fix: admin only check

Author: potts99

apps/api/src/controllers/users.ts

@@ -2,6 +2,7 @@ import bcrypt from "bcrypt";
 import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 
 import { track } from "../lib/hog";
+import { checkSession } from "../lib/session";
 import { prisma } from "../prisma";
 
 export function userRoutes(fastify: FastifyInstance) {
@@ -70,20 +71,25 @@ export function userRoutes(fastify: FastifyInstance) {
   // (ADMIN) Reset password
   fastify.put(
     "/api/v1/user/reset-password",
-
     async (request: FastifyRequest, reply: FastifyReply) => {
       const { password, id }: any = request.body;
 
-      const hashedPass = await bcrypt.hash(password, 10);
-      await prisma.user.update({
-        where: { id: id },
-        data: {
-          password: hashedPass,
-        },
-      });
-      reply
-        .status(201)
-        .send({ message: "password updated success", failed: false });
+      const session = await checkSession(request);
+
+      if (session!.isAdmin) {
+        const hashedPass = await bcrypt.hash(password, 10);
+        await prisma.user.update({
+          where: { id: id },
+          data: {
+            password: hashedPass,
+          },
+        });
+        reply
+          .status(201)
+          .send({ message: "password updated success", failed: false });
+      } else {
+        reply.status(403).send({ message: "Unauthorized", failed: true });
+      }
     }
   );