Check in middleware to ensure authorization for all endpoints (#2885)
Co-authored-by: Alex van Andel <me@alexvanandel.com>pull/2892/head
Hariom Balhara
GitHub
parent
40c81ee405
commit
727c6f723e
|
|
@ -9,8 +9,64 @@ import sendPayload from "@lib/webhooks/sendPayload";
|
||||||
|
|
||||||
import { createProtectedRouter } from "@server/createRouter";
|
import { createProtectedRouter } from "@server/createRouter";
|
||||||
import { getTranslation } from "@server/lib/i18n";
|
import { getTranslation } from "@server/lib/i18n";
|
||||||
|
import { TRPCError } from "@trpc/server";
|
||||||
|
|
||||||
|
// Common data for all endpoints under webhook
|
||||||
|
const webhookIdAndEventTypeIdSchema = z.object({
|
||||||
|
// Webhook ID
|
||||||
|
id: z.string().optional(),
|
||||||
|
// Event type ID
|
||||||
|
eventTypeId: z.number().optional(),
|
||||||
|
});
|
||||||
|
|
||||||
export const webhookRouter = createProtectedRouter()
|
export const webhookRouter = createProtectedRouter()
|
||||||
|
.middleware(async ({ ctx, rawInput, next }) => {
|
||||||
|
// Endpoints that just read the logged in user's data - like 'list' don't necessary have any input
|
||||||
|
if (!rawInput) {
|
||||||
|
return next();
|
||||||
|
}
|
||||||
|
const webhookIdAndEventTypeId = webhookIdAndEventTypeIdSchema.safeParse(rawInput);
|
||||||
|
if (!webhookIdAndEventTypeId.success) {
|
||||||
|
throw new TRPCError({ code: "PARSE_ERROR" });
|
||||||
|
}
|
||||||
|
const { eventTypeId, id } = webhookIdAndEventTypeId.data;
|
||||||
|
|
||||||
|
// A webhook is either linked to Event Type or to a user.
|
||||||
|
if (eventTypeId) {
|
||||||
|
const team = await ctx.prisma.team.findFirst({
|
||||||
|
where: {
|
||||||
|
eventTypes: {
|
||||||
|
some: {
|
||||||
|
id: eventTypeId,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
include: {
|
||||||
|
members: true,
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
// Team should be available and the user should be a member of the team
|
||||||
|
if (!team?.members.some((membership) => membership.userId === ctx.user.id)) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: "UNAUTHORIZED",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
} else if (id) {
|
||||||
|
const authorizedHook = await ctx.prisma.webhook.findFirst({
|
||||||
|
where: {
|
||||||
|
id: id,
|
||||||
|
userId: ctx.user.id,
|
||||||
|
},
|
||||||
|
});
|
||||||
|
if (!authorizedHook) {
|
||||||
|
throw new TRPCError({
|
||||||
|
code: "UNAUTHORIZED",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return next();
|
||||||
|
})
|
||||||
.query("list", {
|
.query("list", {
|
||||||
input: z
|
input: z
|
||||||
.object({
|
.object({
|
||||||
|
|
@ -42,58 +98,22 @@ export const webhookRouter = createProtectedRouter()
|
||||||
eventTypeId: z.number().optional(),
|
eventTypeId: z.number().optional(),
|
||||||
appId: z.string().optional().nullable(),
|
appId: z.string().optional().nullable(),
|
||||||
}),
|
}),
|
||||||
async resolve({ ctx, input: { eventTypeId, ...input } }) {
|
async resolve({ ctx, input }) {
|
||||||
const webhookCreateInput: Prisma.WebhookCreateInput = {
|
if (input.eventTypeId) {
|
||||||
id: v4(),
|
return await ctx.prisma.webhook.create({
|
||||||
...input,
|
data: {
|
||||||
};
|
id: v4(),
|
||||||
const webhookPayload = { webhooks: { create: webhookCreateInput } };
|
...input,
|
||||||
let teamId = -1;
|
},
|
||||||
if (eventTypeId) {
|
|
||||||
/* [1] If an eventType is provided, we find the team were it belongs */
|
|
||||||
const team = await ctx.prisma.team.findFirst({
|
|
||||||
rejectOnNotFound: true,
|
|
||||||
where: { eventTypes: { some: { id: eventTypeId } } },
|
|
||||||
select: { id: true },
|
|
||||||
});
|
});
|
||||||
/* [2] We save the id for later use */
|
|
||||||
teamId = team.id;
|
|
||||||
}
|
}
|
||||||
await ctx.prisma.user.update({
|
return await ctx.prisma.webhook.create({
|
||||||
where: { id: ctx.user.id },
|
data: {
|
||||||
/**
|
id: v4(),
|
||||||
* [3] Right now only team eventTypes can have webhooks so we make sure the
|
userId: ctx.user.id,
|
||||||
* user adding the webhook belongs to the team.
|
...input,
|
||||||
*/
|
},
|
||||||
data: eventTypeId
|
|
||||||
? {
|
|
||||||
teams: {
|
|
||||||
update: {
|
|
||||||
/* [3.1] Here we make sure the requesting user belongs to the team */
|
|
||||||
where: { userId_teamId: { teamId, userId: ctx.user.id } },
|
|
||||||
data: {
|
|
||||||
team: {
|
|
||||||
update: {
|
|
||||||
eventTypes: {
|
|
||||||
update: {
|
|
||||||
where: { id: eventTypeId },
|
|
||||||
data: webhookPayload,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
: /* [4] If there's no eventTypeId we create it to the current user instead. */
|
|
||||||
webhookPayload,
|
|
||||||
});
|
});
|
||||||
const webhook = await ctx.prisma.webhook.findUnique({
|
|
||||||
rejectOnNotFound: true,
|
|
||||||
where: { id: webhookCreateInput.id },
|
|
||||||
});
|
|
||||||
return webhook;
|
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
.mutation("edit", {
|
.mutation("edit", {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue