code refactoring + many security/bug fixes
This commit is contained in:
daniel31x13
@@ -1,14 +1,14 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import getPermission from "@/lib/api/getPermission";
|
||||
import readFile from "@/lib/api/storage/readFile";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function Index(req: NextApiRequest, res: NextApiResponse) {
|
||||
if (!req.query.params)
|
||||
return res.status(401).json({ response: "Invalid parameters." });
|
||||
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
const collectionId = req.query.params[0];
|
||||
const linkId = req.query.params[1];
|
||||
|
||||
@@ -1,24 +1,26 @@
|
||||
import { prisma } from "@/lib/api/db";
|
||||
import NextAuth from "next-auth/next";
|
||||
import CredentialsProvider from "next-auth/providers/credentials";
|
||||
import { AuthOptions, Session, User } from "next-auth";
|
||||
import { AuthOptions } from "next-auth";
|
||||
import bcrypt from "bcrypt";
|
||||
import EmailProvider from "next-auth/providers/email";
|
||||
import { PrismaAdapter } from "@auth/prisma-adapter";
|
||||
import { Adapter } from "next-auth/adapters";
|
||||
import sendVerificationRequest from "@/lib/api/sendVerificationRequest";
|
||||
import { Provider } from "next-auth/providers";
|
||||
import checkSubscription from "@/lib/api/checkSubscription";
|
||||
import verifySubscription from "@/lib/api/verifySubscription";
|
||||
|
||||
const emailEnabled =
|
||||
process.env.EMAIL_FROM && process.env.EMAIL_SERVER ? true : false;
|
||||
|
||||
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
|
||||
|
||||
const providers: Provider[] = [
|
||||
CredentialsProvider({
|
||||
type: "credentials",
|
||||
credentials: {},
|
||||
async authorize(credentials, req) {
|
||||
console.log("User logged in attempt...");
|
||||
console.log("User log in attempt...");
|
||||
if (!credentials) return null;
|
||||
|
||||
const { username, password } = credentials as {
|
||||
@@ -26,7 +28,7 @@ const providers: Provider[] = [
|
||||
password: string;
|
||||
};
|
||||
|
||||
const findUser = await prisma.user.findFirst({
|
||||
const user = await prisma.user.findFirst({
|
||||
where: emailEnabled
|
||||
? {
|
||||
OR: [
|
||||
@@ -46,12 +48,12 @@ const providers: Provider[] = [
|
||||
|
||||
let passwordMatches: boolean = false;
|
||||
|
||||
if (findUser?.password) {
|
||||
passwordMatches = bcrypt.compareSync(password, findUser.password);
|
||||
if (user?.password) {
|
||||
passwordMatches = bcrypt.compareSync(password, user.password);
|
||||
}
|
||||
|
||||
if (passwordMatches) {
|
||||
return { id: findUser?.id };
|
||||
return { id: user?.id };
|
||||
} else return null as any;
|
||||
},
|
||||
}),
|
||||
@@ -82,62 +84,28 @@ export const authOptions: AuthOptions = {
|
||||
},
|
||||
callbacks: {
|
||||
async jwt({ token, trigger, user }) {
|
||||
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
|
||||
|
||||
const NEXT_PUBLIC_TRIAL_PERIOD_DAYS =
|
||||
process.env.NEXT_PUBLIC_TRIAL_PERIOD_DAYS;
|
||||
const secondsInTwoWeeks = NEXT_PUBLIC_TRIAL_PERIOD_DAYS
|
||||
? Number(NEXT_PUBLIC_TRIAL_PERIOD_DAYS) * 86400
|
||||
: 1209600;
|
||||
const subscriptionIsTimesUp =
|
||||
token.subscriptionCanceledAt &&
|
||||
new Date() >
|
||||
new Date(
|
||||
((token.subscriptionCanceledAt as number) + secondsInTwoWeeks) *
|
||||
1000
|
||||
);
|
||||
|
||||
if (
|
||||
STRIPE_SECRET_KEY &&
|
||||
(trigger || subscriptionIsTimesUp || !token.isSubscriber)
|
||||
) {
|
||||
const user = await prisma.user.findUnique({
|
||||
where: {
|
||||
id: Number(token.sub),
|
||||
},
|
||||
});
|
||||
|
||||
const subscription = await checkSubscription(
|
||||
STRIPE_SECRET_KEY,
|
||||
user?.email as string
|
||||
);
|
||||
|
||||
if (subscription.subscriptionCanceledAt) {
|
||||
token.subscriptionCanceledAt = subscription.subscriptionCanceledAt;
|
||||
} else token.subscriptionCanceledAt = undefined;
|
||||
|
||||
token.isSubscriber = subscription.isSubscriber;
|
||||
}
|
||||
|
||||
if (trigger === "signIn") {
