fix: protect GET /wallet/:id and GET /wallet/:id/trust_relationships

Greenstand · Apr 12, 2024 · e053be2 · e053be2
1 parent b05008b
commit e053be2
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 22 deletions.
diff --git a/server/handlers/walletHandler/index.js b/server/handlers/walletHandler/index.js
@@ -57,9 +57,13 @@ const walletSingleGet = async (req, res) => {
     abortEarly: false,
   });
 
-  const { wallet_id } = validatedParams;
+  const { wallet_id: requestedWalletId } = validatedParams;
+  const { wallet_id: loggedInWalletId } = req;
   const walletService = new WalletService();
-  const wallet = await walletService.getWallet(wallet_id);
+  const wallet = await walletService.getWallet(
+    loggedInWalletId,
+    requestedWalletId,
+  );
   res.status(200).send(wallet);
 };
 
@@ -74,15 +78,19 @@ const walletGetTrustRelationships = async (req, res) => {
     },
   );
 
-  const { wallet_id } = validatedParams;
+  const { wallet_id: walletId } = validatedParams;
+  const { wallet_id: loggedInWalletId } = req;
   const { state, type, request_type } = validatedQuery;
   const trustService = new TrustService();
-  const trust_relationships = await trustService.getTrustRelationships({
-    walletId: wallet_id,
-    state,
-    type,
-    request_type,
-  });
+  const trust_relationships = await trustService.getTrustRelationships(
+    loggedInWalletId,
+    {
+      walletId,
+      state,
+      type,
+      request_type,
+    },
+  );
   res.status(200).json({
     trust_relationships,
   });

diff --git a/server/models/Wallet.js b/server/models/Wallet.js
@@ -50,8 +50,14 @@ class Wallet {
     return this._walletRepository.getById(id);
   }
 
-  async getWallet(walletId) {
+  async getWallet(loggedInWalletId, walletId) {
     const wallet = await this._walletRepository.getById(walletId);
+
+    // requested wallet is not managed by currently logged-in user
+    if (!(await this.hasControlOver(loggedInWalletId, walletId))) {
+      throw new HttpError(403, 'Have no permission to access this wallet');
+    }
+
     const tokenCount = await this._tokenRepository.countByFilter({
       wallet_id: walletId,
     });

diff --git a/server/services/TrustService.js b/server/services/TrustService.js
@@ -11,18 +11,14 @@ class TrustService {
     this._eventService = new EventService();
   }
 
-  async getTrustRelationships({
-    walletId,
-    state,
-    type,
-    request_type,
-    offset,
-    limit,
-  }) {
+  async getTrustRelationships(
+    loggedInWalletId,
+    { walletId, state, type, request_type, offset, limit },
+  ) {
     // check if wallet exists first
     // throws error if no wallet matching walletId exists
     const walletService = new WalletService();
-    await walletService.getWallet(walletId);
+    await walletService.getWallet(loggedInWalletId, walletId);
 
     return this._trust.getTrustRelationships({
       walletId,
@@ -34,7 +30,14 @@ class TrustService {
     });
   }
 
-  async getAllTrustRelationships({ walletId, state, type, request_type, offset, limit }) {
+  async getAllTrustRelationships({
+    walletId,
+    state,
+    type,
+    request_type,
+    offset,
+    limit,
+  }) {
     return this._trust.getAllTrustRelationships({
       walletId,
       state,

diff --git a/server/services/WalletService.js b/server/services/WalletService.js
@@ -30,8 +30,8 @@ class WalletService {
     return this._wallet.getByName(name);
   }
 
-  async getWallet(walletId) {
-    return this._wallet.getWallet(walletId);
+  async getWallet(loggedInWalletId, walletId) {
+    return this._wallet.getWallet(loggedInWalletId, walletId);
   }
 
   async getByIdOrName(idOrName) {