From 3b5a0aace1776582ea72aae740c11d0db0bcbc4b Mon Sep 17 00:00:00 2001
From: Sebastion
Date: Tue, 2 Jun 2026 23:05:12 +0100
Subject: [PATCH] fix: add user ownership check to clearContext (CWE-862)

---
 backend/src/controllers/agent.controller.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/src/controllers/agent.controller.ts b/backend/src/controllers/agent.controller.ts
index 77855e1..ca8af96 100644
--- a/backend/src/controllers/agent.controller.ts
+++ b/backend/src/controllers/agent.controller.ts
@@ -412,11 +412,12 @@ export const deleteSession = async (req: Request, res: Response) => {
 export const clearContext = async (req: Request, res: Response) => {
 try {
+ const userId = res.locals.userId;
 const { sessionId } = req.body;
 if (!sessionId) return res.status(400).json({ message: "sessionId is required" });
- const session = await SessionsModel.findOne({ sessionId });
- if (!session) return res.status(404).json({ message: "Session not found" });
+ const session = await requireActiveSession(userId, sessionId, res);
+ if (!session) return;
 abortSession(sessionId);