From 398ec30daa9d427d8fdf2a59311f89fecae837ea Mon Sep 17 00:00:00 2001
From: isra el
Date: Mon, 17 Apr 2023 11:07:15 +0300
Subject: [PATCH] chore(api): validate deviceId string

---
 api/src/auth/auth.controller.ts | 1 +
 api/src/gateway/guards/can-modify-device.guard.ts | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/api/src/auth/auth.controller.ts b/api/src/auth/auth.controller.ts
index 2c1eec1..15c8fdc 100644
--- a/api/src/auth/auth.controller.ts
+++ b/api/src/auth/auth.controller.ts
@@ -69,6 +69,7 @@ export class AuthController {
 return { data }
 }
 
+ // TODO: Add a guard to check if the user is the owner of the api key
 @UseGuards(AuthGuard)
 @ApiOperation({ summary: 'Generate Api Key' })
 @ApiBearerAuth()
diff --git a/api/src/gateway/guards/can-modify-device.guard.ts b/api/src/gateway/guards/can-modify-device.guard.ts
index 742aae2..ec489bd 100644
--- a/api/src/gateway/guards/can-modify-device.guard.ts
+++ b/api/src/gateway/guards/can-modify-device.guard.ts
@@ -5,6 +5,7 @@ import {
 HttpStatus,
 Injectable,
 } from '@nestjs/common'
+import mongoose from 'mongoose'
 import { UserRole } from 'src/users/user-roles.enum'
 import { GatewayService } from '../gateway.service'
 
@@ -18,6 +19,14 @@ export class CanModifyDevice implements CanActivate {
 const deviceId = request.params.id
 const userId = request.user?.id
 
+ const isValidId = mongoose.Types.ObjectId.isValid(deviceId)
+ if (!isValidId) {
+ throw new HttpException(
+ { error: 'Invalid device id' },
+ HttpStatus.BAD_REQUEST,
+ )
+ }
+
 const device = await this.gatewayService.getDeviceById(deviceId)
 if (
 !!userId &&
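Review bot: The TODO added in the auth.controller.ts hunk records a missing authorization check on the "Generate Api Key" endpoint but changes nothing about it: the endpoint stays behind `@UseGuards(AuthGuard)` alone, so (as the comment itself implies) any authenticated user appears to reach it regardless of who owns the key. If the ownership guard cannot land in this commit, make the TODO traceable so the gap is not lost in the source, e.g. `// TODO(<owner>): guard api-key generation so only the key's owner may call it (tracked in <issue-id>)`. The handler the decorators apply to starts outside the hunk.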
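Review bot: In the second can-modify-device.guard.ts hunk, `mongoose.Types.ObjectId.isValid(deviceId)` is a weaker check than the commit title suggests: it also returns true for any 12-character string (and for numbers), so a malformed `id` of that length still reaches `getDeviceById`. Tighten it so the value must round-trip, `const isValidId = typeof deviceId === 'string' && mongoose.Types.ObjectId.isValid(deviceId) && String(new mongoose.Types.ObjectId(deviceId)) === deviceId`, or match `/^[0-9a-fA-F]{24}$/` directly. Rejecting with 400 before the ownership comparison is the right order, since the error reveals nothing about whether a device exists. `canActivate` starts and ends outside the hunk.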