Bug: sendMessage accepts username from request body — authenticated users can impersonate any teammate in chat #160

@anshul23102

Description

In backend/controllers/chat.controller.js, the sendMessage handler reads the username field from the request body and stores it in Supabase without any server-side identity verification:

```js
const { text, username, image, audio } = req.body;
const { data, error } = await supabase
    .from('messages')
    .insert([{ text, username, image, audio, status: 'sent' }])
    .select();
```

Although the route requires authenticateUser, the authenticated user's identity is never applied to the stored message. Any authenticated user can provide username: "other_person" in the request body to post chat messages under a different user's name.

To Reproduce

  1. Authenticate as User A.
  2. Send POST /api/messages with { "text": "Hello team", "username": "UserB" }.
  3. The message is broadcast and stored as if UserB sent it.

Expected Behavior

The username should come from the authenticated session, not the request body. If the auth middleware attaches req.user:

```js
const username = req.user?.username || req.user?.email || 'Anonymous';
```
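The following is an added example, not code from this repository: it places the vulnerable handler shape from the report beside a hardened one that takes the author only from `req.user`, and replays the reproduction steps against both. The Supabase client, the Express response object and the `authorFromRequest` helper are constructed here for the example; the real client's `insert().select()` returns a thenable, so the handlers await it exactly as the project's code does.

```javascript
// Added example (not the project's code): author identity derived from the
// authenticated principal, not from req.body.username. The Supabase client is
// replaced by an in-memory stub (constructed) so this runs offline.

// Constructed stand-in for the subset of the Supabase API the handler uses.
function makeFakeSupabase() {
  const rows = [];
  return {
    rows,
    from(table) {
      return {
        insert(values) {
          const inserted = values.map((v, i) => ({ id: rows.length + i + 1, table, ...v }));
          rows.push(...inserted);
          return { select: async () => ({ data: inserted, error: null }) };
        },
      };
    },
  };
}

// Identity derivation (hypothetical helper): the only acceptable source is req.user,
// which authenticateUser sets. Returns null when no principal is present so the
// handler can reject instead of silently falling back to a guessable default.
function authorFromRequest(req) {
  const u = req.user;
  if (!u) return null;
  const name = u.username || u.email;
  return typeof name === 'string' && name.length > 0 ? name : null;
}

// Vulnerable shape described in the report: username is taken from the request body.
function vulnerableSendMessage(supabase) {
  return async (req, res) => {
    const { text, username, image, audio } = req.body;
    const { data, error } = await supabase
      .from('messages')
      .insert([{ text, username, image, audio, status: 'sent' }])
      .select();
    if (error) return res.status(500).json({ error: error.message });
    return res.status(201).json(data[0]);
  };
}

// Hardened shape: req.body.username is never read; the author is whoever authenticated.
function hardenedSendMessage(supabase) {
  return async (req, res) => {
    const username = authorFromRequest(req);
    if (!username) return res.status(401).json({ error: 'authentication required' });

    const { text, image, audio } = req.body; // username intentionally omitted
    if (typeof text !== 'string' || text.trim() === '') {
      return res.status(400).json({ error: 'text is required' });
    }

    const { data, error } = await supabase
      .from('messages')
      .insert([{ text, username, image, audio, status: 'sent' }])
      .select();
    if (error) return res.status(500).json({ error: error.message });
    return res.status(201).json(data[0]);
  };
}

// Minimal Express-style response stub (constructed) recording status and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Replays the report's reproduction against a handler factory and returns the HTTP
// status plus the username that actually reached storage.
async function replay(handlerFactory, req) {
  const supabase = makeFakeSupabase();
  const res = makeRes();
  await handlerFactory(supabase)(req, res);
  const first = supabase.rows[0];
  return { status: res.statusCode, storedUsername: first ? first.username : null };
}

// Constructed request: User A is authenticated but claims to be UserB in the body.
const spoofAttempt = {
  user: { username: 'UserA' },
  body: { text: 'Hello team', username: 'UserB' },
};

replay(vulnerableSendMessage, spoofAttempt).then((r) => console.log('vulnerable:', r));
replay(hardenedSendMessage, spoofAttempt).then((r) => console.log('hardened:', r));
```

Running the block shows the vulnerable handler storing `UserB` while the hardened one stores `UserA` for the identical request; a request with no `req.user` is rejected with 401 rather than written under a default name, which is the safer choice when the middleware is expected to have already run.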

Actual Behavior

Any authenticated user can send messages attributed to any arbitrary username.

Desktop

  • Backend: Node.js / Express / Supabase
  • File: backend/controllers/chat.controller.js, function: sendMessage

Additional context

Expected NSOC points: level2 (security - identity impersonation)

Labels: bug, NSoC'26, level2

Checklist:

  • Searched existing issues - not a duplicate
  • Read CONTRIBUTING.md and NSoC rules
  • No AI/Claude mentions
  • No em dashes or double hyphens
  • Repository verified as NSOC
