added gameId to jwt to deny admin exploit

src/game/game.entity.ts

@@ -75,10 +75,11 @@ export class Game_PersonEntity {
     return gametoken;
   }
   private get gametoken() {
-    const { gamepersonId, role } = this;
+    const { gamepersonId, game, role } = this;
     return jwt.sign(
       {
         gamepersonId,
+        game,
         role,
       },
       process.env.SECRET,

src/shared/roles.guard.ts

@@ -5,9 +5,7 @@ import {
   HttpException,
   HttpStatus,
 } from '@nestjs/common';
-import { Observable } from 'rxjs';
 import { Reflector } from '@nestjs/core';
-
 import * as jwt from 'jsonwebtoken';
 
 @Injectable()
@@ -15,13 +13,16 @@ export class RolesGuard implements CanActivate {
   constructor(private readonly reflector: Reflector) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
+    // get roles that are allowed access, identified by @Roles('role') decorators in controllers
     const roles = this.reflector.get<string[]>('roles', context.getHandler());
     if (!roles) {
       return true;
     }
     const request = context.switchToHttp().getRequest();
+    const gameId = request.params.id
     const role = await this.checkRole(request.headers.authorization);
-    return roles.includes(role['role'])
+    // check that the role matches the criteria and that token is valid for this game
+    return roles.includes(role['role']) && role['game']['id'] === gameId;
   }
 
   async checkRole(auth: string) {
@@ -32,7 +33,6 @@ export class RolesGuard implements CanActivate {
     // get the token
     const token = auth.split(' ')[1];
     try {
-      console.log(jwt.verify(token, process.env.SECRET))
       return await jwt.verify(token, process.env.SECRET)
     } catch (err) {
       const message = `Token error: ${err.message || err.name}`;