From e1b0b144e88b220715122fde23d9485da8c734b3 Mon Sep 17 00:00:00 2001
From: juancarmore
Date: Tue, 10 Jun 2025 12:47:29 +0200
Subject: [PATCH] backend: add check for same room access middleware to getRoomPreferences endpoint

---
 .../src/middlewares/participant.middleware.ts | 22 ++++++++++++++++++-
 backend/src/routes/room.routes.ts | 15 +++++++------
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/backend/src/middlewares/participant.middleware.ts b/backend/src/middlewares/participant.middleware.ts
index 0ee2fc8..a75a901 100644
--- a/backend/src/middlewares/participant.middleware.ts
+++ b/backend/src/middlewares/participant.middleware.ts
@@ -39,7 +39,8 @@ export const configureParticipantTokenAuth = async (req: Request, res: Response,
 if (authModeToAccessRoom === AuthMode.NONE) {
 authValidators.push(allowAnonymous);
 } else {
- const isModeratorsOnlyMode = authModeToAccessRoom === AuthMode.MODERATORS_ONLY && role === ParticipantRole.MODERATOR;
+ const isModeratorsOnlyMode =
+ authModeToAccessRoom === AuthMode.MODERATORS_ONLY && role === ParticipantRole.MODERATOR;
 const isAllUsersMode = authModeToAccessRoom === AuthMode.ALL_USERS;
 
 if (isModeratorsOnlyMode || isAllUsersMode) {
@@ -72,3 +73,22 @@ export const withModeratorPermissions = async (req: Request, res: Response, next
 
 return next();
 };
+
+export const checkParticipantFromSameRoom = async (req: Request, res: Response, next: NextFunction) => {
+ const { roomId } = req.params;
+ const payload = req.session?.tokenClaims;
+
+ if (!payload) {
+ const error = errorInsufficientPermissions();
+ return rejectRequestFromMeetError(res, error);
+ }
+
+ const sameRoom = payload.video?.room === roomId;
+
+ if (!sameRoom) {
+ const error = errorInsufficientPermissions();
+ return rejectRequestFromMeetError(res, error);
+ }
+
+ return next();
+};
diff --git a/backend/src/routes/room.routes.ts b/backend/src/routes/room.routes.ts
index c2ace5a..709e06a 100644
--- a/backend/src/routes/room.routes.ts
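Review bot: In `checkParticipantFromSameRoom` the two reject branches are identical, and the split guard lets a request with no `roomId` param through whenever `payload.video?.room` is also undefined, because `undefined === undefined` is true; the route hunk in room.routes.ts mounts `withValidRoomId` first, so this is probably unreachable there, but the middleware should not rely on that ordering to be safe. Folding the checks into one condition closes both points: `if (!roomId || !payload || payload.video?.room !== roomId) { return rejectRequestFromMeetError(res, errorInsufficientPermissions()); }`. A TSDoc header should also state the contract — that `req.session.tokenClaims` must already have been populated by `participantTokenValidator`, and that a token whose room claim is not the `:roomId` being requested is rejected with insufficient permissions — since the guard is a no-op if mounted before the token validator. The `async` keyword does nothing here (no `await`), though it matches `withModeratorPermissions` above, so keeping it is a consistency call.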
+++ b/backend/src/routes/room.routes.ts
@@ -5,6 +5,7 @@ import * as roomCtrl from '../controllers/room.controller.js';
 import {
 allowAnonymous,
 apiKeyValidator,
+ checkParticipantFromSameRoom,
 configureRecordingTokenAuth,
 configureRoomAuthorization,
 participantTokenValidator,
@@ -68,6 +69,13 @@ internalRoomRouter.put(
 withValidRoomPreferences,
 roomCtrl.updateRoomPreferences
 );
+internalRoomRouter.get(
+ '/:roomId/preferences',
+ withAuth(participantTokenValidator),
+ withValidRoomId,
+ checkParticipantFromSameRoom,
+ roomCtrl.getRoomPreferences
+);
 internalRoomRouter.post(
 '/:roomId/recording-token',
 configureRecordingTokenAuth,
@@ -87,10 +95,3 @@ internalRoomRouter.get(
 withValidRoomId,
 roomCtrl.getRoomRoleAndPermissions
 );
-
-internalRoomRouter.get(
- '/:roomId/preferences',
- withAuth(participantTokenValidator),
- withValidRoomId,
- roomCtrl.getRoomPreferences
-);
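Review bot: The same-room guard is added only to the `/:roomId/preferences` GET route, while the sibling `/:roomId/...` routes visible in context (for example the `getRoomRoleAndPermissions` handler in the last hunk, whose middleware list starts outside the hunk) keep whatever validation they had; if any of them also accepts a participant token and returns room-scoped data, it needs the same check for the same reason. I cannot tell from the visible lines which validator those routes use, so this is worth confirming rather than assuming. The moved route also gains a middleware its neighbours lack without saying why; a one-line comment above `internalRoomRouter.get(` such as `// participant tokens are room-scoped: reject a token issued for a different room` would make the intent explicit and makes it obvious that `checkParticipantFromSameRoom` must stay after `withAuth(participantTokenValidator)`.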