fix(integration): 🔒️ Enforce Sheets security

apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts

@@ -1,13 +1,8 @@
 import { NextApiRequest, NextApiResponse } from 'next'
 import { drive } from '@googleapis/drive'
 import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
-import {
-  badRequest,
-  forbidden,
-  methodNotAllowed,
-  notAuthenticated,
-} from 'utils'
-import { captureException, setUser, withSentry } from '@sentry/nextjs'
+import { badRequest, methodNotAllowed, notAuthenticated } from 'utils'
+import { setUser, withSentry } from '@sentry/nextjs'
 import { getAuthenticatedUser } from 'services/api/utils'
 
 const handler = async (req: NextApiRequest, res: NextApiResponse) => {
@@ -21,15 +16,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)
     if (!auth)
       return res.status(404).send("Couldn't find credentials in database")
-    if (auth.credentials.ownerId !== user.id) {
-      // It should never happen but for some reason it does in rare cases... Currently under investigation.
-      captureException(
-        new Error(
-          `Credentials ownerId does not match user id ${auth.credentials.ownerId} !== ${user.id}`
-        )
-      )
-      return forbidden(res)
-    }
     const response = await drive({
       version: 'v3',
       auth: auth.client,

apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts

@@ -18,7 +18,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
   if (req.method === 'GET') {
     const credentialsId = req.query.credentialsId as string | undefined
     if (!credentialsId) return badRequest(res)
-
     const spreadsheetId = req.query.id.toString()
     const doc = new GoogleSpreadsheet(spreadsheetId)
     const auth = await getAuthenticatedGoogleClient(user.id, credentialsId)

apps/viewer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts

@@ -12,9 +12,10 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
   await cors(req, res)
   const resultId = req.query.resultId as string | undefined
   if (req.method === 'GET') {
-    const spreadsheetId = req.query.spreadsheetId.toString()
-    const sheetId = req.query.sheetId.toString()
-    const credentialsId = req.query.credentialsId.toString()
+    const spreadsheetId = req.query.spreadsheetId as string
+    const sheetId = req.query.sheetId as string
+    const credentialsId = req.query.credentialsId as string | undefined
+    if (!credentialsId) return badRequest(res)
     const referenceCell = {
       column: req.query['referenceCell[column]'],
       value: req.query['referenceCell[value]'],
@@ -54,14 +55,15 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     }
   }
   if (req.method === 'POST') {
-    const spreadsheetId = req.query.spreadsheetId.toString()
-    const sheetId = req.query.sheetId.toString()
+    const spreadsheetId = req.query.spreadsheetId as string
+    const sheetId = req.query.sheetId as string
     const { credentialsId, values } = (
       typeof req.body === 'string' ? JSON.parse(req.body) : req.body
     ) as {
-      credentialsId: string
+      credentialsId?: string
       values: { [key: string]: string }
     }
+    if (!credentialsId) return badRequest(res)
     const doc = new GoogleSpreadsheet(spreadsheetId)
     const auth = await getAuthenticatedGoogleClient(credentialsId)
     if (!auth)
@@ -84,10 +86,11 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     const { credentialsId, values, referenceCell } = (
       typeof req.body === 'string' ? JSON.parse(req.body) : req.body
     ) as {
-      credentialsId: string
+      credentialsId?: string
       referenceCell: Cell
       values: { [key: string]: string }
     }
+    if (!credentialsId) return badRequest(res)
     const doc = new GoogleSpreadsheet(spreadsheetId)
     const auth = await getAuthenticatedGoogleClient(credentialsId)
     if (!auth)