From 8139b5dd4d7b716fe1f203ee79d22d759b81fd24 Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Tue, 24 Mar 2026 20:13:04 +0100
Subject: [PATCH] Task/improve user validation in delete auth device endpoint (#6614)

* Improve user validation
* Update changelog
---
 CHANGELOG.md | 1 +
 .../app/auth-device/auth-device.controller.ts | 29 +++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d161599dc..6fec332fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- Hardened the endpoint `DELETE /api/v1/auth-device/:id` by improving the user validation
 - Improved the allocations by ETF holding on the allocations page by refining the grouping of the same assets with diverging names (experimental)
 - Improved the language localization for Polish (`pl`)
 - Upgraded `@trivago/prettier-plugin-sort-imports` from version `5.2.2` to `6.0.2`
diff --git a/apps/api/src/app/auth-device/auth-device.controller.ts b/apps/api/src/app/auth-device/auth-device.controller.ts
index 15e853465..c46589d74 100644
--- a/apps/api/src/app/auth-device/auth-device.controller.ts
+++ b/apps/api/src/app/auth-device/auth-device.controller.ts
@@ -2,18 +2,43 @@ import { AuthDeviceService } from '@ghostfolio/api/app/auth-device/auth-device.s
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
 import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';
 import { permissions } from '@ghostfolio/common/permissions';
+import { RequestWithUser } from '@ghostfolio/common/types';
 
-import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
+import {
+ Controller,
+ Delete,
+ HttpException,
+ Inject,
+ Param,
+ UseGuards
+} from '@nestjs/common';
+import { REQUEST } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
+import { getReasonPhrase, StatusCodes } from 'http-status-codes';
 
 @Controller('auth-device')
 export class AuthDeviceController {
- public constructor(private readonly authDeviceService: AuthDeviceService) {}
+ public constructor(
+ private readonly authDeviceService: AuthDeviceService,
+ @Inject(REQUEST) private readonly request: RequestWithUser
+ ) {}
 
 @Delete(':id')
 @HasPermission(permissions.deleteAuthDevice)
 @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
 public async deleteAuthDevice(@Param('id') id: string): Promise {
+ const originalAuthDevice = await this.authDeviceService.authDevice({
+ id,
+ userId: this.request.user.id
+ });
+
+ if (!originalAuthDevice) {
+ throw new HttpException(
+ getReasonPhrase(StatusCodes.FORBIDDEN),
+ StatusCodes.FORBIDDEN
+ );
+ }
+
 await this.authDeviceService.deleteAuthDevice({ id });
 }
 }
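Review bot: The ownership check in deleteAuthDevice is a look-up separate from the delete, and the delete on the line after the check still runs with `{ id }` alone, so it is owner-bound only because the preceding check passed. If `deleteAuthDevice` accepts the owner in its where clause (its signature is not in the hunk), scoping the delete as well, `await this.authDeviceService.deleteAuthDevice({ id, userId: this.request.user.id });`, would make the delete enforce ownership on its own rather than relying on the check-then-act sequence. Answering FORBIDDEN for both a missing id and another user's id looks deliberate, since it does not reveal whether the id exists; a short comment above the `if`, such as `// Only the owner may delete a device; unknown ids get 403 as well so the response does not reveal whether an id exists`, would record that intent for the next reader.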