check ownership before trying to decrypt

src/main/java/com/lhamacorp/knotes/api/NoteController.java

@@ -9,6 +9,7 @@ import com.lhamacorp.knotes.context.UserContextHolder;
 import com.lhamacorp.knotes.domain.EncryptionMode;
 import com.lhamacorp.knotes.domain.Note;
 import com.lhamacorp.knotes.service.NoteService;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
@@ -17,8 +18,7 @@ import java.util.List;
 import static com.lhamacorp.knotes.context.UserContextHolder.isAuthenticated;
 import static com.lhamacorp.knotes.domain.EncryptionMode.PRIVATE;
 import static com.lhamacorp.knotes.domain.EncryptionMode.PUBLIC;
-import static org.springframework.http.ResponseEntity.badRequest;
-import static org.springframework.http.ResponseEntity.ok;
+import static org.springframework.http.ResponseEntity.*;
 
 @RestController
 @RequestMapping("api/notes")
@@ -42,6 +42,10 @@ public class NoteController {
         UserContext user = UserContextHolder.get();
         Note note = service.findById(id);
 
+        if (!note.createdBy().equals("1") && !note.createdBy().equals(user.id())) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+        }
+
         EncryptionMode mode = note.encryptionMode() != null ? note.encryptionMode() : PUBLIC;
 
         return switch (mode) {