Task/improve user validation in delete auth device endpoint (#6614)

* Improve user validation * Update changelog
3 days ago · 8139b5dd4d
2 changed files with 28 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Changed

+- Hardened the endpoint `DELETE /api/v1/auth-device/:id` by improving the user validation
 - Improved the allocations by ETF holding on the allocations page by refining the grouping of the same assets with diverging names (experimental)
 - Improved the language localization for Polish (`pl`)
 - Upgraded `@trivago/prettier-plugin-sort-imports` from version `5.2.2` to `6.0.2`
--- a/apps/api/src/app/auth-device/auth-device.controller.ts
+++ b/apps/api/src/app/auth-device/auth-device.controller.ts
@ -2,18 +2,43 @@ import { AuthDeviceService } from '@ghostfolio/api/app/auth-device/auth-device.s
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
 import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';
 import { permissions } from '@ghostfolio/common/permissions';
+import { RequestWithUser } from '@ghostfolio/common/types';

-import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
+import {
+  Controller,
+  Delete,
+  HttpException,
+  Inject,
+  Param,
+  UseGuards
+} from '@nestjs/common';
+import { REQUEST } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
+import { getReasonPhrase, StatusCodes } from 'http-status-codes';

@Controller('auth-device')
 export class AuthDeviceController {
-  public constructor(private readonly authDeviceService: AuthDeviceService) {}
+  public constructor(
+    private readonly authDeviceService: AuthDeviceService,
+    @Inject(REQUEST) private readonly request: RequestWithUser
+  ) {}

  @Delete(':id')
  @HasPermission(permissions.deleteAuthDevice)
  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
  public async deleteAuthDevice(@Param('id') id: string): Promise<void> {
+    const originalAuthDevice = await this.authDeviceService.authDevice({
+      id,
+      userId: this.request.user.id
+    });
+
+    if (!originalAuthDevice) {
+      throw new HttpException(
+        getReasonPhrase(StatusCodes.FORBIDDEN),
+        StatusCodes.FORBIDDEN
+      );
+    }
+
    await this.authDeviceService.deleteAuthDevice({ id });
  }
 }