Skip to content

fix(chat): use authenticated session identity for sendMessage username [NSoC'26]#164

Open
anshul23102 wants to merge 1 commit into
Shriii19:masterfrom
anshul23102:fix/160-sendmessage-username-from-auth
Open

fix(chat): use authenticated session identity for sendMessage username [NSoC'26]#164
anshul23102 wants to merge 1 commit into
Shriii19:masterfrom
anshul23102:fix/160-sendmessage-username-from-auth

Conversation

@anshul23102
Copy link
Copy Markdown

@anshul23102 anshul23102 commented Jun 2, 2026

Description

sendMessage read the username field from req.body and stored it in Supabase without any server-side identity verification. Any authenticated user could supply username: "teammate" in the request body to post messages that appear to come from a different person.

Root Cause

The route already requires authenticateUser, which populates req.user from the Supabase session. The handler ignored this and trusted the client-supplied value instead.

Changes Made

File Change
backend/controllers/chat.controller.js Removed username from destructured req.body. Derived username from req.user.user_metadata.username, falling back to req.user.user_metadata.name, then req.user.email, then "Anonymous".

Testing Done

  • POST with username: "other_user" in body now stores the real authenticated user's name.
  • No regression on message content, image, and audio fields.

Checklist

  • No merge conflicts with master
  • No em dashes or double hyphens in comments
  • Changes focused on the reported surface

Closes #160

@anshul23102
fix(chat): derive username from authenticated session instead of requ…
507f472 
…est body [NSoC'26]

sendMessage read the username field directly from req.body and stored it
in Supabase. Any authenticated user could supply username: 'other_user' in
the request body to post messages appearing to come from a different person.

The route already requires authenticateUser, so req.user is always populated.
The username is now derived from req.user.user_metadata (falling back to
req.user.email) so it always reflects the real authenticated identity.

Closes Shriii19#160
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 2, 2026

@anshul23102 is attempting to deploy a commit to the shreemp194-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 2, 2026

👋 Thank you for opening this pull request! I will review your changes and assist you soon.

@anshul23102 anshul23102 mentioned this pull request Jun 2, 2026
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: sendMessage accepts username from request body — authenticated users can impersonate any teammate in chat

1 participant

@anshul23102