fix(together): revert broken userCheck that caused 403 for all JWT users

userCheck required username to match users.user_id/name, but Together usernames (mai, EIJI) never matched users table entries (maita, partner). All JWT-bearing clients were getting 403. Reverts to member-row-only check until user_id backfill is complete (Phase 1). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 19:08:36 +09:00 · 2026-04-19 19:08:36 +09:00 · 6cae7daa87
parent a1483ed00b
commit 6cae7daa87
1 changed files with 1 additions and 9 deletions
--- a/server.js
+++ b/server.js
@ -797,15 +797,7 @@ async function togetherEnsureMember(pool, res, groupId, username, jwtUserId) {
                [gidNum, username]
            );
            if (legacy.rows.length > 0) {
-                // JWT ユーザーが送信した username の本人であることを確認（なりすまし防止）
-                const userCheck = await pool.query(
-                    'SELECT 1 FROM users WHERE user_id=$1 AND (user_id=$2 OR name=$2)',
-                    [jwtUserId, username]
-                );
-                if (userCheck.rows.length === 0) {
-                    res.status(403).json({ error: 'グループのメンバーではありません' });
-                    return false;
-                }
+                // user_id 未紐付け期間の暫定: メンバー行があれば許可（紐付け完了後に削除予定）
                console.warn('[Together] legacy path used user=%s username=%s group=%s', jwtUserId, username, gidNum);
                return true;
            }