diff --git a/server.js b/server.js
index 48709d7e..76d592cc 100644
--- a/server.js
+++ b/server.js
@@ -807,24 +807,33 @@ async function togetherEnsureMember(pool, res, groupId, username, jwtUserId) {
 return false;
 }
 try {
- if (!jwtUserId) {
- res.status(401).json({ error: '認証が必要です' });
+ if (jwtUserId) {
+ const strict = await pool.query(
+ `SELECT 1 FROM together_members m
+ WHERE m.group_id = $1 AND (
+ m.user_id = $2
+ OR (
+ (m.user_id IS NULL OR btrim(COALESCE(m.user_id, '')) = '')
+ AND m.username = ANY($3::text[])
+ )
+ )`,
+ [gidNum, jwtUserId, usernames]
+ );
+ if (strict.rows.length > 0) return true;
+ res.status(403).json({ error: 'グループのメンバーではありません' });
 return false;
 }
- const strict = await pool.query(
- `SELECT 1 FROM together_members m
- WHERE m.group_id = $1 AND (
- m.user_id = $2
- OR (
- (m.user_id IS NULL OR btrim(COALESCE(m.user_id, '')) = '')
- AND m.username = ANY($3::text[])
- )
- )`,
- [gidNum, jwtUserId, usernames]
+ // JWT なし: username のみで照合(Together は Posimai アカウント不要のため継続許容)
+ const primaryUsername = usernames[0];
+ const legacyOnly = await pool.query(
+ 'SELECT 1 FROM together_members WHERE group_id=$1 AND username=$2',
+ [gidNum, primaryUsername]
 );
- if (strict.rows.length > 0) return true;
- res.status(403).json({ error: 'グループのメンバーではありません' });
- return false;
+ if (legacyOnly.rows.length === 0) {
+ res.status(403).json({ error: 'グループのメンバーではありません' });
+ return false;
+ }
+ return true;
 } catch (e) {
 console.error('[Together] togetherEnsureMember', e.message);
 res.status(500).json({ error: 'Internal server error' });
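Review bot: The new unauthenticated fallback (`legacyOnly`) accepts any together_members row whose username matches, including rows that already carry a `user_id`, whereas the authenticated `strict` query above only honours a username match on rows whose user_id is NULL or blank; so once a member has linked an account, anyone who sends that username without a token is still passed as a member. Adding the same predicate the strict query already uses, `AND (user_id IS NULL OR btrim(COALESCE(user_id, '')) = '')`, to the legacy query keeps the no-account case working while closing that gap. Since this branch deliberately trusts an unverified identity claim, the comment should say so, e.g. `// No JWT: username is unverified here — treat as a membership hint only, never as proof of identity`. `usernames` is built before this hunk (togetherEnsureMember starts and ends outside it); if it can be empty, `primaryUsername` is undefined and the query presumably lands in the catch as a 500 rather than a 403, which is worth a guard if that path is reachable.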