From 78c4596e9348f872576234a692fcf6b1fd8044e1 Mon Sep 17 00:00:00 2001
From: Baptiste Arnaud
Date: Tue, 3 May 2022 06:39:54 -0700
Subject: [PATCH] =?UTF-8?q?fix(integration):=20=F0=9F=94=92=EF=B8=8F=20Enf?= =?UTF-8?q?orce=20Sheets=20security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../integrations/google-sheets/spreadsheets.ts | 18 ++----------------
 .../google-sheets/spreadsheets/[id]/sheets.ts | 1 -
 .../[spreadsheetId]/sheets/[sheetId].ts | 17 ++++++++++-------
 3 files changed, 12 insertions(+), 24 deletions(-)
diff --git a/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts b/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts
index e1d766740..2bb2b38aa 100644
--- a/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts
+++ b/apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts
@@ -1,13 +1,8 @@
 import { NextApiRequest, NextApiResponse } from 'next'
 import { drive } from '@googleapis/drive'
 import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
-import {
- badRequest,
- forbidden,
- methodNotAllowed,
- notAuthenticated,
-} from 'utils'
-import { captureException, setUser, withSentry } from '@sentry/nextjs'
+import { badRequest, methodNotAllowed, notAuthenticated } from 'utils'
+import { setUser, withSentry } from '@sentry/nextjs'
 import { getAuthenticatedUser } from 'services/api/utils'
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
@@ -21,15 +16,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)
 if (!auth)
 return res.status(404).send("Couldn't find credentials in database")
- if (auth.credentials.ownerId !== user.id) {
- // It should never happen but for some reason it does in rare cases... Currently under investigation.
- captureException(
- new Error(
- `Credentials ownerId does not match user id ${auth.credentials.ownerId} !== ${user.id}`
- )
- )
- return forbidden(res)
- }
 const response = await drive({
 version: 'v3',
 auth: auth.client,
diff --git a/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts b/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts
index 0b18d96c2..e1f423bc6 100644
--- a/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts
+++ b/apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts
@@ -18,7 +18,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 if (req.method === 'GET') {
 const credentialsId = req.query.credentialsId as string | undefined
 if (!credentialsId) return badRequest(res)
-
 const spreadsheetId = req.query.id.toString()
 const doc = new GoogleSpreadsheet(spreadsheetId)
 const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)
diff --git a/apps/viewer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts b/apps/viewer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts
index 849b8140c..e2f509c05 100644
--- a/apps/viewer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts
+++ b/apps/viewer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts
@@ -12,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 await cors(req, res)
 const resultId = req.query.resultId as string | undefined
 if (req.method === 'GET') {
- const spreadsheetId = req.query.spreadsheetId.toString()
- const sheetId = req.query.sheetId.toString()
- const credentialsId = req.query.credentialsId.toString()
+ const spreadsheetId = req.query.spreadsheetId as string
+ const sheetId = req.query.sheetId as string
+ const credentialsId = req.query.credentialsId as string | undefined
+ if (!credentialsId) return badRequest(res)
 const referenceCell = {
 column: req.query['referenceCell[column]'],
 value: req.query['referenceCell[value]'],
@@ -54,14 +55,15 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 }
 }
 if (req.method === 'POST') {
- const spreadsheetId = req.query.spreadsheetId.toString()
- const sheetId = req.query.sheetId.toString()
+ const spreadsheetId = req.query.spreadsheetId as string
+ const sheetId = req.query.sheetId as string
 const { credentialsId, values } = (
 typeof req.body === 'string' ? JSON.parse(req.body) : req.body
 ) as {
- credentialsId: string
+ credentialsId?: string
 values: { [key: string]: string }
 }
+ if (!credentialsId) return badRequest(res)
 const doc = new GoogleSpreadsheet(spreadsheetId)
 const auth = await getAuthenticatedGoogleClient(credentialsId)
 if (!auth)
@@ -84,10 +86,11 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
 const { credentialsId, values, referenceCell } = (
 typeof req.body === 'string' ? JSON.parse(req.body) : req.body
 ) as {
- credentialsId: string
+ credentialsId?: string
 referenceCell: Cell
 values: { [key: string]: string }
 }
+ if (!credentialsId) return badRequest(res)
 const doc = new GoogleSpreadsheet(spreadsheetId)
 const auth = await getAuthenticatedGoogleClient(credentialsId)
 if (!auth)
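Review bot: The added guard `if (!credentialsId) return badRequest(res)` only rejects an absent value, while `as string | undefined` on `req.query.credentialsId` in the GET hunk and `credentialsId?: string` on the parsed body in the POST hunk and the third hunk (old line 84) are compile-time assertions with no runtime effect, so a repeated query parameter (an array) or a non-string JSON value is truthy, passes the guard and reaches `getAuthenticatedGoogleClient(credentialsId)` unchanged. In all three places prefer a real type check, `if (typeof credentialsId !== 'string') return badRequest(res)`, which also narrows the variable without the assertion. Separately, this viewer call passes only `credentialsId`, whereas the builder endpoint in the same patch passes `user.id` as well, so nothing visible in these hunks ties the client-supplied credentials to the typebot or `resultId` being served; if that scoping happens inside the viewer's `getAuthenticatedGoogleClient`, a call-site comment such as `// credentialsId is client-supplied; getAuthenticatedGoogleClient is responsible for checking it may be used for this request` would make the contract explicit. The handler's body starts and ends outside each of these hunks.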