayLocation 
+            ws.send(JSON.stringify({
+                type: "setPrivateGameOptions",
+                rounds: options.rounds,
+                timePerRound: options.timePerRound,
+                nm: options.nm,
+                npz: options.npz,
+                showRoadName: options.showRoadName,
+                location: options.location,
+                displayLocation: options.displayLocation
             }));
         }
 
@@ -1773,7 +1773,7 @@ export default function Home({ }) {
                 // Game was cancelled before it started (opponent left during countdown)
                 // No ELO was lost - just return to home and optionally re-queue
                 toast.info(text("opponentLeftBeforeStart") || "Opponent left before the game started. Returning to queue...");
-                
+
                 setScreen("home")
                 setMultiplayerChatEnabled(false)