security: enforce session-derived user identity on API routes (#186)

* security: enforce session user on api routes * test: harden auth guard failure path
2026-04-13 06:28:53 +03:00 · 2026-02-24 11:47:29 +05:30
parent f28ac8fa09
commit 6a548e3dac
24 changed files with 334 additions and 201 deletions
--- a/src/lib/auth-guards.ts
+++ b/src/lib/auth-guards.ts
@@ -0,0 +1,45 @@
+import type { APIContext } from "astro";
+import { auth } from "@/lib/auth";
+
+function unauthorizedResponse() {
+  return new Response(
+    JSON.stringify({
+      success: false,
+      error: "Unauthorized",
+    }),
+    {
+      status: 401,
+      headers: { "Content-Type": "application/json" },
+    }
+  );
+}
+
+/**
+ * Ensures request is authenticated and returns the authenticated user ID.
+ * Never trust client-provided userId for authorization decisions.
+ */
+export async function requireAuthenticatedUserId(
+  context: Pick<APIContext, "request" | "locals">
+): Promise<{ userId: string } | { response: Response }> {
+  const localUserId =
+    context.locals?.session?.userId || context.locals?.user?.id;
+
+  if (localUserId) {
+    return { userId: localUserId };
+  }
+
+  let session: Awaited<ReturnType<typeof auth.api.getSession>> | null = null;
+  try {
+    session = await auth.api.getSession({
+      headers: context.request.headers,
+    });
+  } catch {
+    return { response: unauthorizedResponse() };
+  }
+
+  if (!session?.user?.id) {
+    return { response: unauthorizedResponse() };
+  }
+
+  return { userId: session.user.id };
+}