From c06955ee8c49cb1569902cc711c8b34ef77c180e Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 20 May 2026 08:17:56 +0000
Subject: [PATCH] fix: the bank api has no authentication mechanism in server.js

The bank API has no authentication mechanism
---
 7-bank-project/api/server.js | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/7-bank-project/api/server.js b/7-bank-project/api/server.js
index af114ea17a..028a4c3726 100644
--- a/7-bank-project/api/server.js
+++ b/7-bank-project/api/server.js
@@ -64,12 +64,14 @@ router.post('/accounts', (req, res) => {
   }
 
   // Create account
+  const token = crypto.randomBytes(16).toString('hex');
   const account = {
     user: req.body.user,
     currency: req.body.currency,
     description: req.body.description || `${req.body.user}'s budget`,
     balance: balance || 0,
     transactions: [],
+    token,
   };
 
   db[req.body.user] = account;
@@ -87,6 +89,11 @@ router.get('/accounts/:user', (req, res) => {
     return res.status(404).json({ error: 'User does not exist' });
   }
 
+  // Verify caller identity via token
+  if (req.headers.authorization !== account.token) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
   return res.json(account);
 });
 
@@ -101,6 +108,11 @@ router.delete('/accounts/:user', (req, res) => {
     return res.status(404).json({ error: 'User does not exist' });
   }
 
+  // Verify caller identity via token
+  if (req.headers.authorization !== account.token) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
   // Removed account
   delete db[req.params.user];
 
@@ -118,6 +130,11 @@ router.post('/accounts/:user/transactions', (req, res) => {
     return res.status(404).json({ error: 'User does not exist' });
   }
 
+  // Verify caller identity via token
+  if (req.headers.authorization !== account.token) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
   // Check mandatory requests parameters
   if (!req.body.date || !req.body.object || !req.body.amount) {
     return res.status(400).json({ error: 'Missing parameters' });
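Review bot: The new `const token = crypto.randomBytes(16).toString('hex');` line in the POST /accounts handler depends on a `crypto` binding that this patch never introduces — the diffstat's 22 insertions are fully accounted for by the five hunks, none of which adds a require — so unless server.js already imports the module the call fails at runtime (Node's global `crypto` is the Web Crypto object and has no `randomBytes`). If it is not already present, add `const crypto = require('crypto');` alongside the file's other imports. The token is also stored in clear text on the account object and is echoed back by the `res.json(account)` in the GET /accounts/:user hunk; a comment on the `token,` property such as `// bearer secret for this account; stored in clear, never rotated or expired` would make that contract explicit for readers of the demo. The enclosing handler starts and ends outside the hunk.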
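Review bot: The added `if (req.headers.authorization !== account.token)` check in the GET /accounts/:user handler grants access when both sides are `undefined`: an account object that lacks a `token` property (one created before this change, or loaded into `db` from elsewhere) is readable by any request that simply omits the Authorization header, because `undefined !== undefined` is false. The comparison is also a plain `!==` on a secret, where `crypto.timingSafeEqual` on equal-length buffers is the idiomatic check. Both points are addressed by a shared helper that requires each side to be a string and compares in constant time, as sketched below; the identical check in the DELETE /accounts/:user, POST /accounts/:user/transactions and DELETE /accounts/:user/transactions/:id hunks should call the same helper. Each enclosing handler starts outside its hunk.
```javascript
// Constant-time token check; a missing header or an account without a token is rejected.
function isAuthorized(req, account) {
  const supplied = req.headers.authorization;
  if (typeof supplied !== 'string' || typeof account.token !== 'string') {
    return false;
  }
  const suppliedBuf = Buffer.from(supplied);
  const expectedBuf = Buffer.from(account.token);
  return suppliedBuf.length === expectedBuf.length && crypto.timingSafeEqual(suppliedBuf, expectedBuf);
}

  // … unchanged: 404 check for a missing account …
  if (!isAuthorized(req, account)) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
```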
@@ -171,6 +188,11 @@ router.delete('/accounts/:user/transactions/:id', (req, res) => {
     return res.status(404).json({ error: 'User does not exist' });
   }
 
+  // Verify caller identity via token
+  if (req.headers.authorization !== account.token) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
   const transactionIndex = account.transactions.findIndex(
     (transaction) => transaction.id === req.params.id
   );