identity: temporarily disable password recovery & changing

Notesnook.API/Dockerfile

@@ -27,8 +27,6 @@ FROM build AS publish
 RUN dotnet publish -c Release -o /app/publish \
   #--runtime alpine-x64 \
   --self-contained true \
-  /p:TrimMode=partial \
-  /p:PublishTrimmed=true \
   /p:PublishSingleFile=true \
   /p:JsonSerializerIsReflectionEnabledByDefault=true \
   -a $TARGETARCH

Notesnook.API/Hubs/SyncV2Hub.cs

@@ -247,7 +247,7 @@ namespace Notesnook.API.Hubs
                 var chunks = PrepareChunks(
                     userId,
                     ids,
-                    size: 1000,
+                    size: 100,
                     resetSync: device.IsSyncReset,
                     maxBytes: 7 * 1024 * 1024
                 );

Notesnook.API/Repositories/SyncItemsRepository.cs

@@ -91,11 +91,7 @@ namespace Notesnook.API.Repositories
         public void DeleteByUserId(string userId)
         {
             var filter = Builders<SyncItem>.Filter.Eq("UserId", userId);
-            var writes = new List<WriteModel<SyncItem>>
-            {
-                new DeleteManyModel<SyncItem>(filter)
-            };
-            dbContext.AddCommand((handle, ct) => Collection.BulkWriteAsync(handle, writes, options: null, ct));
+            dbContext.AddCommand((handle, ct) => Collection.DeleteManyAsync(handle, filter, null, ct));
         }
 
         public void Upsert(SyncItem item, string userId, long dateSynced)

Notesnook.API/Services/SyncDeviceService.cs

@@ -73,7 +73,7 @@ namespace Notesnook.API.Services
             return result;
         }
 
-        const int MaxIdsPerChunk = 400_000;
+        const int MaxIdsPerChunk = 25_000;
         public async Task AppendIdsAsync(string userId, string deviceId, string key, IEnumerable<ItemKey> ids)
         {
             var filter = DeviceIdsChunkFilter(userId, deviceId, key) & Builders<DeviceIdsChunk>.Filter.Where(x => x.Ids.Length < MaxIdsPerChunk);
@@ -81,7 +81,7 @@ namespace Notesnook.API.Services
 
             if (chunk != null)
             {
-                var update = Builders<DeviceIdsChunk>.Update.PushEach(x => x.Ids, ids.Select(i => i.ToString()));
+                var update = Builders<DeviceIdsChunk>.Update.AddToSetEach(x => x.Ids, ids.Select(i => i.ToString()));
                 await repositories.DeviceIdsChunks.Collection.UpdateOneAsync(
                     Builders<DeviceIdsChunk>.Filter.Eq(x => x.Id, chunk.Id),
                     update

Notesnook.API/Services/UserService.cs

@@ -182,6 +182,7 @@ namespace Notesnook.API.Services
 
         public async Task DeleteUserAsync(string userId)
         {
+            logger.LogInformation("Deleting user {UserId}", userId);
             var cc = new CancellationTokenSource();
 
             Repositories.Notes.DeleteByUserId(userId);

Streetwriters.Identity/Controllers/AccountController.cs

@@ -97,12 +97,12 @@ namespace Streetwriters.Identity.Controllers
                     }
                 case TokenType.RESET_PASSWORD:
                     {
-                        if (!await UserManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, "ResetPassword", code))
-                            return BadRequest("Invalid token.");
+                        // if (!await UserManager.VerifyUserTokenAsync(user, TokenOptions.DefaultProvider, "ResetPassword", code))
+                        return BadRequest("Password reset is temporarily disabled due to some issues. It should be back soon. We apologize for the inconvenience.");
 
-                        var authorizationCode = await UserManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "PasswordResetAuthorizationCode");
-                        var redirectUrl = $"{client.AccountRecoveryRedirectURL}?userId={userId}&code={authorizationCode}";
-                        return RedirectPermanent(redirectUrl);
+                        // var authorizationCode = await UserManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "PasswordResetAuthorizationCode");
+                        // var redirectUrl = $"{client.AccountRecoveryRedirectURL}?userId={userId}&code={authorizationCode}";
+                        // return RedirectPermanent(redirectUrl);
                     }
                 default:
                     return BadRequest("Invalid type.");
@@ -149,21 +149,22 @@ namespace Streetwriters.Identity.Controllers
         [EnableRateLimiting("strict")]
         public async Task<IActionResult> ResetUserPassword([FromForm] ResetPasswordForm form)
         {
-            var client = Clients.FindClientById(form.ClientId);
-            if (client == null) return BadRequest("Invalid client_id.");
+            return BadRequest(new { error = "Password reset is temporarily disabled due to some issues. It should be back soon. We apologize for the inconvenience." });
+            //             var client = Clients.FindClientById(form.ClientId);
+            //             if (client == null) return BadRequest("Invalid client_id.");
 
