egutierrez/linkwarden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

code refactoring + many security/bug fixes

Browse Source
This commit is contained in:
daniel31x13
2023-11-06 08:25:57 -05:00
parent b5a28f68ad
commit c8edc3844b
48 changed files with 472 additions and 317 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pages/_app.tsx
+5 -1
View File
@@ -22,7 +22,11 @@ export default function App({
}, []);
return (
<SessionProvider session={pageProps.session} basePath="/api/v1/auth">
<SessionProvider
session={pageProps.session}
refetchOnWindowFocus={false}
basePath="/api/v1/auth"
>
<Head>
<title>Linkwarden</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
pages/api/v1/archives/[...params].ts
+3 -3
View File
@@ -1,14 +1,14 @@
import type { NextApiRequest, NextApiResponse } from "next";
import getPermission from "@/lib/api/getPermission";
import readFile from "@/lib/api/storage/readFile";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function Index(req: NextApiRequest, res: NextApiResponse) {
if (!req.query.params)
return res.status(401).json({ response: "Invalid parameters." });
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
const collectionId = req.query.params[0];
const linkId = req.query.params[1];
pages/api/v1/auth/[...nextauth].ts
+26 -58
View File
@@ -1,24 +1,26 @@
import { prisma } from "@/lib/api/db";
import NextAuth from "next-auth/next";
import CredentialsProvider from "next-auth/providers/credentials";
import { AuthOptions, Session, User } from "next-auth";
import { AuthOptions } from "next-auth";
import bcrypt from "bcrypt";
import EmailProvider from "next-auth/providers/email";
import { PrismaAdapter } from "@auth/prisma-adapter";
import { Adapter } from "next-auth/adapters";
import sendVerificationRequest from "@/lib/api/sendVerificationRequest";
import { Provider } from "next-auth/providers";
import checkSubscription from "@/lib/api/checkSubscription";
import verifySubscription from "@/lib/api/verifySubscription";
const emailEnabled =
process.env.EMAIL_FROM && process.env.EMAIL_SERVER ? true : false;
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
const providers: Provider[] = [
CredentialsProvider({
type: "credentials",
credentials: {},
async authorize(credentials, req) {
console.log("User logged in attempt...");
console.log("User log in attempt...");
if (!credentials) return null;
const { username, password } = credentials as {
@@ -26,7 +28,7 @@ const providers: Provider[] = [
password: string;
};
const findUser = await prisma.user.findFirst({
const user = await prisma.user.findFirst({
where: emailEnabled
? {
OR: [
@@ -46,12 +48,12 @@ const providers: Provider[] = [
let passwordMatches: boolean = false;
if (findUser?.password) {
passwordMatches = bcrypt.compareSync(password, findUser.password);
if (user?.password) {
passwordMatches = bcrypt.compareSync(password, user.password);
}
if (passwordMatches) {
return { id: findUser?.id };
return { id: user?.id };
} else return null as any;
},
}),
@@ -82,62 +84,28 @@ export const authOptions: AuthOptions = {
},
callbacks: {
async jwt({ token, trigger, user }) {
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
const NEXT_PUBLIC_TRIAL_PERIOD_DAYS =
process.env.NEXT_PUBLIC_TRIAL_PERIOD_DAYS;
const secondsInTwoWeeks = NEXT_PUBLIC_TRIAL_PERIOD_DAYS
? Number(NEXT_PUBLIC_TRIAL_PERIOD_DAYS) * 86400
: 1209600;
const subscriptionIsTimesUp =
token.subscriptionCanceledAt &&
new Date() >
new Date(
((token.subscriptionCanceledAt as number) + secondsInTwoWeeks) *
1000
);
if (
STRIPE_SECRET_KEY &&
(trigger || subscriptionIsTimesUp || !token.isSubscriber)
) {
const user = await prisma.user.findUnique({
where: {
id: Number(token.sub),
},
});
const subscription = await checkSubscription(
STRIPE_SECRET_KEY,
user?.email as string
);
if (subscription.subscriptionCanceledAt) {
token.subscriptionCanceledAt = subscription.subscriptionCanceledAt;
} else token.subscriptionCanceledAt = undefined;
