fix(#55): implement user data isolation to prevent cross-user data access

- Add server-side authentication validation for all protected API endpoints
- Create auth utility with requireAuth() function for session validation
- Update CombinedDataRepository to filter data by authenticated user ID
- Add findByUserId() method to CatchRecordRepository for user-specific queries
- Replace client-side userId parameters with server-side session extraction
- Use MongoDB aggregation with $lookup and $expr for secure user filtering
- Return 401 errors for unauthenticated requests
- Fix critical security vulnerability where users could see others' catch records

Fixes: User data isolation bug where one user's catch records were used for everyone
Security: Prevents unauthorized access to other users' Pokemon tracking data
This commit is contained in:
Josh Creek
2025-07-26 16:34:19 +01:00
parent a4269259f9
commit 3aa716b941
7 changed files with 172 additions and 39 deletions
@@ -9,6 +9,10 @@ class CatchRecordRepository {
return CatchRecordModel.find().exec();
}
async findByUserId(userId: string): Promise<CatchRecord[]> {
return CatchRecordModel.find({ userId }).exec();
}
async create(data: Partial<CatchRecord>): Promise<CatchRecord> {
return CatchRecordModel.create(data);
}