refactor(cloud): validate all the routes to prevent get access from private resource

packages/builders/src/db/schema/bitbucket.ts

@@ -61,4 +61,5 @@ export const apiUpdateBitbucket = createSchema.extend({
 	name: z.string().min(1),
 	bitbucketUsername: z.string().optional(),
 	bitbucketWorkspaceName: z.string().optional(),
+	adminId: z.string().optional(),
 });

packages/builders/src/services/admin.ts

@@ -13,10 +13,9 @@ import { eq } from "drizzle-orm";
 export type Admin = typeof admins.$inferSelect;
 export const createInvitation = async (
 	input: typeof apiCreateUserInvitation._type,
+	adminId: string,
 ) => {
 	await db.transaction(async (tx) => {
-		const admin = await findAdmin();
-
 		const result = await tx
 			.insert(auth)
 			.values({
@@ -39,7 +38,7 @@ export const createInvitation = async (
 		await tx
 			.insert(users)
 			.values({
-				adminId: admin.adminId,
+				adminId: adminId,
 				authId: result.id,
 				token,
 				expirationDate: expiresIn24Hours.toISOString(),

packages/builders/src/services/auth.ts

@@ -14,6 +14,7 @@ import { eq } from "drizzle-orm";
 import encode from "hi-base32";
 import { TOTP } from "otpauth";
 import QRCode from "qrcode";
+import { IS_CLOUD } from "../constants";
 
 export type Auth = typeof auth.$inferSelect;
 
@@ -37,13 +38,15 @@ export const createAdmin = async (input: typeof apiCreateAdmin._type) => {
 			});
 		}
 
-		await tx
-			.insert(admins)
-			.values({
-				authId: newAuth.id,
-				serverIp: await getPublicIpWithFallback(),
-			})
-			.returning();
+		if (!IS_CLOUD) {
+			await tx
+				.insert(admins)
+				.values({
+					authId: newAuth.id,
+					serverIp: await getPublicIpWithFallback(),
+				})
+				.returning();
+		}
 
 		return newAuth;
 	});

packages/builders/src/services/github.ts

@@ -4,13 +4,16 @@ import { TRPCError } from "@trpc/server";
 import { eq } from "drizzle-orm";
 
 export type Github = typeof github.$inferSelect;
-export const createGithub = async (input: typeof apiCreateGithub._type) => {
+export const createGithub = async (
+	input: typeof apiCreateGithub._type,
+	adminId: string,
+) => {
 	return await db.transaction(async (tx) => {
 		const newGitProvider = await tx
 			.insert(gitProvider)
 			.values({
 				providerType: "github",
-				authId: input.authId,
+				adminId: adminId,
 				name: input.name,
 			})
 			.returning()

packages/builders/src/services/gitlab.ts

@@ -11,13 +11,16 @@ import { eq } from "drizzle-orm";
 
 export type Gitlab = typeof gitlab.$inferSelect;
 
-export const createGitlab = async (input: typeof apiCreateGitlab._type) => {
+export const createGitlab = async (
+	input: typeof apiCreateGitlab._type,
+	adminId: string,
+) => {
 	return await db.transaction(async (tx) => {
 		const newGitProvider = await tx
 			.insert(gitProvider)
 			.values({
 				providerType: "gitlab",
-				authId: input.authId,
+				adminId: adminId,
 				name: input.name,
 			})
 			.returning()

packages/builders/src/services/registry.ts

@@ -9,19 +9,19 @@ import {
 } from "@/server/utils/traefik/registry";
 import { TRPCError } from "@trpc/server";
 import { eq } from "drizzle-orm";
-import { findAdmin } from "./admin";
 
 export type Registry = typeof registry.$inferSelect;
 
-export const createRegistry = async (input: typeof apiCreateRegistry._type) => {
-	const admin = await findAdmin();
-
+export const createRegistry = async (
+	input: typeof apiCreateRegistry._type,
+	adminId: string,
+) => {
 	return await db.transaction(async (tx) => {
 		const newRegistry = await tx
 			.insert(registry)
 			.values({
 				...input,
-				adminId: admin.adminId,
+				adminId: adminId,
 			})
 			.returning()
 			.then((value) => value[0]);
@@ -126,7 +126,9 @@ export const findRegistryById = async (registryId: string) => {
 	return registryResponse;
 };
 
-export const findAllRegistry = async () => {
-	const registryResponse = await db.query.registry.findMany();
+export const findAllRegistryByAdminId = async (adminId: string) => {
+	const registryResponse = await db.query.registry.findMany({
+		where: eq(registry.adminId, adminId),
+	});
 	return registryResponse;
 };