From 6cae7daa877cdaaa9aeaa942ea6c87084b086d68 Mon Sep 17 00:00:00 2001
From: posimai
Date: Sun, 19 Apr 2026 19:08:36 +0900
Subject: [PATCH] fix(together): revert broken userCheck that caused 403 for all JWT users
userCheck required username to match users.user_id/name, but Together usernames (mai, EIJI) never matched users table entries (maita, partner). All JWT-bearing clients were getting 403. Reverts to member-row-only check until user_id backfill is complete (Phase 1).
Co-Authored-By: Claude Sonnet 4.6
---
 server.js | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/server.js b/server.js
index 8fb50e95..32eda9c1 100644
--- a/server.js
+++ b/server.js
@@ -797,15 +797,7 @@ async function togetherEnsureMember(pool, res, groupId, username, jwtUserId) {
 [gidNum, username]
 );
 if (legacy.rows.length > 0) {
- // JWT ユーザーが送信した username の本人であることを確認(なりすまし防止)
- const userCheck = await pool.query(
- 'SELECT 1 FROM users WHERE user_id=$1 AND (user_id=$2 OR name=$2)',
- [jwtUserId, username]
- );
- if (userCheck.rows.length === 0) {
- res.status(403).json({ error: 'グループのメンバーではありません' });
- return false;
- }
+ // user_id 未紐付け期間の暫定: メンバー行があれば許可(紐付け完了後に削除予定)
 console.warn('[Together] legacy path used user=%s username=%s group=%s', jwtUserId, username, gidNum);
 return true;
 }
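Review bot: With userCheck removed, the legacy branch of togetherEnsureMember returns true for any caller whose `username` matches a member row, and nothing on the new side ties that `username` to `jwtUserId`; the removed comment describes `username` as sent by the client, so one authenticated user can apparently act as another group member until the backfill lands. The function starts before this hunk and presumably continues past it, so a binding elsewhere cannot be ruled out from here. If the identity mismatch is limited to the accounts named in the commit message, a short server-side map from `jwtUserId` to the allowed Together username would restore the check without the 403s. At minimum the new comment should state the trade-off, e.g. `// SECURITY: username is client-supplied and not bound to jwtUserId on this path; remove after user_id backfill`, and the existing `console.warn` line should be alerted on when one `jwtUserId` appears with more than one `username`.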