Webhook sec fixes (#2883)

* Webhook sec fixes * Revert changes
2022-05-25 13:26:42 -06:00 · 2022-05-25 13:26:42 -06:00 · 1bd6d03352
parent 6c248bb9f0
commit 1bd6d03352
1 changed files with 49 additions and 13 deletions
--- a/apps/web/server/routers/viewer/webhook.tsx
+++ b/apps/web/server/routers/viewer/webhook.tsx
@ -42,22 +42,58 @@ export const webhookRouter = createProtectedRouter()
      eventTypeId: z.number().optional(),
      appId: z.string().optional().nullable(),
    }),
-    async resolve({ ctx, input }) {
-      if (input.eventTypeId) {
-        return await ctx.prisma.webhook.create({
-          data: {
+    async resolve({ ctx, input: { eventTypeId, ...input } }) {
+      const webhookCreateInput: Prisma.WebhookCreateInput = {
        id: v4(),
        ...input,
-          },
+      };
+      const webhookPayload = { webhooks: { create: webhookCreateInput } };
+      let teamId = -1;
+      if (eventTypeId) {
+        /* [1] If an eventType is provided, we find the team were it belongs */
+        const team = await ctx.prisma.team.findFirst({
+          rejectOnNotFound: true,
+          where: { eventTypes: { some: { id: eventTypeId } } },
+          select: { id: true },
        });
+        /* [2] We save the id for later use */
+        teamId = team.id;
      }
-      return await ctx.prisma.webhook.create({
+      await ctx.prisma.user.update({
+        where: { id: ctx.user.id },
+        /**
+         * [3] Right now only team eventTypes can have webhooks so we make sure the
+         * user adding the webhook belongs to the team.
+         */
+        data: eventTypeId
+          ? {
+              teams: {
+                update: {
+                  /* [3.1] Here we make sure the requesting user belongs to the team */
+                  where: { userId_teamId: { teamId, userId: ctx.user.id } },
                  data: {
-          id: v4(),
-          userId: ctx.user.id,
-          ...input,
+                    team: {
+                      update: {
+                        eventTypes: {
+                          update: {
+                            where: { id: eventTypeId },
+                            data: webhookPayload,
                          },
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            }
+          : /* [4] If there's no eventTypeId we create it to the current user instead. */
+            webhookPayload,
      });
+      const webhook = await ctx.prisma.webhook.findUnique({
+        rejectOnNotFound: true,
+        where: { id: webhookCreateInput.id },
+      });
+      return webhook;
    },
  })
  .mutation("edit", {