2
0

fix(integration): 🔒️ Enforce Sheets security

This commit is contained in:
Baptiste Arnaud
2022-05-03 06:39:54 -07:00
parent a863a4cb21
commit 78c4596e93
3 changed files with 12 additions and 24 deletions

View File

@ -1,13 +1,8 @@
import { NextApiRequest, NextApiResponse } from 'next'
import { drive } from '@googleapis/drive'
import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
import {
badRequest,
forbidden,
methodNotAllowed,
notAuthenticated,
} from 'utils'
import { captureException, setUser, withSentry } from '@sentry/nextjs'
import { badRequest, methodNotAllowed, notAuthenticated } from 'utils'
import { setUser, withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => {
@ -21,15 +16,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)
if (!auth)
return res.status(404).send("Couldn't find credentials in database")
if (auth.credentials.ownerId !== user.id) {
// It should never happen but for some reason it does in rare cases... Currently under investigation.
captureException(
new Error(
`Credentials ownerId does not match user id ${auth.credentials.ownerId} !== ${user.id}`
)
)
return forbidden(res)
}
const response = await drive({
version: 'v3',
auth: auth.client,

View File

@ -18,7 +18,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (req.method === 'GET') {
const credentialsId = req.query.credentialsId as string | undefined
if (!credentialsId) return badRequest(res)
const spreadsheetId = req.query.id.toString()
const doc = new GoogleSpreadsheet(spreadsheetId)
const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)

View File

@ -12,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
await cors(req, res)
const resultId = req.query.resultId as string | undefined
if (req.method === 'GET') {
const spreadsheetId = req.query.spreadsheetId.toString()
const sheetId = req.query.sheetId.toString()
const credentialsId = req.query.credentialsId.toString()
const spreadsheetId = req.query.spreadsheetId as string
const sheetId = req.query.sheetId as string
const credentialsId = req.query.credentialsId as string | undefined
if (!credentialsId) return badRequest(res)
const referenceCell = {
column: req.query['referenceCell[column]'],
value: req.query['referenceCell[value]'],
@ -54,14 +55,15 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
}
}
if (req.method === 'POST') {
const spreadsheetId = req.query.spreadsheetId.toString()
const sheetId = req.query.sheetId.toString()
const spreadsheetId = req.query.spreadsheetId as string
const sheetId = req.query.sheetId as string
const { credentialsId, values } = (
typeof req.body === 'string' ? JSON.parse(req.body) : req.body
) as {
credentialsId: string
credentialsId?: string
values: { [key: string]: string }
}
if (!credentialsId) return badRequest(res)
const doc = new GoogleSpreadsheet(spreadsheetId)
const auth = await getAuthenticatedGoogleClient(credentialsId)
if (!auth)
@ -84,10 +86,11 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const { credentialsId, values, referenceCell } = (
typeof req.body === 'string' ? JSON.parse(req.body) : req.body
) as {
credentialsId: string
credentialsId?: string
referenceCell: Cell
values: { [key: string]: string }
}
if (!credentialsId) return badRequest(res)
const doc = new GoogleSpreadsheet(spreadsheetId)
const auth = await getAuthenticatedGoogleClient(credentialsId)
if (!auth)