Description
The access guard is checking whether the request is performed by a platform, in which case it will validate the JWT from the header:
https://github.com/MetaState-Prototype-Project/prototype/blob/main/infrastructure/evault-core/src/protocol/vault-access-guard.ts#L66
However, if the request is coming from a user, the code assumes the value in context.currentUser is legit.
As far as I can see the value is set at https://github.com/MetaState-Prototype-Project/prototype/blob/main/infrastructure/evault-core/src/protocol/graphql-server.ts#L303, at which point we are simply parsing it out from the JWT without actually running any verification on it.
Can you show where in the code we make sure a malicious requester didn't just put my ename in the header?