protecting backend images

backend/images/handler.go

@@ -37,12 +37,26 @@ type ImagesReturn struct {
 }
 
 func (h *ImageHandler) serveImage(w http.ResponseWriter, r *http.Request) {
-	imageId, err := middleware.GetPathParamID(h.logger, "id", w, r)
+	imageID, err := middleware.GetPathParamID(h.logger, "id", w, r)
 	if err != nil {
 		return
 	}
 
-	image, err := h.imageModel.Get(r.Context(), imageId)
+	ctx := r.Context()
+
+	userID, err := middleware.GetUserID(ctx, h.logger, w)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	isAuthorized := h.imageModel.IsUserAuthorized(ctx, imageID, userID)
+	if !isAuthorized {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	image, err := h.imageModel.Get(r.Context(), imageID)
 	if err != nil {
 		w.WriteHeader(http.StatusNotFound)
 		fmt.Fprintf(w, "Could not get image")
@@ -235,15 +249,13 @@ func (h *ImageHandler) reprocessImage(w http.ResponseWriter, r *http.Request) {
 func (h *ImageHandler) CreateRoutes(r chi.Router) {
 	h.logger.Info("Mounting image router")
 
-	// Public route for serving images (not protected)
-	r.Get("/{id}", h.serveImage)
-
 	// Protected routes
 	r.Group(func(r chi.Router) {
 		r.Use(middleware.ProtectedRoute)
 		r.Use(middleware.SetJson)
 
 		r.Get("/", h.listImages)
+		r.Get("/{id}", h.serveImage)
 		r.Post("/{name}", middleware.WithLimit(h.logger, h.limitsManager.HasReachedImageLimit, h.uploadImage))
 		r.Delete("/{image-id}", h.deleteImage)
 	})