mai
/
posimai-root
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(together): require member auth on GET /together/groups/:groupId 

invite_code was accessible without authentication to anyone who knew
the groupId (sequential integer). Now requires ?u= + member check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
posimai 2026-04-20 01:04:24 +09:00
parent 6cae7daa87
commit 222238f2b9
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
server.js
View File

@ -2579,10 +2579,14 @@ ${excerpt}
} }
}); });
// GET /together/groups/:groupId — グループ情報 // GET /together/groups/:groupId — グループ情報(メンバーのみ)
r.get('/together/groups/:groupId', async (req, res) => { r.get('/together/groups/:groupId', async (req, res) => {
if (!/^[a-zA-Z0-9_-]+$/.test(req.params.groupId)) return res.status(400).json({ error: 'invalid groupId' }); if (!/^[a-zA-Z0-9_-]+$/.test(req.params.groupId)) return res.status(400).json({ error: 'invalid groupId' });
const username = req.query.u;
if (!username) return res.status(400).json({ error: 'u (username) は必須です' });
const jwtUserId = getTogetherJwtUserId(req);
try { try {
if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return;
const result = await pool.query('SELECT id, name, invite_code, created_at FROM together_groups WHERE id=$1', [req.params.groupId]); const result = await pool.query('SELECT id, name, invite_code, created_at FROM together_groups WHERE id=$1', [req.params.groupId]);
if (result.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' }); if (result.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' });
res.json(result.rows[0]); res.json(result.rows[0]);