chore: Safely handle user IDs

api.planx.uk/editor/copyFlow.ts

@@ -1,6 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { makeUniqueFlow, getFlowData, insertFlow } from "../helpers";
 import { Flow } from "../types";
+import { userContext } from "../modules/auth/middleware";
 
 const copyFlow = async (
   req: Request,
@@ -25,13 +26,15 @@ const copyFlow = async (
     const shouldInsert = (req.body?.insert as boolean) || false;
     if (shouldInsert) {
       const newSlug = flow.slug + "-copy";
-      const creatorId = parseInt(req.user!.sub!, 10);
+      const creatorId = userContext.getStore()?.user?.sub;
+      if (!creatorId) throw Error("User details missing from request");
+
       // Insert the flow and an associated operation
       await insertFlow(
         flow.team_id,
         newSlug,
         uniqueFlowData,
-        creatorId,
+        parseInt(creatorId),
         req.params.flowId,
       );
     }

api.planx.uk/editor/publish.ts

@@ -5,6 +5,7 @@ import { dataMerged, getMostRecentPublishedFlow } from "../helpers";
 import { gql } from "graphql-request";
 import intersection from "lodash/intersection";
 import { ComponentType } from "@opensystemslab/planx-core/types";
+import { userContext } from "../modules/auth/middleware";
 
 const validateAndDiffFlow = async (
   req: Request,
@@ -73,6 +74,9 @@ const publishFlow = async (
     const mostRecent = await getMostRecentPublishedFlow(req.params.flowId);
     const delta = jsondiffpatch.diff(mostRecent, flattenedFlow);
 
+    const userId = userContext.getStore()?.user?.sub;
+    if (!userId) throw Error("User details missing from request");
+
     if (delta) {
       const response = await adminClient.request(
         gql`
@@ -101,7 +105,7 @@ const publishFlow = async (
         {
           data: flattenedFlow,
           flow_id: req.params.flowId,
-          publisher_id: parseInt(req.user!.sub!, 10),
+          publisher_id: parseInt(userId),
           summary: req.query?.summary || null,
         },
       );