token.isSubscriber = subscription.isSubscriber;
}
if (trigger === "signIn") {
token.id = user.id as number;
} else if (trigger === "update" && token.id) {
const user = await prisma.user.findUnique({
where: {
id: token.id as number,
},
});
if (user?.name) {
token.name = user.name;
}
}
token.sub = token.sub ? Number(token.sub) : undefined;
if (trigger === "signIn") token.id = user?.id as number;
return token;
},
async session({ session, token }) {
session.user.id = token.id;
session.user.isSubscriber = token.isSubscriber;
if (STRIPE_SECRET_KEY) {
const user = await prisma.user.findUnique({
where: {
id: token.id,
},
include: {
subscriptions: true,
},
});
if (user) {
const subscribedUser = await verifySubscription(user);
}
}
return session;
},
pages/api/v1/avatar/[id].ts
+3 -3
View File
@@ -1,13 +1,13 @@
import type { NextApiRequest, NextApiResponse } from "next";
import { prisma } from "@/lib/api/db";
import readFile from "@/lib/api/storage/readFile";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function Index(req: NextApiRequest, res: NextApiResponse) {
const queryId = Number(req.query.id);
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (!queryId)
return res
pages/api/v1/collections/[id].ts
+3 -3
View File
@@ -1,14 +1,14 @@
import type { NextApiRequest, NextApiResponse } from "next";
import updateCollectionById from "@/lib/api/controllers/collections/collectionId/updateCollectionById";
import deleteCollectionById from "@/lib/api/controllers/collections/collectionId/deleteCollectionById";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function collections(
req: NextApiRequest,
res: NextApiResponse
) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "PUT") {
const updated = await updateCollectionById(
pages/api/v1/collections/index.ts
+3 -3
View File
@@ -1,14 +1,14 @@
import type { NextApiRequest, NextApiResponse } from "next";
import getCollections from "@/lib/api/controllers/collections/getCollections";
import postCollection from "@/lib/api/controllers/collections/postCollection";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function collections(
req: NextApiRequest,
res: NextApiResponse
) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "GET") {
const collections = await getCollections(user.id);
pages/api/v1/dashboard/index.ts
+3 -3
View File
@@ -1,11 +1,11 @@
import type { NextApiRequest, NextApiResponse } from "next";
import { LinkRequestQuery } from "@/types/global";
import getDashboardData from "@/lib/api/controllers/dashboard/getDashboardData";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function links(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "GET") {
const convertedData: LinkRequestQuery = {
pages/api/v1/links/[id]/archive/index.ts
+3 -3
View File
@@ -1,13 +1,13 @@
import type { NextApiRequest, NextApiResponse } from "next";
import archive from "@/lib/api/archive";
import { prisma } from "@/lib/api/db";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
const RE_ARCHIVE_LIMIT = Number(process.env.RE_ARCHIVE_LIMIT) || 5;
export default async function links(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
const link = await prisma.link.findUnique({
where: {
pages/api/v1/links/[id]/index.ts
+3 -3
View File
@@ -2,11 +2,11 @@ import type { NextApiRequest, NextApiResponse } from "next";
import deleteLinkById from "@/lib/api/controllers/links/linkId/deleteLinkById";
import updateLinkById from "@/lib/api/controllers/links/linkId/updateLinkById";
import getLinkById from "@/lib/api/controllers/links/linkId/getLinkById";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function links(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "GET") {
const updated = await getLinkById(user.id, Number(req.query.id));
pages/api/v1/links/index.ts
+3 -3
View File
@@ -2,11 +2,11 @@ import type { NextApiRequest, NextApiResponse } from "next";
import getLinks from "@/lib/api/controllers/links/getLinks";
import postLink from "@/lib/api/controllers/links/postLink";
