fix: move 401 to throw early in all endpoints

pull/9078/head
Agusti Fernandez Pardo 2022-04-23 02:17:06 +02:00
parent 307eddcbd5
commit 8d5605dc7b
13 changed files with 39 additions and 27 deletions


@ -99,7 +99,8 @@ export async function availabilityById(req: NextApiRequest, res: NextApiResponse
const userId = req.userId;
const data = await prisma.availability.findMany({ where: { userId } });
const availabiltiesIds = data.map((availability) => availability.id);
if (availabiltiesIds.includes(safeQuery.data.id)) {
if (!availabiltiesIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.availability
@ -142,8 +143,6 @@ export async function availabilityById(req: NextApiRequest, res: NextApiResponse
res.status(405).json({ message: "Method not allowed" });
break;
}
} else {
res.status(401).json({ message: "Unauthorized" });
}
}
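Review bot: The guard on the `availabiltiesIds` line does not actually leave the handler — it sends the 401 and then relies on the `else` to keep the switch from running, so the "throw early" of the commit title is not what the code does. Writing it as `if (!availabiltiesIds.includes(safeQuery.data.id)) return res.status(403).json({ message: "Forbidden" });` lets the `else` and its extra nesting go, and 403 is the accurate code here because `req.userId` shows the caller is already authenticated; keep 401 only if existing clients depend on it. The ownership test also loads every availability row of the user just to call `includes`; `prisma.availability.findFirst({ where: { id: safeQuery.data.id, userId }, select: { id: true } })` answers the same question with one lookup. availabilityById starts above the hunk.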


@ -80,7 +80,8 @@ async function createOrlistAllBookingReferences(
throw new Error("User not found");
}
const userBookingIds = userWithBookings.bookings.map((booking: any) => booking.id).flat();
if (userBookingIds.includes(safe.data.bookingId)) {
if (!userBookingIds.includes(safe.data.bookingId)) res.status(401).json({ message: "Unauthorized" });
else {
const booking_reference = await prisma.bookingReference.create({
data: { ...safe.data },
});
@ -96,7 +97,7 @@ async function createOrlistAllBookingReferences(
error,
});
}
} else res.status(401).json({ message: "Unauthorized" });
}
} else res.status(405).json({ message: `Method ${method} not allowed` });
}
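Review bot: `booking: any` on the `userBookingIds` line discards the type Prisma infers for `userWithBookings.bookings`, so a renamed or removed `id` column would no longer be caught at compile time; `.map((booking) => booking.id)` needs no annotation, and the trailing `.flat()` is a no-op on an array of scalars and can go with it. The guard itself answers an authenticated caller that is not allowed to reference this booking, which is a 403 rather than a 401. createOrlistAllBookingReferences starts before the hunk and the method branch enclosing this guard is only partly visible.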


@ -97,7 +97,8 @@ export async function bookingById(req: NextApiRequest, res: NextApiResponse<Book
});
if (!userWithBookings) throw new Error("User not found");
const userBookingIds = userWithBookings.bookings.map((booking: any) => booking.id).flat();
if (userBookingIds.includes(safeQuery.data.id)) {
if (!userBookingIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.booking
@ -151,7 +152,7 @@ export async function bookingById(req: NextApiRequest, res: NextApiResponse<Book
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(bookingById));
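Review bot: The new guard answers 401 for any id absent from `userBookingIds`, which covers ids that do not exist as well as ids owned by someone else, so the handler deliberately cannot tell "not found" from "not yours" — that is a sound choice against enumeration of sequential booking ids and deserves a comment above the guard, e.g. `// Same response for unknown and foreign ids so booking ids cannot be enumerated`. Given that intent, 403 still describes an authenticated-but-forbidden request better than 401. `booking: any` on the line above the guard throws away Prisma's inferred type for no gain; `(booking) => booking.id` is enough. bookingById starts above the hunk.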


@ -105,7 +105,9 @@ export async function dailyEventReferenceById(
const userBookingDailyEventReferenceIds = userBookingDailyEventReferences.map(
(dailyEventReference) => dailyEventReference.id
);
if (userBookingDailyEventReferenceIds.includes(safeQuery.data.id)) {
if (!userBookingDailyEventReferenceIds.includes(safeQuery.data.id))
res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.dailyEventReference
@ -158,7 +160,7 @@ export async function dailyEventReferenceById(
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(
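Review bot: The guard was split by the formatter into a brace-less `if` whose condition and `res.status(401)...` statement sit on separate lines, immediately followed by `else {`; that shape is easy to misread and a second statement added under the `if` later would silently fall outside it. Either brace it or turn it into a real early exit, `if (!userBookingDailyEventReferenceIds.includes(safeQuery.data.id)) return res.status(403).json({ message: "Forbidden" });`, which also drops the `else` nesting around the switch. 403 fits better than 401 because the request is already authenticated by the time this runs. dailyEventReferenceById starts above the hunk.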


@ -101,7 +101,8 @@ export async function destionationCalendarById(
const userDestinationCalendars = data.map((destinationCalendar) => destinationCalendar.id);
// FIXME: Should we also check ownership of bokingId and eventTypeId to avoid users cross-pollinating other users calendars.
// On a related note, moving from sequential integer IDs to UUIDs would be a good idea. and maybe help avoid having this problem.
if (userDestinationCalendars.includes(safeQuery.data.id)) {
if (userDestinationCalendars.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.destinationCalendar
@ -154,7 +155,7 @@ export async function destionationCalendarById(
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(
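Review bot: The guard `if (userDestinationCalendars.includes(safeQuery.data.id)) res.status(401).json(...)` is missing the negation that every other handler in this commit received: the owner of the destination calendar is now rejected with 401, while any other authenticated user falls into the `else` branch and reaches the GET/PATCH/DELETE switch for a calendar that is not theirs. That inverts the ownership check and is an authorization bypass on this endpoint; the line must read `if (!userDestinationCalendars.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });`. A test that requests another user's calendar id and expects a 401 would have caught this and should land with the fix. The FIXME above the guard about bookingId/eventTypeId ownership stays open; destionationCalendarById starts above the hunk.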


@ -102,7 +102,9 @@ async function eventTypeById(req: NextApiRequest, res: NextApiResponse<EventType
const userEventTypeCustomInputIds = userEventTypeCustomInputs.map(
(eventTypeCustomInput) => eventTypeCustomInput.id
);
if (userEventTypeCustomInputIds.includes(safeQuery.data.id)) {
if (!userEventTypeCustomInputIds.includes(safeQuery.data.id))
res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.eventTypeCustomInput
@ -155,7 +157,7 @@ async function eventTypeById(req: NextApiRequest, res: NextApiResponse<EventType
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(eventTypeById));
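Review bot: The handler guarding `userEventTypeCustomInputIds` is named `eventTypeById`, the same name the event-type endpoint in this commit exports, and the guard it now contains is about custom inputs, not event types; renaming it to `eventTypeCustomInputById` (and in the `export default` line) would keep the two apart in stack traces and grep results. The brace-less `if` split across two lines followed by `else {` is fragile; `if (!userEventTypeCustomInputIds.includes(safeQuery.data.id)) return res.status(403).json({ message: "Forbidden" });` exits early and removes the nesting. The caller is already authenticated, so 403 rather than 401 is the accurate status. The handler starts above the hunk.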


@ -99,7 +99,8 @@ export async function eventTypeById(req: NextApiRequest, res: NextApiResponse<Ev
const userId = req.userId;
const data = await prisma.eventType.findMany({ where: { userId } });
const userEventTypes = data.map((eventType) => eventType.id);
if (userEventTypes.includes(safeQuery.data.id)) {
if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.eventType
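Review bot: The guard `if (!userEventTypes.includes(safeQuery.data.id)) res.status(401).json(...)` is preceded by a `findMany` that pulls every event type of the user only to check membership of one id; `prisma.eventType.findFirst({ where: { id: safeQuery.data.id, userId }, select: { id: true } })` does the same ownership test without materialising the whole list. Because `req.userId` is already set, the denial is a 403 rather than a 401, and a `return` in front of `res.status(...)` would make the early exit real instead of depending on the `else`. eventTypeById continues past the end of this hunk, so the rest of the switch and the closing of the `else` are not visible here.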


@ -108,7 +108,8 @@ export async function membershipById(req: NextApiRequest, res: NextApiResponse<M
// This is how we set the userId and teamId in the query for managing compoundId.
const [paramUserId, teamId] = safeQuery.data.id.split("_");
const userId = req.userId;
if (parseInt(paramUserId) === userId) {
if (parseInt(paramUserId) !== userId) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.membership
@ -181,7 +182,7 @@ export async function membershipById(req: NextApiRequest, res: NextApiResponse<M
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdString(membershipById));
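Review bot: `parseInt(paramUserId) !== userId` on the new guard line accepts a partially numeric prefix — `parseInt("7abc")` is `7`, so a compound id such as `7abc_3` passes the ownership test for user 7 even though it is not a well-formed id; `Number(paramUserId) !== userId` (or `parseInt(paramUserId, 10)` plus a check that the string is all digits) rejects it. The guard verifies only the user half of the compound id; `teamId` from the same `split("_")` is forwarded unchecked, which may be fine if the switch below only ever queries by the `userId_teamId` pair, but that is outside the hunk. As elsewhere in this commit, an authenticated caller hitting another user's membership is a 403 case rather than 401. membershipById starts above the hunk.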


@ -48,10 +48,10 @@ export async function paymentById(req: NextApiRequest, res: NextApiResponse<Paym
.findUnique({ where: { id: safeQuery.data.id } })
.then((data) => schemaPaymentPublic.parse(data))
.then((payment) => {
if (userWithBookings?.bookings.map((b) => b.id).includes(payment.bookingId)) {
res.status(200).json({ payment });
} else {
if (!userWithBookings?.bookings.map((b) => b.id).includes(payment.bookingId)) {
res.status(401).json({ message: "Unauthorized" });
} else {
res.status(200).json({ payment });
}
})
.catch((error: Error) =>
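Review bot: The ownership check in the `.then((payment) => ...)` callback runs after the payment has been fetched and parsed, so a payment that belongs to someone else yields 401 while an id that does not exist makes `schemaPaymentPublic.parse(null)` throw into `.catch` — two distinguishable outcomes that let an authenticated caller enumerate which sequential payment ids exist, assuming the catch handler (outside the hunk) does not also answer 401. Fetching with the owner constraint, `prisma.payment.findFirst({ where: { id: safeQuery.data.id, booking: { userId: req.userId } } })`, collapses both cases into one response and removes the user-with-bookings lookup; at minimum the two paths should return the same status. The status itself should be 403, since the caller is authenticated. paymentById starts above the hunk.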


@ -93,7 +93,8 @@ export async function scheduleById(req: NextApiRequest, res: NextApiResponse<Sch
const userId = req.userId;
const userSchedules = await prisma.schedule.findMany({ where: { userId } });
const userScheduleIds = userSchedules.map((schedule) => schedule.id);
if (userScheduleIds.includes(safeQuery.data.id)) {
if (!userScheduleIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.schedule
@ -144,7 +145,7 @@ export async function scheduleById(req: NextApiRequest, res: NextApiResponse<Sch
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(scheduleById));
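Review bot: The new guard sends the 401 as a plain statement and depends on the `else` to keep the switch from running; any code a later change appends after the `if/else` still executes for rejected requests, which is the class of bug this commit is meant to remove. `if (!userScheduleIds.includes(safeQuery.data.id)) return res.status(403).json({ message: "Forbidden" });` makes the rejection a real exit and lets the switch sit at function level. 403 is the accurate code because `req.userId` is already known. The `findMany` over all of the user's schedules feeding `includes` can be replaced by a single `findFirst({ where: { id: safeQuery.data.id, userId } })`. scheduleById starts above the hunk.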


@ -132,7 +132,8 @@ export async function selectedCalendarById(
// This is how we set the userId and externalId in the query for managing compoundId.
const [paramUserId, integration, externalId] = safeQuery.data.id.split("_");
const userId = req.userId;
if (userId === parseInt(paramUserId)) {
if (userId !== parseInt(paramUserId)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.selectedCalendar
@ -208,7 +209,7 @@ export async function selectedCalendarById(
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdString(selectedCalendarById));
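Review bot: The guard `userId !== parseInt(paramUserId)` tolerates ids whose user segment is only numeric at the front (`parseInt("5x")` is `5`), so a malformed compound id can still pass as user 5; `Number(paramUserId)` would yield `NaN` and reject it. The three-element destructure of `safeQuery.data.id.split("_")` above the guard also drops anything after the third underscore, which matters if an `externalId` can itself contain `_` — that line is context rather than new code, but the guard is now the only thing standing between the parsed pieces and the queries in the switch. The response for an authenticated user asking for another user's selected calendar is a 403 rather than 401. selectedCalendarById starts above the hunk.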


@ -97,7 +97,8 @@ export async function teamById(req: NextApiRequest, res: NextApiResponse<TeamRes
//FIXME: This is a hack to get the teamId from the user's membership
console.log(userWithMemberships);
const userTeamIds = userWithMemberships.map((membership) => membership.teamId);
if (userTeamIds.includes(safeQuery.data.id)) {
if (!userTeamIds.includes(safeQuery.data.id)) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.team
@ -148,7 +149,7 @@ export async function teamById(req: NextApiRequest, res: NextApiResponse<TeamRes
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(teamById));
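Review bot: The guard `if (!userTeamIds.includes(safeQuery.data.id))` grants access on the mere existence of a membership row, and the middleware name on the `export default` line says the handler serves DELETE and PATCH as well as GET; if the switch below (partly outside the hunk) really lets those methods through, any member of a team, whatever their role, can modify or delete it. Membership rows in this codebase carry a role, per the FIXME and the `userWithMemberships` logging above, so the write paths should require an owner/admin role, e.g. build `userTeamIds` from `userWithMemberships.filter((m) => m.role !== "MEMBER")` for non-GET methods — the exact role values are not visible here and need confirming. The `console.log(userWithMemberships)` left next to the guard dumps membership records into server logs on every request and should go before this ships. teamById starts above the hunk.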


@ -91,7 +91,8 @@ export async function userById(req: NextApiRequest, res: NextApiResponse<UserRes
const safeBody = schemaUserBodyParams.safeParse(body);
if (!safeQuery.success) throw new Error("Invalid request query", safeQuery.error);
const userId = req.userId;
if (safeQuery.data.id === userId) {
if (safeQuery.data.id !== userId) res.status(401).json({ message: "Unauthorized" });
else {
switch (method) {
case "GET":
await prisma.user
@ -132,7 +133,7 @@ export async function userById(req: NextApiRequest, res: NextApiResponse<UserRes
res.status(405).json({ message: "Method not allowed" });
break;
}
} else res.status(401).json({ message: "Unauthorized" });
}
}
export default withMiddleware("HTTP_GET_DELETE_PATCH")(withValidQueryIdTransformParseInt(userById));
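Review bot: The guard `if (safeQuery.data.id !== userId) res.status(401).json(...)` is the right check, but it responds 401 to a caller whose identity is already established in `req.userId`; 403 Forbidden is the status that matches "authenticated but not permitted". Two lines above it, `throw new Error("Invalid request query", safeQuery.error)` passes the zod error as the options argument of `Error`, which is ignored unless it is `{ cause: safeQuery.error }`, and because that throw is not caught here a malformed id likely ends up as a 500 while the ownership failure is a clean JSON reply — the two rejection paths should look the same to the client. `safeBody` is also parsed before the query is known to be valid, which is harmless but wasted work on the failure path. userById starts above the hunk.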