「🔨」 fix(user-management): fix the fact the no fucking route was protected

2025-12-31 21:56:41 +01:00 · 2025-10-23 15:49:35 +02:00
parent c4221d9463
commit 0c9f595047
19 changed files with 76 additions and 48 deletions
--- a/src/api/user/dAvatar.js
+++ b/src/api/user/dAvatar.js
@ -1,6 +1,12 @@
 export async function dAvatar(request, reply, fastify, getUserInfo, getAvatarId, deleteAvatarId, deleteImage) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.cose(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/dFriend.js
+++ b/src/api/user/dFriend.js
@ -1,9 +1,9 @@
 export async function dFriend(request, reply, fastify, getUserInfo, getFriend, deleteFriend) {
 	try {
 		if (!request.user) {
 			return reply.code(400).send({ error: "Please specify a user" });
 		}
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/dFriends.js
+++ b/src/api/user/dFriends.js
@ -1,15 +1,12 @@
 export async function dFriends(request, reply, fastify, getUserInfo, deleteFriends) {
 	try {
 		if (!request.user) {
 			return reply.code(400).send({ error: "Please specify a user" });
 		}
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		if (request.user !== 'admin' && request.user !== userId) {
 			return reply.code(401).send({ error: "Unauthorized" });
 		}
 		deleteFriends.run(userId);
 		return reply.code(200).send({ msg: "Friends deleted successfully" });
 	} catch (err) {
--- a/src/api/user/dMatchHistory.js
+++ b/src/api/user/dMatchHistory.js
@ -1,15 +1,12 @@
 export async function dMatchHistory(request, reply, fastify, getUserInfo, deleteMatchHistory, deleteStatsPong, deleteStatsTetris) {
 	try {
 		if (!request.user) {
 			return reply.code(400).send({ error: "Please specify a user" });
 		}
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		if (request.user !== 'admin' && request.user !== userId) {
 			return reply.code(401).send({ error: "Unauthorized" });
 		}
 		const { game } = request.query;
 		if (game !== 'pong' && game !== 'tetris') {
 			return reply.code(400).send({ error: "Specified game does not exist" });
--- a/src/api/user/dMember.js
+++ b/src/api/user/dMember.js
@ -1,22 +1,19 @@
 export async function dMember(request, reply, fastify, getUserInfo, changeDisplayName) {
 	try {
 		if (!request.user) {
 			return reply.code(400).send({ error: "Please specify a user" });
 		}
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		const user = request.user;
 		const member = request.params.member;
-		if (user === 'admin' || user === request.params.userId) {
+		if (member === 'displayName') {
-			if (member === 'displayName') {
+			changeDisplayName.run("", request.params.userId);
-				changeDisplayName.run("", request.params.userId);
+			return reply.code(200).send({ msg: "Display name deleted successfully" });
 				return reply.code(200).send({ msg: "Display name deleted successfully" });
 			}
 			return reply.code(400).send({ msg: "Member does not exist" })
 		} else {
-			return reply.code(401).send({ error: 'You dont have the right to delete this' });
+			return reply.code(400).send({ msg: "Member does not exist" })
 		}
 	} catch (err) {
 		fastify.log.error(err);
--- a/src/api/user/dUser.js
+++ b/src/api/user/dUser.js
@ -1,6 +1,10 @@
 export async function dUser(request, reply, fastify, getUserInfo, deleteMatchHistory, deleteFriends, deleteUser) {
 	try {
-		if (!getUserInfo.get(request.params.userId)) {
+		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		deleteMatchHistory.run('pong', request.params.userId);
--- a/src/api/user/default.js
+++ b/src/api/user/default.js
@ -173,6 +173,7 @@ export default async function(fastify, options) {
 			if (jwt.user !== 'admin') {
 				throw ('You lack administrator privileges');
 			}
 			request.user = jwt.user;
 		} catch (err) {
 			reply.code(401).send({ error: 'Unauthorized' });
 		}
--- a/src/api/user/gAvatar.js
+++ b/src/api/user/gAvatar.js
@ -1,6 +1,9 @@
 export async function gAvatar(request, reply, fastify, getUserInfo, getAvatarId, getImage) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/gFriends.js
+++ b/src/api/user/gFriends.js
@ -1,6 +1,9 @@
 export async function gFriends(request, reply, fastify, getUserInfo, getFriends) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/gMatchHistory.js
+++ b/src/api/user/gMatchHistory.js
@ -1,6 +1,9 @@
 export async function gMatchHistory(request, reply, fastify, getUserInfo, getMatchHistory) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/gNumberFriends.js
+++ b/src/api/user/gNumberFriends.js
@ -1,9 +1,13 @@
 export async function gNumberFriends(request, reply, fastify, getUserInfo, getNumberFriends) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
 		const row = getNumberFriends.get(userId);
 		return reply.code(200).send({ n_friends: row.n_friends });
 	} catch (err) {
--- a/src/api/user/gNumberMatches.js