import { LinkRequestQuery } from "@/types/global";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function links(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "GET") {
// Convert the type of the request query to "LinkRequestQuery"
pages/api/v1/migration/index.ts
+3 -3
View File
@@ -3,7 +3,7 @@ import exportData from "@/lib/api/controllers/migration/exportData";
import importFromHTMLFile from "@/lib/api/controllers/migration/importFromHTMLFile";
import importFromLinkwarden from "@/lib/api/controllers/migration/importFromLinkwarden";
import { MigrationFormat, MigrationRequest } from "@/types/global";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export const config = {
api: {
@@ -14,8 +14,8 @@ export const config = {
};
export default async function users(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "GET") {
const data = await exportData(user.id);
pages/api/v1/payment/index.ts
+15 -7
View File
@@ -1,19 +1,27 @@
import type { NextApiRequest, NextApiResponse } from "next";
import paymentCheckout from "@/lib/api/paymentCheckout";
import { Plan } from "@/types/global";
import authenticateUser from "@/lib/api/authenticateUser";
import { getToken } from "next-auth/jwt";
import { prisma } from "@/lib/api/db";
export default async function users(req: NextApiRequest, res: NextApiResponse) {
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
const MONTHLY_PRICE_ID = process.env.MONTHLY_PRICE_ID;
const YEARLY_PRICE_ID = process.env.YEARLY_PRICE_ID;
if (!STRIPE_SECRET_KEY || !MONTHLY_PRICE_ID || !YEARLY_PRICE_ID) {
return res.status(400).json({ response: "Payment is disabled." });
}
const token = await getToken({ req });
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
if (!STRIPE_SECRET_KEY || !MONTHLY_PRICE_ID || !YEARLY_PRICE_ID)
return res.status(400).json({ response: "Payment is disabled." });
console.log(token);
if (!token?.id) return res.status(404).json({ response: "Token invalid." });
const email = (await prisma.user.findUnique({ where: { id: token.id } }))
?.email;
if (!email) return res.status(404).json({ response: "User not found." });
let PRICE_ID = MONTHLY_PRICE_ID;
@@ -25,7 +33,7 @@ export default async function users(req: NextApiRequest, res: NextApiResponse) {
if (req.method === "GET") {
const users = await paymentCheckout(
STRIPE_SECRET_KEY,
user.email as string,
email as string,
PRICE_ID
);
return res.status(users.status).json({ response: users.response });
pages/api/v1/public/users/[id].ts
+18
View File
@@ -0,0 +1,18 @@
import type { NextApiRequest, NextApiResponse } from "next";
import getPublicUserById from "@/lib/api/controllers/public/users/getPublicUserById";
import { getToken } from "next-auth/jwt";
export default async function users(req: NextApiRequest, res: NextApiResponse) {
const token = await getToken({ req });
const requestingId = token?.id;
const lookupId = req.query.id as string;
// Check if "lookupId" is the user "id" or their "username"
const isId = lookupId.split("").every((e) => Number.isInteger(parseInt(e)));
if (req.method === "GET") {
const users = await getPublicUserById(lookupId, isId, requestingId);
return res.status(users.status).json({ response: users.response });
}
}
pages/api/v1/tags/[id].ts
+3 -3
View File
@@ -1,11 +1,11 @@
import type { NextApiRequest, NextApiResponse } from "next";
import updeteTagById from "@/lib/api/controllers/tags/tagId/updeteTagById";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
import deleteTagById from "@/lib/api/controllers/tags/tagId/deleteTagById";
export default async function tags(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
const tagId = Number(req.query.id);
pages/api/v1/tags/index.ts
+3 -3
View File
@@ -1,10 +1,10 @@
import type { NextApiRequest, NextApiResponse } from "next";
import getTags from "@/lib/api/controllers/tags/getTags";
import authenticateUser from "@/lib/api/authenticateUser";
import verifyUser from "@/lib/api/verifyUser";
