Files
LivingDexTracker/src/lib/repositories/CatchRecordRepository.ts
T
Josh Creek 3aa716b941 fix(#55): implement user data isolation to prevent cross-user data access
- Add server-side authentication validation for all protected API endpoints
- Create auth utility with requireAuth() function for session validation
- Update CombinedDataRepository to filter data by authenticated user ID
- Add findByUserId() method to CatchRecordRepository for user-specific queries
- Replace client-side userId parameters with server-side session extraction
- Use MongoDB aggregation with $lookup and $expr for secure user filtering
- Return 401 errors for unauthenticated requests
- Fix critical security vulnerability where users could see others' catch records

Fixes: User data isolation bug where one user's catch records were used for everyone
Security: Prevents unauthorized access to other users' Pokemon tracking data
2025-07-26 16:34:19 +01:00

40 lines
1.1 KiB
TypeScript

import CatchRecordModel, { type CatchRecord } from '$lib/models/CatchRecord';
class CatchRecordRepository {
async findById(id: string): Promise<CatchRecord | null> {
return CatchRecordModel.findById(id).exec();
}
async findAll(): Promise<CatchRecord[]> {
return CatchRecordModel.find().exec();
}
async findByUserId(userId: string): Promise<CatchRecord[]> {
return CatchRecordModel.find({ userId }).exec();
}
async create(data: Partial<CatchRecord>): Promise<CatchRecord> {
return CatchRecordModel.create(data);
}
async update(id: string, data: Partial<CatchRecord>): Promise<CatchRecord | null> {
return CatchRecordModel.findByIdAndUpdate(id, data, { new: true }).exec();
}
async delete(id: string): Promise<void> {
await CatchRecordModel.findByIdAndDelete(id).exec();
}
async upsert(data: Partial<CatchRecord>): Promise<CatchRecord | null> {
if (data._id) {
// Update existing record
return CatchRecordModel.findByIdAndUpdate(data._id, data, { new: true }).exec();
} else {
// Create new record
return CatchRecordModel.create(data);
}
}
}
export default CatchRecordRepository;