From 0c9f5950474678a4d4e0a25ec45cbb737e8f6f57 Mon Sep 17 00:00:00 2001
From: adjoly
Date: Thu, 23 Oct 2025 15:49:35 +0200
Subject: [PATCH] =?UTF-8?q?=E3=80=8C=F0=9F=94=A8=E3=80=8D=20fix(user-manag?= =?UTF-8?q?ement):=20fix=20the=20fact=20the=20no=20fucking=20route=20was?= =?UTF-8?q?=20protected?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/api/user/dAvatar.js | 6 ++++++
 src/api/user/dFriend.js | 6 +++---
 src/api/user/dFriends.js | 9 +++------
 src/api/user/dMatchHistory.js | 9 +++------
 src/api/user/dMember.js | 17 +++++++----------
 src/api/user/dUser.js | 6 +++++-
 src/api/user/default.js | 1 +
 src/api/user/gAvatar.js | 3 +++
 src/api/user/gFriends.js | 3 +++
 src/api/user/gMatchHistory.js | 3 +++
 src/api/user/gNumberFriends.js | 4 ++++
 src/api/user/gNumberMatches.js | 3 +++
 src/api/user/gUser.js | 19 ++++++++++++++++---
 src/api/user/pAvatar.js | 3 +++
 src/api/user/pFriend.js | 7 ++-----
 src/api/user/pMatchHistory.js | 8 ++++----
 src/api/user/pUser.js | 5 +----
 src/api/user/uAvatar.js | 5 ++++-
 src/api/user/uMember.js | 7 ++-----
 19 files changed, 76 insertions(+), 48 deletions(-)
diff --git a/src/api/user/dAvatar.js b/src/api/user/dAvatar.js
index dbd634a..cfbea1c 100644
--- a/src/api/user/dAvatar.js
+++ b/src/api/user/dAvatar.js
@@ -1,6 +1,12 @@
 export async function dAvatar(request, reply, fastify, getUserInfo, getAvatarId, deleteAvatarId, deleteImage) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
+ if (!getUserInfo.get(userId)) {
+ return reply.code(404).send({ error: "User does not exist" });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.cose(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/dFriend.js b/src/api/user/dFriend.js
index 333bd93..1f3fddd 100644
--- a/src/api/user/dFriend.js
+++ b/src/api/user/dFriend.js
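Review bot: The existence check added on the new side (`if (!getUserInfo.get(userId)) { return reply.code(404)... }`) duplicates the one that already follows it, and the surviving older copy still calls `reply.cose(404)` — the typo this same patch corrects in uAvatar.js — so the dead block should be deleted rather than shadowed. The ownership guard `if (request.user !== userId && request.user !== 'admin')` is pasted verbatim into the dFriend, dFriends, dMatchHistory, dMember, dUser, gAvatar, gFriends, gMatchHistory, gNumberFriends, gNumberMatches, gUser, pAvatar, pFriend, pMatchHistory, uAvatar and uMember hunks; a single helper such as `const isOwnerOrAdmin = (request, userId) => request.user === userId || request.user === 'admin';` (or a route-level preHandler) would keep the policy in one place and make any later change atomic. Running the ownership check before the existence check, as every hunk now does, is the right order, since the 404 would otherwise tell an unauthorized caller which user ids exist. A caller that presents a valid token but acts on another user's resource is conventionally refused with 403, while 401 signals missing or invalid credentials; the `'Unauthorized'` literal also switches to single quotes where the rest of these files use double quotes. dAvatar's body continues past the hunk.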
@@ -1,9 +1,9 @@
 export async function dFriend(request, reply, fastify, getUserInfo, getFriend, deleteFriend) {
 try {
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/dFriends.js b/src/api/user/dFriends.js
index 803dd89..11d4423 100644
--- a/src/api/user/dFriends.js
+++ b/src/api/user/dFriends.js
@@ -1,15 +1,12 @@
 export async function dFriends(request, reply, fastify, getUserInfo, deleteFriends) {
 try {
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
- if (request.user !== 'admin' && request.user !== userId) {
- return reply.code(401).send({ error: "Unauthorized" });
- }
 deleteFriends.run(userId);
 return reply.code(200).send({ msg: "Friends deleted successfully" });
 } catch (err) {
diff --git a/src/api/user/dMatchHistory.js b/src/api/user/dMatchHistory.js
index 8b7cc0e..241813b 100644
--- a/src/api/user/dMatchHistory.js
+++ b/src/api/user/dMatchHistory.js
@@ -1,15 +1,12 @@
 export async function dMatchHistory(request, reply, fastify, getUserInfo, deleteMatchHistory, deleteStatsPong, deleteStatsTetris) {
 try {
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
- if (request.user !== 'admin' && request.user !== userId) {
- return reply.code(401).send({ error: "Unauthorized" });
- }
 const { game } = request.query;
 if (game !== 'pong' && game !== 'tetris') {
 return reply.code(400).send({ error: "Specified game does not exist" });
diff --git a/src/api/user/dMember.js b/src/api/user/dMember.js
index 240a297..32630b9 100644
--- a/src/api/user/dMember.js
+++ b/src/api/user/dMember.js
@@ -1,22 +1,19 @@
 export async function dMember(request, reply, fastify, getUserInfo, changeDisplayName) {
 try {
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
 const user = request.user;
 const member = request.params.member;
- if (user === 'admin' || user === request.params.userId) {
- if (member === 'displayName') {
- changeDisplayName.run("", request.params.userId);
- return reply.code(200).send({ msg: "Display name deleted successfully" });
- }
- return reply.code(400).send({ msg: "Member does not exist" })
+ if (member === 'displayName') {
+ changeDisplayName.run("", request.params.userId);
+ return reply.code(200).send({ msg: "Display name deleted successfully" });
 } else {
- return reply.code(401).send({ error: 'You dont have the right to delete this' });
+ return reply.code(400).send({ msg: "Member does not exist" })
 }
 } catch (err) {
 fastify.log.error(err);
diff --git a/src/api/user/dUser.js b/src/api/user/dUser.js
index d2728af..864d8cb 100644
--- a/src/api/user/dUser.js
+++ b/src/api/user/dUser.js
@@ -1,6 +1,10 @@
 export async function dUser(request, reply, fastify, getUserInfo, deleteMatchHistory, deleteFriends, deleteUser) {
 try {
- if (!getUserInfo.get(request.params.userId)) {
+ const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
+ if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
 deleteMatchHistory.run('pong', request.params.userId);
diff --git a/src/api/user/default.js b/src/api/user/default.js
index 79b5786..2a3ee89 100644
--- a/src/api/user/default.js
+++ b/src/api/user/default.js
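Review bot: `const user = request.user;` no longer has a reader once the `user === 'admin' || user === request.params.userId` branch is dropped, so it should go; with the ownership guard now at the top, `userId` is already bound and `changeDisplayName.run("", request.params.userId);` can read `changeDisplayName.run("", userId);`. The 400 response for an unknown member uses `{ msg: ... }` and has no trailing semicolon, while every other error in these hunks is `{ error: ... }`; aligning it keeps clients' error parsing uniform. The same `request.params.userId`-after-`userId` pattern appears in the dUser hunk below (`deleteMatchHistory.run('pong', request.params.userId);`). dMember's catch block continues past the hunk.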
@@ -173,6 +173,7 @@ export default async function(fastify, options) {
 if (jwt.user !== 'admin') {
 throw ('You lack administrator privileges');
 }
+ request.user = jwt.user;
 } catch (err) {
 reply.code(401).send({ error: 'Unauthorized' });
 }
diff --git a/src/api/user/gAvatar.js b/src/api/user/gAvatar.js
index 6c0d3f6..f7c386f 100644
--- a/src/api/user/gAvatar.js
+++ b/src/api/user/gAvatar.js
@@ -1,6 +1,9 @@
 export async function gAvatar(request, reply, fastify, getUserInfo, getAvatarId, getImage) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/gFriends.js b/src/api/user/gFriends.js
index 5fbb941..8050e17 100644
--- a/src/api/user/gFriends.js
+++ b/src/api/user/gFriends.js
@@ -1,6 +1,9 @@
 export async function gFriends(request, reply, fastify, getUserInfo, getFriends) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/gMatchHistory.js b/src/api/user/gMatchHistory.js
index 6999c9b..e8d3a55 100644
--- a/src/api/user/gMatchHistory.js
+++ b/src/api/user/gMatchHistory.js
@@ -1,6 +1,9 @@
 export async function gMatchHistory(request, reply, fastify, getUserInfo, getMatchHistory) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/gNumberFriends.js b/src/api/user/gNumberFriends.js
index ca1ec24..03730bf 100644
--- a/src/api/user/gNumberFriends.js
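Review bot: `request.user = jwt.user;` is reached only after `if (jwt.user !== 'admin') { throw ... }`, so in this hook `request.user` can never be anything but `'admin'`; the per-user handlers in this patch compare `request.user` to `userId`, which only works if some other hook (not in this diff) sets it for ordinary tokens, so that should be confirmed before merging. In the `catch`, `reply.code(401).send(...)` is not returned; if this hook is async, Fastify needs `return reply;` after sending from a hook, otherwise the route handler may still run. The context line `throw ('You lack administrator privileges');` throws a bare string, so `err` carries no stack; `throw new Error('You lack administrator privileges');` is the conventional form. The enclosing function starts before this hunk.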
+++ b/src/api/user/gNumberFriends.js
@@ -1,9 +1,13 @@
 export async function gNumberFriends(request, reply, fastify, getUserInfo, getNumberFriends) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
+
 const row = getNumberFriends.get(userId);
 return reply.code(200).send({ n_friends: row.n_friends });
 } catch (err) {
diff --git a/src/api/user/gNumberMatches.js b/src/api/user/gNumberMatches.js
index f26e628..a784fac 100644
--- a/src/api/user/gNumberMatches.js
+++ b/src/api/user/gNumberMatches.js
@@ -1,6 +1,9 @@
 export async function gNumberMatches(request, reply, fastify, getUserInfo, getNumberMatches) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/gUser.js b/src/api/user/gUser.js
index 6937e6c..24648bd 100644
--- a/src/api/user/gUser.js
+++ b/src/api/user/gUser.js
@@ -1,11 +1,24 @@
 export async function gUser(request, reply, fastify, getUserInfo) {
 try {
 const userId = request.params.userId;
- const userInfo = getUserInfo.get(userId);
- if (!userInfo) {
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
+ if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
- return reply.code(200).send({ username: userInfo.username, displayName: userInfo.displayName, pong: { wins: userInfo.pongWins, losses: userInfo.pongLosses }, tetris: { wins: userInfo.tetrisWins, losses: userInfo.tetrisLosses } });
+ return reply.code(200).send({
+ username: userInfo.username,
+ displayName: userInfo.displayName,
+ pong: {
+ wins: userInfo.pongWins,
+ losses: userInfo.pongLosses
+ },
+ tetris: {
+ wins: userInfo.tetrisWins,
+ losses: userInfo.tetrisLosses
+ }
+ });
 } catch (err) {
 fastify.log.error(err);
 return reply.code(500).send({ error: "Internal server error" });
diff --git a/src/api/user/pAvatar.js b/src/api/user/pAvatar.js
index a567589..f90299e 100644
--- a/src/api/user/pAvatar.js
+++ b/src/api/user/pAvatar.js
@@ -8,6 +8,9 @@ import sharp from 'sharp';
 export async function pAvatar(request, reply, fastify, getUserInfo, setAvatarId, postImage) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
 }
diff --git a/src/api/user/pFriend.js b/src/api/user/pFriend.js
index dfb5341..ae7d414 100644
--- a/src/api/user/pFriend.js
+++ b/src/api/user/pFriend.js
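Review bot: The 200 reply on the new side reads `userInfo.username`, `userInfo.pongWins` and the other fields, but the hunk removes the only visible declaration `const userInfo = getUserInfo.get(userId);`, so unless `userInfo` is declared elsewhere in the file every request that passes both guards throws a ReferenceError and lands in the 500 branch. Keep the lookup result instead of discarding it: `const userInfo = getUserInfo.get(userId);` followed by `if (!userInfo) {` in place of `if (!getUserInfo.get(userId)) {`. That also avoids querying the same row twice per request.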
@@ -1,11 +1,8 @@
 export async function pFriend(request, reply, fastify, getUserInfo, getFriend, addFriend) {
 try {
 const userId = request.params.userId;
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
- if (request.user !== 'admin' && request.user !== userId) {
- return reply.code(401).send({ error: "Unauthorized" });
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
 }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });
diff --git a/src/api/user/pMatchHistory.js b/src/api/user/pMatchHistory.js
index 584b53e..f722775 100644
--- a/src/api/user/pMatchHistory.js
+++ b/src/api/user/pMatchHistory.js
@@ -16,11 +16,11 @@ async function fetchSave(request, reply, userId, addMatch) {
 export async function pMatchHistory(request, reply, fastify, getUserInfo, addMatch, incWinsPong, incLossesPong, incWinsTetris, incLossesTetris) {
 try {
 const userId = request.params.userId;
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
 }
- if (request.user !== 'admin' && request.user !== userId) {
- return reply.code(401).send({ error: "Unauthorized" });
+ if (!getUserInfo.get(userId)) {
+ return reply.code(404).send({ error: "User does not exist" });
 }
 if (request.body.game !== 'pong' && request.body.game !== 'tetris') {
 return reply.code(400).send({ error: "Specified game does not exist" });
diff --git a/src/api/user/pUser.js b/src/api/user/pUser.js
index c5dd88e..31ce8bd 100644
--- a/src/api/user/pUser.js
+++ b/src/api/user/pUser.js
@@ -1,10 +1,7 @@
 export async function pUser(request, reply, fastify, getUserInfo, createUser) {
 try {
 const userId = request.params.userId;
- if (!request.user || !request.user.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
- if (request.user.user !== 'admin') {
+ if (request.user !== 'admin') {
 return reply.code(401).send({ error: "Unauthorized" });
 }
 if (getUserInfo.get(userId)) {
diff --git a/src/api/user/uAvatar.js b/src/api/user/uAvatar.js
index 1076e44..344307e 100644
--- a/src/api/user/uAvatar.js
+++ b/src/api/user/uAvatar.js
@@ -3,8 +3,11 @@ import sharp from 'sharp';
 export async function uAvatar(request, reply, fastify, getUserInfo, setAvatarId, getAvatarId, deleteAvatarId, postImage, deleteImage) {
 try {
 const userId = request.params.userId;
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
+ }
 if (!getUserInfo.get(userId)) {
- return reply.cose(404).send({ error: "User does not exist" });
+ return reply.code(404).send({ error: "User does not exist" });
 }
 deleteAvatarId.run(userId);
 const parts = request.parts();
diff --git a/src/api/user/uMember.js b/src/api/user/uMember.js
index 01c1dc5..adf5fce 100644
--- a/src/api/user/uMember.js
+++ b/src/api/user/uMember.js
@@ -1,11 +1,8 @@
 export async function uMember(request, reply, fastify, getUserInfo, changeDisplayName, changeAvatarId) {
 try {
 const userId = request.params.userId;
- if (!request.user) {
- return reply.code(400).send({ error: "Please specify a user" });
- }
- if (request.user !== 'admin' && request.user !== userId) {
- return reply.code(401).send({ error: "Unauthorized" });
+ if (request.user !== userId && request.user !== 'admin') {
+ return reply.code(401).send({ error: 'Unauthorized' });
 }
 if (!getUserInfo.get(userId)) {
 return reply.code(404).send({ error: "User does not exist" });