Protect the rest of the endpoints

2025-04-19 19:01:19 +00:00 · 2024-10-02 17:27:38 -05:00 · 2024-10-02 17:27:38 -05:00 · e89c5cfcd3
commit e89c5cfcd3
parent a0e124d9ef
21 changed files with 169 additions and 37 deletions
--- a/src/pages/api/courses/[slug].js
+++ b/src/pages/api/courses/[slug].js
@ -1,8 +1,12 @@
 import { getCourseById, updateCourse, deleteCourse } from "@/db/models/courseModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  const { slug } = req.query;

+  const session = await getServerSession(req, res, authOptions)
+
  if (req.method === 'GET') {
    try {
      const course = await getCourseById(slug);
@ -15,6 +19,10 @@ export default async function handler(req, res) {
      res.status(500).json({ error: error.message });
    }
  } else if (req.method === 'PUT') {
+    if (!session) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      const course = await updateCourse(slug, req.body);
      res.status(200).json(course);
@ -22,6 +30,10 @@ export default async function handler(req, res) {
      res.status(400).json({ error: error.message });
    }
  } else if (req.method === 'DELETE') {
+    if (!session) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      await deleteCourse(slug);
      res.status(204).end();
--- a/src/pages/api/courses/drafts/[slug].js
+++ b/src/pages/api/courses/drafts/[slug].js
@ -1,10 +1,17 @@
 import { getAllCourseDraftsByUserId, getCourseDraftById, updateCourseDraft, deleteCourseDraft } from "@/db/models/courseDraftModels";
-import prisma from "@/db/prisma";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
    const { slug } = req.query;
    const userId = req.body?.userId || req.query?.userId;

+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session) {
+        return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    if (req.method === 'GET') {
        if (slug && !userId) {
            try {
--- a/src/pages/api/courses/drafts/[slug]/all.js
+++ b/src/pages/api/courses/drafts/[slug]/all.js
@ -1,8 +1,17 @@
 import { getAllCourseDraftsByUserId } from "@/db/models/courseDraftModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
    // the slug here is user id to get all drafts for a given user
    const {slug} = req.query;
+
+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session) {
+        return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    if (req.method === 'GET') {
        if (slug) {
            try {
--- a/src/pages/api/courses/drafts/index.js
+++ b/src/pages/api/courses/drafts/index.js
@ -1,6 +1,14 @@
 import { createCourseDraft } from "@/db/models/courseDraftModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session) {
+        return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    if (req.method === 'POST') {
        try {
            const courseDraft = await createCourseDraft(req.body);
--- a/src/pages/api/courses/index.js
+++ b/src/pages/api/courses/index.js
@ -1,4 +1,6 @@
 import { getAllCourses, createCourse } from "@/db/models/courseModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  if (req.method === 'GET') {
@ -9,6 +11,12 @@ export default async function handler(req, res) {
      res.status(500).json({ error: error.message });
    }
  } else if (req.method === 'POST') {
+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      const course = await createCourse(req.body);
      res.status(201).json(course);
--- a/src/pages/api/drafts/[slug].js
+++ b/src/pages/api/drafts/[slug].js
@ -1,8 +1,16 @@
 import { getDraftById, updateDraft, deleteDraft } from "@/db/models/draftModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
    const { slug } = req.query;

+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session) {
+        return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    if (req.method === 'GET') {
        try {
            const draft = await getDraftById(slug);
--- a/src/pages/api/drafts/all/[slug].js
+++ b/src/pages/api/drafts/all/[slug].js
@ -1,16 +1,24 @@
 import { getAllDraftsByUserId } from "@/db/models/draftModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
-const { slug } = req.query;
+  const { slug } = req.query;
+
+  const session = await getServerSession(req, res, authOptions)
+
+  if (!session) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }

  if (req.method === 'GET') {
    try {
      const drafts = await getAllDraftsByUserId(slug);
-        if (drafts) {
-            res.status(200).json(drafts);
-        } else {
-            res.status(404).json({ error: 'Drafts not found' });
-        }
+      if (drafts) {
+        res.status(200).json(drafts);
+      } else {
+        res.status(404).json({ error: 'Drafts not found' });
+      }
    } catch (error) {
      res.status(400).json({ error: error.message });
    }
--- a/src/pages/api/drafts/index.js
+++ b/src/pages/api/drafts/index.js
@ -1,6 +1,14 @@
 import { createDraft } from "@/db/models/draftModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
+  const session = await getServerSession(req, res, authOptions)
+
+  if (!session) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
  if (req.method === 'POST') {
    try {
      const draft = await createDraft(req.body);
--- a/src/pages/api/lessons/[slug].js
+++ b/src/pages/api/lessons/[slug].js
@ -1,8 +1,12 @@
 import { getLessonById, updateLesson, deleteLesson } from "@/db/models/lessonModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  const { slug } = req.query;

