refactor(cloud): validate all the routes to prevent get access from private resource

This commit is contained in:
Mauricio Siu
2024-10-03 19:34:38 -06:00
parent cc90d9ec9b
commit 8abeae5e63
17 changed files with 796 additions and 163 deletions

View File

@@ -66,13 +66,26 @@ export const mariadbRouter = createTRPCRouter({
if (ctx.user.rol === "user") {
await checkServiceAccess(ctx.user.authId, input.mariadbId, "access");
}
return await findMariadbById(input.mariadbId);
const mariadb = await findMariadbById(input.mariadbId);
if (mariadb.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to access this mariadb",
});
}
return mariadb;
}),
start: protectedProcedure
.input(apiFindOneMariaDB)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const service = await findMariadbById(input.mariadbId);
if (service.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to start this mariadb",
});
}
if (service.serverId) {
await startServiceRemote(service.serverId, service.appName);
} else {
@@ -102,8 +115,14 @@ export const mariadbRouter = createTRPCRouter({
}),
saveExternalPort: protectedProcedure
.input(apiSaveExternalPortMariaDB)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const mongo = await findMariadbById(input.mariadbId);
if (mongo.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to save this external port",
});
}
await updateMariadbById(input.mariadbId, {
externalPort: input.externalPort,
});
@@ -112,13 +131,26 @@ export const mariadbRouter = createTRPCRouter({
}),
deploy: protectedProcedure
.input(apiDeployMariaDB)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const mariadb = await findMariadbById(input.mariadbId);
if (mariadb.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to deploy this mariadb",
});
}
return deployMariadb(input.mariadbId);
}),
changeStatus: protectedProcedure
.input(apiChangeMariaDBStatus)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const mongo = await findMariadbById(input.mariadbId);
if (mongo.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to change this mariadb status",
});
}
await updateMariadbById(input.mariadbId, {
applicationStatus: input.applicationStatus,
});
@@ -132,6 +164,12 @@ export const mariadbRouter = createTRPCRouter({
}
const mongo = await findMariadbById(input.mariadbId);
if (mongo.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to delete this mariadb",
});
}
const cleanupOperations = [
async () => await removeService(mongo?.appName, mongo.serverId),
@@ -148,7 +186,14 @@ export const mariadbRouter = createTRPCRouter({
}),
saveEnvironment: protectedProcedure
.input(apiSaveEnvironmentVariablesMariaDB)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const mariadb = await findMariadbById(input.mariadbId);
if (mariadb.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to save this environment",
});
}
const service = await updateMariadbById(input.mariadbId, {
env: input.env,
});
@@ -164,8 +209,14 @@ export const mariadbRouter = createTRPCRouter({
}),
reload: protectedProcedure
.input(apiResetMariadb)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const mariadb = await findMariadbById(input.mariadbId);
if (mariadb.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to reload this mariadb",
});
}
if (mariadb.serverId) {
await stopServiceRemote(mariadb.serverId, mariadb.appName);
} else {
@@ -187,8 +238,15 @@ export const mariadbRouter = createTRPCRouter({
}),
update: protectedProcedure
.input(apiUpdateMariaDB)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const { mariadbId, ...rest } = input;
const mariadb = await findMariadbById(mariadbId);
if (mariadb.project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to update this mariadb",
});
}
const service = await updateMariadbById(mariadbId, {
...rest,
});