Auth Check For Decks #68

Donat merged 1 commits from Backend_Fix into main 2025-10-24 20:29:05 +02:00
5 changed files with 31 additions and 9 deletions
@@ -199,12 +199,13 @@ deckRouter.patch('/:id', authRequired, async (req, res) => {
try { try {
const deckId = req.params.id; const deckId = req.params.id;
const userId = (req as any).user.userId; const userId = (req as any).user.userId;
const authLevel = (req as any).user.authLevel;
logRequest('Update deck endpoint accessed', req, res, { deckId, userId, updateFields: Object.keys(req.body) }); logRequest('Update deck endpoint accessed', req, res, { deckId, userId, updateFields: Object.keys(req.body) });
// Convert string enum values to integers // Convert string enum values to integers
const updateData = convertEnumValues(req.body); const updateData = convertEnumValues(req.body);
const result = await container.updateDeckCommandHandler.execute({ id: deckId, ...updateData }); const result = await container.updateDeckCommandHandler.execute({ userid: userId, authLevel: authLevel, id: deckId, ...updateData });
logRequest('Deck updated successfully', req, res, { deckId, userId }); logRequest('Deck updated successfully', req, res, { deckId, userId });
res.json(result); res.json(result);
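Review bot: In the new `execute` call the spread `...updateData` comes after `userid: userId, authLevel: authLevel, id: deckId`, so any `userid`, `authLevel` or `id` key that survives `convertEnumValues(req.body)` overwrites the values derived from the authenticated request — a body carrying its own `authLevel` would then satisfy the ownership check the handler adds, assuming `convertEnumValues` passes unknown keys through (its body is not in this hunk). Put the spread first so the server-derived fields always win: `const result = await container.updateDeckCommandHandler.execute({ ...updateData, userid: userId, authLevel, id: deckId });`. Dropping those keys from the body explicitly before the spread would make the intent clearer still. The delete route in the next hunk builds its command without a spread and is not affected.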
@@ -244,10 +245,11 @@ deckRouter.delete('/:id', authRequired, async (req, res) => {
try { try {
const deckId = req.params.id; const deckId = req.params.id;
const userId = (req as any).user.userId; const userId = (req as any).user.userId;
const authLevel = (req as any).user.authLevel;
logRequest('Soft delete deck endpoint accessed', req, res, { deckId, userId }); logRequest('Soft delete deck endpoint accessed', req, res, { deckId, userId });
const result = await container.deleteDeckCommandHandler.execute({ id: deckId, soft: true }); const result = await container.deleteDeckCommandHandler.execute({ userid: userId, authLevel: authLevel, id: deckId, soft: true });
logRequest('Deck soft delete successful', req, res, { deckId, userId, success: result }); logRequest('Deck soft delete successful', req, res, { deckId, userId, success: result });
res.json({ success: result }); res.json({ success: result });
} catch (error) { } catch (error) {
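Review bot: Both routes now read `(req as any).user.authLevel` next to the existing `(req as any).user.userId`, so a typo in either property name compiles and silently yields `undefined`; the check in the handlers fails closed in that case (undefined !== 1 falls through to the ownership comparison), but the mistake would be invisible. A typed request shape, e.g. `interface AuthenticatedRequest extends Request { user: { userId: string; authLevel: number } }`, with `authRequired` narrowing to it, removes the `as any` in both hunks. This assumes `authRequired` populates `req.user` from a verified token rather than from client-supplied data; that middleware is not in the diff.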
@@ -1,4 +1,6 @@
export interface DeleteDeckCommand { export interface DeleteDeckCommand {
userid: string;
authLevel: number;
id: string; id: string;
soft?: boolean; soft?: boolean;
} }
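Review bot: The new `userid` field holds the authenticated caller's id, while the handler compares it against `deck.userid`, the owner's id — the same name for two different identities is easy to misread as "the deck's user". A one-line TSDoc on each new field avoids that: `/** Id of the authenticated caller (not the deck owner). */ userid: string;` and `/** Caller's auth level; 1 bypasses the ownership check. */ authLevel: number;`. The same applies to the fields added to UpdateDeckCommand later in this diff.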
@@ -1,10 +1,24 @@
import { IDeckRepository } from '../../../Domain/IRepository/IDeckRepository'; import { IDeckRepository } from '../../../Domain/IRepository/IDeckRepository';
import { logAuth, logError } from '../../Services/Logger';
import { DeleteDeckCommand } from './DeleteDeckCommand'; import { DeleteDeckCommand } from './DeleteDeckCommand';
export class DeleteDeckCommandHandler { export class DeleteDeckCommandHandler {
constructor(private readonly deckRepo: IDeckRepository) {} constructor(private readonly deckRepo: IDeckRepository) {}
async execute(cmd: DeleteDeckCommand): Promise<boolean> { async execute(cmd: DeleteDeckCommand): Promise<boolean> {
//get decks userid
const deck = await this.deckRepo.findById(cmd.id);
if (!deck) {
logError(`Deck not found with ID: ${cmd.id}`);
throw new Error('Deck not found');
}
if(cmd.authLevel !==1 && deck.userid !== cmd.userid) {
logAuth(`Unauthorized access attempt to deck with ID: ${cmd.id}, UserID: ${cmd.userid}`);
throw new Error('Unauthorized');
}
if (cmd.soft) { if (cmd.soft) {
await this.deckRepo.softDelete(cmd.id); await this.deckRepo.softDelete(cmd.id);
} else { } else {
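Review bot: The admin check `cmd.authLevel !==1` (here, and again at L77 in UpdateDeckCommandHandler) compares against a bare magic number; give it a name in a shared module, e.g. `export const ADMIN_AUTH_LEVEL = 1;`, and write `if (cmd.authLevel !== ADMIN_AUTH_LEVEL && deck.userid !== cmd.userid)`. Both checks also throw a plain `new Error('Unauthorized')`, which the routes' catch blocks (outside these hunks) can only tell apart from the 'Deck not found' error by message text — a small `class UnauthorizedError extends Error` would let the router answer 403 instead of whatever the generic path returns. `cmd.id` originates from `req.params.id`; if `logAuth` writes free text rather than structured fields, confirm it neutralises line breaks so a crafted path segment cannot forge log entries. `execute` continues past the end of the hunk.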
@@ -1,11 +1,10 @@
import { n } from "framer-motion/dist/types.d-D0HXPxHm";
export interface UpdateDeckCommand { export interface UpdateDeckCommand {
userid: string;
authLevel: number;
id: string; id: string;
userstate?: number; userstate?: number;
name?: string; name?: string;
type?: number; type?: number;
userid?: string;
cards?: any[]; cards?: any[];
ctype?: number; ctype?: number;
state?: number; state?: number;
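Review bot: `userid` changes meaning in this interface — it was an optional, client-settable deck field and is now the required id of the authenticated caller. Any line in UpdateDeckCommandHandler that copied `cmd.userid` into `for_update` would now reassign the deck's owner to whoever calls the endpoint; the visible part of that hunk (L81–L83) has no such line, but the method continues outside it, so please confirm none remains. Removing the stray `framer-motion` types import from a backend command file is a welcome cleanup.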
@@ -3,7 +3,7 @@ import { UpdateDeckCommand } from './UpdateDeckCommand';
import { ShortDeckDto } from '../../DTOs/DeckDto'; import { ShortDeckDto } from '../../DTOs/DeckDto';
import { DeckMapper } from '../../DTOs/Mappers/DeckMapper'; import { DeckMapper } from '../../DTOs/Mappers/DeckMapper';
import { DeckAggregate } from '../../../Domain/Deck/DeckAggregate'; import { DeckAggregate } from '../../../Domain/Deck/DeckAggregate';
import { logError } from '../../Services/Logger'; import { logAuth, logError } from '../../Services/Logger';
export class UpdateDeckCommandHandler { export class UpdateDeckCommandHandler {
constructor(private readonly deckRepo: IDeckRepository) {} constructor(private readonly deckRepo: IDeckRepository) {}
@@ -24,6 +24,11 @@ export class UpdateDeckCommandHandler {
throw new Error('Deck not found'); throw new Error('Deck not found');
} }
if(cmd.authLevel !==1 && existingDeck.userid !== cmd.userid) {
logAuth(`Unauthorized access attempt to deck with ID: ${cmd.id}, UserID: ${cmd.userid}`);
throw new Error('Unauthorized');
}
const for_update: Partial<DeckAggregate> = {}; const for_update: Partial<DeckAggregate> = {};
if(cmd.name !== undefined) for_update.name = cmd.name; if(cmd.name !== undefined) for_update.name = cmd.name;
if(cmd.type !== undefined) for_update.type = cmd.type; if(cmd.type !== undefined) for_update.type = cmd.type;