gabriel-hahn
diff --git a/‎api/src/app/routes/middleware/auth.js‎
Lines changed: 5 additions & 0 deletions b/‎api/src/app/routes/middleware/auth.js‎
Lines changed: 5 additions & 0 deletions
@@ -12,6 +12,11 @@ module.exports = async (req, res, next) => {
 
   try {
     const decoded = await promisify(jwt.verify)(token, process.env.APP_SECRET);
+
+    if (req.headers.userId && req.headers.userId !== decoded.id) {
+      return res.status(401).json({ message: 'Request not allowed' });
+    }
+
     req.userId = decoded.id;
   } catch (err) {
     return res.status(401).json({ message: 'Token invalid' });