export default async function tags(req: NextApiRequest, res: NextApiResponse) {
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
const user = await verifyUser({ req, res });
if (!user) return;
if (req.method === "GET") {
const tags = await getTags(user.id);
pages/api/v1/users/[id].ts
+37 -27
View File
@@ -1,48 +1,58 @@
import type { NextApiRequest, NextApiResponse } from "next";
import getUserById from "@/lib/api/controllers/users/userId/getUserById";
import getPublicUserById from "@/lib/api/controllers/users/userId/getPublicUserById";
import updateUserById from "@/lib/api/controllers/users/userId/updateUserById";
import deleteUserById from "@/lib/api/controllers/users/userId/deleteUserById";
import authenticateUser from "@/lib/api/authenticateUser";
import { prisma } from "@/lib/api/db";
import { getToken } from "next-auth/jwt";
import { prisma } from "@/lib/api/db";
import verifySubscription from "@/lib/api/verifySubscription";
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
export default async function users(req: NextApiRequest, res: NextApiResponse) {
const token = await getToken({ req });
const userId = token?.id;
if (!token?.id)
return res.status(400).json({ response: "Invalid parameters." });
if (!userId) {
return res.status(401).json({ response: "You must be logged in." });
}
const username = (await prisma.user.findUnique({ where: { id: token.id } }))
?.username;
if (userId !== Number(req.query.id))
return res.status(401).json({ response: "Permission denied." });
if (!username) return res.status(404).json({ response: "User not found." });
const lookupId = req.query.id as string;
const isSelf =
userId === Number(lookupId) || username === lookupId ? true : false;
// Check if "lookupId" is the user "id" or their "username"
const isId = lookupId.split("").every((e) => Number.isInteger(parseInt(e)));
if (req.method === "GET" && !isSelf) {
const users = await getPublicUserById(lookupId, isId, username);
if (req.method === "GET") {
const users = await getUserById(userId);
return res.status(users.status).json({ response: users.response });
}
const user = await authenticateUser({ req, res });
if (!user) return res.status(404).json({ response: "User not found." });
if (STRIPE_SECRET_KEY) {
const user = await prisma.user.findUnique({
where: {
id: token.id,
},
include: {
subscriptions: true,
},
});
if (req.method === "GET") {
const users = await getUserById(user.id);
return res.status(users.status).json({ response: users.response });
} else if (req.method === "PUT") {
const updated = await updateUserById(user.id, req.body);
if (user) {
const subscribedUser = await verifySubscription(user);
if (!subscribedUser) {
return res.status(401).json({
response:
"You are not a subscriber, feel free to reach out to us at support@linkwarden.app if you think this is an issue.",
});
}
} else {
return res.status(404).json({ response: "User not found." });
}
}
if (req.method === "PUT") {
const updated = await updateUserById(userId, req.body);
return res.status(updated.status).json({ response: updated.response });
} else if (req.method === "DELETE" && user.id === Number(req.query.id)) {
} else if (req.method === "DELETE") {
console.log(req.body);
const updated = await deleteUserById(user.id, req.body);
const updated = await deleteUserById(userId, req.body);
return res.status(updated.status).json({ response: updated.response });
}
}
pages/index.tsx
+1 -8
View File
@@ -1,10 +1,3 @@
import { useRouter } from "next/router";
import { useEffect } from "react";
export default function Index() {
const router = useRouter();
useEffect(() => {
router.push("/dashboard");
}, []);
return null;
}
pages/register.tsx
+2 -2
View File
@@ -96,7 +96,7 @@ export default function Register() {
return (
<CenteredForm
text={
process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE
process.env.NEXT_PUBLIC_STRIPE
? `Unlock ${
process.env.NEXT_PUBLIC_TRIAL_PERIOD_DAYS || 14
} days of Premium Service at no cost!`
