From ea57608ca677962e3664e66c498aba85856ab7dc Mon Sep 17 00:00:00 2001
From: Nawaz Dhandala
Date: Sat, 7 Mar 2026 18:44:27 +0000
Subject: [PATCH] feat(api): add item validation and user ID checks in verification endpoints for UserCall, UserEmail, UserSMS, and UserWhatsApp

---
 Common/Server/API/UserCallAPI.ts | 29 ++++++++++++++++++++++++++++
 Common/Server/API/UserEmailAPI.ts | 29 ++++++++++++++++++++++++++++
 Common/Server/API/UserSmsAPI.ts | 29 ++++++++++++++++++++++++++++
 Common/Server/API/UserWhatsAppAPI.ts | 29 ++++++++++++++++++++++++++++
 4 files changed, 116 insertions(+)

diff --git a/Common/Server/API/UserCallAPI.ts b/Common/Server/API/UserCallAPI.ts
index a38cb15bf8..593ec26042 100644
--- a/Common/Server/API/UserCallAPI.ts
+++ b/Common/Server/API/UserCallAPI.ts
@@ -136,6 +136,35 @@ export default class UserCallAPI extends BaseAPI<
 );
 }
 
+ const item: UserCall | null = await this.service.findOneById({
+ id: req.body["itemId"],
+ props: {
+ isRoot: true,
+ },
+ select: {
+ userId: true,
+ },
+ });
+
+ if (!item) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Item not found"),
+ );
+ }
+
+ if (
+ item.userId?.toString() !==
+ (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
+ ) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Invalid user ID"),
+ );
+ }
+
 await this.service.resendVerificationCode(req.body.itemId);
 
 return Response.sendEmptySuccessResponse(req, res);
diff --git a/Common/Server/API/UserEmailAPI.ts b/Common/Server/API/UserEmailAPI.ts
index 8a3e8e806e..90cb3111ac 100644
--- a/Common/Server/API/UserEmailAPI.ts
+++ b/Common/Server/API/UserEmailAPI.ts
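Review bot: The ownership check in the added `if (` block is fail-open when both sides are undefined: an item whose `userId` is unset and a request with no `userAuthorization` compare as `undefined !== undefined`, which is false, so control falls through to `resendVerificationCode`, and because the lookup runs with `isRoot: true` this comparison is the only ownership gate on the item. Bind the caller id first and require both values, e.g. `const callerId = (req as OneUptimeRequest).userAuthorization?.userId?.toString();` followed by `if (!callerId || !item.userId || item.userId.toString() !== callerId) {`. Whether an auth middleware already guarantees `userAuthorization` on this route is not visible in the hunk, so treat the request-side part of the guard as defence in depth. The two distinct messages, "Item not found" and "Invalid user ID", also let a caller tell an unknown itemId from one owned by another user; returning the same response in both branches removes that distinction. The same block is repeated in the UserEmailAPI.ts, UserSmsAPI.ts and UserWhatsAppAPI.ts hunks (a shared helper would keep the four copies from drifting), and the enclosing handler starts outside each hunk.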
@@ -137,6 +137,35 @@ export default class UserEmailAPI extends BaseAPI<
 );
 }
 
+ const item: UserEmail | null = await this.service.findOneById({
+ id: req.body["itemId"],
+ props: {
+ isRoot: true,
+ },
+ select: {
+ userId: true,
+ },
+ });
+
+ if (!item) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Item not found"),
+ );
+ }
+
+ if (
+ item.userId?.toString() !==
+ (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
+ ) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Invalid user ID"),
+ );
+ }
+
 await this.service.resendVerificationCode(req.body.itemId);
 
 return Response.sendEmptySuccessResponse(req, res);
diff --git a/Common/Server/API/UserSmsAPI.ts b/Common/Server/API/UserSmsAPI.ts
index ffe588a7c2..47f55f54ed 100644
--- a/Common/Server/API/UserSmsAPI.ts
+++ b/Common/Server/API/UserSmsAPI.ts
@@ -132,6 +132,35 @@ export default class UserSMSAPI extends BaseAPI {
 );
 }
 
+ const item: UserSMS | null = await this.service.findOneById({
+ id: req.body["itemId"],
+ props: {
+ isRoot: true,
+ },
+ select: {
+ userId: true,
+ },
+ });
+
+ if (!item) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Item not found"),
+ );
+ }
+
+ if (
+ item.userId?.toString() !==
+ (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
+ ) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Invalid user ID"),
+ );
+ }
+
 await this.service.resendVerificationCode(req.body.itemId);
 
 return Response.sendEmptySuccessResponse(req, res);
diff --git a/Common/Server/API/UserWhatsAppAPI.ts b/Common/Server/API/UserWhatsAppAPI.ts
index b7679d7253..7a388acda4 100644
--- a/Common/Server/API/UserWhatsAppAPI.ts
+++ b/Common/Server/API/UserWhatsAppAPI.ts
@@ -143,6 +143,35 @@ export default class UserWhatsAppAPI extends BaseAPI<
 );
 }
 
+ const item: UserWhatsApp | null = await this.service.findOneById({
+ id: req.body["itemId"],
+ props: {
+ isRoot: true,
+ },
+ select: {
+ userId: true,
+ },
+ });
+
+ if (!item) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Item not found"),
+ );
+ }
+
+ if (
+ item.userId?.toString() !==
+ (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
+ ) {
+ return Response.sendErrorResponse(
+ req,
+ res,
+ new BadDataException("Invalid user ID"),
+ );
+ }
+
 await this.service.resendVerificationCode(req.body.itemId);
 
 return Response.sendEmptySuccessResponse(req, res);