From 107f6b4499937c5cf754ad6bf5aaaa28f20a318e Mon Sep 17 00:00:00 2001
From: austinkelsay
Date: Mon, 30 Sep 2024 20:41:52 -0500
Subject: [PATCH] Check session for decrypt, check session and admin for encrypt
---
 src/pages/api/decrypt.js | 8 ++++++++
 src/pages/api/encrypt.js | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/pages/api/decrypt.js b/src/pages/api/decrypt.js
index bd85185..595f587 100644
--- a/src/pages/api/decrypt.js
+++ b/src/pages/api/decrypt.js
@@ -1,10 +1,18 @@
 import { nip04 } from 'nostr-tools';
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"
 export default async function handler(req, res) {
+ const session = await getServerSession(req, res, authOptions)
+
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method Not Allowed' });
 }
+ if (!session) {
+ return res.status(401).json({ error: 'Unauthorized' });
+ }
+
 const { encryptedContent } = req.body;
 if (!encryptedContent) {
diff --git a/src/pages/api/encrypt.js b/src/pages/api/encrypt.js
index 5645062..1040f39 100644
--- a/src/pages/api/encrypt.js
+++ b/src/pages/api/encrypt.js
@@ -1,10 +1,18 @@
 import { nip04 } from 'nostr-tools';
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"
 export default async function handler(req, res) {
+ const session = await getServerSession(req, res, authOptions)
+
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method Not Allowed' });
 }
+ if (!session || !session.user.role?.admin) {
+ return res.status(401).json({ error: 'Unauthorized' });
+ }
+
 const { content } = req.body;
 if (!content) {
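Review bot: The new `if (!session)` guard in `src/pages/api/decrypt.js` only establishes that the caller is signed in, so any account can still submit arbitrary `encryptedContent` to this route. The rest of the handler is outside the hunk, but if it decrypts with a key held by the server, the route should also check that the caller is entitled to that content, or at least state the intended policy in a comment such as `// Any authenticated user may call this; ciphertext is not bound to the caller`. Separately, `getServerSession` runs before the method check, so non-POST requests pay for a session lookup; moving the `const session = ...` line below the 405 branch avoids that. The same ordering appears in `src/pages/api/encrypt.js`.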
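Review bot: The combined guard `if (!session || !session.user.role?.admin)` in `src/pages/api/encrypt.js` answers 401 to a signed-in non-admin, which makes "not authenticated" and "not permitted" indistinguishable to clients and in logs. Splitting it keeps 401 for a missing session and returns 403 for a missing role: `if (!session) return res.status(401).json({ error: 'Unauthorized' });` followed by `if (!session.user?.role?.admin) return res.status(403).json({ error: 'Forbidden' });`. The `?.` on `user` also avoids a thrown TypeError, and the resulting 500, if a session ever arrives without a `user` object. Whether `role.admin` is populated depends on the session callback in `authOptions`, which is not shown here, so that is worth confirming. The handler body continues past the hunk.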