🔴 Where to work
Primary files to edit:
api/src/common/guards/auth.guard.ts [REWRITE] - currently reads the X-User-Id header (line 28) and trusts it without verification. Rewrite to verify a JWT from the Authorization: Bearer header using the Passport strategy.
api/src/common/guards/stream-ownership.guard.ts [EDIT] - same X-User-Id pattern (line 30). Update to take the user id from the validated JWT instead of the header.
New files to create:
api/src/auth/jwt.strategy.ts [NEW] - Passport JWT strategy extending PassportStrategy(Strategy)
api/src/auth/jwt-auth.guard.ts [NEW] - guard extending AuthGuard('jwt')
Files to update:
api/src/auth/auth.module.ts [EDIT] - add the PassportModule import
api/src/streams/streams.module.ts [EDIT] - update guard imports to the JWT versions
api/src/tags/tags.module.ts [EDIT] - update guard imports to the JWT versions
api/src/gateways/streams.gateway.ts [VERIFY] - already verifies JWTs on its own; confirm it uses the same strategy (same secret, same claim handling) as the HTTP guards rather than a second code path
Reference patterns:
api/src/auth/auth.service.ts - JwtService.sign() already creates valid tokens
api/src/auth/auth.module.ts - JwtModule already registered
Problem Statement
The AuthGuard at api/src/common/guards/auth.guard.ts:28 takes the user identity from the X-User-Id request header with zero verification: const rawUserId = (req.header("x-user-id") ?? "").trim(). Because the header is attacker-controlled, any unauthenticated caller can act as any user simply by setting it. Exploit: curl -H "X-User-Id: 1" http://localhost:3001/streams.
Acceptance Criteria
Testing Strategy
- Unit: test JwtStrategy.validate() with valid, invalid and expired tokens
- Unit: test JwtAuthGuard.canActivate() with valid, missing and malformed Authorization headers
- Integration: full POST /auth/login -> GET /streams flow using the returned token
- Negative: expired token, token signed with the wrong secret, missing header, malformed token; also confirm that a request carrying only X-User-Id is rejected
Security Considerations
Primary security fix. Follow OWASP authentication best practices. The JWT secret comes from the environment only, with no hard-coded fallback. Token expiry (exp) is enforced, so a token without exp or past its exp is rejected. Use the sub claim as the user identifier; no request header may override it.