From 8f804c7505298b7e5fd4498022f94c6ba7f8bf67 Mon Sep 17 00:00:00 2001
From: Artem Streltsov
Date: Tue, 17 Sep 2024 23:44:01 +0200
Subject: [PATCH] auth fix for /details

---
 internal/handlers/handlers.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index aaf71dc..341ba15 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -610,6 +610,13 @@ func (h *Handler) deleteURLHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) urlDetailsHandler(w http.ResponseWriter, r *http.Request) {
+	session, _ := h.store.Get(r, "session")
+	user, ok := session.Values["user"].(*database.User)
+	if !ok {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
 	urlID, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/details/"), 10, 64)
 	if err != nil {
 		http.Error(w, "Invalid URL ID", http.StatusBadRequest)
@@ -622,6 +629,11 @@ func (h *Handler) urlDetailsHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if url.UserID != user.ID {
+		http.Error(w, "Unauthorized", http.StatusForbidden)
+		return
+	}
+
 	shortURL := fmt.Sprintf("http://%s/r/%s", r.Host, url.Key)
 	qrCode, err := qrcode.Encode(shortURL, qrcode.Medium, 256)
 	if err != nil {
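Review bot: The ownership check in the second hunk answers a non-owner with status 403 but the text "Unauthorized", which mislabels the status (401 is unauthenticated, 403 is forbidden) and also confirms to any logged-in user that the requested URL ID exists; answering a foreign ID exactly like a missing one, `http.Error(w, "Not found", http.StatusNotFound)`, keeps the response indistinguishable from the lookup-failure path that presumably sits between the two hunks. In the first hunk `session, _ := h.store.Get(r, "session")` discards the store's error; if the store follows the usual contract of returning a fresh empty session alongside the error, the type assertion then sends the request to /login, which is acceptable, but a one-line comment such as `// a decode error yields an empty session; the assertion below redirects` would stop a later reader from reinstating the error and surfacing it to the client. The remainder of urlDetailsHandler, including the database lookup that defines `url`, lies between and after these hunks and is not visible here.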