From 9c46cac366324ab730ed6bbc7ac1de6514131efc Mon Sep 17 00:00:00 2001
From: Artur Sudnik-Hrynkiewicz
Date: Tue, 15 Jun 2021 16:59:12 +0200
Subject: [PATCH] fix: security - did value should be taken from an access token not a payload

---
 .../pods/user/dto/register-did-user.dto.ts | 16 +++++++--------
 .../src/pods/user/dto/user.dto.ts | 5 -----
 .../src/pods/user/user.controller.ts | 20 +++++++++++++++++--
 3 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/packages/origin-backend/src/pods/user/dto/register-did-user.dto.ts b/packages/origin-backend/src/pods/user/dto/register-did-user.dto.ts
index d0d6da4d7db..151eb06c049 100644
--- a/packages/origin-backend/src/pods/user/dto/register-did-user.dto.ts
+++ b/packages/origin-backend/src/pods/user/dto/register-did-user.dto.ts
@@ -3,12 +3,10 @@ import { ApiProperty, PickType } from '@nestjs/swagger';
 import { IsNotEmpty, IsString } from 'class-validator';
 import { UserDTO } from './user.dto';
 
-export class RegisterDidUserDTO
- extends PickType(UserDTO, ['title', 'firstName', 'lastName', 'email', 'telephone'] as const)
- implements DidUserRegistrationData
-{
- @ApiProperty({ type: String })
- @IsNotEmpty()
- @IsString()
- did: string;
-}
+export class RegisterDidUserDTO extends PickType(UserDTO, [
+ 'title',
+ 'firstName',
+ 'lastName',
+ 'email',
+ 'telephone'
+] as const) {}
diff --git a/packages/origin-backend/src/pods/user/dto/user.dto.ts b/packages/origin-backend/src/pods/user/dto/user.dto.ts
index 4345c378e75..01fc6647f2d 100644
--- a/packages/origin-backend/src/pods/user/dto/user.dto.ts
+++ b/packages/origin-backend/src/pods/user/dto/user.dto.ts
@@ -37,11 +37,6 @@ export class UserDTO implements IUser {
 @IsString()
 email: string;
 
- @ApiProperty({ type: String, required: false })
- @IsOptional()
- @IsString()
- did?: string;
-
 @ApiProperty({ type: String })
 @IsNotEmpty()
 @IsString()
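Review bot: With the `did` field gone from `RegisterDidUserDTO`, the context line `import { IsNotEmpty, IsString } from 'class-validator';` no longer has a use inside this hunk (and `ApiProperty` on the header line looks unused too); unless another part of the file still needs them, drop them so the lint run stays clean. The removed `implements DidUserRegistrationData` clause likely leaves that interface's import dangling as well, but its import line is outside the hunk, so I cannot confirm it here. A short TSDoc line on the new class would stop the next maintainer from re-adding the field, e.g. `/** Profile fields accepted for DID registration; the DID itself is taken from the access token in the controller, never from the request body. */`.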
diff --git a/packages/origin-backend/src/pods/user/user.controller.ts b/packages/origin-backend/src/pods/user/user.controller.ts
index f1ae6e488ec..1a8f4d90555 100644
--- a/packages/origin-backend/src/pods/user/user.controller.ts
+++ b/packages/origin-backend/src/pods/user/user.controller.ts
@@ -21,6 +21,7 @@ import {
 ParseIntPipe,
 Post,
 Put,
+ Request,
 UnauthorizedException,
 UseGuards,
 UseInterceptors,
@@ -45,6 +46,7 @@ import { UpdateUserProfileDTO } from './dto/update-user-profile.dto';
 import { UserDTO } from './dto/user.dto';
 import { UserService } from './user.service';
 import { RegisterDidUserDTO } from './dto/register-did-user.dto';
+import { Request as ExpressRequest } from 'express';
 
 @ApiTags('user')
 @ApiBearerAuth('access-token')
@@ -71,8 +73,22 @@ export class UserController {
 // TODO: should be allowed only when one of conditions met:
 // 1) user does not have a DID organizationadmin role within already onboarded organization
 // 2) user has an organizationadmin role within an organization
- public async registerDid(@Body() userRegistrationData: RegisterDidUserDTO): Promise {
- return this.userService.createDid(userRegistrationData);
+ public async registerDid(
+ @Request() req: ExpressRequest,
+ @Body() userRegistrationData: RegisterDidUserDTO
+ ): Promise {
+ const user = req.user as { did: string; iat: number; verifiedRoles: object[] };
+
+ const { title, firstName, lastName, email, telephone } = userRegistrationData;
+
+ return this.userService.createDid({
+ title,
+ firstName,
+ lastName,
+ email,
+ telephone,
+ did: user.did
+ });
 }
 
 @Get('me')
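Review bot: In the third hunk, `const user = req.user as { did: string; iat: number; verifiedRoles: object[] };` asserts that `req.user` exists and carries a `did`, but nothing in the hunk checks it; if the route's guard (the method's decorators sit above the TODO lines, outside the hunk) is ever missing or the token has no `did`, `user.did` throws a TypeError and the client sees a 500 instead of a 401, or `createDid` is called with `did: undefined`. Since `UnauthorizedException` is already imported (first hunk), narrow rather than assert: `const user = req.user as { did?: string } | undefined;` followed by `if (!user?.did) throw new UnauthorizedException();`, and then pass `did: user.did` as now. The `iat` and `verifiedRoles` members of the asserted type are not read here, so reducing the cast to the one field that is used keeps the dependency on the token shape explicit. A one-line comment above the cast, `// DID comes from the validated access token, never from the request body`, would record why the body no longer carries it.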