Skip to content

Commit

Permalink
build: 🔒️ Add extra user check in api
Browse files Browse the repository at this point in the history
  • Loading branch information
@baptisteArno
baptisteArno committed Mar 4, 2022
1 parent 2a31b13 commit ec18912
Show file tree
Hide file tree
Showing 20 changed files with 80 additions and 179 deletions.
13 changes: 5 additions & 8 deletions apps/builder/pages/api/coupons/redeem.ts
View file
Original file line number Diff line number Diff line change
@@ -1,17 +1,14 @@
import { withSentry } from '@sentry/nextjs'
import { Prisma, User } from 'db'
import { Prisma } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { getAuthenticatedUser } from 'services/api/utils'
import { notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
if (req.method === 'POST') {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })

const user = session.user as User
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
const { code } =
typeof req.body === 'string' ? JSON.parse(req.body) : req.body
const coupon = await prisma.coupon.findFirst({
Expand Down
12 changes: 5 additions & 7 deletions apps/builder/pages/api/credentials/google-sheets/callback.ts
View file
Original file line number Diff line number Diff line change
@@ -1,26 +1,24 @@
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { Prisma, User } from 'db'
import { Prisma } from 'db'
import prisma from 'libs/prisma'
import { googleSheetsScopes } from './consent-url'
import { stringify } from 'querystring'
import { CredentialsType } from 'models'
import { encrypt } from 'utils'
import { encrypt, notAuthenticated } from 'utils'
import { oauth2Client } from 'libs/google-sheets'
import { withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
const { redirectUrl, stepId } = JSON.parse(
Buffer.from(req.query.state.toString(), 'base64').toString()
)
if (req.method === 'GET') {
const code = req.query.code.toString()
if (!code)
return res.status(400).send({ message: "Bad request, couldn't get code" })
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
const { tokens } = await oauth2Client.getToken(code)
if (!tokens?.access_token) {
console.error('Error getting oAuth tokens:')
Expand Down
13 changes: 5 additions & 8 deletions apps/builder/pages/api/folders.ts
View file
Original file line number Diff line number Diff line change
@@ -1,17 +1,14 @@
import { withSentry } from '@sentry/nextjs'
import { DashboardFolder, User } from 'db'
import { DashboardFolder } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })

const user = session.user as User
const parentFolderId = req.query.parentId
? req.query.parentId.toString()
: null
Expand Down
13 changes: 5 additions & 8 deletions apps/builder/pages/api/folders/[id].ts
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,15 @@
import { withSentry } from '@sentry/nextjs'
import { DashboardFolder, User } from 'db'
import { DashboardFolder } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

const id = req.query.id.toString()
const user = session.user as User
if (req.method === 'GET') {
const folder = await prisma.dashboardFolder.findUnique({
where: { id_ownerId: { id, ownerId: user.id } },
Expand Down
12 changes: 4 additions & 8 deletions apps/builder/pages/api/integrations/google-sheets/spreadsheets.ts
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,14 @@
import { NextApiRequest, NextApiResponse } from 'next'
import { drive } from '@googleapis/drive'
import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
import { methodNotAllowed } from 'utils'
import { getSession } from 'next-auth/react'
import { User } from 'db'
import { methodNotAllowed, notAuthenticated } from 'utils'
import { setUser, withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })

const user = session.user as User
setUser({ email: user.email ?? undefined, id: user.id })
if (req.method === 'GET') {
const credentialsId = req.query.credentialsId.toString()
Expand Down
12 changes: 4 additions & 8 deletions apps/builder/pages/api/integrations/google-sheets/spreadsheets/[id]/sheets.ts
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,14 @@
import { NextApiRequest, NextApiResponse } from 'next'
import { GoogleSpreadsheet } from 'google-spreadsheet'
import { getAuthenticatedGoogleClient } from 'libs/google-sheets'
import { isDefined, methodNotAllowed } from 'utils'
import { getSession } from 'next-auth/react'
import { User } from 'db'
import { isDefined, methodNotAllowed, notAuthenticated } from 'utils'
import { withSentry, setUser } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })

const user = session.user as User
setUser({ email: user.email ?? undefined, id: user.id })
if (req.method === 'GET') {
const credentialsId = req.query.credentialsId.toString()
Expand Down
11 changes: 4 additions & 7 deletions apps/builder/pages/api/publicTypebots.ts
View file
Original file line number Diff line number Diff line change
@@ -1,15 +1,12 @@
import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })

const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
try {
if (req.method === 'POST') {
const data =
Expand Down
10 changes: 4 additions & 6 deletions apps/builder/pages/api/publicTypebots/[id].ts
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,12 @@
import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

