From f0d8e08b59654b454e3f0d770aecedaeca655098 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 20 May 2026 10:16:38 +0000
Subject: [PATCH] fix: the bank api uses the :user path parameter dire... in server.js

The bank API uses the :user path parameter directly to look up and modify account data without verifying that the authenticated requester is authorized to access that specific account
---
 7-bank-project/api/server.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/7-bank-project/api/server.js b/7-bank-project/api/server.js
index af114ea17a..4007382133 100644
--- a/7-bank-project/api/server.js
+++ b/7-bank-project/api/server.js
@@ -35,6 +35,15 @@ app.options('*', cors());
 // Configure routes
 const router = express.Router();

+// Authorization middleware - verify requester is authorized for the target account
+const authorizeUser = (req, res, next) => {
+  const authenticatedUser = req.headers['x-user'];
+  if (!authenticatedUser || authenticatedUser !== req.params.user) {
+    return res.status(403).json({ error: 'Unauthorized' });
+  }
+  next();
+};
+
 // Get server infos
 router.get('/', (req, res) => {
   return res.send(`${pkg.description} v${pkg.version}`);
@@ -79,7 +88,7 @@ router.post('/accounts', (req, res) => {
 // ----------------------------------------------

 // Get all data for the specified account
-router.get('/accounts/:user', (req, res) => {
+router.get('/accounts/:user', authorizeUser, (req, res) => {
   const account = db[req.params.user];

   // Check if account exists
@@ -93,7 +102,7 @@ router.get('/accounts/:user', (req, res) => {
 // ----------------------------------------------

 // Remove specified account
-router.delete('/accounts/:user', (req, res) => {
+router.delete('/accounts/:user', authorizeUser, (req, res) => {
   const account = db[req.params.user];

   // Check if account exists
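Review bot: The new `authorizeUser` middleware reads the requester's identity from the `x-user` request header, which is client-controlled, so any caller can set `x-user` to the `:user` value in the path and the check passes — the IDOR the commit describes is not closed, only relabelled. Nothing in the hunk shows a session, signed token, or trusted proxy that would populate that header, and the `app.options('*', cors())` in the hunk header suggests browsers call this API directly, so I would not assume a gateway strips client-supplied values. The identity the middleware compares against `req.params.user` needs to come from something the server issued and can verify (a session or a signed token checked before this middleware runs); until then I would mark it `// NOTE: x-user is client-supplied and unverified — this is not authentication; replace with a server-verified identity`. Minor: a missing identity and a mismatched one are different failures, e.g. `if (!authenticatedUser) return res.status(401).json({ error: 'Unauthenticated' });` followed by `if (authenticatedUser !== req.params.user) return res.status(403).json({ error: 'Forbidden' });`, rather than 403 with the message 'Unauthorized' for both. If other routes in this file take `:user` beyond the two patched here (the rest of the router is outside the hunks), they need the same guard.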