Add Protection on Organiser API Routes

hackathon-zip · Oct 24, 2023 · f503e61 · f503e61
1 parent 8ea00ba
commit f503e61
Show file tree

Hide file tree

Showing 10 changed files with 51 additions and 38 deletions.
diff --git a/pages/api/organizer/hackathons/[slug]/check-in/[attendee].ts b/pages/api/organizer/hackathons/[slug]/check-in/[attendee].ts
@@ -1,13 +1,14 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
+import { getHackathon } from "..";
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
 
     const { attendee, slug } = req.query;
 

diff --git a/pages/api/organizer/hackathons/[slug]/data/create.ts b/pages/api/organizer/hackathons/[slug]/data/create.ts
@@ -2,13 +2,14 @@ import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import type { Attendee } from "@prisma/client";
 import { NextApiRequest, NextApiResponse } from "next";
+import { getHackathon } from "..";
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
     let attendee: Attendee = await prisma.attendee.create({
         data: {
             email: req.body.email,

diff --git a/pages/api/organizer/hackathons/[slug]/data/delete.ts b/pages/api/organizer/hackathons/[slug]/data/delete.ts
@@ -1,13 +1,14 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
+import { getHackathon } from "..";
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
 
     const { ids } = req.body;
 

diff --git a/pages/api/organizer/hackathons/[slug]/data/form.ts b/pages/api/organizer/hackathons/[slug]/data/form.ts
@@ -1,7 +1,7 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
-
+import { getHackathon } from "..";
 import type { AttendeeAttribute, Hackathon } from "@prisma/client";
 
 type HackathonWithAttributes = Hackathon & {
@@ -12,16 +12,8 @@ export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
-    let hackathon = (await prisma.hackathon.findUnique({
-        where: {
-            slug: req.query.slug as string
-        },
-        include: {
-            attendeeAttributes: true
-        }
-    })) as HackathonWithAttributes;
+    const hackathon = await getHackathon(req, res, {attendeeAttributes: true}) as HackathonWithAttributes | null
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
     let newData: any = {};
     Object.keys(req.body).map((x) => {
         let id = x.split("_")[0];

diff --git a/pages/api/organizer/hackathons/[slug]/data/save.ts b/pages/api/organizer/hackathons/[slug]/data/save.ts
@@ -6,6 +6,7 @@ import { getAuth } from "@clerk/nextjs/server";
 import type { AttendeeAttributeValue } from "@prisma/client";
 import { NextApiRequest, NextApiResponse } from "next";
 import { v4 as uuidv4 } from "uuid";
+import { getHackathon } from "..";
 
 function c<T>(x: T): T {
     console.log(x);
@@ -16,8 +17,8 @@ export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res, {attendeeAttributes: true}) as HackathonWithAttributes | null
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
 
     try {
         let newData = req.body as { shape: Column[]; content: string[][] };
@@ -31,13 +32,7 @@ export default async function handler(
 
         if (hackathon == null) throw new Error("no hackathon!");
 
-        const attendeeAttributes = await prisma.attendeeAttribute.findMany({
-            where: {
-                hackathon: {
-                    slug: slug as string
-                }
-            }
-        });
+        const attendeeAttributes = hackathon.attendeeAttributes
 
         const toCreateAttributes = newData.shape
             .map((column, i) => ({

diff --git a/pages/api/organizer/hackathons/[slug]/data/schema.ts b/pages/api/organizer/hackathons/[slug]/data/schema.ts
@@ -1,13 +1,14 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
+import { getHackathon } from "..";
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
     let attributes: {
         [key: string]: { name?: string; type?: string; options?: string[] };
     } = {};

diff --git a/pages/api/organizer/hackathons/[slug]/features/leads.ts b/pages/api/organizer/hackathons/[slug]/features/leads.ts
@@ -1,13 +1,14 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
+import { getHackathon } from "..";
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
     try {
         switch (req.method) {
             case "GET":

diff --git a/pages/api/organizer/hackathons/[slug]/features/sponsors.ts b/pages/api/organizer/hackathons/[slug]/features/sponsors.ts
@@ -1,13 +1,14 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
+import { getHackathon } from "..";
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
     try {
         switch (req.method) {
             case "GET":

diff --git a/pages/api/organizer/hackathons/[slug]/index.ts b/pages/api/organizer/hackathons/[slug]/index.ts
@@ -1,18 +1,40 @@
 import prisma from "@/lib/prisma";
 import { getAuth } from "@clerk/nextjs/server";
 import { NextApiRequest, NextApiResponse } from "next";
+import { HackathonPolicy } from "@/lib/permissions";
+
+export async function getHackathon(req: NextApiRequest, res: NextApiResponse, include?: any) {
+    const { userId } = getAuth(req);
+    if (!userId) return null;
+    const { slug } = req.query;
+    const hackathon = await prisma.hackathon.delete({
+        where: {
+            slug: slug as string
+        },
+        include: {
+            attendees: true
+        }
+    });
+    if (
+        hackathon == null ||
+        userId == null ||
+        !new HackathonPolicy(hackathon).canOrganizerAccess({ id: userId })
+    ) {
+        return null;
+    }
+    return hackathon;
+}
 
 export default async function handler(
     req: NextApiRequest,
     res: NextApiResponse
 ) {
-    const { userId } = getAuth(req);
-    if (!userId) return res.status(401).json({ error: "Unauthorized" });
-
+    const hackathon = await getHackathon(req, res)
+    if (!hackathon) return res.status(401).json({ error: "Unauthorized" });
     switch (req.method) {
         case "DELETE": {
             const { slug } = req.query;
-            const hackathon = await prisma.hackathon.delete({
+            await prisma.hackathon.delete({
                 where: {
                     slug: slug as string
                 }

diff --git a/pages/api/organizer/hackathons/create.ts b/pages/api/organizer/hackathons/create.ts
@@ -27,8 +27,6 @@ export default async function handler(
             }
         });
 
-        console.log({ hackathon });
-
         res.redirect(`/${hackathon.slug}`);
     } catch (error) {
         console.error(error);