const id = req.query.id.toString()
if (req.method === 'PUT') {
Expand Down
13 changes: 5 additions & 8 deletions apps/builder/pages/api/typebots.ts
View file
Original file line number Diff line number Diff line change
@@ -1,17 +1,14 @@
import { withSentry } from '@sentry/nextjs'
import { Prisma, User } from 'db'
import { Prisma } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { getAuthenticatedUser } from 'services/api/utils'
import { parseNewTypebot } from 'services/typebots/typebots'
import { methodNotAllowed } from 'utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })
if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = session.user as User
if (!user.id) return res.status(401).json({ message: 'Not authenticated' })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
try {
if (req.method === 'GET') {
const folderId = req.query.folderId ? req.query.folderId.toString() : null
Expand Down
11 changes: 4 additions & 7 deletions apps/builder/pages/api/typebots/[typebotId].ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,16 @@ import { withSentry } from '@sentry/nextjs'
import { CollaborationType, Prisma, User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const adminEmail = 'contact@baptiste-arnaud.fr'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

const typebotId = req.query.typebotId.toString()
const user = session.user as User
if (req.method === 'GET') {
const typebot = await prisma.typebot.findFirst({
where: parseWhereFilter(typebotId, user, 'read'),
Expand Down
34 changes: 0 additions & 34 deletions apps/builder/pages/api/typebots/[typebotId]/collaborators copy/[userId].ts
View file

This file was deleted.

13 changes: 4 additions & 9 deletions apps/builder/pages/api/typebots/[typebotId]/results.ts
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,15 @@
import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { getAuthenticatedUser } from 'services/api/utils'
import { isFreePlan } from 'services/user/user'
import { methodNotAllowed } from 'utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const adminEmail = 'contact@baptiste-arnaud.fr'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).send({ message: 'Not authenticated' })

const user = session.user as User
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (req.method === 'GET') {
const typebotId = req.query.typebotId.toString()
const lastResultId = req.query.lastResultId?.toString()
Expand Down
13 changes: 4 additions & 9 deletions apps/builder/pages/api/typebots/[typebotId]/results/answers/count.ts
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,13 @@
import { PublicTypebot } from 'models'
import { User } from 'db'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { methodNotAllowed, notAuthenticated } from 'utils'
import { withSentry } from '@sentry/nextjs'
import { getAuthenticatedUser } from 'services/api/utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).send({ message: 'Not authenticated' })

const user = session.user as User
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (req.method === 'GET') {
const typebotId = req.query.typebotId.toString()
const typebot = await prisma.typebot.findUnique({
Expand Down
13 changes: 4 additions & 9 deletions apps/builder/pages/api/typebots/[typebotId]/results/stats.ts
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,13 @@
import { withSentry } from '@sentry/nextjs'
import { User } from 'db'
import prisma from 'libs/prisma'
import { Stats } from 'models'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).send({ message: 'Not authenticated' })

const user = session.user as User
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
if (req.method === 'GET') {
const typebotId = req.query.typebotId.toString()

Expand Down
10 changes: 4 additions & 6 deletions apps/builder/pages/api/users/[id].ts
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,12 @@
import { withSentry } from '@sentry/nextjs'
import prisma from 'libs/prisma'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)

const id = req.query.id.toString()
if (req.method === 'PUT') {
Expand Down
14 changes: 5 additions & 9 deletions apps/builder/pages/api/users/[id]/credentials.ts
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,14 @@
import { withSentry } from '@sentry/nextjs'
import { Prisma, User } from 'db'
import { Prisma } from 'db'
import prisma from 'libs/prisma'
import { Credentials } from 'models'
import { NextApiRequest, NextApiResponse } from 'next'
import { getSession } from 'next-auth/react'
import { encrypt, methodNotAllowed } from 'utils'
import { getAuthenticatedUser } from 'services/api/utils'
import { encrypt, methodNotAllowed, notAuthenticated } from 'utils'

const handler = async (req: NextApiRequest, res: NextApiResponse) => {
const session = await getSession({ req })

if (!session?.user)
return res.status(401).json({ message: 'Not authenticated' })

const user = session.user as User
const user = await getAuthenticatedUser(req)
if (!user) return notAuthenticated(res)
const id = req.query.id.toString()
if (user.id !== id) return res.status(401).send({ message: 'Forbidden' })
if (req.method === 'GET') {
Expand Down
Loading

2 comments on commit ec18912

@vercel
Copy link

@vercel vercel bot commented on ec18912 Mar 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Successfully deployed to the following URLs:

builder-v2 – ./apps/builder

app.typebot.io
builder-v2-git-main-typebot-io.vercel.app
builder-v2-typebot-io.vercel.app

@vercel
Copy link

@vercel vercel bot commented on ec18912 Mar 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Successfully deployed to the following URLs:

viewer-v2 – ./apps/viewer

zap.fundviser.in
viewer.typebot.io
chat.matthesv.de
app.yvon.earth
bot.matthesv.de
chat.hayuri.id
bot.contakit.com
88584434.therpm.club
demo.wemakebots.xyz
92109660.therpm.club
chat.thehomebuyersusa.com
bot.digitalpointer.id
typebot-viewer.vercel.app
bot.pratikmandalia.com
criar.somaperuzzo.com
invite.bridesquadapp.com
bot.outstandbrand.com
link.venturasuceder.com
chat.atlasoutfittersk9.com
bot.adventureconsulting.hu
tarian.theiofoundation.org
viewer-v2-typebot-io.vercel.app
viewer-v2-git-main-typebot-io.vercel.app
bot.pinpointinteractive.com

Please sign in to comment.