@@ -196,7 +196,7 @@ export default function Register() {
/>
</div>
{process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE ? (
{process.env.NEXT_PUBLIC_STRIPE ? (
<div>
<p className="text-xs text-gray-500 dark:text-gray-400">
By signing up, you agree to our{" "}
pages/settings/account.tsx
+2 -16
View File
@@ -86,20 +86,6 @@ export default function Account() {
if (response.ok) {
toast.success("Settings Applied!");
// if (user.email !== account.email) {
// update({
// id: data?.user.id,
// });
// signOut();
// } else if (
// user.username !== account.username ||
// user.name !== account.name
// )
// update({
// id: data?.user.id,
// });
} else toast.error(response.data as string);
setSubmitLoader(false);
};
@@ -190,7 +176,7 @@ export default function Account() {
<div>
<p className="text-black dark:text-white mb-2">Email</p>
{user.email !== account.email &&
process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE === "true" ? (
process.env.NEXT_PUBLIC_STRIPE === "true" ? (
<p className="text-gray-500 dark:text-gray-400 mb-2 text-sm">
Updating this field will change your billing email as well
</p>
@@ -388,7 +374,7 @@ export default function Account() {
<p>
This will permanently delete ALL the Links, Collections, Tags, and
archived data you own.{" "}
{process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE
{process.env.NEXT_PUBLIC_STRIPE
? "It will also cancel your subscription. "
: undefined}{" "}
You will be prompted to enter your password before the deletion
pages/settings/billing.tsx
+1 -2
View File
@@ -6,8 +6,7 @@ export default function Billing() {
const router = useRouter();
useEffect(() => {
if (!process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE)
router.push("/settings/profile");
if (!process.env.NEXT_PUBLIC_STRIPE) router.push("/settings/profile");
}, []);
return (
pages/settings/delete.tsx
+2 -2
View File
@@ -72,7 +72,7 @@ export default function Password() {
<p>
This will permanently delete all the Links, Collections, Tags, and
archived data you own. It will also log you out
{process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE
{process.env.NEXT_PUBLIC_STRIPE
? " and cancel your subscription"
: undefined}
. This action is irreversible!
@@ -91,7 +91,7 @@ export default function Password() {
/>
</div>
{process.env.NEXT_PUBLIC_STRIPE_IS_ACTIVE ? (
{process.env.NEXT_PUBLIC_STRIPE ? (
<fieldset className="border rounded-md p-2 border-sky-500">
<legend className="px-3 py-1 text-sm sm:text-base border rounded-md border-sky-500">
<b>Optional</b>{" "}
pages/settings/password.tsx
-1
View File
@@ -1,7 +1,6 @@
import SettingsLayout from "@/layouts/SettingsLayout";
import { useState } from "react";
import useAccountStore from "@/store/account";
import { faPenToSquare } from "@fortawesome/free-regular-svg-icons";
import SubmitButton from "@/components/SubmitButton";
import { toast } from "react-hot-toast";
import TextInput from "@/components/TextInput";
pages/subscribe.tsx
+3 -2
View File
@@ -1,4 +1,4 @@
import { signOut } from "next-auth/react";
import { signOut, useSession } from "next-auth/react";
import { useState } from "react";
import { toast } from "react-hot-toast";
import { useRouter } from "next/router";
@@ -7,6 +7,7 @@ import { Plan } from "@/types/global";
export default function Subscribe() {
const [submitLoader, setSubmitLoader] = useState(false);
const session = useSession();
const [plan, setPlan] = useState<Plan>(1);
@@ -83,7 +84,7 @@ export default function Subscribe() {
<p className="font-semibold">
Billed {plan === Plan.monthly ? "Monthly" : "Yearly"}
</p>
<fieldset className="w-full px-4 pb-4 pt-1 rounded-md border border-sky-100 dark:border-neutral-700">
<fieldset className="w-full flex-col flex justify-evenly px-4 pb-4 pt-1 rounded-md border border-sky-100 dark:border-neutral-700">
<legend className="w-fit font-extralight px-2 border border-sky-100 dark:border-neutral-700 rounded-md text-xl">
Total
</legend>