Skip to content

fix(security): GET /reputation/me unreachable due to route order and missing JwtAuthGuardΒ #115

Description

@Josue19-08

πŸ”– Title

Fix `GET /reputation/me` β€” unreachable route and missing auth guard


πŸ“„ Description

`GET /reputation/me` in `reputation.controller.ts` is permanently unreachable and would not work even if it were reachable. Two distinct bugs:

Bug 1 β€” Route ordering: `@Get(':wallet')` is declared before `@Get('me')`. NestJS/Fastify matches routes in declaration order, so `/reputation/me` is captured by the `:wallet` handler first. The wallet param regex rejects the string `"me"` and returns a 400 β€” the `/me` endpoint is dead code that can never execute.

Bug 2 β€” Missing auth guard: `GET /reputation/me` has no `@UseGuards(JwtAuthGuard)` decorator. The handler reads `req.user?.wallet` directly; without Passport processing the request, `req.user` is always `undefined`, causing the endpoint to throw `UnauthorizedException` for every call β€” even if the routing bug were fixed.


βœ… Tasks to complete

  • Move `@Get('me')` above `@Get(':wallet')` in `reputation.controller.ts`
  • Add `@UseGuards(JwtAuthGuard)` to `GET /reputation/me`
  • Replace raw `@Request() req` with `@CurrentUser() user` decorator (already exists in `src/common/decorators/`)
  • Ensure `JwtModule` and `PassportModule` are imported in `reputation.module.ts`
  • Add unit tests in `reputation.controller.spec.ts` covering: authenticated call returns score, unauthenticated call returns 401, route precedence (me is not matched by :wallet)
  • Add E2E test `test/e2e/modules/reputation/reputation.e2e-spec.ts`: valid JWT β†’ 200 with score; no token β†’ 401

πŸ“š Documentation/context for AI

(This link never should removed)
https://github.com/TrustUp-app/TrustUp-API/tree/main/docs

Relevant files:

  • `src/modules/reputation/reputation.controller.ts`
  • `src/modules/reputation/reputation.module.ts`
  • `src/common/decorators/current-user.decorator.ts`
  • `src/modules/auth/guards/jwt-auth.guard.ts`

πŸ—’οΈ Additional notes

  • Follow the same auth pattern as `GET /users/me` (`users.controller.ts`) β€” it correctly uses `@UseGuards(JwtAuthGuard)` + `@CurrentUser()`
  • The `:wallet` route should remain below `/me` in the final file
  • This is a security issue: the `/me` endpoint currently exposes unintended behavior (always 400 or always 401 depending on call path)

Metadata

Metadata

Assignees

Labels

GrantFox OSSIssue tracked in GrantFox OSSMaybe RewardedIssue may be eligible for a GrantFox rewardOfficial Campaign | FWC26Campaign: Official Campaign | FWC26

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions