From c906ebca04d7b28516afb2f7545d8b24b73252f3 Mon Sep 17 00:00:00 2001
From: Thomas Kaul <4159106+dtslvr@users.noreply.github.com>
Date: Sat, 21 Mar 2026 08:13:58 +0100
Subject: [PATCH] Improve user validation

---
 .../app/auth-device/auth-device.controller.ts | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/app/auth-device/auth-device.controller.ts b/apps/api/src/app/auth-device/auth-device.controller.ts
index 15e853465..c46589d74 100644
--- a/apps/api/src/app/auth-device/auth-device.controller.ts
+++ b/apps/api/src/app/auth-device/auth-device.controller.ts
@@ -2,18 +2,43 @@ import { AuthDeviceService } from '@ghostfolio/api/app/auth-device/auth-device.s
 import { HasPermission } from '@ghostfolio/api/decorators/has-permission.decorator';
 import { HasPermissionGuard } from '@ghostfolio/api/guards/has-permission.guard';
 import { permissions } from '@ghostfolio/common/permissions';
+import { RequestWithUser } from '@ghostfolio/common/types';
 
-import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
+import {
+  Controller,
+  Delete,
+  HttpException,
+  Inject,
+  Param,
+  UseGuards
+} from '@nestjs/common';
+import { REQUEST } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
+import { getReasonPhrase, StatusCodes } from 'http-status-codes';
 
 @Controller('auth-device')
 export class AuthDeviceController {
-  public constructor(private readonly authDeviceService: AuthDeviceService) {}
+  public constructor(
+    private readonly authDeviceService: AuthDeviceService,
+    @Inject(REQUEST) private readonly request: RequestWithUser
+  ) {}
 
   @Delete(':id')
   @HasPermission(permissions.deleteAuthDevice)
   @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
   public async deleteAuthDevice(@Param('id') id: string): Promise<void> {
+    const originalAuthDevice = await this.authDeviceService.authDevice({
+      id,
+      userId: this.request.user.id
+    });
+
+    if (!originalAuthDevice) {
+      throw new HttpException(
+        getReasonPhrase(StatusCodes.FORBIDDEN),
+        StatusCodes.FORBIDDEN
+      );
+    }
+
     await this.authDeviceService.deleteAuthDevice({ id });
   }
 }