fix(auth): restric readonly users in user routes

Author: devxsameer

src/modules/user/user.repository.ts

@@ -11,8 +11,8 @@ export function findUserById(id: string) {
       and(
         eq(usersTable.id, id),
         eq(usersTable.isActive, true),
-        isNull(usersTable.deletedAt)
-      )
+        isNull(usersTable.deletedAt),
+      ),
     )
     .limit(1);
 }
@@ -25,8 +25,8 @@ export function findUserByEmail(email: string) {
       and(
         eq(usersTable.email, email),
         eq(usersTable.isActive, true),
-        isNull(usersTable.deletedAt)
-      )
+        isNull(usersTable.deletedAt),
+      ),
     )
     .limit(1);
 }
@@ -52,13 +52,7 @@ export function createUser(data: {
 
 export function updateUser(
   userId: string,
-  data: Partial<{
-    username: string;
-    bio: string;
-    avatarUrl: string;
-    isActive: boolean;
-    role: "admin" | "author" | "user";
-  }>
+  data: Partial<typeof usersTable.$inferInsert>,
 ) {
   return db
     .update(usersTable)

src/modules/user/user.routes.ts

@@ -1,6 +1,10 @@
 // src/modules/user/user.routes.ts
 import { Router } from "express";
-import { requireAuth, requireRole } from "@/middlewares/auth.middleware.js";
+import {
+  blockReadOnly,
+  requireAuth,
+  requireRole,
+} from "@/middlewares/auth.middleware.js";
 import { Role } from "@/constants/roles.js";
 import * as UserController from "./user.controller.js";
 import { validateParams } from "@/middlewares/validate.middleware.js";
@@ -12,22 +16,23 @@ userRoutes.get(
   "/",
   requireAuth,
   requireRole(Role.ADMIN),
-  UserController.adminListUsers
+  UserController.adminListUsers,
 );
 
-userRoutes.put("/me", requireAuth, UserController.updateMe);
+userRoutes.put("/me", requireAuth, blockReadOnly, UserController.updateMe);
 
 userRoutes.put(
   "/:userId",
   requireAuth,
   requireRole(Role.ADMIN),
+  blockReadOnly,
   validateParams(userIdParamSchema),
-  UserController.adminUpdateUser
+  UserController.adminUpdateUser,
 );
 userRoutes.get(
   "/me/avatar/upload",
   requireAuth,
-  UserController.getAvatarUpload
+  UserController.getAvatarUpload,
 );
 
 userRoutes.put("/me/avatar", requireAuth, UserController.updateAvatar);

src/modules/user/user.service.ts

@@ -6,15 +6,21 @@ import { AuthUser } from "@/@types/auth.js";
 import { cloudinary } from "@/config/cloudinary.js";
 import crypto from "node:crypto";
 
-export async function updateMe(user: AuthUser, input: any) {
+export async function updateMe(
+  user: AuthUser,
+  input: { username?: string; bio?: string },
+) {
   const [updated] = await UserRepo.updateUser(user.id, input);
   return updated;
 }
 
 export async function adminUpdateUser(
   admin: AuthUser,
   targetUserId: string,
-  input: any
+  input: {
+    username?: string;
+    bio?: string;
+  },
 ) {
   if (!canUpdateUser(admin, targetUserId)) {
     throw new ForbiddenError();
@@ -42,7 +48,7 @@ export function getAvatarUploadSignature(userId: string) {
       public_id: publicId,
       folder: "avatars",
     },
-    cloudinary.config().api_secret!
+    cloudinary.config().api_secret!,
   );
 
   return {
@@ -71,7 +77,7 @@ export async function adminListUsers(query: any) {
     pageInfo: {
       hasNextPage,
       nextCursor: hasNextPage
-        ? items[items.length - 1].createdAt?.toISOString() ?? null
+        ? (items[items.length - 1].createdAt?.toISOString() ?? null)
         : null,
     },
   };