|
||||
token.id = user.id as number;
|
||||
} else if (trigger === "update" && token.id) {
|
||||
const user = await prisma.user.findUnique({
|
||||
where: {
|
||||
id: token.id as number,
|
||||
},
|
||||
});
|
||||
|
||||
if (user?.name) {
|
||||
token.name = user.name;
|
||||
}
|
||||
}
|
||||
token.sub = token.sub ? Number(token.sub) : undefined;
|
||||
if (trigger === "signIn") token.id = user?.id as number;
|
||||
|
||||
return token;
|
||||
},
|
||||
async session({ session, token }) {
|
||||
session.user.id = token.id;
|
||||
session.user.isSubscriber = token.isSubscriber;
|
||||
|
||||
if (STRIPE_SECRET_KEY) {
|
||||
const user = await prisma.user.findUnique({
|
||||
where: {
|
||||
id: token.id,
|
||||
},
|
||||
include: {
|
||||
subscriptions: true,
|
||||
},
|
||||
});
|
||||
|
||||
if (user) {
|
||||
const subscribedUser = await verifySubscription(user);
|
||||
}
|
||||
}
|
||||
|
||||
return session;
|
||||
},
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import { prisma } from "@/lib/api/db";
|
||||
import readFile from "@/lib/api/storage/readFile";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function Index(req: NextApiRequest, res: NextApiResponse) {
|
||||
const queryId = Number(req.query.id);
|
||||
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (!queryId)
|
||||
return res
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import updateCollectionById from "@/lib/api/controllers/collections/collectionId/updateCollectionById";
|
||||
import deleteCollectionById from "@/lib/api/controllers/collections/collectionId/deleteCollectionById";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function collections(
|
||||
req: NextApiRequest,
|
||||
res: NextApiResponse
|
||||
) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "PUT") {
|
||||
const updated = await updateCollectionById(
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import getCollections from "@/lib/api/controllers/collections/getCollections";
|
||||
import postCollection from "@/lib/api/controllers/collections/postCollection";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function collections(
|
||||
req: NextApiRequest,
|
||||
res: NextApiResponse
|
||||
) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "GET") {
|
||||
const collections = await getCollections(user.id);
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import { LinkRequestQuery } from "@/types/global";
|
||||
import getDashboardData from "@/lib/api/controllers/dashboard/getDashboardData";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function links(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "GET") {
|
||||
const convertedData: LinkRequestQuery = {
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import archive from "@/lib/api/archive";
|
||||
import { prisma } from "@/lib/api/db";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
const RE_ARCHIVE_LIMIT = Number(process.env.RE_ARCHIVE_LIMIT) || 5;
|
||||
|
||||
export default async function links(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
const link = await prisma.link.findUnique({
|
||||
where: {
|
||||
|
||||
@@ -2,11 +2,11 @@ import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import deleteLinkById from "@/lib/api/controllers/links/linkId/deleteLinkById";
|
||||
import updateLinkById from "@/lib/api/controllers/links/linkId/updateLinkById";
|
||||
import getLinkById from "@/lib/api/controllers/links/linkId/getLinkById";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function links(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "GET") {
|
||||
const updated = await getLinkById(user.id, Number(req.query.id));
|
||||
|
||||
@@ -2,11 +2,11 @@ import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import getLinks from "@/lib/api/controllers/links/getLinks";
|
||||
import postLink from "@/lib/api/controllers/links/postLink";
|
||||
import { LinkRequestQuery } from "@/types/global";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function links(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "GET") {
