
build: 🔒️ Add extra user check in api

This commit is contained in:
Baptiste Arnaud
2022-03-04 17:21:01 +01:00
parent 2a31b13cb3
commit ec18912879
20 changed files with 80 additions and 179 deletions


@ -1,17 +1,14 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { Prisma, User } from 'db' import { Prisma } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (req.method === 'POST') { if (req.method === 'POST') {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const { code } = const { code } =
typeof req.body === 'string' ? JSON.parse(req.body) : req.body typeof req.body === 'string' ? JSON.parse(req.body) : req.body
const coupon = await prisma.coupon.findFirst({ const coupon = await prisma.coupon.findFirst({
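Review bot: The body parse on the new side (`typeof req.body === 'string' ? JSON.parse(req.body) : req.body`) runs on untrusted input with no try/catch, and `code` is never type-checked before the `prisma.coupon.findFirst` call that follows, so a malformed body surfaces as an unhandled exception (a 500 through withSentry) and a non-string `code` such as an object or array appears to flow straight into the query. A guard after the destructuring, `if (typeof code !== 'string' || code.length === 0) return res.status(400).json({ message: 'Bad request' })`, closes both gaps. The handler and the findFirst where-clause continue past the hunk, so the exact use of `code` could not be confirmed here.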


@ -1,16 +1,17 @@
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { Prisma } from 'db'
import { Prisma, User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { googleSheetsScopes } from './consent-url' import { googleSheetsScopes } from './consent-url'
import { stringify } from 'querystring' import { stringify } from 'querystring'
import { CredentialsType } from 'models' import { CredentialsType } from 'models'
import { encrypt } from 'utils' import { encrypt, notAuthenticated } from 'utils'
import { oauth2Client } from 'libs/google-sheets' import { oauth2Client } from 'libs/google-sheets'
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
const { redirectUrl, stepId } = JSON.parse( const { redirectUrl, stepId } = JSON.parse(
Buffer.from(req.query.state.toString(), 'base64').toString() Buffer.from(req.query.state.toString(), 'base64').toString()
) )
@ -18,9 +19,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const code = req.query.code.toString() const code = req.query.code.toString()
if (!code) if (!code)
return res.status(400).send({ message: "Bad request, couldn't get code" }) return res.status(400).send({ message: "Bad request, couldn't get code" })
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const { tokens } = await oauth2Client.getToken(code) const { tokens } = await oauth2Client.getToken(code)
if (!tokens?.access_token) { if (!tokens?.access_token) {
console.error('Error getting oAuth tokens:') console.error('Error getting oAuth tokens:')
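Review bot: The OAuth `state` value decoded on the new side (`JSON.parse(Buffer.from(req.query.state.toString(), 'base64').toString())`) is trusted purely as a data carrier for `redirectUrl` and `stepId` and is never compared against anything bound to the caller's session, so this callback is not protected against OAuth login CSRF: an attacker can complete the Google consent flow themselves and get a logged-in victim to open the resulting callback URL, and — since the handler presumably stores the exchanged tokens as the victim's credentials (the `encrypt` import and token handling suggest so, but the store is outside the hunk) — the victim's account would end up linked to the attacker's Google account. Generate a random nonce when building the consent URL, keep it in the session, include it in `state`, and reject the callback unless the decoded nonce matches. The `Buffer.from`/`JSON.parse` pair should also sit in a try/catch that returns 400, because a missing or malformed `state` currently throws before the `code` check; and if `redirectUrl` is later used for a redirect it needs an allow-list check. The handler continues beyond the hunk.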


@ -1,17 +1,14 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { DashboardFolder, User } from 'db' import { DashboardFolder } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const parentFolderId = req.query.parentId const parentFolderId = req.query.parentId
? req.query.parentId.toString() ? req.query.parentId.toString()
: null : null
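Review bot: `parentFolderId` is taken from `req.query.parentId` on the new side with no visible check that the parent folder belongs to `user.id`; the create that uses it lies outside the hunk, so if that call only sets `ownerId` on the new folder, a user could nest a folder under another user's folder by guessing its id. Before creating, resolve the parent with an owner-scoped lookup, e.g. `const parent = parentFolderId ? await prisma.dashboardFolder.findFirst({ where: { id: parentFolderId, ownerId: user.id } }) : null` and return 404 when `parentFolderId` is set but `parent` is null. The handler continues past the hunk.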


@ -1,18 +1,15 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { DashboardFolder, User } from 'db' import { DashboardFolder } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const id = req.query.id.toString() const id = req.query.id.toString()
const user = session.user as User
if (req.method === 'GET') { if (req.method === 'GET') {
const folder = await prisma.dashboardFolder.findUnique({ const folder = await prisma.dashboardFolder.findUnique({
where: { id_ownerId: { id, ownerId: user.id } }, where: { id_ownerId: { id, ownerId: user.id } },


@ -1,18 +1,14 @@
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { drive } from '@googleapis/drive' import { drive } from '@googleapis/drive'
import { getAuthenticatedGoogleClient } from 'libs/google-sheets' import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
import { getSession } from 'next-auth/react'
import { User } from 'db'
import { setUser, withSentry } from '@sentry/nextjs' import { setUser, withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
setUser({ email: user.email ?? undefined, id: user.id }) setUser({ email: user.email ?? undefined, id: user.id })
if (req.method === 'GET') { if (req.method === 'GET') {
const credentialsId = req.query.credentialsId.toString() const credentialsId = req.query.credentialsId.toString()
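Review bot: `credentialsId` comes straight from the query string on the new side and nothing in the hunk ties it to `user.id`; the Google client lookup that consumes it is outside the hunk, so confirm that `getAuthenticatedGoogleClient` filters the credentials row by owner (`where: { id: credentialsId, ownerId: user.id }` or equivalent) rather than by id alone, otherwise any signed-in user could drive Drive API calls with another user's stored Google tokens. If the helper cannot take the owner, do the owner-scoped lookup here and pass the row in. The handler continues past the hunk.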


@ -1,18 +1,14 @@
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { GoogleSpreadsheet } from 'google-spreadsheet' import { GoogleSpreadsheet } from 'google-spreadsheet'
import { getAuthenticatedGoogleClient } from 'libs/google-sheets' import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
import { isDefined, methodNotAllowed } from 'utils' import { isDefined, methodNotAllowed, notAuthenticated } from 'utils'
import { getSession } from 'next-auth/react'
import { User } from 'db'
import { withSentry, setUser } from '@sentry/nextjs' import { withSentry, setUser } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
setUser({ email: user.email ?? undefined, id: user.id }) setUser({ email: user.email ?? undefined, id: user.id })
if (req.method === 'GET') { if (req.method === 'GET') {
const credentialsId = req.query.credentialsId.toString() const credentialsId = req.query.credentialsId.toString()
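Review bot: `setUser({ email: user.email ?? undefined, id: user.id })` on the new side sends the user's e-mail address to Sentry on every request, which is personal data that ends up stored and searchable in a third-party error tracker; the `id` is enough to correlate events. Prefer `setUser({ id: user.id })` unless there is a documented need for the address, and the same line appears in the sibling Google Sheets handler in this commit. The rest of the handler is outside the hunk.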


@ -1,15 +1,12 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
try { try {
if (req.method === 'POST') { if (req.method === 'POST') {
const data = const data =


@ -1,14 +1,12 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const id = req.query.id.toString() const id = req.query.id.toString()
if (req.method === 'PUT') { if (req.method === 'PUT') {
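Review bot: The PUT branch on the new side keys the record only by `id = req.query.id.toString()` and, unlike the folder handler in this commit that uses `id_ownerId: { id, ownerId: user.id }`, nothing in the hunk scopes the update to the authenticated user; the Prisma call itself is outside the hunk, so this is a request to confirm rather than a definite defect. If the update is `where: { id }`, any authenticated user can modify any record by id; use `updateMany({ where: { id, ownerId: user.id }, data })` and return 404 when `count` is 0, or check ownership with a findFirst before updating. The handler continues past the hunk.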


@ -1,17 +1,14 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { Prisma, User } from 'db' import { Prisma } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { parseNewTypebot } from 'services/typebots/typebots' import { parseNewTypebot } from 'services/typebots/typebots'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!session?.user) if (!user) return notAuthenticated(res)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
if (!user.id) return res.status(401).json({ message: 'Not authenticated' })
try { try {
if (req.method === 'GET') { if (req.method === 'GET') {
const folderId = req.query.folderId ? req.query.folderId.toString() : null const folderId = req.query.folderId ? req.query.folderId.toString() : null


@ -2,19 +2,16 @@ import { withSentry } from '@sentry/nextjs'
import { CollaborationType, Prisma, User } from 'db' import { CollaborationType, Prisma, User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const adminEmail = 'contact@baptiste-arnaud.fr' const adminEmail = 'contact@baptiste-arnaud.fr'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const typebotId = req.query.typebotId.toString() const typebotId = req.query.typebotId.toString()
const user = session.user as User
if (req.method === 'GET') { if (req.method === 'GET') {
const typebot = await prisma.typebot.findFirst({ const typebot = await prisma.typebot.findFirst({
where: parseWhereFilter(typebotId, user, 'read'), where: parseWhereFilter(typebotId, user, 'read'),
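Review bot: `const adminEmail = 'contact@baptiste-arnaud.fr'` is kept on the new side as a source-level constant, which presumably feeds an authorization special-case in `parseWhereFilter` (its body is outside the hunk); hard-coding a personal address as the admin identity means the privilege cannot be rotated or revoked without a deploy, and any account that later registers with that address inherits it. Move the value to configuration, e.g. `const adminEmail = process.env.ADMIN_EMAIL`, with the check skipped when it is unset, or better, add an explicit admin flag/role on the `User` record and test that instead of the e-mail. The same constant is duplicated in the results handler in this commit and should come from one place.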


@ -1,34 +0,0 @@
import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
const typebotId = req.query.typebotId as string
const userId = req.query.userId as string
if (req.method === 'PUT') {
const data = req.body
await prisma.collaboratorsOnTypebots.upsert({
where: { userId_typebotId: { typebotId, userId } },
create: data,
update: data,
})
return res.send({
message: 'success',
})
}
if (req.method === 'DELETE') {
await prisma.collaboratorsOnTypebots.delete({
where: { userId_typebotId: { typebotId, userId } },
})
return res.send({
message: 'success',
})
}
methodNotAllowed(res)
}
export default withSentry(handler)


@ -1,20 +1,15 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { isFreePlan } from 'services/user/user' import { isFreePlan } from 'services/user/user'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const adminEmail = 'contact@baptiste-arnaud.fr' const adminEmail = 'contact@baptiste-arnaud.fr'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).send({ message: 'Not authenticated' })
const user = session.user as User
if (req.method === 'GET') { if (req.method === 'GET') {
const typebotId = req.query.typebotId.toString() const typebotId = req.query.typebotId.toString()
const lastResultId = req.query.lastResultId?.toString() const lastResultId = req.query.lastResultId?.toString()


@ -1,18 +1,13 @@
import { PublicTypebot } from 'models' import { PublicTypebot } from 'models'
import { User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { methodNotAllowed, notAuthenticated } from 'utils'
import { methodNotAllowed } from 'utils'
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).send({ message: 'Not authenticated' })
const user = session.user as User
if (req.method === 'GET') { if (req.method === 'GET') {
const typebotId = req.query.typebotId.toString() const typebotId = req.query.typebotId.toString()
const typebot = await prisma.typebot.findUnique({ const typebot = await prisma.typebot.findUnique({
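Review bot: `prisma.typebot.findUnique({` on the new side can only take a unique selector, so unless `typebotId` is paired with the owner in a compound unique key the lookup cannot be scoped to `user.id` and the authentication added by this commit does not by itself prevent one user from reading another user's published typebot through this route; the where-clause and any later ownership check are outside the hunk, so this needs confirming. If there is no compound key, switch to `findFirst({ where: { id: typebotId, ownerId: user.id } })` (or the collaborator-aware filter the typebot handler in this commit uses) and return 404 on null. The handler continues past the hunk.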


@ -1,18 +1,13 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { Stats } from 'models' import { Stats } from 'models'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).send({ message: 'Not authenticated' })
const user = session.user as User
if (req.method === 'GET') { if (req.method === 'GET') {
const typebotId = req.query.typebotId.toString() const typebotId = req.query.typebotId.toString()


@ -1,14 +1,12 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const id = req.query.id.toString() const id = req.query.id.toString()
if (req.method === 'PUT') { if (req.method === 'PUT') {


@ -1,18 +1,14 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { Prisma, User } from 'db' import { Prisma } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { Credentials } from 'models' import { Credentials } from 'models'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { encrypt, methodNotAllowed } from 'utils' import { encrypt, methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const id = req.query.id.toString() const id = req.query.id.toString()
if (user.id !== id) return res.status(401).send({ message: 'Forbidden' }) if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
if (req.method === 'GET') { if (req.method === 'GET') {
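Review bot: `if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })` on the new side pairs a 401 status with a "Forbidden" body; the caller is authenticated (getAuthenticatedUser just succeeded) and merely not allowed to touch another user's credentials, which is a 403. Sending 401 is also misleading to clients that treat it as "re-authenticate" and will loop through sign-in. Change it to `if (user.id !== id) return res.status(403).send({ message: 'Forbidden' })`; the same line appears in the other `users/[id]` handlers in this commit. The handler continues past the hunk.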


@ -1,17 +1,12 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const id = req.query.id.toString() const id = req.query.id.toString()
if (user.id !== id) return res.status(401).send({ message: 'Forbidden' }) if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
if (req.method === 'DELETE') { if (req.method === 'DELETE') {


@ -1,18 +1,14 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { CustomDomain, Prisma, User } from 'db' import { CustomDomain, Prisma } from 'db'
import { got, HTTPError } from 'got' import { got, HTTPError } from 'got'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed } from 'utils' import { methodNotAllowed, notAuthenticated } from 'utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const id = req.query.id.toString() const id = req.query.id.toString()
if (user.id !== id) return res.status(401).send({ message: 'Forbidden' }) if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
if (req.method === 'GET') { if (req.method === 'GET') {


@ -1,18 +1,13 @@
import { withSentry } from '@sentry/nextjs' import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma' import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next' import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react' import { methodNotAllowed, notAuthenticated } from 'utils'
import { methodNotAllowed } from 'utils'
import { got } from 'got' import { got } from 'got'
import { getAuthenticatedUser } from 'services/api/utils'
const handler = async (req: NextApiRequest, res: NextApiResponse) => { const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req }) const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const id = req.query.id.toString() const id = req.query.id.toString()
if (user.id !== id) return res.status(401).send({ message: 'Forbidden' }) if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
if (req.method === 'DELETE') { if (req.method === 'DELETE') {


@ -6,6 +6,6 @@ export const getAuthenticatedUser = async (
req: NextApiRequest req: NextApiRequest
): Promise<User | undefined> => { ): Promise<User | undefined> => {
const session = await getSession({ req }) const session = await getSession({ req })
if (session?.user && !('id' in session.user)) return if (!session?.user || !('id' in session.user)) return
return session?.user as User return session?.user as User
} }
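Review bot: The new guard `if (!session?.user || !('id' in session.user)) return` only tests that an `id` key exists on the session user, so a session whose `id` is `undefined`, `null` or `''` still passes and is then cast with `return session?.user as User`, where the optional chaining is dead after the guard and the cast hides the weak check. Since every handler in this commit relies on this function for authorization (`ownerId: user.id`), tighten it to `const user = session?.user as Partial<User> | undefined`, `if (typeof user?.id !== 'string' || user.id === '') return undefined`, `return user as User`, which also makes the `Promise<User | undefined>` contract explicit instead of a bare `return`. The function's signature starts just above the hunk.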