boostcampwm-2024 · koomchang · Nov 9, 2024 · Nov 9, 2024 · Nov 9, 2024 · Nov 9, 2024
@@ -17,15 +17,15 @@ export const AuthUser = createParamDecorator(
 );
 
 export interface AuthUser {
-  userId: string;
+  userId: number;
   role: string;
 }
 
 function isAuthUser(obj: any): obj is AuthUser {
   return (
     typeof obj === 'object' &&
     obj !== null &&
-    typeof obj.userId === 'number' &&
+    !isNaN(obj.userId) &&
     typeof obj.role === 'string'
   );
 }
@@ -4,6 +4,7 @@ import { TokenExpiredError } from 'jsonwebtoken';
 import { ConfigService } from '@nestjs/config';
 import { AuthenticationException } from './exception/AuthenticationException';
 import { extractBearerToken } from './utils';
+import { AuthUser } from './AuthUser.decorator';
 
 @Injectable()
 export class JwtAuthGuard implements CanActivate {
@@ -20,10 +21,7 @@ export class JwtAuthGuard implements CanActivate {
       throw new AuthenticationException('토큰이 없습니다.');
     }
     try {
-      request.user = jwt.verify(token, this.jwtSecretKey) as {
-        userId: string;
-        role: string;
-      };
+      request.user = jwt.verify(token, this.jwtSecretKey) as AuthUser;
       return true;
     } catch (error) {
       if (error instanceof TokenExpiredError) {

@@ -2,7 +2,7 @@ const BEARER = 'Bearer';
 const BEARER_REGEX = new RegExp(`^${BEARER}\\s+([A-Za-z0-9\\-._~+\\/=]*)$`);
 
 export function extractBearerToken(header: string): string | null {
-  const match = header.match(BEARER_REGEX);
+  const match = header?.match(BEARER_REGEX);
   return match ? match[1] : null;
 }
 

@@ -8,11 +8,15 @@ import {
   Param,
   Patch,
   Put,
+  UseGuards,
 } from '@nestjs/common';
 import { CreateCourseRequest } from './dto/CreateCourseRequest';
 import { UpdateCourseInfoRequest } from './dto/UpdateCourseInfoRequest';
 import { CourseService } from './course.service';
 import { SetPlacesOfCourseRequest } from './dto/AddPlaceToCourseRequest';
+import { JwtAuthGuard } from '../auth/JwtAuthGuard';
+import { AuthUser } from '../auth/AuthUser.decorator';
+import { CoursePermissionGuard } from './guards/CoursePermissionGuard';
 
 @Controller('/courses')
 export class CourseController {
@@ -31,9 +35,9 @@ export class CourseController {
   }
 
   @Get('/my')
-  async getMyCourseList() {
-    const userId = 1; // Todo. 로그인 기능 완성 후 수정
-    return await this.courseService.getOwnCourses(userId);
+  @UseGuards(JwtAuthGuard)
+  async getMyCourseList(@AuthUser() user: AuthUser) {
+    return await this.courseService.getOwnCourses(user.userId);
   }
 
   @Get('/:id')
@@ -42,12 +46,19 @@ export class CourseController {
   }
 
   @Post()
-  async createCourse(@Body() createCourseRequest: CreateCourseRequest) {
-    const userId = 1; // Todo. 로그인 기능 완성 후 수정
-    return await this.courseService.createCourse(userId, createCourseRequest);
+  @UseGuards(JwtAuthGuard)
+  async createCourse(
+    @AuthUser() user: AuthUser,
+    @Body() createCourseRequest: CreateCourseRequest,
+  ) {
+    return await this.courseService.createCourse(
+      user.userId,
+      createCourseRequest,
+    );
   }
 
   @Put('/:id/places')
+  @UseGuards(JwtAuthGuard, CoursePermissionGuard)
   async setPlacesOfCourse(
     @Param('id') id: number,
     @Body() setPlacesOfCourseRequest: SetPlacesOfCourseRequest,
@@ -59,6 +70,7 @@ export class CourseController {
   }
 
   @Patch('/:id/info')
+  @UseGuards(JwtAuthGuard, CoursePermissionGuard)
   async updateCourseInfo(
     @Param('id') id: number,
     @Body() updateCourseInfoRequest: UpdateCourseInfoRequest,
@@ -68,6 +80,7 @@ export class CourseController {
   }
 
   @Patch('/:id/visibility')
+  @UseGuards(JwtAuthGuard, CoursePermissionGuard)
   async updateCourseVisibility(
     @Param('id') id: number,
     @Body('isPublic') isPublic: boolean,
@@ -77,6 +90,7 @@ export class CourseController {
   }
 
   @Delete('/:id')
+  @UseGuards(JwtAuthGuard, CoursePermissionGuard)
   async deleteCourse(@Param('id') id: number) {
     return await this.courseService.deleteCourse(id);
   }

@@ -72,6 +72,13 @@ export class CourseService {
     return await CourseDetailResponse.from(map);
   }
 
+  async getCourseOwnerId(courseId: number) {
+    const course = await this.courseRepository.findById(courseId);
+    if (!course) throw new CourseNotFoundException(courseId);
+
+    return course.user.id;
+  }
+
   async createCourse(userId: number, createMapForm: CreateCourseRequest) {
     const user = { id: userId } as User;
     const map = createMapForm.toEntity(user);

@@ -0,0 +1,12 @@
+import { BaseException } from '../../common/exception/BaseException';
+import { HttpStatus } from '@nestjs/common';
+
+export class CoursePermissionException extends BaseException {
+  constructor(id: number) {
+    super({
+      code: 905,
+      message: `id:${id} 코스에 대한 권한이 없습니다.`,
+      status: HttpStatus.FORBIDDEN,
+    });
+  }
+}
@@ -0,0 +1,20 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { CourseService } from '../course.service';
+import { CoursePermissionException } from '../exception/CoursePermissionException';
+
+@Injectable()
+export class CoursePermissionGuard implements CanActivate {
+  constructor(private readonly courseService: CourseService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest();
+    const courseId = Number(request.params.id);
+    const userId = Number(request.user.userId);
+
+    const course = await this.courseService.getCourseOwnerId(courseId);
+    if (course !== userId) {
+      throw new CoursePermissionException(courseId);
+    }
+    return true;
+  }
+}