upd

src/common/decorators/current-profile.decorator.ts

@@ -0,0 +1,9 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+
+export const CurrentProfile = createParamDecorator(
+  (data: string, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest();
+    const profile = request.profile;
+    return data ? profile?.[data] : profile;
+  },
+);

src/common/guards/profile-owner.guard.ts

@@ -0,0 +1,36 @@
+import { CanActivate, ExecutionContext, ForbiddenException, Injectable, NotFoundException } from '@nestjs/common';
+import { eq } from 'drizzle-orm';
+import { DrizzleService } from '../../database/drizzle.service';
+import { profile } from '../../database/schema';
+
+/**
+ * Verifies that the profileId in request body/params belongs to the authenticated user.
+ * Expects profileId in: params.profileId OR body.profileId OR query.profileId
+ */
+@Injectable()
+export class ProfileOwnerGuard implements CanActivate {
+  constructor(private readonly drizzleService: DrizzleService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest();
+    const userId = request.user?.id;
+    const profileId =
+      request.params?.profileId ||
+      request.body?.profileId ||
+      request.query?.profileId;
+
+    if (!profileId) return true;
+
+    const [found] = await this.drizzleService.db
+      .select({ id: profile.id, userId: profile.userId })
+      .from(profile)
+      .where(eq(profile.id, profileId))
+      .limit(1);
+
+    if (!found) throw new NotFoundException('Profile not found');
+    if (found.userId !== userId) throw new ForbiddenException('Profile does not belong to you');
+
+    request.profile = found;
+    return true;
+  }
+}