build: 🔒️ Add extra user check in api

2022-03-04 17:21:01 +01:00
parent 2a31b13cb3
commit ec18912879
20 changed files with 80 additions and 179 deletions
--- a/apps/builder/pages/api/users/[id].ts
+++ b/apps/builder/pages/api/users/[id].ts
@ -1,14 +1,12 @@
 import { withSentry } from '@sentry/nextjs'
 import prisma from 'libs/prisma'
 import { NextApiRequest, NextApiResponse } from 'next'
-import { getSession } from 'next-auth/react'
-import { methodNotAllowed } from 'utils'
+import { getAuthenticatedUser } from 'services/api/utils'
+import { methodNotAllowed, notAuthenticated } from 'utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
-
-  if (!session?.user)
-    return res.status(401).json({ message: 'Not authenticated' })
+  const user = await getAuthenticatedUser(req)
+  if (!user) return notAuthenticated(res)

  const id = req.query.id.toString()
  if (req.method === 'PUT') {
--- a/apps/builder/pages/api/users/[id]/credentials.ts
+++ b/apps/builder/pages/api/users/[id]/credentials.ts
@ -1,18 +1,14 @@
 import { withSentry } from '@sentry/nextjs'
-import { Prisma, User } from 'db'
+import { Prisma } from 'db'
 import prisma from 'libs/prisma'
 import { Credentials } from 'models'
 import { NextApiRequest, NextApiResponse } from 'next'
-import { getSession } from 'next-auth/react'
-import { encrypt, methodNotAllowed } from 'utils'
+import { getAuthenticatedUser } from 'services/api/utils'
+import { encrypt, methodNotAllowed, notAuthenticated } from 'utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
-
-  if (!session?.user)
-    return res.status(401).json({ message: 'Not authenticated' })
-
-  const user = session.user as User
+  const user = await getAuthenticatedUser(req)
+  if (!user) return notAuthenticated(res)
  const id = req.query.id.toString()
  if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
  if (req.method === 'GET') {
--- a/apps/builder/pages/api/users/[id]/credentials/[credentialsId].ts
+++ b/apps/builder/pages/api/users/[id]/credentials/[credentialsId].ts
@ -1,17 +1,12 @@
 import { withSentry } from '@sentry/nextjs'
-import { User } from 'db'
 import prisma from 'libs/prisma'
 import { NextApiRequest, NextApiResponse } from 'next'
-import { getSession } from 'next-auth/react'
-import { methodNotAllowed } from 'utils'
+import { getAuthenticatedUser } from 'services/api/utils'
+import { methodNotAllowed, notAuthenticated } from 'utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
-
-  if (!session?.user)
-    return res.status(401).json({ message: 'Not authenticated' })
-
-  const user = session.user as User
+  const user = await getAuthenticatedUser(req)
+  if (!user) return notAuthenticated(res)
  const id = req.query.id.toString()
  if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
  if (req.method === 'DELETE') {
--- a/apps/builder/pages/api/users/[id]/customDomains.ts
+++ b/apps/builder/pages/api/users/[id]/customDomains.ts
@ -1,18 +1,14 @@
 import { withSentry } from '@sentry/nextjs'
-import { CustomDomain, Prisma, User } from 'db'
+import { CustomDomain, Prisma } from 'db'
 import { got, HTTPError } from 'got'
 import prisma from 'libs/prisma'
 import { NextApiRequest, NextApiResponse } from 'next'
-import { getSession } from 'next-auth/react'
-import { methodNotAllowed } from 'utils'
+import { getAuthenticatedUser } from 'services/api/utils'
+import { methodNotAllowed, notAuthenticated } from 'utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
-
-  if (!session?.user)
-    return res.status(401).json({ message: 'Not authenticated' })
-
-  const user = session.user as User
+  const user = await getAuthenticatedUser(req)
+  if (!user) return notAuthenticated(res)
  const id = req.query.id.toString()
  if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
  if (req.method === 'GET') {
--- a/apps/builder/pages/api/users/[id]/customDomains/[domain].ts
+++ b/apps/builder/pages/api/users/[id]/customDomains/[domain].ts
@ -1,18 +1,13 @@
 import { withSentry } from '@sentry/nextjs'
-import { User } from 'db'
 import prisma from 'libs/prisma'
 import { NextApiRequest, NextApiResponse } from 'next'
-import { getSession } from 'next-auth/react'
-import { methodNotAllowed } from 'utils'
+import { methodNotAllowed, notAuthenticated } from 'utils'
 import { got } from 'got'
+import { getAuthenticatedUser } from 'services/api/utils'

 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
-  const session = await getSession({ req })
-
-  if (!session?.user)
-    return res.status(401).json({ message: 'Not authenticated' })
-
-  const user = session.user as User
+  const user = await getAuthenticatedUser(req)
+  if (!user) return notAuthenticated(res)
  const id = req.query.id.toString()
  if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
  if (req.method === 'DELETE') {