+  const session = await getServerSession(req, res, authOptions)
+
  if (req.method === 'GET') {
    try {
      const lesson = await getLessonById(slug);
@ -15,6 +19,10 @@ export default async function handler(req, res) {
      res.status(500).json({ error: error.message });
    }
  } else if (req.method === 'PUT') {
+    if (!session) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      const lesson = await updateLesson(slug, req.body);
      res.status(200).json(lesson);
@ -22,6 +30,10 @@ export default async function handler(req, res) {
      res.status(400).json({ error: error.message });
    }
  } else if (req.method === 'DELETE') {
+    if (!session) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      await deleteLesson(slug);
      res.status(204).end();
--- a/src/pages/api/lessons/drafts/[slug].js
+++ b/src/pages/api/lessons/drafts/[slug].js
@ -1,8 +1,16 @@
 import { getDraftLessonById, updateDraftLesson, deleteDraftLesson } from "@/db/models/draftLessonModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  const { slug } = req.query;

+  const session = await getServerSession(req, res, authOptions)
+
+  if (!session) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
  if (req.method === 'GET') {
    try {
      const draftLesson = await getDraftLessonById(slug);
--- a/src/pages/api/lessons/drafts/index.js
+++ b/src/pages/api/lessons/drafts/index.js
@ -1,6 +1,14 @@
 import { getAllDraftLessons, createDraftLesson } from "@/db/models/draftLessonModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
+  const session = await getServerSession(req, res, authOptions)
+
+  if (!session) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
  if (req.method === 'GET') {
    try {
      const draftLessons = await getAllDraftLessons();
--- a/src/pages/api/lessons/index.js
+++ b/src/pages/api/lessons/index.js
@ -1,4 +1,6 @@
 import { getAllLessons, createLesson } from "@/db/models/lessonModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  if (req.method === 'GET') {
@ -9,6 +11,12 @@ export default async function handler(req, res) {
      res.status(500).json({ error: error.message });
    }
  } else if (req.method === 'POST') {
+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      const lesson = await createLesson(req.body);
      res.status(201).json(lesson);
--- a/src/pages/api/lightning-address/callback/[slug].js
+++ b/src/pages/api/lightning-address/callback/[slug].js
@ -6,6 +6,7 @@ import { runMiddleware, corsMiddleware } from "@/utils/corsMiddleware";
 import { getLightningAddressByName } from "@/db/models/lightningAddressModels";

 const BACKEND_URL = process.env.BACKEND_URL;
+const PLEBDEVS_API_KEY = process.env.PLEBDEVS_API_KEY;

 export default async function handler(req, res) {
    await runMiddleware(req, res, corsMiddleware);
@ -70,7 +71,11 @@ export default async function handler(req, res) {
                return;
            } else {
                try {
-                    const response = await axios.post(`${BACKEND_URL}/api/lightning-address/lnd`, { amount: amount, description_hash: descriptionHash, name: slug, zap_request: queryParams?.nostr ? queryParams.nostr : null });
+                    const response = await axios.post(`${BACKEND_URL}/api/lightning-address/lnd`, { amount: amount, description_hash: descriptionHash, name: slug, zap_request: queryParams?.nostr ? queryParams.nostr : null }, {
+                        headers: {
+                            'Authorization': PLEBDEVS_API_KEY
+                        }
+                    });
                    res.status(200).json({ pr: response.data });
                } catch (error) {
                    console.error(error);
--- a/src/pages/api/lightning-address/lnd.js
+++ b/src/pages/api/lightning-address/lnd.js
@ -5,8 +5,16 @@ import appConfig from "@/config/appConfig";
 import { getLightningAddressByName } from "@/db/models/lightningAddressModels";

 const ZAP_PRIVKEY = process.env.ZAP_PRIVKEY;
+const PLEBDEVS_API_KEY = process.env.PLEBDEVS_API_KEY;

 export default async function handler(req, res) {
+    // make sure api key is in authorization header
+    const apiKey = req.headers['authorization'];
+    if (apiKey !== PLEBDEVS_API_KEY) {
+        res.status(401).json({ error: 'Unauthorized' });
+        return;
+    }
+
    try {
        const { amount, description_hash, zap_request=null, name } = req.body;

