fix

bizmatch-server/src/main.ts

@@ -60,6 +60,17 @@ async function bootstrap() {
     }),
   );
 
+  // Reject CSS/JS sourcemap requests before they reach any API controller.
+  // Sourcemap URLs resolve relative to the current page URL and can match
+  // wildcard route params (e.g. /bizmatch/user/default.css.map → @Get(':id')).
+  app.use((req, res, next) => {
+    if (req.path.endsWith('.css.map') || req.path.endsWith('.js.map')) {
+      res.status(404).end();
+      return;
+    }
+    next();
+  });
+
   await app.listen(process.env.PORT || 3001);
 }
 bootstrap();

bizmatch-server/src/user/user.controller.ts

@@ -10,6 +10,7 @@ import { OptionalAuthGuard } from 'src/jwt-auth/optional-auth.guard';
 import { User } from '../models/db.model';
 import { JwtUser, Subscription, UserListingCriteria } from '../models/main.model';
 import { UserService } from './user.service';
+import { isUUID } from '../utils/slug.utils';
 
 @Controller('user')
 export class UserController {
@@ -29,6 +30,9 @@ export class UserController {
   @UseGuards(OptionalAuthGuard)
   @Get(':id')
   async findById(@Param('id') id: string): Promise<User> {
+    if (!isUUID(id)) {
+      throw new BadRequestException(`Invalid identifier format: ${id}`);
+    }
     const user = await this.userService.getUserById(id);
     return user;
   }
@@ -81,6 +85,9 @@ export class UserController {
   @UseGuards(AuthGuard)
   @Get('subscriptions/:id')
   async findSubscriptionsById(@Param('id') id: string): Promise<Subscription[]> {
+    if (!isUUID(id)) {
+      throw new BadRequestException(`Invalid identifier format: ${id}`);
+    }
     const subscriptions = [];
     const user = await this.userService.getUserById(id);
     subscriptions.forEach(s => {