fix(routes): resolve superOAuthId → DB userId — critical auth bug

req.user.id = SuperOAuth UUID, pas l'UUID TypeORM en DB. Sans ce fix : getUserPlanLevel retourne toujours 0, ownerId ne matche jamais. - video.routes: resolveDbUserId avant getUserPlanLevel - playlist.routes: resolveDbUserId sur toutes les opérations owner/member
2026-03-14 08:12:11 +01:00
parent 87d076313c
commit 11d9432218
2 changed files with 36 additions and 9 deletions
--- a/backend/src/routes/video.routes.ts
+++ b/backend/src/routes/video.routes.ts
@@ -1,15 +1,24 @@
 import { Router, Request, Response } from "express";
 import { AppDataSource } from "../config/data-source";
 import { Video } from "../entities/Video";
+import { User } from "../entities/User";
 import { requireAuth, AuthenticatedRequest, AuthenticatedUser } from "../middleware/auth.middleware";
 import { UserSubscription } from "../entities/UserSubscription";

 const router = Router();

+/** Résout le superOAuthId vers l'UUID DB, retourne null si user inconnu */
+async function resolveDbUserId(superOAuthId: string): Promise<string | null> {
+  const user = await AppDataSource.getRepository(User).findOne({ where: { superOAuthId } });
+  return user?.id ?? null;
+}
+
 /** Récupère le niveau de plan actif d'un user (0 = free si aucun abonnement actif) */
-async function getUserPlanLevel(userId: string): Promise<number> {
+async function getUserPlanLevel(superOAuthId: string): Promise<number> {
+  const dbUserId = await resolveDbUserId(superOAuthId);
+  if (!dbUserId) return 0;
  const sub = await AppDataSource.getRepository(UserSubscription).findOne({
-    where: { userId, status: "active" },
+    where: { userId: dbUserId, status: "active" },
    relations: ["plan"],
    order: { startsAt: "DESC" },
  });