fix(#55): implement user data isolation to prevent cross-user data access

- Add server-side authentication validation for all protected API endpoints
- Create auth utility with requireAuth() function for session validation
- Update CombinedDataRepository to filter data by authenticated user ID
- Add findByUserId() method to CatchRecordRepository for user-specific queries
- Replace client-side userId parameters with server-side session extraction
- Use MongoDB aggregation with $lookup and $expr for secure user filtering
- Return 401 errors for unauthenticated requests
- Fix critical security vulnerability where users could see others' catch records

Fixes: User data isolation bug where one user's catch records were used for everyone
Security: Prevents unauthorized access to other users' Pokemon tracking data
This commit is contained in:
Josh Creek
2025-07-26 16:34:19 +01:00
parent a4269259f9
commit 3aa716b941
7 changed files with 172 additions and 39 deletions
+29
View File
@@ -0,0 +1,29 @@
import type { RequestEvent } from '@sveltejs/kit';
import { error } from '@sveltejs/kit';
/**
* Validates the user session and returns the authenticated user ID
* Throws a 401 error if the user is not authenticated
*/
export async function requireAuth(event: RequestEvent): Promise<string> {
const { session, user } = await event.locals.safeGetSession();
if (!session || !user) {
throw error(401, 'Authentication required');
}
return user.id;
}
/**
* Optionally validates the user session and returns the user ID if authenticated
* Returns null if not authenticated (no error thrown)
*/
export async function getOptionalUserId(event: RequestEvent): Promise<string | null> {
try {
const { session, user } = await event.locals.safeGetSession();
return user?.id || null;
} catch {
return null;
}
}