+++ b/src/api/user/gNumberMatches.js
@ -1,6 +1,9 @@
 export async function gNumberMatches(request, reply, fastify, getUserInfo, getNumberMatches) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/gUser.js
+++ b/src/api/user/gUser.js
@ -1,11 +1,24 @@
 export async function gUser(request, reply, fastify, getUserInfo) {
 	try {
 		const userId = request.params.userId;
-		const userInfo = getUserInfo.get(userId);
+		if (request.user !== userId && request.user !== 'admin') {
-		if (!userInfo) {
+			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
-		return reply.code(200).send({ username: userInfo.username, displayName: userInfo.displayName, pong: { wins: userInfo.pongWins, losses: userInfo.pongLosses }, tetris: { wins: userInfo.tetrisWins, losses: userInfo.tetrisLosses } });
+		return reply.code(200).send({
 			username: userInfo.username,
 			displayName: userInfo.displayName,
 			pong: {
 				wins: userInfo.pongWins,
 				losses: userInfo.pongLosses
 			},
 			tetris: {
 				wins: userInfo.tetrisWins,
 				losses: userInfo.tetrisLosses
 			}
 		});
 	} catch (err) {
 		fastify.log.error(err);
 		return reply.code(500).send({ error: "Internal server error" });
--- a/src/api/user/pAvatar.js
+++ b/src/api/user/pAvatar.js
@ -8,6 +8,9 @@ import sharp from 'sharp';
 export async function pAvatar(request, reply, fastify, getUserInfo, setAvatarId, postImage) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
 		}
--- a/src/api/user/pFriend.js
+++ b/src/api/user/pFriend.js
@ -1,11 +1,8 @@
 export async function pFriend(request, reply, fastify, getUserInfo, getFriend, addFriend) {
 	try {
 		const userId = request.params.userId;
-		if (!request.user) {
+		if (request.user !== userId && request.user !== 'admin') {
-			return reply.code(400).send({ error: "Please specify a user" });
+			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (request.user !== 'admin' && request.user !== userId) {
 			return reply.code(401).send({ error: "Unauthorized" });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });
--- a/src/api/user/pMatchHistory.js
+++ b/src/api/user/pMatchHistory.js
@ -16,11 +16,11 @@ async function fetchSave(request, reply, userId, addMatch) {
 export async function pMatchHistory(request, reply, fastify, getUserInfo, addMatch, incWinsPong, incLossesPong, incWinsTetris, incLossesTetris) {
 	try {
 		const userId = request.params.userId;
-		if (!request.user) {
+		if (request.user !== userId && request.user !== 'admin') {
-			return reply.code(400).send({ error: "Please specify a user" });
+			return reply.code(401).send({ error: 'Unauthorized' });
 		}
-		if (request.user !== 'admin' && request.user !== userId) {
+		if (!getUserInfo.get(userId)) {
-			return reply.code(401).send({ error: "Unauthorized" });
+			return reply.code(404).send({ error: "User does not exist" });
 		}
 		if (request.body.game !== 'pong' && request.body.game !== 'tetris') {
 			return reply.code(400).send({ error: "Specified game does not exist" });
--- a/src/api/user/pUser.js
+++ b/src/api/user/pUser.js
@ -1,10 +1,7 @@
 export async function pUser(request, reply, fastify, getUserInfo, createUser) {
 	try {
 		const userId = request.params.userId;
-		if (!request.user || !request.user.user) {
+		if (request.user !== 'admin') {
 			return reply.code(400).send({ error: "Please specify a user" });
 		}
 		if (request.user.user !== 'admin') {
 			return reply.code(401).send({ error: "Unauthorized" });
 		}
 		if (getUserInfo.get(userId)) {
--- a/src/api/user/uAvatar.js
+++ b/src/api/user/uAvatar.js
@ -3,8 +3,11 @@ import sharp from 'sharp';
 export async function uAvatar(request, reply, fastify, getUserInfo, setAvatarId, getAvatarId, deleteAvatarId, postImage, deleteImage) {
 	try {
 		const userId = request.params.userId;
 		if (request.user !== userId && request.user !== 'admin') {
 			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (!getUserInfo.get(userId)) {
-			return reply.cose(404).send({ error: "User does not exist" });
+			return reply.code(404).send({ error: "User does not exist" });
 		}
 		deleteAvatarId.run(userId);
 		const parts = request.parts();
--- a/src/api/user/uMember.js
+++ b/src/api/user/uMember.js
@ -1,11 +1,8 @@
 export async function uMember(request, reply, fastify, getUserInfo, changeDisplayName, changeAvatarId) {
 	try {
 		const userId = request.params.userId;
-		if (!request.user) {
+		if (request.user !== userId && request.user !== 'admin') {
-			return reply.code(400).send({ error: "Please specify a user" });
+			return reply.code(401).send({ error: 'Unauthorized' });
 		}
 		if (request.user !== 'admin' && request.user !== userId) {
 			return reply.code(401).send({ error: "Unauthorized" });
 		}
 		if (!getUserInfo.get(userId)) {
 			return reply.code(404).send({ error: "User does not exist" });