-            var user = await UserManager.FindByEmailAsync(form.Email) ?? throw new Exception("User not found.");
-            if (!await UserService.IsUserValidAsync(UserManager, user, form.ClientId)) return Ok();
+            //             var user = await UserManager.FindByEmailAsync(form.Email) ?? throw new Exception("User not found.");
+            //             if (!await UserService.IsUserValidAsync(UserManager, user, form.ClientId)) return Ok();
 
-            var code = await UserManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "ResetPassword");
-            var callbackUrl = Url.TokenLink(user.Id.ToString(), code, client.Id, TokenType.RESET_PASSWORD);
-#if (DEBUG || STAGING)
-            return Ok(callbackUrl);
-#else
-            logger.LogInformation("Password reset email sent to: {Email}, callback URL: {CallbackUrl}", user.Email, callbackUrl);
-            await EmailSender.SendPasswordResetEmailAsync(user.Email, callbackUrl, client);
-            return Ok();
-#endif
+            //             var code = await UserManager.GenerateUserTokenAsync(user, TokenOptions.DefaultProvider, "ResetPassword");
+            //             var callbackUrl = Url.TokenLink(user.Id.ToString(), code, client.Id, TokenType.RESET_PASSWORD);
+            // #if (DEBUG || STAGING)
+            //             return Ok(callbackUrl);
+            // #else
+            //             logger.LogInformation("Password reset email sent to: {Email}, callback URL: {CallbackUrl}", user.Email, callbackUrl);
+            //             await EmailSender.SendPasswordResetEmailAsync(user.Email, callbackUrl, client);
+            //             return Ok();
+            // #endif
         }
 
         [HttpPost("logout")]
@@ -250,31 +251,33 @@ namespace Streetwriters.Identity.Controllers
                     }
                 case "change_password":
                     {
-                        ArgumentNullException.ThrowIfNull(form.OldPassword);
-                        ArgumentNullException.ThrowIfNull(form.NewPassword);
-                        var result = await UserManager.ChangePasswordAsync(user, form.OldPassword, form.NewPassword);
-                        if (result.Succeeded)
-                        {
-                            await SendLogoutMessageAsync(user.Id.ToString(), "Password changed.");
-                            return Ok();
-                        }
-                        return BadRequest(result.Errors.ToErrors());
+                        return BadRequest(new { error = "Password change is temporarily disabled due to some issues. It should be back soon. We apologize for the inconvenience." });
+                        // ArgumentNullException.ThrowIfNull(form.OldPassword);
+                        // ArgumentNullException.ThrowIfNull(form.NewPassword);
+                        // var result = await UserManager.ChangePasswordAsync(user, form.OldPassword, form.NewPassword);
+                        // if (result.Succeeded)
+                        // {
+                        //     await SendLogoutMessageAsync(user.Id.ToString(), "Password changed.");
+                        //     return Ok();
+                        // }
+                        // return BadRequest(result.Errors.ToErrors());
                     }
                 case "reset_password":
                     {
-                        ArgumentNullException.ThrowIfNull(form.NewPassword);
-                        var result = await UserManager.RemovePasswordAsync(user);
-                        if (result.Succeeded)
-                        {
-                            await MFAService.ResetMFAAsync(user);
-                            result = await UserManager.AddPasswordAsync(user, form.NewPassword);
-                            if (result.Succeeded)
-                            {
-                                await SendLogoutMessageAsync(user.Id.ToString(), "Password reset.");
-                                return Ok();
-                            }
-                        }
-                        return BadRequest(result.Errors.ToErrors());
+                        return BadRequest(new { error = "Password reset is temporarily disabled due to some issues. It should be back soon. We apologize for the inconvenience." });
+                        // ArgumentNullException.ThrowIfNull(form.NewPassword);
+                        // var result = await UserManager.RemovePasswordAsync(user);
+                        // if (result.Succeeded)
+                        // {
+                        //     await MFAService.ResetMFAAsync(user);
+                        //     result = await UserManager.AddPasswordAsync(user, form.NewPassword);
+                        //     if (result.Succeeded)
+                        //     {
+                        //         await SendLogoutMessageAsync(user.Id.ToString(), "Password reset.");
+                        //         return Ok();
+                        //     }
+                        // }
+                        // return BadRequest(result.Errors.ToErrors());
                     }
                 case "change_marketing_consent":
                     {

Streetwriters.Identity/Dockerfile

@@ -27,8 +27,6 @@ FROM build AS publish
 RUN dotnet publish -c Release -o /app/publish \
   #--runtime alpine-x64 \
   --self-contained true \
-  /p:TrimMode=partial \
-  /p:PublishTrimmed=true \
   /p:PublishSingleFile=true \
   /p:JsonSerializerIsReflectionEnabledByDefault=true \
   -a $TARGETARCH

Streetwriters.Messenger/Dockerfile

@@ -27,8 +27,6 @@ FROM build AS publish
 RUN dotnet publish -c Release -o /app/publish \
   #--runtime alpine-x64 \
   --self-contained true \
-  /p:TrimMode=partial \
-  /p:PublishTrimmed=true \
   /p:PublishSingleFile=true \
   /p:JsonSerializerIsReflectionEnabledByDefault=true \
   -a $TARGETARCH

cors-proxy/src/index.ts

@@ -210,7 +210,21 @@ const server = Bun.serve({
       });
     }
 
-    // Proxy the request
+    // Check if it's a YouTube URL and redirect instead of proxying
+    if (isYouTubeEmbed(targetUrl)) {
+      // YouTube URL detected, redirect to youtube-nocookie.com
+      logRequest(req.method, targetUrl, 200);
+      return new Response(serveYouTubeEmbed(targetUrl), {
+        status: 200,
+        headers: {
+          "Content-Type": "text/html; charset=utf-8",
+          "Content-Security-Policy": "frame-ancestors *",
+          "X-Frame-Options": "ALLOWALL",
+        },
+      });
+    }
+
+    // Proxy the request for non-YouTube URLs
     const response = await proxyRequest(targetUrl);
     logRequest(req.method, targetUrl, response.status);
     return response;
@@ -229,3 +243,80 @@ console.log(
 );
 console.log(`📋 Health check: http://${server.hostname}:${server.port}/health`);
 console.log(`🌍 Environment: ${Bun.env.NODE_ENV || "development"}`);
+
+/**
+ * This is required to bypass YouTube's Referrer Policy restrictions when
+ * embedding videos on the mobile app. It basically "proxies" the Referrer and
+ * allows any YouTube video to be embedded anywhere without restrictions.
+ */
+function serveYouTubeEmbed(url: string) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <meta name="referrer" content="strict-origin-when-cross-origin">
+    <meta name="robots" content="noindex,nofollow">
+    <title>YouTube Video Embed</title>
+    <style>
+    * {
+        margin: 0;
+        padding: 0;
+        box-sizing:border-box
+    }
+
+    body, html {
+        overflow: hidden;
+        background:#000
+    }
+
+    iframe {
+        border: 0;
+        width: 100vw;
+        height: 100vh;
+        display: block
+    }
+    </style>
+</head>
+<body>
+    <iframe src="${transformYouTubeUrl(
+      url
+    )}" allow="accelerometer;autoplay;clipboard-write;encrypted-media;gyroscope;picture-in-picture;web-share" allowfullscreen referrerpolicy="strict-origin-when-cross-origin" title="Video player"></iframe>
+</body>
+</html>`;
+}
+
+// Check if URL is a YouTube embed (including youtube-nocookie.com)
+function isYouTubeEmbed(urlString: string) {
+  const url = new URL(urlString);
+  return (
+    (url.hostname === "www.youtube.com" ||
+      url.hostname === "youtube.com" ||
+      url.hostname === "m.youtube.com" ||
+      url.hostname === "www.youtube-nocookie.com" ||
+      url.hostname === "youtube-nocookie.com") &&
+    url.pathname.startsWith("/embed/")
+  );
+}
+
+// Transform YouTube URLs to use youtube-nocookie.com for enhanced privacy
+function transformYouTubeUrl(urlString: string): string {
+  try {
+    const url = new URL(urlString);
+
+    // Check if it's a YouTube domain
+    if (
+      url.hostname === "www.youtube.com" ||
+      url.hostname === "youtube.com" ||
+      url.hostname === "m.youtube.com"
+    ) {
+      // Replace with youtube-nocookie.com
+      url.hostname = "www.youtube-nocookie.com";
+      return url.toString();
+    }
+
+    return urlString;
+  } catch {
+    return urlString;
+  }
+}