mirror of
https://github.com/jcreek/LivingDexTracker.git
synced 2026-07-13 11:03:44 +00:00
fix(#55): implement user data isolation to prevent cross-user data access
- Add server-side authentication validation for all protected API endpoints - Create auth utility with requireAuth() function for session validation - Update CombinedDataRepository to filter data by authenticated user ID - Add findByUserId() method to CatchRecordRepository for user-specific queries - Replace client-side userId parameters with server-side session extraction - Use MongoDB aggregation with $lookup and $expr for secure user filtering - Return 401 errors for unauthenticated requests - Fix critical security vulnerability where users could see others' catch records Fixes: User data isolation bug where one user's catch records were used for everyone Security: Prevents unauthorized access to other users' Pokemon tracking data
This commit is contained in:
@@ -9,6 +9,10 @@ class CatchRecordRepository {
|
||||
return CatchRecordModel.find().exec();
|
||||
}
|
||||
|
||||
async findByUserId(userId: string): Promise<CatchRecord[]> {
|
||||
return CatchRecordModel.find({ userId }).exec();
|
||||
}
|
||||
|
||||
async create(data: Partial<CatchRecord>): Promise<CatchRecord> {
|
||||
return CatchRecordModel.create(data);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user