From c2e65adbc64372d3aaa0d3e775ce1a80c7728582 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 21:57:31 +0200 Subject: [PATCH] fix(security): require auth on clan creation, remove debug console.log POST /herowars/clans was accessible without authentication. console.log(req.profile) in profiles controller leaked user data to logs. --- src/controllers/profiles.controller.js | 1 - src/routes/api/herowars/clans.routes.js | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/controllers/profiles.controller.js b/src/controllers/profiles.controller.js index 36de222..8f5be5d 100644 --- a/src/controllers/profiles.controller.js +++ b/src/controllers/profiles.controller.js @@ -25,7 +25,6 @@ module.exports.deleteFollowUser = asyncHandler(async (req, res, next) => { module.exports.getProfile = asyncHandler(async (req, res, next) => { try { - console.log(req.profile) /*const user = await UserService.getUserById(req.payload.id); if (!user) { return next(new ErrorResponse("Unauthorized", 401, "Authentication required.")); diff --git a/src/routes/api/herowars/clans.routes.js b/src/routes/api/herowars/clans.routes.js index eb7b35f..b073a34 100644 --- a/src/routes/api/herowars/clans.routes.js +++ b/src/routes/api/herowars/clans.routes.js @@ -6,7 +6,7 @@ const clanRouter = express.Router(); //clanRouter.param('clanId', getClan); clanRouter.get('/', auth.optional, getAllClans); -clanRouter.post('/', auth.optional, createClan); +clanRouter.post('/', auth.required, createClan); clanRouter.get('/:clanId', auth.required, getClan); clanRouter.put('/:clanId', auth.required, updateClan); clanRouter.delete('/:clanId', auth.required, deleteClan);