feat: Security

This commit is contained in:
2026-06-05 18:34:01 +02:00
parent ee293d7daf
commit 45675192a5
134 changed files with 4128 additions and 446 deletions

View File

@@ -4,6 +4,7 @@ import {
listDeviceTokensForUser,
upsertDeviceToken
} from '../services/push-dispatch.service';
import { requireAuth } from '../middleware/require-auth';
export interface DeviceTokenRecord {
userId: string;
@@ -14,6 +15,8 @@ export interface DeviceTokenRecord {
const router = Router();
router.use(requireAuth);
router.post('/', async (req, res) => {
const { userId, platform, token } = req.body as Partial<DeviceTokenRecord>;
@@ -21,12 +24,20 @@ router.post('/', async (req, res) => {
return res.status(400).json({ error: 'Missing or invalid userId/platform/token' });
}
if (userId !== req.authUserId) {
return res.status(403).json({ error: 'Not authorized', errorCode: 'NOT_AUTHORIZED' });
}
await upsertDeviceToken({ userId, platform, token });
res.status(201).json({ ok: true });
});
router.get('/:userId', async (req, res) => {
if (req.params.userId !== req.authUserId) {
return res.status(403).json({ error: 'Not authorized', errorCode: 'NOT_AUTHORIZED' });
}
const records = await listDeviceTokensForUser(req.params.userId);
res.json({
@@ -40,6 +51,10 @@ router.get('/:userId', async (req, res) => {
});
router.post('/:userId/dispatch', async (req, res) => {
if (req.params.userId !== req.authUserId) {
return res.status(403).json({ error: 'Not authorized', errorCode: 'NOT_AUTHORIZED' });
}
const { title, body, data } = req.body as {
title?: string;
body?: string;