From 222238f2b9da6b5bc46ff008196440feee02c75d Mon Sep 17 00:00:00 2001
From: posimai
Date: Mon, 20 Apr 2026 01:04:24 +0900
Subject: [PATCH] fix(together): require member auth on GET /together/groups/:groupId
invite_code was accessible without authentication to anyone who knew the groupId (sequential integer). Now requires ?u= + member check.
Co-Authored-By: Claude Sonnet 4.6
---
 server.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/server.js b/server.js
index 32eda9c1..e584d975 100644
--- a/server.js
+++ b/server.js
@@ -2579,10 +2579,14 @@ ${excerpt}
 }
 });
- // GET /together/groups/:groupId — グループ情報
+ // GET /together/groups/:groupId — グループ情報(メンバーのみ)
 r.get('/together/groups/:groupId', async (req, res) => {
 if (!/^[a-zA-Z0-9_-]+$/.test(req.params.groupId)) return res.status(400).json({ error: 'invalid groupId' });
+ const username = req.query.u;
+ if (!username) return res.status(400).json({ error: 'u (username) は必須です' });
+ const jwtUserId = getTogetherJwtUserId(req);
 try {
+ if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return;
 const result = await pool.query('SELECT id, name, invite_code, created_at FROM together_groups WHERE id=$1', [req.params.groupId]);
 if (result.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' });
 res.json(result.rows[0]);
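Review bot: The new guard takes the caller's identity from `req.query.u`, but nothing in the hunk ties that username to an authenticated principal — `getTogetherJwtUserId(req)` is passed alongside it, and whether `togetherEnsureMember` rejects a request whose JWT is absent or names a different user is decided in that helper, outside this hunk. If the helper falls back to the bare username when `jwtUserId` is null, the check reduces to "name any member" and `invite_code` is again readable by anyone who can guess a member's username, so this is worth confirming, and worth a comment on the `const jwtUserId` line stating which of the two values the helper treats as authoritative. Separately, Express's query parser can yield an array for `?u=a&u=b`, which passes the `!username` test; tightening the guard to `if (typeof username !== 'string' || !username) return res.status(400).json({ error: 'u (username) は必須です' });` keeps the helper from receiving an unexpected type. The `r.get` handler's body continues past the end of the hunk.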