fixed a bug that allowed user bios to be hijacked

routes/user.js

@@ -9,9 +9,10 @@ const router = Router();
 //todo: fix jank
 
 router.get('/:username', async (req, res, next) => {
-    let topComment = await db.all('SELECT * FROM feeder WHERE parentType = ? AND parentId = ? ORDER BY sortId ASC LIMIT ? OFFSET ?', [
+    let topComment = await db.all('SELECT * FROM feeder WHERE parentType = ? AND parentId = ? AND childId in (SELECT id FROM comment WHERE username = ?) ORDER BY sortId ASC LIMIT ? OFFSET ?', [
         'users',
         req.params.username,
+        req.params.username,
         1,
         0
     ]);