ISSUE_NUMBER: GH-9
Description
The createMessage and getMessagesByChatId functions in src/controllers/Chat/index.ts have optional checks to ensure the user owns the chat. These checks should be mandatory to prevent unauthorized access to chat data.
File: repositories/chatgptapi/src/controllers/Chat/index.ts
Lines: 62, 99
Severity: high
Current Behavior
The chat ownership check is marked as optional in both functions, so it can be omitted, leaving any authenticated user able to read or write another user's chat.
Expected Behavior
The code should enforce mandatory chat ownership checks to ensure that only authorized users can create messages or retrieve messages from a chat.
Suggested Fix
Remove the "Optional" comments and ensure that the chat ownership check is always executed.
Code Context

```ts
// Optional: Add a check to ensure the user owns the chat
if (chat.user.toString() !== userId.toString()) {
  return res.status(403).json({ message: 'User does not have access to this chat' });
}
```

Additional Notes
This is a critical security issue that could allow unauthorized users to access sensitive chat data.
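One way to make the check impossible to skip is to route both handlers through a single loader that returns the chat only to its owner. This is an added example, not the project's code: `loadOwnedChat`, the in-memory `chats` store, the `Result` shape and the sample users are constructed here, and the handlers take plain arguments instead of Express `req`/`res`.

```typescript
// Added example (not the project's code). Chat, Result, the in-memory store
// and the sample data are constructed for illustration.
type Chat = { id: string; user: string; messages: string[] };
type Result = { status: number; body: unknown };

// Constructed sample data standing in for the database.
const chats = new Map<string, Chat>([
  ["chat-1", { id: "chat-1", user: "user-A", messages: ["hello"] }],
  ["chat-2", { id: "chat-2", user: "user-B", messages: [] }],
]);

// Single entry point for loading a chat on behalf of a user. It returns the chat
// only when the caller owns it, so no handler can reach the data without the check.
function loadOwnedChat(chatId: string, userId: string): Chat | Result {
  const chat = chats.get(chatId);
  if (!chat) return { status: 404, body: { message: "Chat not found" } };
  if (chat.user.toString() !== userId.toString()) {
    return { status: 403, body: { message: "User does not have access to this chat" } };
  }
  return chat;
}

// Type guard: an early HTTP result carries a status, a Chat does not.
function isResult(x: Chat | Result): x is Result {
  return "status" in x;
}

function getMessagesByChatId(chatId: string, userId: string): Result {
  const loaded = loadOwnedChat(chatId, userId);
  if (isResult(loaded)) return loaded; // 403 or 404 propagates unchanged
  return { status: 200, body: loaded.messages };
}

function createMessage(chatId: string, userId: string, text: string): Result {
  const loaded = loadOwnedChat(chatId, userId);
  if (isResult(loaded)) return loaded;
  loaded.messages.push(text);
  return { status: 201, body: { count: loaded.messages.length } };
}
```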