From 093563a458f1488f3fce60416ca60e8d80ace2f1 Mon Sep 17 00:00:00 2001
From: Andreas Knuth
Date: Fri, 12 Jun 2026 16:25:27 -0500
Subject: [PATCH] fix

---
 bizmatch-server/src/main.ts | 11 +++++++++++
 bizmatch-server/src/user/user.controller.ts | 7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/bizmatch-server/src/main.ts b/bizmatch-server/src/main.ts
index 53be59b..10cacc3 100644
--- a/bizmatch-server/src/main.ts
+++ b/bizmatch-server/src/main.ts
@@ -60,6 +60,17 @@ async function bootstrap() {
 }),
 );
 
+ // Reject CSS/JS sourcemap requests before they reach any API controller.
+ // Sourcemap URLs resolve relative to the current page URL and can match
+ // wildcard route params (e.g. /bizmatch/user/default.css.map → @Get(':id')).
+ app.use((req, res, next) => {
+ if (req.path.endsWith('.css.map') || req.path.endsWith('.js.map')) {
+ res.status(404).end();
+ return;
+ }
+ next();
+ });
+
 await app.listen(process.env.PORT || 3001);
 }
 bootstrap();
diff --git a/bizmatch-server/src/user/user.controller.ts b/bizmatch-server/src/user/user.controller.ts
index d399df9..7fbad68 100644
--- a/bizmatch-server/src/user/user.controller.ts
+++ b/bizmatch-server/src/user/user.controller.ts
@@ -10,6 +10,7 @@ import { OptionalAuthGuard } from 'src/jwt-auth/optional-auth.guard';
 import { User } from '../models/db.model';
 import { JwtUser, Subscription, UserListingCriteria } from '../models/main.model';
 import { UserService } from './user.service';
+import { isUUID } from '../utils/slug.utils';
 
 @Controller('user')
 export class UserController {
@@ -29,6 +30,9 @@ export class UserController {
 @UseGuards(OptionalAuthGuard)
 @Get(':id')
 async findById(@Param('id') id: string): Promise {
+ if (!isUUID(id)) {
+ throw new BadRequestException(`Invalid identifier format: ${id}`);
+ }
 const user = await this.userService.getUserById(id);
 return user;
 }
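Review bot: The suffix test in the new `app.use` middleware in `main.ts` is case-sensitive and covers only `.css.map` and `.js.map`, so other spellings of a sourcemap path (upper-case, `.mjs.map`) still fall through to the wildcard `@Get(':id')` routes the comment says it is shielding. A single case-insensitive match closes that gap: `if (/\.(css|js|mjs)\.map$/i.test(req.path)) {`. This filter is a denylist placed in front of the routes, so validating parameters in each controller remains the real control, and any other wildcard route without such a check will still receive stray asset paths. `bootstrap()` starts above the hunk, so the ordering relative to earlier middleware or a global prefix cannot be checked from here.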
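Review bot: The import hunk of `user.controller.ts` adds only `isUUID`, while both changed handlers also throw `BadRequestException`. The `@nestjs/common` import sits above this hunk and the diffstat shows no other changed line in the file, so it should be confirmed that `BadRequestException` is already in that import list. The implementation of `isUUID` in `../utils/slug.utils` is not shown; a short comment at the call sites, for example `// isUUID: accepts canonical 8-4-4-4-12 hex only (confirm against slug.utils)`, would record what this guard lets through to `getUserById`.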
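Review bot: The new guard in `findById` copies the raw path segment into the 400 response with `Invalid identifier format: ${id}`, and the identical line is added to `findSubscriptionsById` in the `@@ -81,6 +85,9 @@` hunk. Reflecting unvalidated, client-chosen input into the response body (and into any log that records exception messages) serves no purpose here and has no length bound; a fixed message is enough: `throw new BadRequestException('Invalid identifier format');`. If `isUUID` accepts the standard UUID forms, Nest's built-in pipe does the same check declaratively, `@Param('id', ParseUUIDPipe) id: string`, which needs `ParseUUIDPipe` imported from `@nestjs/common` and keeps the two handlers from drifting apart.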
@@ -81,6 +85,9 @@ export class UserController {
 @UseGuards(AuthGuard)
 @Get('subscriptions/:id')
 async findSubscriptionsById(@Param('id') id: string): Promise {
+ if (!isUUID(id)) {
+ throw new BadRequestException(`Invalid identifier format: ${id}`);
+ }
 const subscriptions = [];
 const user = await this.userService.getUserById(id);
 subscriptions.forEach(s => {
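Review bot: `findSubscriptionsById` now rejects malformed ids, but its signature still takes only `@Param('id')`, so nothing visible in this hunk ties the requested `id` to the caller that `AuthGuard` authenticated. Format validation is not an ownership check: unless the guard or `UserService` enforces it elsewhere, an authenticated caller could read another account's subscriptions by supplying that account's id. The method body continues past the end of the hunk, so this may already be handled further down. If it is not, the handler should receive the authenticated principal and reject a mismatch before calling `getUserById(id)`, with a comment such as `// id must equal the authenticated user's id unless the caller is an admin` to record the intent.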