|
||||
// Convert the type of the request query to "LinkRequestQuery"
|
||||
|
||||
@@ -3,7 +3,7 @@ import exportData from "@/lib/api/controllers/migration/exportData";
|
||||
import importFromHTMLFile from "@/lib/api/controllers/migration/importFromHTMLFile";
|
||||
import importFromLinkwarden from "@/lib/api/controllers/migration/importFromLinkwarden";
|
||||
import { MigrationFormat, MigrationRequest } from "@/types/global";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export const config = {
|
||||
api: {
|
||||
@@ -14,8 +14,8 @@ export const config = {
|
||||
};
|
||||
|
||||
export default async function users(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "GET") {
|
||||
const data = await exportData(user.id);
|
||||
|
||||
@@ -1,19 +1,27 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import paymentCheckout from "@/lib/api/paymentCheckout";
|
||||
import { Plan } from "@/types/global";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import { getToken } from "next-auth/jwt";
|
||||
import { prisma } from "@/lib/api/db";
|
||||
|
||||
export default async function users(req: NextApiRequest, res: NextApiResponse) {
|
||||
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
|
||||
const MONTHLY_PRICE_ID = process.env.MONTHLY_PRICE_ID;
|
||||
const YEARLY_PRICE_ID = process.env.YEARLY_PRICE_ID;
|
||||
|
||||
if (!STRIPE_SECRET_KEY || !MONTHLY_PRICE_ID || !YEARLY_PRICE_ID) {
|
||||
return res.status(400).json({ response: "Payment is disabled." });
|
||||
}
|
||||
const token = await getToken({ req });
|
||||
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
if (!STRIPE_SECRET_KEY || !MONTHLY_PRICE_ID || !YEARLY_PRICE_ID)
|
||||
return res.status(400).json({ response: "Payment is disabled." });
|
||||
|
||||
console.log(token);
|
||||
|
||||
if (!token?.id) return res.status(404).json({ response: "Token invalid." });
|
||||
|
||||
const email = (await prisma.user.findUnique({ where: { id: token.id } }))
|
||||
?.email;
|
||||
|
||||
if (!email) return res.status(404).json({ response: "User not found." });
|
||||
|
||||
let PRICE_ID = MONTHLY_PRICE_ID;
|
||||
|
||||
@@ -25,7 +33,7 @@ export default async function users(req: NextApiRequest, res: NextApiResponse) {
|
||||
if (req.method === "GET") {
|
||||
const users = await paymentCheckout(
|
||||
STRIPE_SECRET_KEY,
|
||||
user.email as string,
|
||||
email as string,
|
||||
PRICE_ID
|
||||
);
|
||||
return res.status(users.status).json({ response: users.response });
|
||||
|
||||
@@ -0,0 +1,18 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import getPublicUserById from "@/lib/api/controllers/public/users/getPublicUserById";
|
||||
import { getToken } from "next-auth/jwt";
|
||||
|
||||
export default async function users(req: NextApiRequest, res: NextApiResponse) {
|
||||
const token = await getToken({ req });
|
||||
const requestingId = token?.id;
|
||||
|
||||
const lookupId = req.query.id as string;
|
||||
|
||||
// Check if "lookupId" is the user "id" or their "username"
|
||||
const isId = lookupId.split("").every((e) => Number.isInteger(parseInt(e)));
|
||||
|
||||
if (req.method === "GET") {
|
||||
const users = await getPublicUserById(lookupId, isId, requestingId);
|
||||
return res.status(users.status).json({ response: users.response });
|
||||
}
|
||||
}
|
||||
@@ -1,11 +1,11 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import updeteTagById from "@/lib/api/controllers/tags/tagId/updeteTagById";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
import deleteTagById from "@/lib/api/controllers/tags/tagId/deleteTagById";
|
||||
|
||||
export default async function tags(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
const tagId = Number(req.query.id);
|
||||
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import getTags from "@/lib/api/controllers/tags/getTags";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import verifyUser from "@/lib/api/verifyUser";
|
||||
|
||||
