From 2d1a3157f64ec3f3e196671dfa9a93b86d1ad28b Mon Sep 17 00:00:00 2001
From: leandrofars
Date: Mon, 15 Apr 2024 18:28:06 -0300
Subject: [PATCH] feat(api): limit devices credentials access to admin user
---
 backend/services/controller/internal/api/device.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/backend/services/controller/internal/api/device.go b/backend/services/controller/internal/api/device.go
index f5669e8..8a96644 100644
--- a/backend/services/controller/internal/api/device.go
+++ b/backend/services/controller/internal/api/device.go
@@ -111,6 +111,18 @@ type DeviceAuth struct {
 }
 func (a *Api) deviceAuth(w http.ResponseWriter, r *http.Request) {
+
+	user, err := a.db.FindUser(r.Context().Value("email").(string))
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		utils.MarshallEncoder(err, w)
+		return
+	}
+	if user.Level != AdminUser {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	if r.Method == http.MethodGet {
 		id := r.URL.Query().Get("id")