mirror of
https://github.com/jcreek/LivingDexTracker.git
synced 2026-07-16 04:23:43 +00:00
fix(#55): implement user data isolation to prevent cross-user data access
- Add server-side authentication validation for all protected API endpoints - Create auth utility with requireAuth() function for session validation - Update CombinedDataRepository to filter data by authenticated user ID - Add findByUserId() method to CatchRecordRepository for user-specific queries - Replace client-side userId parameters with server-side session extraction - Use MongoDB aggregation with $lookup and $expr for secure user filtering - Return 401 errors for unauthenticated requests - Fix critical security vulnerability where users could see others' catch records Fixes: User data isolation bug where one user's catch records were used for everyone Security: Prevents unauthorized access to other users' Pokemon tracking data
This commit is contained in:
@@ -0,0 +1,29 @@
|
||||
import type { RequestEvent } from '@sveltejs/kit';
|
||||
import { error } from '@sveltejs/kit';
|
||||
|
||||
/**
|
||||
* Validates the user session and returns the authenticated user ID
|
||||
* Throws a 401 error if the user is not authenticated
|
||||
*/
|
||||
export async function requireAuth(event: RequestEvent): Promise<string> {
|
||||
const { session, user } = await event.locals.safeGetSession();
|
||||
|
||||
if (!session || !user) {
|
||||
throw error(401, 'Authentication required');
|
||||
}
|
||||
|
||||
return user.id;
|
||||
}
|
||||
|
||||
/**
|
||||
* Optionally validates the user session and returns the user ID if authenticated
|
||||
* Returns null if not authenticated (no error thrown)
|
||||
*/
|
||||
export async function getOptionalUserId(event: RequestEvent): Promise<string | null> {
|
||||
try {
|
||||
const { session, user } = await event.locals.safeGetSession();
|
||||
return user?.id || null;
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user