From cbd43f511876936353c6778acb47b53604e88097 Mon Sep 17 00:00:00 2001 From: Yin Date: Wed, 8 Jul 2026 00:47:06 +0800 Subject: [PATCH] fix(workout-session): require auth + ownership to delete a workout session MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit deleteWorkoutSessionAction used the unauthenticated actionClient and fetched the session's userId only to discard it, deleting by id alone — so any logged-in user could delete any other user's session. Switch to authenticatedActionClient (which injects ctx.user via serverAuth) and reject when session.userId !== ctx.user.id, returning the same 'not found' for missing and non-owned rows to avoid existence disclosure. Fixes #238 --- .../actions/delete-workout-session.action.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/features/workout-session/actions/delete-workout-session.action.ts b/src/features/workout-session/actions/delete-workout-session.action.ts index e6f40bfd..61e3e9f7 100644 --- a/src/features/workout-session/actions/delete-workout-session.action.ts +++ b/src/features/workout-session/actions/delete-workout-session.action.ts @@ -3,13 +3,13 @@ import { z } from "zod"; import { prisma } from "@/shared/lib/prisma"; -import { actionClient } from "@/shared/api/safe-actions"; +import { authenticatedActionClient } from "@/shared/api/safe-actions"; const deleteWorkoutSessionSchema = z.object({ id: z.string(), }); -export const deleteWorkoutSessionAction = actionClient.schema(deleteWorkoutSessionSchema).action(async ({ parsedInput }) => { +export const deleteWorkoutSessionAction = authenticatedActionClient.schema(deleteWorkoutSessionSchema).action(async ({ parsedInput, ctx }) => { try { const { id } = parsedInput; @@ -18,7 +18,9 @@ export const deleteWorkoutSessionAction = actionClient.schema(deleteWorkoutSessi select: { userId: true }, }); - if (!session) { + // Return the same error for missing and non-owned sessions so the endpoint + // cannot be used to disclose which session ids exist. + if (!session || session.userId !== ctx.user.id) { console.error("❌ Session not found:", id); return { serverError: "Session not found" }; }