Webhook sec fixes (#2883)

* Webhook sec fixes * Revert changes
2022-05-25 13:26:42 -06:00 · 2022-05-25 13:26:42 -06:00 · 1bd6d03352
parent 6c248bb9f0
commit 1bd6d03352
1 changed files with 49 additions and 13 deletions
--- a/apps/web/server/routers/viewer/webhook.tsx
+++ b/apps/web/server/routers/viewer/webhook.tsx
@ -42,22 +42,58 @@ export const webhookRouter = createProtectedRouter()
      eventTypeId: z.number().optional(),
      appId: z.string().optional().nullable(),
    }),
-    async resolve({ ctx, input }) {
+    async resolve({ ctx, input: { eventTypeId, ...input } }) {
-      if (input.eventTypeId) {
+      const webhookCreateInput: Prisma.WebhookCreateInput = {
-        return await ctx.prisma.webhook.create({
+        id: v4(),
-          data: {
+        ...input,
-            id: v4(),
+      };
-            ...input,
+      const webhookPayload = { webhooks: { create: webhookCreateInput } };
-          },
+      let teamId = -1;
      if (eventTypeId) {
        /* [1] If an eventType is provided, we find the team were it belongs */
        const team = await ctx.prisma.team.findFirst({
          rejectOnNotFound: true,
          where: { eventTypes: { some: { id: eventTypeId } } },
          select: { id: true },
        });
        /* [2] We save the id for later use */
        teamId = team.id;
      }
-      return await ctx.prisma.webhook.create({
+      await ctx.prisma.user.update({
-        data: {
+        where: { id: ctx.user.id },
-          id: v4(),
+        /**
-          userId: ctx.user.id,
+         * [3] Right now only team eventTypes can have webhooks so we make sure the
-          ...input,
+         * user adding the webhook belongs to the team.
-        },
+         */
        data: eventTypeId
          ? {
              teams: {
                update: {
                  /* [3.1] Here we make sure the requesting user belongs to the team */
                  where: { userId_teamId: { teamId, userId: ctx.user.id } },
                  data: {
                    team: {
                      update: {
                        eventTypes: {
                          update: {
                            where: { id: eventTypeId },
                            data: webhookPayload,
                          },
                        },
                      },
                    },
                  },
                },
              },
            }
          : /* [4] If there's no eventTypeId we create it to the current user instead. */
            webhookPayload,
      });
      const webhook = await ctx.prisma.webhook.findUnique({
        rejectOnNotFound: true,
        where: { id: webhookCreateInput.id },
      });
      return webhook;
    },
  })
  .mutation("edit", {