diff --git a/SerpentRace_Backend/src/Api/routers/deckRouter.ts b/SerpentRace_Backend/src/Api/routers/deckRouter.ts
index fe35d6cb..67632a33 100644
--- a/SerpentRace_Backend/src/Api/routers/deckRouter.ts
+++ b/SerpentRace_Backend/src/Api/routers/deckRouter.ts
@@ -199,12 +199,13 @@ deckRouter.patch('/:id', authRequired, async (req, res) => {
   try {
     const deckId = req.params.id;
     const userId = (req as any).user.userId;
+    const authLevel = (req as any).user.authLevel;
     logRequest('Update deck endpoint accessed', req, res, { deckId, userId, updateFields: Object.keys(req.body) });
     // Convert string enum values to integers
     const updateData = convertEnumValues(req.body);
-
-    const result = await container.updateDeckCommandHandler.execute({ id: deckId, ...updateData });
+
+    const result = await container.updateDeckCommandHandler.execute({ userid: userId, authLevel: authLevel, id: deckId, ...updateData });
     logRequest('Deck updated successfully', req, res, { deckId, userId });
     res.json(result);
@@ -244,10 +245,11 @@ deckRouter.delete('/:id', authRequired, async (req, res) => {
   try {
     const deckId = req.params.id;
     const userId = (req as any).user.userId;
+    const authLevel = (req as any).user.authLevel;
     logRequest('Soft delete deck endpoint accessed', req, res, { deckId, userId });
-
-    const result = await container.deleteDeckCommandHandler.execute({ id: deckId, soft: true });
-
+
+    const result = await container.deleteDeckCommandHandler.execute({ userid: userId, authLevel: authLevel, id: deckId, soft: true });
+
     logRequest('Deck soft delete successful', req, res, { deckId, userId, success: result });
     res.json({ success: result });
   } catch (error) {
diff --git a/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommand.ts b/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommand.ts
index bf8ac418..d41de235 100644
--- a/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommand.ts
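Review bot: In the new `execute({ userid: userId, authLevel: authLevel, id: deckId, ...updateData })` call the spread comes last, so if `convertEnumValues` passes unrecognised keys through from `req.body` (its body is not in the diff), a request body containing `userid`, `authLevel` or `id` overwrites the values taken from the authenticated session, and the ownership check in UpdateDeckCommandHandler is then evaluated against client-supplied data. Put the server-derived fields after the spread so they win: `const result = await container.updateDeckCommandHandler.execute({ ...updateData, userid: userId, authLevel, id: deckId });`. The delete hunk below is not affected because it builds the command without a spread. Both hunks read the caller through `(req as any).user`; a typed request (an interface extending `Request` with a `user` field, or one small helper that returns the user from `req`) would let the compiler check `userId` and `authLevel` instead of `any`. The enclosing route handler continues past the end of each hunk.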
+++ b/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommand.ts
@@ -1,4 +1,6 @@
 export interface DeleteDeckCommand {
+  userid: string;
+  authLevel: number;
   id: string;
   soft?: boolean;
 }
diff --git a/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommandHandler.ts b/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommandHandler.ts
index e484c4ef..07309b19 100644
--- a/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommandHandler.ts
+++ b/SerpentRace_Backend/src/Application/Deck/commands/DeleteDeckCommandHandler.ts
@@ -1,10 +1,24 @@
 import { IDeckRepository } from '../../../Domain/IRepository/IDeckRepository';
+import { logAuth, logError } from '../../Services/Logger';
 import { DeleteDeckCommand } from './DeleteDeckCommand';
 
 export class DeleteDeckCommandHandler {
   constructor(private readonly deckRepo: IDeckRepository) {}
 
   async execute(cmd: DeleteDeckCommand): Promise {
+
+    //get decks userid
+    const deck = await this.deckRepo.findById(cmd.id);
+    if (!deck) {
+      logError(`Deck not found with ID: ${cmd.id}`);
+      throw new Error('Deck not found');
+    }
+
+    if(cmd.authLevel !==1 && deck.userid !== cmd.userid) {
+      logAuth(`Unauthorized access attempt to deck with ID: ${cmd.id}, UserID: ${cmd.userid}`);
+      throw new Error('Unauthorized');
+    }
+
     if (cmd.soft) {
       await this.deckRepo.softDelete(cmd.id);
     } else {
diff --git a/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommand.ts b/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommand.ts
index b1ce0066..9fbbb3a9 100644
--- a/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommand.ts
+++ b/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommand.ts
@@ -1,11 +1,10 @@
-import { n } from "framer-motion/dist/types.d-D0HXPxHm";
-
 export interface UpdateDeckCommand {
+  userid: string;
+  authLevel: number;
   id: string;
   userstate?: number;
   name?: string;
   type?: number;
-  userid?: string;
   cards?: any[];
   ctype?: number;
   state?: number;
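Review bot: The two fields added to `DeleteDeckCommand` carry the caller's identity rather than deck data, but nothing on the interface says so, and a reader has to find the handler to learn that `authLevel` is compared against a bare `1`. Add `/** Id of the authenticated caller, used for the ownership check; not a deck attribute. */` above `userid` and `/** Caller's auth level; level 1 is allowed to delete decks it does not own. */` above `authLevel`, so the contract is visible where the command is constructed.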
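Review bot: Both failures in the new guard in `DeleteDeckCommandHandler.execute` throw a plain `Error` distinguished only by its message (`'Deck not found'`, `'Unauthorized'`), so the router's catch block, which is outside this diff, can only map them to 404/403 by string-matching, and any other thrown error lands in the same path. Throwing dedicated subclasses instead, e.g. `class ForbiddenError extends Error {}` and `class NotFoundError extends Error {}` with `throw new ForbiddenError('Unauthorized');`, lets the router choose the status with `instanceof`; the same shape appears in the `UpdateDeckCommandHandler` hunk further down, so the change applies there too. `cmd.authLevel !==1` also hides what `1` means — a named constant such as `const ADMIN_AUTH_LEVEL = 1;` shared by both handlers would document it and keep the two checks from drifting apart. Note that answering not-found and unauthorized differently tells a non-owner whether a given deck id exists; acceptable if ids are not meant to be secret, but worth a deliberate decision.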
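Review bot: In `UpdateDeckCommand` the key `userid` changes meaning: it was an optional updatable field (the deck owner) and is now the required id of the requester, under the same name the deck entity's own `userid` uses in the handlers' ownership check. Because the router spreads the request body into the same object, a body containing `userid` cannot be told apart from the requester id, and if the handler still copies `cmd.userid` into the update (the rest of `for_update` is not visible in this diff) it would now write the caller's id onto the deck. Naming the two new fields so they cannot collide with deck attributes, e.g. `requesterId: string; requesterAuthLevel: number;`, and applying the same rename in `DeleteDeckCommand`, removes the ambiguity. Dropping the stray framer-motion import is a good cleanup.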
diff --git a/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommandHandler.ts b/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommandHandler.ts
index ced487ce..8e5b2ca5 100644
--- a/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommandHandler.ts
+++ b/SerpentRace_Backend/src/Application/Deck/commands/UpdateDeckCommandHandler.ts
@@ -3,7 +3,7 @@ import { UpdateDeckCommand } from './UpdateDeckCommand';
 import { ShortDeckDto } from '../../DTOs/DeckDto';
 import { DeckMapper } from '../../DTOs/Mappers/DeckMapper';
 import { DeckAggregate } from '../../../Domain/Deck/DeckAggregate';
-import { logError } from '../../Services/Logger';
+import { logAuth, logError } from '../../Services/Logger';
 
 export class UpdateDeckCommandHandler {
   constructor(private readonly deckRepo: IDeckRepository) {}
@@ -24,6 +24,11 @@ export class UpdateDeckCommandHandler {
       throw new Error('Deck not found');
     }
 
+    if(cmd.authLevel !==1 && existingDeck.userid !== cmd.userid) {
+      logAuth(`Unauthorized access attempt to deck with ID: ${cmd.id}, UserID: ${cmd.userid}`);
+      throw new Error('Unauthorized');
+    }
+
     const for_update: Partial = {};
     if(cmd.name !== undefined) for_update.name = cmd.name;
     if(cmd.type !== undefined) for_update.type = cmd.type;