--- a/src/pages/api/purchase/course.js
+++ b/src/pages/api/purchase/course.js
@ -1,6 +1,14 @@
 import { addCoursePurchaseToUser } from "@/db/models/userModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
+  const session = await getServerSession(req, res, authOptions)
+
+  if (!session) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
  if (req.method === 'POST') {
    try {
      const { userId, courseId, amountPaid } = req.body;
--- a/src/pages/api/purchase/resource.js
+++ b/src/pages/api/purchase/resource.js
@ -1,6 +1,14 @@
 import { addResourcePurchaseToUser } from "@/db/models/userModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
+  const session = await getServerSession(req, res, authOptions)
+
+  if (!session) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
  if (req.method === 'POST') {
    try {
      const { userId, resourceId, amountPaid } = req.body;
--- a/src/pages/api/resources/[slug].js
+++ b/src/pages/api/resources/[slug].js
@ -1,8 +1,12 @@
 import { getResourceById, updateResource, deleteResource, } from "@/db/models/resourceModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  const { slug } = req.query;

+  const session = await getServerSession(req, res, authOptions)
+
  if (req.method === 'GET') {
    try {
      const resource = await getResourceById(slug);
@ -15,6 +19,10 @@ export default async function handler(req, res) {
      res.status(500).json({ error: error.message });
    }
  } else if (req.method === 'PUT') {
+    if (!session || !session?.user?.role?.admin) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      console.log('req.body:', req.body);
      console.log('slug:', slug);
@ -31,6 +39,10 @@ export default async function handler(req, res) {
      res.status(400).json({ error: error.message });
    }
  } else if (req.method === 'DELETE') {
+    if (!session || !session?.user?.role?.admin) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
        await deleteResource(slug);
        res.status(204).end();
--- a/src/pages/api/resources/index.js
+++ b/src/pages/api/resources/index.js
@ -1,4 +1,6 @@
 import { getAllResources, createResource } from "@/db/models/resourceModels";
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"

 export default async function handler(req, res) {
  if (req.method === 'GET') {
@ -9,6 +11,12 @@ export default async function handler(req, res) {
      res.status(500).json({ error: error.message });
    }
  } else if (req.method === 'POST') {
+    const session = await getServerSession(req, res, authOptions)
+
+    if (!session || !session?.user?.role?.admin) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+
    try {
      const resource = await createResource(req.body);
      res.status(201).json(resource);
--- a/src/pages/api/roles/index.js
+++ b/src/pages/api/roles/index.js
@ -1,27 +0,0 @@
-import { createRole } from "@/db/models/roleModels";
-
-export default async function handler(req, res) {
-  if (req.method === "POST") {
-    if (!req.body || !req.body.userId) {
-      res.status(400).json({ error: "Missing required fields" });
-      return;
-    }
-
-    try {
-      const roleData = {
-        userId: req.body.userId,
-        admin: req.body.admin || false,
-        subscribed: req.body.subscribed || false,
-        // Add other fields as needed
-      };
-
-      const role = await createRole(roleData);
-      res.status(201).json(role);
-    } catch (error) {
-      console.error("Error creating role:", error);
-      res.status(500).json({ error: "Error creating role" });
-    }
-  } else {
-    res.status(405).json({ error: "Method not allowed" });
-  }
-}
--- a/src/pages/api/users/index.js
+++ b/src/pages/api/users/index.js
@ -2,9 +2,14 @@ import { getAllUsers, createUser } from '@/db/models/userModels';
 import { getServerSession } from "next-auth/next"
 import { authOptions } from "@/pages/api/auth/[...nextauth].js"

-// todo add recaptcha for additional security
 export default async function handler(req, res) {
-  // const session = await getServerSession(req, res, authOptions);
+  const session = await getServerSession(req, res, authOptions);
+
+  if (!session) {
+    res.status(401).json({ error: "Unauthorized" });
+    return;
+  }
+
  if (req.method === 'POST') {
    try {
      const user = await createUser(req.body);
--- a/src/pages/auth/signin.js
+++ b/src/pages/auth/signin.js
@ -4,6 +4,7 @@ import { useNDKContext } from "@/context/NDKContext";
 import GenericButton from "@/components/buttons/GenericButton";
 import { InputText } from 'primereact/inputtext';

+// todo add recaptcha for additional security
 export default function SignIn() {
  const [email, setEmail] = useState("")
  const [showEmailInput, setShowEmailInput] = useState(false)