fix: security - did value should be taken from an access token not a …

…payload

packages/origin-backend/src/pods/user/dto/register-did-user.dto.ts

@@ -3,12 +3,10 @@ import { ApiProperty, PickType } from '@nestjs/swagger';
 import { IsNotEmpty, IsString } from 'class-validator';
 import { UserDTO } from './user.dto';
 
-export class RegisterDidUserDTO
-    extends PickType(UserDTO, ['title', 'firstName', 'lastName', 'email', 'telephone'] as const)
-    implements DidUserRegistrationData
-{
-    @ApiProperty({ type: String })
-    @IsNotEmpty()
-    @IsString()
-    did: string;
-}
+export class RegisterDidUserDTO extends PickType(UserDTO, [
+    'title',
+    'firstName',
+    'lastName',
+    'email',
+    'telephone'
+] as const) {}

packages/origin-backend/src/pods/user/dto/user.dto.ts

@@ -37,11 +37,6 @@ export class UserDTO implements IUser {
     @IsString()
     email: string;
 
-    @ApiProperty({ type: String, required: false })
-    @IsOptional()
-    @IsString()
-    did?: string;
-
     @ApiProperty({ type: String })
     @IsNotEmpty()
     @IsString()

packages/origin-backend/src/pods/user/user.controller.ts

@@ -21,6 +21,7 @@ import {
     ParseIntPipe,
     Post,
     Put,
+    Request,
     UnauthorizedException,
     UseGuards,
     UseInterceptors,
@@ -45,6 +46,7 @@ import { UpdateUserProfileDTO } from './dto/update-user-profile.dto';
 import { UserDTO } from './dto/user.dto';
 import { UserService } from './user.service';
 import { RegisterDidUserDTO } from './dto/register-did-user.dto';
+import { Request as ExpressRequest } from 'express';
 
 @ApiTags('user')
 @ApiBearerAuth('access-token')
@@ -71,8 +73,22 @@ export class UserController {
     // TODO: should be allowed only when one of conditions met:
     //  1) user does not have a DID organizationadmin role within already onboarded organization
     //  2) user has an organizationadmin role within an organization
-    public async registerDid(@Body() userRegistrationData: RegisterDidUserDTO): Promise<UserDTO> {
-        return this.userService.createDid(userRegistrationData);
+    public async registerDid(
+        @Request() req: ExpressRequest,
+        @Body() userRegistrationData: RegisterDidUserDTO
+    ): Promise<UserDTO> {
+        const user = req.user as { did: string; iat: number; verifiedRoles: object[] };
+
+        const { title, firstName, lastName, email, telephone } = userRegistrationData;
+
+        return this.userService.createDid({
+            title,
+            firstName,
+            lastName,
+            email,
+            telephone,
+            did: user.did
+        });
     }
 
     @Get('me')