fix(sheets): 🔒️ Check token id before updating creds

baptisteArno · Jul 2, 2022 · 9cddc75 · 9cddc75 · vercel · Jul 2, 2022
1 parent 994ae61
commit 9cddc75
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 15 deletions.
diff --git a/apps/builder/libs/google-sheets.ts b/apps/builder/libs/google-sheets.ts
@@ -1,7 +1,7 @@
 import { Credentials as CredentialsFromDb } from 'db'
 import { OAuth2Client, Credentials } from 'google-auth-library'
 import { GoogleSheetsCredentialsData } from 'models'
-import { decrypt, encrypt } from 'utils'
+import { decrypt, encrypt, isDefined } from 'utils'
 import prisma from './prisma'
 
 export const oauth2Client = new OAuth2Client(
@@ -33,9 +33,15 @@ export const getAuthenticatedGoogleClient = async (
 const updateTokens =
   (credentialsId: string, existingCredentials: GoogleSheetsCredentialsData) =>
   async (credentials: Credentials) => {
-    const newCredentials = {
-      refresh_token: existingCredentials.refresh_token,
-      ...credentials,
+    if (
+      isDefined(existingCredentials.id_token) &&
+      credentials.id_token !== existingCredentials.id_token
+    )
+      return
+    const newCredentials: GoogleSheetsCredentialsData = {
+      ...existingCredentials,
+      expiry_date: credentials.expiry_date,
+      access_token: credentials.access_token,
     }
     const { encryptedData, iv } = encrypt(newCredentials)
     await prisma.credentials.update({

diff --git a/apps/builder/pages/api/credentials/google-sheets/callback.ts b/apps/builder/pages/api/credentials/google-sheets/callback.ts
@@ -37,7 +37,6 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       return res
         .status(400)
         .send({ message: "User didn't accepted required scopes" })
-    // console.log(tokens)
     const { encryptedData, iv } = encrypt(tokens)
     const credentials = {
       name: email,

diff --git a/apps/viewer/libs/google-sheets.ts b/apps/viewer/libs/google-sheets.ts
@@ -1,7 +1,7 @@
 import { Credentials as CredentialsFromDb } from 'db'
 import { OAuth2Client, Credentials } from 'google-auth-library'
 import { GoogleSheetsCredentialsData } from 'models'
-import { decrypt, encrypt } from 'utils'
+import { decrypt, encrypt, isDefined } from 'utils'
 import prisma from './prisma'
 
 export const getAuthenticatedGoogleClient = async (
@@ -29,9 +29,15 @@ export const getAuthenticatedGoogleClient = async (
 const updateTokens =
   (credentialsId: string, existingCredentials: GoogleSheetsCredentialsData) =>
   async (credentials: Credentials) => {
-    const newCredentials = {
-      refresh_token: existingCredentials.refresh_token,
-      ...credentials,
+    if (
+      isDefined(existingCredentials.id_token) &&
+      credentials.id_token !== existingCredentials.id_token
+    )
+      return
+    const newCredentials: GoogleSheetsCredentialsData = {
+      ...existingCredentials,
+      expiry_date: credentials.expiry_date,
+      access_token: credentials.access_token,
     }
     const { encryptedData, iv } = encrypt(newCredentials)
     await prisma.credentials.update({

diff --git a/...wer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts b/...wer/pages/api/integrations/google-sheets/spreadsheets/[spreadsheetId]/sheets/[sheetId].ts
@@ -1,5 +1,5 @@
 import { NextApiRequest, NextApiResponse } from 'next'
-import { badRequest, initMiddleware, methodNotAllowed } from 'utils'
+import { badRequest, initMiddleware, methodNotAllowed, hasValue } from 'utils'
 import { GoogleSpreadsheet } from 'google-spreadsheet'
 import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
 import { Cell } from 'models'
@@ -15,7 +15,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     const spreadsheetId = req.query.spreadsheetId as string
     const sheetId = req.query.sheetId as string
     const credentialsId = req.query.credentialsId as string | undefined
-    if (!credentialsId) return badRequest(res)
+    if (!hasValue(credentialsId)) return badRequest(res)
     const referenceCell = {
       column: req.query['referenceCell[column]'],
       value: req.query['referenceCell[value]'],
@@ -63,7 +63,7 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
       credentialsId?: string
       values: { [key: string]: string }
     }
-    if (!credentialsId) return badRequest(res)
+    if (!hasValue(credentialsId)) return badRequest(res)
     const doc = new GoogleSpreadsheet(spreadsheetId)
     const auth = await getAuthenticatedGoogleClient(credentialsId)
     if (!auth)
@@ -81,16 +81,16 @@ const handler = async (req: NextApiRequest, res: NextApiResponse) => {
     }
   }
   if (req.method === 'PATCH') {
-    const spreadsheetId = req.query.spreadsheetId.toString()
-    const sheetId = req.query.sheetId.toString()
+    const spreadsheetId = req.query.spreadsheetId as string
+    const sheetId = req.query.sheetId as string
     const { credentialsId, values, referenceCell } = (
       typeof req.body === 'string' ? JSON.parse(req.body) : req.body
     ) as {
       credentialsId?: string
       referenceCell: Cell
       values: { [key: string]: string }
     }
-    if (!credentialsId) return badRequest(res)
+    if (!hasValue(credentialsId)) return badRequest(res)
     const doc = new GoogleSpreadsheet(spreadsheetId)
     const auth = await getAuthenticatedGoogleClient(credentialsId)
     if (!auth)

diff --git a/packages/utils/src/utils.ts b/packages/utils/src/utils.ts
@@ -259,3 +259,12 @@ export const env = (key = ''): string | undefined => {
     ? undefined
     : (process.env['NEXT_PUBLIC_' + key] as string)
 }
+
+export const hasValue = (
+  value: string | undefined | null
+): value is NonNullable<string> =>
+  value !== undefined &&
+  value !== null &&
+  value !== '' &&
+  value !== 'undefined' &&
+  value !== 'null'