From 9254070bb5a5420a25bd7817a8c6b6d356e454cc Mon Sep 17 00:00:00 2001
From: L4168 <L4168@student.jamk.fi>
Date: Tue, 18 Jun 2019 19:12:52 +0300
Subject: [PATCH] added gameId to jwt to deny admin exploit

---
 src/game/game.entity.ts   | 3 ++-
 src/shared/roles.guard.ts | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/game/game.entity.ts b/src/game/game.entity.ts
index 293b420..12106af 100644
--- a/src/game/game.entity.ts
+++ b/src/game/game.entity.ts
@@ -75,10 +75,11 @@ export class Game_PersonEntity {
     return gametoken;
   }
   private get gametoken() {
-    const { gamepersonId, role } = this;
+    const { gamepersonId, game, role } = this;
     return jwt.sign(
       {
         gamepersonId,
+        game,
         role,
       },
       process.env.SECRET,
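Review bot: The added `game,` claim serializes the whole `game` relation object into the token payload, and a JWT payload is only base64-encoded, not encrypted, so every column loaded on that entity becomes readable to the token holder and the token grows with the entity. The guard in roles.guard.ts only reads `game.id`, so signing the identifier alone is enough and keeps the guard's shape: `game: game ? { id: game.id } : undefined,` in place of `game,`. If the `game` relation happens not to be loaded when `gametoken` is evaluated, `game` is undefined and the claim is silently absent, which the guard must then handle; a short comment on the getter stating that `game` must be loaded for the token to be scoped would make that contract explicit. The `jwt.sign` call continues past the end of the hunk.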
diff --git a/src/shared/roles.guard.ts b/src/shared/roles.guard.ts
index fcb7ae8..2397ac3 100644
--- a/src/shared/roles.guard.ts
+++ b/src/shared/roles.guard.ts
@@ -5,9 +5,7 @@ import {
   HttpException,
   HttpStatus,
 } from '@nestjs/common';
-import { Observable } from 'rxjs';
 import { Reflector } from '@nestjs/core';
-
 import * as jwt from 'jsonwebtoken';
 
 @Injectable()
@@ -15,13 +13,16 @@ export class RolesGuard implements CanActivate {
   constructor(private readonly reflector: Reflector) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
+    // get roles that are allowed access, identified by @Roles('role') decorators in controllers
     const roles = this.reflector.get<string[]>('roles', context.getHandler());
     if (!roles) {
       return true;
     }
     const request = context.switchToHttp().getRequest();
+    const gameId = request.params.id
     const role = await this.checkRole(request.headers.authorization);
-    return roles.includes(role['role'])
+    // check that the role matches the criteria and that token is valid for this game
+    return roles.includes(role['role']) && role['game']['id'] === gameId;
   }
 
   async checkRole(auth: string) {
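Review bot: `role['game']['id']` on the new return line throws a TypeError instead of denying when the verified token carries no `game` claim — any token issued before this change, or one signed while the `game` relation was not loaded — so the guard answers with a 500 rather than a 403. `request.params.id` is also always a string, while `game.id` is presumably whatever type the entity column has; if that column is numeric the strict `===` never matches and every request is denied. Guard the claim and compare on a common representation: `const tokenGame = role['game'];` followed by `return roles.includes(role['role']) && tokenGame != null && String(tokenGame['id']) === String(gameId);`. Routes protected by `@Roles` that have no `:id` param now always deny because `gameId` is undefined, which is worth confirming is intended. The new `const gameId = request.params.id` line is missing its semicolon.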
@@ -32,7 +33,6 @@ export class RolesGuard implements CanActivate {
     // get the token
     const token = auth.split(' ')[1];
     try {
-      console.log(jwt.verify(token, process.env.SECRET))
       return await jwt.verify(token, process.env.SECRET)
     } catch (err) {
       const message = `Token error: ${err.message || err.name}`;
-- 
GitLab