chore(api): validate deviceId string

api/src/auth/auth.controller.ts

@@ -69,6 +69,7 @@ export class AuthController {
     return { data }
   }
 
+  // TODO: Add a guard to check if the user is the owner of the api key
   @UseGuards(AuthGuard)
   @ApiOperation({ summary: 'Generate Api Key' })
   @ApiBearerAuth()

api/src/gateway/guards/can-modify-device.guard.ts

@@ -5,6 +5,7 @@ import {
   HttpStatus,
   Injectable,
 } from '@nestjs/common'
+import mongoose from 'mongoose'
 import { UserRole } from 'src/users/user-roles.enum'
 import { GatewayService } from '../gateway.service'
 
@@ -18,6 +19,14 @@ export class CanModifyDevice implements CanActivate {
     const deviceId = request.params.id
     const userId = request.user?.id
 
+    const isValidId = mongoose.Types.ObjectId.isValid(deviceId)
+    if (!isValidId) {
+      throw new HttpException(
+        { error: 'Invalid device id' },
+        HttpStatus.BAD_REQUEST,
+      )
+    }
+
     const device = await this.gatewayService.getDeviceById(deviceId)
     if (
       !!userId &&