Only the current user can modify thier own data

2 years ago · 6474fe0afa
2 changed files with 15 additions and 1 deletions
--- a/packages/bridge-server/src/authorization/onlyme.guard.ts
+++ b/packages/bridge-server/src/authorization/onlyme.guard.ts
@ -0,0 +1,13 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+
+@Injectable()
+export class OnlyMeGuard implements CanActivate {
+  constructor() {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    const user = request.user;
+
+    return request.params.id == user.sub;
+  }
+}
--- a/packages/bridge-server/src/users/users.controller.ts
+++ b/packages/bridge-server/src/users/users.controller.ts
@ -1,6 +1,7 @@
 import { Body, Controller, Get, Param, Post, UseGuards } from '@nestjs/common';
 import { JwtAuthGuard } from 'src/authz/authz.guard';
 import { UsersService } from './users.service';
+import { OnlyMeGuard } from 'src/authorization/onlyme.guard';

@Controller('users')
 export class UsersController {
@ -19,7 +20,7 @@ export class UsersController {
        return this.usersService.updateLastLogin(body.id, body.nickname, body.picture, body.time);
    }

-    @UseGuards(JwtAuthGuard)
+    @UseGuards(JwtAuthGuard, OnlyMeGuard)
    @Post(':id/update')
    async updateUserDetails(@Body() body: any) {
        await this.usersService.updateUserDetails(body.id, body.nickname, body.realname);