blsmedia/bot
2
0
Fork 0
Code Activity

fix(integration): 🔒️ Enforce Sheets security

Browse Source
This commit is contained in:
Baptiste Arnaud
2022-05-03 06:39:54 -07:00
parent a863a4cb21
commit 78c4596e93
3 changed files with 12 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts
View File

@ -1,13 +1,8 @@
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { drive } from '@googleapis/drive' import { drive } from '@googleapis/drive'
import { getAuthenticatedGoogleClient } from 'libs/google-sheets' import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
import { import { badRequest, methodNotAllowed, notAuthenticated } from 'utils'
badRequest, import { setUser, withSentry } from '@sentry/nextjs'
forbidden,
methodNotAllowed,
notAuthenticated,
} from 'utils'
import { captureException, setUser, withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils' import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
@ -21,15 +16,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const auth = await getAuthenticatedGoogleClient(user.id, credentialsId) const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)
if (!auth) if (!auth)
return res.status(404).send("Couldn't find credentials in database") return res.status(404).send("Couldn't find credentials in database")
if (auth.credentials.ownerId !== user.id) {
// It should never happen but for some reason it does in rare cases... Currently under investigation.
captureException(
new Error(
`Credentials ownerId does not match user id ${auth.credentials.ownerId} !== ${user.id}`
)
)
return forbidden(res)
}
const response = await drive({ const response = await drive({
version: 'v3', version: 'v3',
auth: auth.client, auth: auth.client,

1
apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts
View File

@ -18,7 +18,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (req.method === 'GET') { if (req.method === 'GET') {
const credentialsId = req.query.credentialsId as string | undefined const credentialsId = req.query.credentialsId as string | undefined
if (!credentialsId) return badRequest(res) if (!credentialsId) return badRequest(res)
const spreadsheetId = req.query.id.toString() const spreadsheetId = req.query.id.toString()
const doc = new GoogleSpreadsheet(spreadsheetId) const doc = new GoogleSpreadsheet(spreadsheetId)
const auth = await getAuthenticatedGoogleClient(user.id, credentialsId) const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)

17
apps/viewer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts
View File

@ -12,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
await cors(req, res) await cors(req, res)
const resultId = req.query.resultId as string | undefined const resultId = req.query.resultId as string | undefined
if (req.method === 'GET') { if (req.method === 'GET') {
const spreadsheetId = req.query.spreadsheetId.toString() const spreadsheetId = req.query.spreadsheetId as string
const sheetId = req.query.sheetId.toString() const sheetId = req.query.sheetId as string
const credentialsId = req.query.credentialsId.toString() const credentialsId = req.query.credentialsId as string | undefined
if (!credentialsId) return badRequest(res)
const referenceCell = { const referenceCell = {
column: req.query['referenceCell[column]'], column: req.query['referenceCell[column]'],
value: req.query['referenceCell[value]'], value: req.query['referenceCell[value]'],
@ -54,14 +55,15 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
} }
} }
if (req.method === 'POST') { if (req.method === 'POST') {
const spreadsheetId = req.query.spreadsheetId.toString() const spreadsheetId = req.query.spreadsheetId as string
const sheetId = req.query.sheetId.toString() const sheetId = req.query.sheetId as string
const { credentialsId, values } = ( const { credentialsId, values } = (
typeof req.body === 'string' ? JSON.parse(req.body) : req.body typeof req.body === 'string' ? JSON.parse(req.body) : req.body
) as { ) as {
credentialsId: string credentialsId?: string
values: { [key: string]: string } values: { [key: string]: string }
} }
if (!credentialsId) return badRequest(res)
const doc = new GoogleSpreadsheet(spreadsheetId) const doc = new GoogleSpreadsheet(spreadsheetId)
const auth = await getAuthenticatedGoogleClient(credentialsId) const auth = await getAuthenticatedGoogleClient(credentialsId)
if (!auth) if (!auth)
@ -84,10 +86,11 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const { credentialsId, values, referenceCell } = ( const { credentialsId, values, referenceCell } = (
typeof req.body === 'string' ? JSON.parse(req.body) : req.body typeof req.body === 'string' ? JSON.parse(req.body) : req.body
) as { ) as {
credentialsId: string credentialsId?: string
referenceCell: Cell referenceCell: Cell
values: { [key: string]: string } values: { [key: string]: string }
} }
if (!credentialsId) return badRequest(res)
const doc = new GoogleSpreadsheet(spreadsheetId) const doc = new GoogleSpreadsheet(spreadsheetId)
const auth = await getAuthenticatedGoogleClient(credentialsId) const auth = await getAuthenticatedGoogleClient(credentialsId)
if (!auth) if (!auth)