refactor(cloud): validate all the routes to prevent get access from private resource

This commit is contained in:
Mauricio Siu
2024-10-03 19:34:38 -06:00
parent cc90d9ec9b
commit 8abeae5e63
17 changed files with 796 additions and 163 deletions

View File

@@ -16,7 +16,7 @@ import {
} from "@/server/db/schema";
import { TRPCError } from "@trpc/server";
import { desc, eq, sql } from "drizzle-orm";
import { and, desc, eq, sql } from "drizzle-orm";
import type { AnyPgColumn } from "drizzle-orm/pg-core";
import {
@@ -45,7 +45,6 @@ export const projectRouter = createTRPCRouter({
return project;
} catch (error) {
console.log(error);
throw new TRPCError({
code: "BAD_REQUEST",
message: "Error to create the project",
@@ -62,8 +61,11 @@ export const projectRouter = createTRPCRouter({
await checkProjectAccess(ctx.user.authId, "access", input.projectId);
const service = await db.query.projects.findFirst({
where: eq(projects.projectId, input.projectId),
const project = await db.query.projects.findFirst({
where: and(
eq(projects.projectId, input.projectId),
eq(projects.adminId, ctx.user.adminId),
),
with: {
compose: {
where: buildServiceFilter(compose.composeId, accesedServices),
@@ -92,15 +94,22 @@ export const projectRouter = createTRPCRouter({
},
});
if (!service) {
if (!project) {
throw new TRPCError({
code: "NOT_FOUND",
message: "Project not found",
});
}
return service;
return project;
}
const project = await findProjectById(input.projectId);
if (project.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to access this project",
});
}
return project;
}),
all: protectedProcedure.query(async ({ ctx }) => {
@@ -170,32 +179,38 @@ export const projectRouter = createTRPCRouter({
if (ctx.user.rol === "user") {
await checkProjectAccess(ctx.user.authId, "delete");
}
const project = await deleteProject(input.projectId);
const currentProject = await findProjectById(input.projectId);
if (currentProject.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to delete this project",
});
}
const deletedProject = await deleteProject(input.projectId);
return project;
return deletedProject;
} catch (error) {
throw new TRPCError({
code: "BAD_REQUEST",
message: "Error to delete this project",
cause: error,
});
throw error;
}
}),
update: protectedProcedure
.input(apiUpdateProject)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
try {
const project = updateProjectById(input.projectId, {
const currentProject = await findProjectById(input.projectId);
if (currentProject.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not authorized to update this project",
});
}
const project = await updateProjectById(input.projectId, {
...input,
});
return project;
} catch (error) {
throw new TRPCError({
code: "BAD_REQUEST",
message: "Error to update this project",
cause: error,
});
throw error;
}
}),
});