Fixed major flaw with authMiddleware

authMiddleware should not use defaultResponder directly as it will catch thrown error and we need those errors to prevent running the rest of the code.
2022-10-10 19:46:45 -06:00 · 2022-10-10 19:46:45 -06:00 · c03144c343
parent a35454bb68
commit c03144c343
6 changed files with 38 additions and 36 deletions
--- a/pages/api/attendees/[id]/_auth-middleware.ts
+++ b/pages/api/attendees/[id]/_auth-middleware.ts
@ -1,7 +1,6 @@
 import type { NextApiRequest } from "next";
 import { HttpError } from "@calcom/lib/http-error";
 import { defaultResponder } from "@calcom/lib/server";
 import { schemaQueryIdParseInt } from "@lib/validations/shared/queryIdTransformParseInt";
@ -18,4 +17,4 @@ async function authMiddleware(req: NextApiRequest) {
  if (!attendee) throw new HttpError({ statusCode: 401, message: "Unauthorized" });
 }
-export default defaultResponder(authMiddleware);
+export default authMiddleware;
--- a/pages/api/attendees/[id]/index.ts
+++ b/pages/api/attendees/[id]/index.ts
@ -1,16 +1,18 @@
 import { NextApiRequest, NextApiResponse } from "next";
-import { defaultHandler } from "@calcom/lib/server";
+import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import authMiddleware from "./_auth-middleware";
-export default withMiddleware("HTTP_GET_DELETE_PATCH")(async (req: NextApiRequest, res: NextApiResponse) => {
+export default withMiddleware("HTTP_GET_DELETE_PATCH")(
-  await authMiddleware(req, res);
+  defaultResponder(async (req: NextApiRequest, res: NextApiResponse) => {
-  return defaultHandler({
+    await authMiddleware(req);
-    GET: import("./_get"),
+    return defaultHandler({
-    PATCH: import("./_patch"),
+      GET: import("./_get"),
-    DELETE: import("./_delete"),
+      PATCH: import("./_patch"),
-  })(req, res);
+      DELETE: import("./_delete"),
-});
+    })(req, res);
  })
 );
--- a/pages/api/availabilities/[id]/_auth-middleware.ts
+++ b/pages/api/availabilities/[id]/_auth-middleware.ts
@ -1,10 +1,8 @@
 import type { NextApiRequest } from "next";
 import { defaultResponder } from "@calcom/lib/server";
 import { schemaQueryIdParseInt } from "@lib/validations/shared/queryIdTransformParseInt";
-export async function authMiddleware(req: NextApiRequest) {
+async function authMiddleware(req: NextApiRequest) {
  const { userId, prisma, isAdmin, query } = req;
  const { id } = schemaQueryIdParseInt.parse(query);
  /** Admins can skip the ownership verification */
@ -18,4 +16,4 @@ export async function authMiddleware(req: NextApiRequest) {
  });
 }
-export default defaultResponder(authMiddleware);
+export default authMiddleware;
--- a/pages/api/availabilities/[id]/index.ts
+++ b/pages/api/availabilities/[id]/index.ts
@ -1,16 +1,18 @@
 import { NextApiRequest, NextApiResponse } from "next";
-import { defaultHandler } from "@calcom/lib/server";
+import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import authMiddleware from "./_auth-middleware";
-export default withMiddleware("HTTP_GET_DELETE_PATCH")(async (req: NextApiRequest, res: NextApiResponse) => {
+export default withMiddleware("HTTP_GET_DELETE_PATCH")(
-  await authMiddleware(req, res);
+  defaultResponder(async (req: NextApiRequest, res: NextApiResponse) => {
-  return defaultHandler({
+    await authMiddleware(req);
-    GET: import("./_get"),
+    return defaultHandler({
-    PATCH: import("./_patch"),
+      GET: import("./_get"),
-    DELETE: import("./_delete"),
+      PATCH: import("./_patch"),
-  })(req, res);
+      DELETE: import("./_delete"),
-});
+    })(req, res);
  })
 );
--- a/pages/api/bookings/[id]/_auth-middleware.ts
+++ b/pages/api/bookings/[id]/_auth-middleware.ts
@ -1,11 +1,10 @@
 import type { NextApiRequest } from "next";
 import { HttpError } from "@calcom/lib/http-error";
 import { defaultResponder } from "@calcom/lib/server";
 import { schemaQueryIdParseInt } from "@lib/validations/shared/queryIdTransformParseInt";
-export async function authMiddleware(req: NextApiRequest) {
+async function authMiddleware(req: NextApiRequest) {
  const { userId, prisma, isAdmin, query } = req;
  const { id } = schemaQueryIdParseInt.parse(query);
  const userWithBookings = await prisma.user.findUnique({
@ -22,4 +21,4 @@ export async function authMiddleware(req: NextApiRequest) {
  }
 }
-export default defaultResponder(authMiddleware);
+export default authMiddleware;
--- a/pages/api/bookings/[id]/index.ts
+++ b/pages/api/bookings/[id]/index.ts
@ -1,16 +1,18 @@
 import { NextApiRequest, NextApiResponse } from "next";
-import { defaultHandler } from "@calcom/lib/server";
+import { defaultHandler, defaultResponder } from "@calcom/lib/server";
 import { withMiddleware } from "@lib/helpers/withMiddleware";
 import authMiddleware from "./_auth-middleware";
-export default withMiddleware("HTTP_GET_DELETE_PATCH")(async (req: NextApiRequest, res: NextApiResponse) => {
+export default withMiddleware("HTTP_GET_DELETE_PATCH")(
-  await authMiddleware(req, res);
+  defaultResponder(async (req: NextApiRequest, res: NextApiResponse) => {
-  return defaultHandler({
+    await authMiddleware(req);
-    GET: import("./_get"),
+    return defaultHandler({
-    PATCH: import("./_patch"),
+      GET: import("./_get"),
-    DELETE: import("./_delete"),
+      PATCH: import("./_patch"),
-  })(req, res);
+      DELETE: import("./_delete"),
-});
+    })(req, res);
  })
 );