security: enforce session-derived user identity on API routes (#186)

* security: enforce session user on api routes * test: harden auth guard failure path
2026-04-12 05:58:53 +03:00 · 2026-02-24 11:47:29 +05:30
parent f28ac8fa09
commit 6a548e3dac
24 changed files with 334 additions and 201 deletions
--- a/src/lib/auth-guards.test.ts
+++ b/src/lib/auth-guards.test.ts
@@ -0,0 +1,66 @@
+import { describe, expect, mock, test } from "bun:test";
+
+const getSessionMock = mock(async () => null);
+
+mock.module("@/lib/auth", () => ({
+  auth: {
+    api: {
+      getSession: getSessionMock,
+    },
+  },
+}));
+
+import { requireAuthenticatedUserId } from "./auth-guards";
+
+describe("requireAuthenticatedUserId", () => {
+  test("returns user id from locals session without calling auth api", async () => {
+    getSessionMock.mockImplementation(async () => {
+      throw new Error("should not be called");
+    });
+
+    const result = await requireAuthenticatedUserId({
+      request: new Request("http://localhost/test"),
+      locals: {
+        session: { userId: "local-user-id" },
+      } as any,
+    });
+
+    expect("userId" in result).toBe(true);
+    if ("userId" in result) {
+      expect(result.userId).toBe("local-user-id");
+    }
+  });
+
+  test("returns user id from auth session when locals are empty", async () => {
+    getSessionMock.mockImplementation(async () => ({
+      user: { id: "session-user-id" },
+      session: { id: "session-id" },
+    }));
+
+    const result = await requireAuthenticatedUserId({
+      request: new Request("http://localhost/test"),
+      locals: {} as any,
+    });
+
+    expect("userId" in result).toBe(true);
+    if ("userId" in result) {
+      expect(result.userId).toBe("session-user-id");
+    }
+  });
+
+  test("returns unauthorized response when auth lookup throws", async () => {
+    getSessionMock.mockImplementation(async () => {
+      throw new Error("session provider unavailable");
+    });
+
+    const result = await requireAuthenticatedUserId({
+      request: new Request("http://localhost/test"),
+      locals: {} as any,
+    });
+
+    expect("response" in result).toBe(true);
+    if ("response" in result) {
+      expect(result.response.status).toBe(401);
+    }
+  });
+});
--- a/src/lib/auth-guards.ts
+++ b/src/lib/auth-guards.ts
@@ -0,0 +1,45 @@
+import type { APIContext } from "astro";
+import { auth } from "@/lib/auth";
+
+function unauthorizedResponse() {
+  return new Response(
+    JSON.stringify({
+      success: false,
+      error: "Unauthorized",
+    }),
+    {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    }
+  );
+}
+
+/**
+ * Ensures request is authenticated and returns the authenticated user ID.
+ * Never trust client-provided userId for authorization decisions.
+ */
+export async function requireAuthenticatedUserId(
+  context: Pick<APIContext, "request" | "locals">
+): Promise<{ userId: string } | { response: Response }> {
+  const localUserId =
+    context.locals?.session?.userId || context.locals?.user?.id;
+
+  if (localUserId) {
+    return { userId: localUserId };
+  }
+
+  let session: Awaited<ReturnType<typeof auth.api.getSession>> | null = null;
+  try {
+    session = await auth.api.getSession({
+      headers: context.request.headers,
+    });
+  } catch {
+    return { response: unauthorizedResponse() };
+  }
+
+  if (!session?.user?.id) {
+    return { response: unauthorizedResponse() };
+  }
+
+  return { userId: session.user.id };
+}