Auth Check For Decks

2025-10-24 20:28:45 +02:00
parent 5722846da3
commit b9fedb3601
5 changed files with 31 additions and 9 deletions
@@ -199,12 +199,13 @@ deckRouter.patch('/:id', authRequired, async (req, res) => {
 	try {
 		const deckId = req.params.id;
 		const userId = (req as any).user.userId;
+		const authLevel = (req as any).user.authLevel;
 		logRequest('Update deck endpoint accessed', req, res, { deckId, userId, updateFields: Object.keys(req.body) });
 		
 		// Convert string enum values to integers
 		const updateData = convertEnumValues(req.body);

-		const result = await container.updateDeckCommandHandler.execute({ id: deckId, ...updateData });
+		const result = await container.updateDeckCommandHandler.execute({ userid: userId, authLevel: authLevel, id: deckId, ...updateData });
 		
 		logRequest('Deck updated successfully', req, res, { deckId, userId });
 		res.json(result);
@@ -244,9 +245,10 @@ deckRouter.delete('/:id', authRequired, async (req, res) => {
 	try {
 		const deckId = req.params.id;
 		const userId = (req as any).user.userId;
+		const authLevel = (req as any).user.authLevel;
 		logRequest('Soft delete deck endpoint accessed', req, res, { deckId, userId });

-		const result = await container.deleteDeckCommandHandler.execute({ id: deckId, soft: true });
+		const result = await container.deleteDeckCommandHandler.execute({ userid: userId, authLevel: authLevel, id: deckId, soft: true });

 		logRequest('Deck soft delete successful', req, res, { deckId, userId, success: result });
 		res.json({ success: result });
@@ -1,4 +1,6 @@
 export interface DeleteDeckCommand {
+  userid: string;
+  authLevel: number;
  id: string;
  soft?: boolean;
 }
@@ -1,10 +1,24 @@
 import { IDeckRepository } from '../../../Domain/IRepository/IDeckRepository';
+import { logAuth, logError } from '../../Services/Logger';
 import { DeleteDeckCommand } from './DeleteDeckCommand';

 export class DeleteDeckCommandHandler {
  constructor(private readonly deckRepo: IDeckRepository) {}

  async execute(cmd: DeleteDeckCommand): Promise<boolean> {
+
+    //get decks userid
+    const deck = await this.deckRepo.findById(cmd.id);
+    if (!deck) {
+      logError(`Deck not found with ID: ${cmd.id}`);
+      throw new Error('Deck not found');
+    }
+
+    if(cmd.authLevel !==1 && deck.userid !== cmd.userid) {
+      logAuth(`Unauthorized access attempt to deck with ID: ${cmd.id}, UserID: ${cmd.userid}`);
+      throw new Error('Unauthorized');
+    }
+
    if (cmd.soft) {
      await this.deckRepo.softDelete(cmd.id);
    } else {
@@ -1,11 +1,10 @@
-import { n } from "framer-motion/dist/types.d-D0HXPxHm";
-
 export interface UpdateDeckCommand {
+  userid: string;
+  authLevel: number;
  id: string;
  userstate?: number;
  name?: string;
  type?: number;
-  userid?: string;
  cards?: any[];
  ctype?: number;
  state?: number;
@@ -3,7 +3,7 @@ import { UpdateDeckCommand } from './UpdateDeckCommand';
 import { ShortDeckDto } from '../../DTOs/DeckDto';
 import { DeckMapper } from '../../DTOs/Mappers/DeckMapper';
 import { DeckAggregate } from '../../../Domain/Deck/DeckAggregate';
-import { logError } from '../../Services/Logger';
+import { logAuth, logError } from '../../Services/Logger';

 export class UpdateDeckCommandHandler {
  constructor(private readonly deckRepo: IDeckRepository) {}
@@ -24,6 +24,11 @@ export class UpdateDeckCommandHandler {
            throw new Error('Deck not found');
        }

+        if(cmd.authLevel !==1 && existingDeck.userid !== cmd.userid) {
+          logAuth(`Unauthorized access attempt to deck with ID: ${cmd.id}, UserID: ${cmd.userid}`);
+          throw new Error('Unauthorized');
+        }
+
        const for_update: Partial<DeckAggregate> = {};
        if(cmd.name !== undefined) for_update.name = cmd.name;
        if(cmd.type !== undefined) for_update.type = cmd.type;