export default async function tags(req: NextApiRequest, res: NextApiResponse) {
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
const user = await verifyUser({ req, res });
|
||||
if (!user) return;
|
||||
|
||||
if (req.method === "GET") {
|
||||
const tags = await getTags(user.id);
|
||||
|
||||
+37
-27
@@ -1,48 +1,58 @@
|
||||
import type { NextApiRequest, NextApiResponse } from "next";
|
||||
import getUserById from "@/lib/api/controllers/users/userId/getUserById";
|
||||
import getPublicUserById from "@/lib/api/controllers/users/userId/getPublicUserById";
|
||||
import updateUserById from "@/lib/api/controllers/users/userId/updateUserById";
|
||||
import deleteUserById from "@/lib/api/controllers/users/userId/deleteUserById";
|
||||
import authenticateUser from "@/lib/api/authenticateUser";
|
||||
import { prisma } from "@/lib/api/db";
|
||||
import { getToken } from "next-auth/jwt";
|
||||
import { prisma } from "@/lib/api/db";
|
||||
import verifySubscription from "@/lib/api/verifySubscription";
|
||||
|
||||
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
|
||||
|
||||
export default async function users(req: NextApiRequest, res: NextApiResponse) {
|
||||
const token = await getToken({ req });
|
||||
const userId = token?.id;
|
||||
|
||||
if (!token?.id)
|
||||
return res.status(400).json({ response: "Invalid parameters." });
|
||||
if (!userId) {
|
||||
return res.status(401).json({ response: "You must be logged in." });
|
||||
}
|
||||
|
||||
const username = (await prisma.user.findUnique({ where: { id: token.id } }))
|
||||
?.username;
|
||||
if (userId !== Number(req.query.id))
|
||||
return res.status(401).json({ response: "Permission denied." });
|
||||
|
||||
if (!username) return res.status(404).json({ response: "User not found." });
|
||||
|
||||
const lookupId = req.query.id as string;
|
||||
const isSelf =
|
||||
userId === Number(lookupId) || username === lookupId ? true : false;
|
||||
|
||||
// Check if "lookupId" is the user "id" or their "username"
|
||||
const isId = lookupId.split("").every((e) => Number.isInteger(parseInt(e)));
|
||||
|
||||
if (req.method === "GET" && !isSelf) {
|
||||
const users = await getPublicUserById(lookupId, isId, username);
|
||||
if (req.method === "GET") {
|
||||
const users = await getUserById(userId);
|
||||
return res.status(users.status).json({ response: users.response });
|
||||
}
|
||||
|
||||
const user = await authenticateUser({ req, res });
|
||||
if (!user) return res.status(404).json({ response: "User not found." });
|
||||
if (STRIPE_SECRET_KEY) {
|
||||
const user = await prisma.user.findUnique({
|
||||
where: {
|
||||
id: token.id,
|
||||
},
|
||||
include: {
|
||||
subscriptions: true,
|
||||
},
|
||||
});
|
||||
|
||||
if (req.method === "GET") {
|
||||
const users = await getUserById(user.id);
|
||||
return res.status(users.status).json({ response: users.response });
|
||||
} else if (req.method === "PUT") {
|
||||
const updated = await updateUserById(user.id, req.body);
|
||||
if (user) {
|
||||
const subscribedUser = await verifySubscription(user);
|
||||
if (!subscribedUser) {
|
||||
return res.status(401).json({
|
||||
response:
|
||||
"You are not a subscriber, feel free to reach out to us at support@linkwarden.app if you think this is an issue.",
|
||||
});
|
||||
}
|
||||
} else {
|
||||
return res.status(404).json({ response: "User not found." });
|
||||
}
|
||||
}
|
||||
|
||||
if (req.method === "PUT") {
|
||||
const updated = await updateUserById(userId, req.body);
|
||||
return res.status(updated.status).json({ response: updated.response });
|
||||
} else if (req.method === "DELETE" && user.id === Number(req.query.id)) {
|
||||
} else if (req.method === "DELETE") {
|
||||
console.log(req.body);
|
||||
const updated = await deleteUserById(user.id, req.body);
|
||||
const updated = await deleteUserById(userId, req.body);
|
||||
return res.status(updated.status).json({ response: updated.response });
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user