diff --git a/src/pages/api/courses/[slug].js b/src/pages/api/courses/[slug].js index b6aa293..7a3c010 100644 --- a/src/pages/api/courses/[slug].js +++ b/src/pages/api/courses/[slug].js @@ -1,8 +1,12 @@ import { getCourseById, updateCourse, deleteCourse } from "@/db/models/courseModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { const { slug } = req.query; + const session = await getServerSession(req, res, authOptions) + if (req.method === 'GET') { try { const course = await getCourseById(slug); @@ -15,6 +19,10 @@ export default async function handler(req, res) { res.status(500).json({ error: error.message }); } } else if (req.method === 'PUT') { + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { const course = await updateCourse(slug, req.body); res.status(200).json(course); @@ -22,6 +30,10 @@ export default async function handler(req, res) { res.status(400).json({ error: error.message }); } } else if (req.method === 'DELETE') { + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { await deleteCourse(slug); res.status(204).end(); diff --git a/src/pages/api/courses/drafts/[slug].js b/src/pages/api/courses/drafts/[slug].js index 7082c78..4c0a3ac 100644 --- a/src/pages/api/courses/drafts/[slug].js +++ b/src/pages/api/courses/drafts/[slug].js 
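Review bot: The PUT and DELETE hunks gate `updateCourse(slug, req.body)` and `deleteCourse(slug)` on `!session` alone, so any signed-in account can modify or remove any course; the resources/[slug].js hunks in this same commit additionally require `session?.user?.role?.admin`, and the course endpoints appear to need the same authorization step (or an ownership check against the course record) unless every signed-in user is meant to be an editor. The same session-only gate is used in the PUT/DELETE hunks of lessons/[slug].js and the POST hunks of courses/index.js and lessons/index.js. Adding `if (!session.user?.role?.admin) { return res.status(403).json({ error: 'Forbidden' }); }` after the existing 401 check would match the resources handler; whether `role.admin` is the right authority for courses cannot be told from this diff. handler's body continues outside each hunk.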
@@ -1,10 +1,17 @@ import { getAllCourseDraftsByUserId, getCourseDraftById, updateCourseDraft, deleteCourseDraft } from "@/db/models/courseDraftModels"; -import prisma from "@/db/prisma"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { const { slug } = req.query; const userId = req.body?.userId || req.query?.userId; + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'GET') { if (slug && !userId) { try { diff --git a/src/pages/api/courses/drafts/[slug]/all.js b/src/pages/api/courses/drafts/[slug]/all.js index d1aaaa5..92b89ef 100644 --- a/src/pages/api/courses/drafts/[slug]/all.js +++ b/src/pages/api/courses/drafts/[slug]/all.js @@ -1,8 +1,17 @@ import { getAllCourseDraftsByUserId } from "@/db/models/courseDraftModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { // the slug here is user id to get all drafts for a given user const {slug} = req.query; + + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'GET') { if (slug) { try { diff --git a/src/pages/api/courses/drafts/index.js b/src/pages/api/courses/drafts/index.js index d18b0e1..54391b9 100644 --- a/src/pages/api/courses/drafts/index.js +++ b/src/pages/api/courses/drafts/index.js 
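Review bot: The new session check only establishes that the caller is signed in; `userId` is still read from `req.body?.userId || req.query?.userId` on the line above it, so an authenticated user can supply another user's id and reach that user's drafts through `getAllCourseDraftsByUserId`, `updateCourseDraft` or `deleteCourseDraft`. The request should be bound to the session, e.g. `if (userId && userId !== session.user?.id) { return res.status(403).json({ error: 'Forbidden' }); }` — the exact session field depends on what `authOptions` places on `session.user`, which is outside this diff. `courses/drafts/[slug]/all.js` (where the slug itself is the user id) and `drafts/all/[slug].js` have the same gap. handler's body continues past the hunk.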
@@ -1,6 +1,14 @@ import { createCourseDraft } from "@/db/models/courseDraftModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'POST') { try { const courseDraft = await createCourseDraft(req.body); diff --git a/src/pages/api/courses/index.js b/src/pages/api/courses/index.js index d217d64..da98bf6 100644 --- a/src/pages/api/courses/index.js +++ b/src/pages/api/courses/index.js @@ -1,4 +1,6 @@ import { getAllCourses, createCourse } from "@/db/models/courseModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { if (req.method === 'GET') { @@ -9,6 +11,12 @@ export default async function handler(req, res) { res.status(500).json({ error: error.message }); } } else if (req.method === 'POST') { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { const course = await createCourse(req.body); res.status(201).json(course); diff --git a/src/pages/api/drafts/[slug].js b/src/pages/api/drafts/[slug].js index 6963409..4bb375e 100644 --- a/src/pages/api/drafts/[slug].js +++ b/src/pages/api/drafts/[slug].js 
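Review bot: `createCourseDraft(req.body)` is still called with the raw client body after the new session check, so if the draft's owner id travels in the body (as `req.body?.userId` in courses/drafts/[slug].js suggests) the created record is not tied to the authenticated user. Overriding the owner from the session, `const courseDraft = await createCourseDraft({ ...req.body, userId: session.user?.id });`, would close that, assuming `userId` is the field the model expects — confirm against `createCourseDraft`. drafts/index.js and lessons/drafts/index.js pass `req.body` to their create functions the same way. handler's body continues past the hunk.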
@@ -1,8 +1,16 @@ import { getDraftById, updateDraft, deleteDraft } from "@/db/models/draftModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { const { slug } = req.query; + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'GET') { try { const draft = await getDraftById(slug); diff --git a/src/pages/api/drafts/all/[slug].js b/src/pages/api/drafts/all/[slug].js index fab2c85..22ba807 100644 --- a/src/pages/api/drafts/all/[slug].js +++ b/src/pages/api/drafts/all/[slug].js @@ -1,16 +1,24 @@ import { getAllDraftsByUserId } from "@/db/models/draftModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { -const { slug } = req.query; + const { slug } = req.query; + + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } if (req.method === 'GET') { try { const drafts = await getAllDraftsByUserId(slug); - if (drafts) { - res.status(200).json(drafts); - } else { - res.status(404).json({ error: 'Drafts not found' }); - } + if (drafts) { + res.status(200).json(drafts); + } else { + res.status(404).json({ error: 'Drafts not found' }); + } } catch (error) { res.status(400).json({ error: error.message }); } diff --git a/src/pages/api/drafts/index.js b/src/pages/api/drafts/index.js index 60d2c8b..1553528 100644 --- a/src/pages/api/drafts/index.js +++ b/src/pages/api/drafts/index.js 
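Review bot: The session check in front of `getDraftById(slug)` authenticates the caller but never relates the draft to them, so the PUT and DELETE branches further down (outside this hunk) let any signed-in user change or delete any draft by id. If the draft record carries an owner id, compare it with the session user before mutating — e.g. `if (draft?.userId !== session.user?.id) { return res.status(403).json({ error: 'Forbidden' }); }` after the lookup — though the record's shape is not visible here. The same pattern applies to lessons/drafts/[slug].js.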
@@ -1,6 +1,14 @@ import { createDraft } from "@/db/models/draftModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'POST') { try { const draft = await createDraft(req.body); diff --git a/src/pages/api/lessons/[slug].js b/src/pages/api/lessons/[slug].js index c43a80e..4be8fcc 100644 --- a/src/pages/api/lessons/[slug].js +++ b/src/pages/api/lessons/[slug].js @@ -1,8 +1,12 @@ import { getLessonById, updateLesson, deleteLesson } from "@/db/models/lessonModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { const { slug } = req.query; + const session = await getServerSession(req, res, authOptions) + if (req.method === 'GET') { try { const lesson = await getLessonById(slug); @@ -15,6 +19,10 @@ export default async function handler(req, res) { res.status(500).json({ error: error.message }); } } else if (req.method === 'PUT') { + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { const lesson = await updateLesson(slug, req.body); res.status(200).json(lesson); @@ -22,6 +30,10 @@ export default async function handler(req, res) { res.status(400).json({ error: error.message }); } } else if (req.method === 'DELETE') { + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { await deleteLesson(slug); res.status(204).end(); diff --git a/src/pages/api/lessons/drafts/[slug].js b/src/pages/api/lessons/drafts/[slug].js index 7f09bd1..0160048 100644 --- a/src/pages/api/lessons/drafts/[slug].js +++ b/src/pages/api/lessons/drafts/[slug].js 
@@ -1,8 +1,16 @@ import { getDraftLessonById, updateDraftLesson, deleteDraftLesson } from "@/db/models/draftLessonModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { const { slug } = req.query; + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'GET') { try { const draftLesson = await getDraftLessonById(slug); diff --git a/src/pages/api/lessons/drafts/index.js b/src/pages/api/lessons/drafts/index.js index 3bcc827..daf4e6c 100644 --- a/src/pages/api/lessons/drafts/index.js +++ b/src/pages/api/lessons/drafts/index.js @@ -1,6 +1,14 @@ import { getAllDraftLessons, createDraftLesson } from "@/db/models/draftLessonModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'GET') { try { const draftLessons = await getAllDraftLessons(); diff --git a/src/pages/api/lessons/index.js b/src/pages/api/lessons/index.js index e34ea5e..5c227a1 100644 --- a/src/pages/api/lessons/index.js +++ b/src/pages/api/lessons/index.js @@ -1,4 +1,6 @@ import { getAllLessons, createLesson } from "@/db/models/lessonModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { if (req.method === 'GET') { 
@@ -9,6 +11,12 @@ export default async function handler(req, res) { res.status(500).json({ error: error.message }); } } else if (req.method === 'POST') { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { const lesson = await createLesson(req.body); res.status(201).json(lesson); diff --git a/src/pages/api/lightning-address/callback/[slug].js b/src/pages/api/lightning-address/callback/[slug].js index b282b84..de03ba1 100644 --- a/src/pages/api/lightning-address/callback/[slug].js +++ b/src/pages/api/lightning-address/callback/[slug].js @@ -6,6 +6,7 @@ import { runMiddleware, corsMiddleware } from "@/utils/corsMiddleware"; import { getLightningAddressByName } from "@/db/models/lightningAddressModels"; const BACKEND_URL = process.env.BACKEND_URL; +const PLEBDEVS_API_KEY = process.env.PLEBDEVS_API_KEY; export default async function handler(req, res) { await runMiddleware(req, res, corsMiddleware); @@ -70,7 +71,11 @@ export default async function handler(req, res) { return; } else { try { - const response = await axios.post(`${BACKEND_URL}/api/lightning-address/lnd`, { amount: amount, description_hash: descriptionHash, name: slug, zap_request: queryParams?.nostr ? queryParams.nostr : null }); + const response = await axios.post(`${BACKEND_URL}/api/lightning-address/lnd`, { amount: amount, description_hash: descriptionHash, name: slug, zap_request: queryParams?.nostr ? queryParams.nostr : null }, { + headers: { + 'Authorization': PLEBDEVS_API_KEY + } + }); res.status(200).json({ pr: response.data }); } catch (error) { console.error(error); diff --git a/src/pages/api/lightning-address/lnd.js b/src/pages/api/lightning-address/lnd.js index 6bb117a..cd64acc 100644 --- a/src/pages/api/lightning-address/lnd.js +++ b/src/pages/api/lightning-address/lnd.js 
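Review bot: In the lightning-address callback hunk, `PLEBDEVS_API_KEY` is read from the environment at module load and sent as the `Authorization` header without any check that it is set, so a missing variable silently produces a request without a usable credential rather than a visible configuration error. A module-scope guard such as `if (!PLEBDEVS_API_KEY) throw new Error('PLEBDEVS_API_KEY is not configured');` next to the new constant would surface the misconfiguration at startup. The header carries the raw key with no scheme prefix, which is fine as long as lnd.js compares the same raw value. handler's body starts and ends outside the hunk.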
@@ -5,8 +5,16 @@ import appConfig from "@/config/appConfig"; import { getLightningAddressByName } from "@/db/models/lightningAddressModels"; const ZAP_PRIVKEY = process.env.ZAP_PRIVKEY; +const PLEBDEVS_API_KEY = process.env.PLEBDEVS_API_KEY; export default async function handler(req, res) { + // make sure api key is in authorization header + const apiKey = req.headers['authorization']; + if (apiKey !== PLEBDEVS_API_KEY) { + res.status(401).json({ error: 'Unauthorized' }); + return; + } + try { const { amount, description_hash, zap_request=null, name } = req.body; diff --git a/src/pages/api/purchase/course.js b/src/pages/api/purchase/course.js index 499da96..76da4a2 100644 --- a/src/pages/api/purchase/course.js +++ b/src/pages/api/purchase/course.js @@ -1,6 +1,14 @@ import { addCoursePurchaseToUser } from "@/db/models/userModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'POST') { try { const { userId, courseId, amountPaid } = req.body; diff --git a/src/pages/api/purchase/resource.js b/src/pages/api/purchase/resource.js index d5d0f3f..72f51bc 100644 --- a/src/pages/api/purchase/resource.js +++ b/src/pages/api/purchase/resource.js @@ -1,6 +1,14 @@ import { addResourcePurchaseToUser } from "@/db/models/userModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { + const session = await getServerSession(req, res, authOptions) + + if (!session) { + return res.status(401).json({ error: 'Unauthorized' }); + } + if (req.method === 'POST') { try { const { userId, resourceId, amountPaid } = req.body; 
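Review bot: The new check `if (apiKey !== PLEBDEVS_API_KEY)` fails open when the environment variable is unset: `PLEBDEVS_API_KEY` is then `undefined`, a request with no `Authorization` header also yields `undefined` from `req.headers['authorization']`, and the strict inequality is false, so unauthenticated callers reach the invoice path. Make it fail closed: `if (!PLEBDEVS_API_KEY || apiKey !== PLEBDEVS_API_KEY) {`. As a follow-up, comparing the key with `crypto.timingSafeEqual` on equal-length Buffers (after a length check) avoids the timing leak of `!==`. The rest of handler is outside the hunk.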
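Review bot: In purchase/course.js, `const { userId, courseId, amountPaid } = req.body;` just below the new check still takes the purchaser id and the paid amount from the client, so a signed-in user can record a purchase for another account or with an arbitrary `amountPaid`; the session proves who is calling but the handler never uses it. Use the session's user id in place of `req.body.userId` and take `amountPaid` from a server-side price or payment record rather than the body — what `addCoursePurchaseToUser` itself validates is outside this diff. purchase/resource.js has the identical shape with `resourceId`. handler's body continues past the hunk.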
diff --git a/src/pages/api/resources/[slug].js b/src/pages/api/resources/[slug].js index cfd49ae..bea7cb5 100644 --- a/src/pages/api/resources/[slug].js +++ b/src/pages/api/resources/[slug].js @@ -1,8 +1,12 @@ import { getResourceById, updateResource, deleteResource, } from "@/db/models/resourceModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { const { slug } = req.query; + const session = await getServerSession(req, res, authOptions) + if (req.method === 'GET') { try { const resource = await getResourceById(slug); @@ -15,6 +19,10 @@ export default async function handler(req, res) { res.status(500).json({ error: error.message }); } } else if (req.method === 'PUT') { + if (!session || !session?.user?.role?.admin) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { console.log('req.body:', req.body); console.log('slug:', slug); @@ -31,6 +39,10 @@ export default async function handler(req, res) { res.status(400).json({ error: error.message }); } } else if (req.method === 'DELETE') { + if (!session || !session?.user?.role?.admin) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { await deleteResource(slug); res.status(204).end(); diff --git a/src/pages/api/resources/index.js b/src/pages/api/resources/index.js index d424981..35746aa 100644 --- a/src/pages/api/resources/index.js +++ b/src/pages/api/resources/index.js @@ -1,4 +1,6 @@ import { getAllResources, createResource } from "@/db/models/resourceModels"; +import { getServerSession } from "next-auth/next" +import { authOptions } from "@/pages/api/auth/[...nextauth]" export default async function handler(req, res) { if (req.method === 'GET') { 
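Review bot: In the PUT and DELETE hunks the condition `!session || !session?.user?.role?.admin` is redundant — optional chaining already yields `undefined` for a null session — and it answers a signed-in non-admin with 401, where 403 is the conventional status once authentication has succeeded. `if (!session?.user?.role?.admin) { return res.status(session ? 403 : 401).json({ error: session ? 'Forbidden' : 'Unauthorized' }); }` keeps one expression and distinguishes the two cases. The POST hunk of resources/index.js uses the same condition. handler's body continues outside each hunk.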
@@ -9,6 +11,12 @@ export default async function handler(req, res) { res.status(500).json({ error: error.message }); } } else if (req.method === 'POST') { + const session = await getServerSession(req, res, authOptions) + + if (!session || !session?.user?.role?.admin) { + return res.status(401).json({ error: 'Unauthorized' }); + } + try { const resource = await createResource(req.body); res.status(201).json(resource); diff --git a/src/pages/api/roles/index.js b/src/pages/api/roles/index.js deleted file mode 100644 index 6be0435..0000000 --- a/src/pages/api/roles/index.js +++ /dev/null @@ -1,27 +0,0 @@ -import { createRole } from "@/db/models/roleModels"; - -export default async function handler(req, res) { - if (req.method === "POST") { - if (!req.body || !req.body.userId) { - res.status(400).json({ error: "Missing required fields" }); - return; - } - - try { - const roleData = { - userId: req.body.userId, - admin: req.body.admin || false, - subscribed: req.body.subscribed || false, - // Add other fields as needed - }; - - const role = await createRole(roleData); - res.status(201).json(role); - } catch (error) { - console.error("Error creating role:", error); - res.status(500).json({ error: "Error creating role" }); - } - } else { - res.status(405).json({ error: "Method not allowed" }); - } -} \ No newline at end of file diff --git a/src/pages/api/users/index.js b/src/pages/api/users/index.js index 25db149..45a9b2a 100644 --- a/src/pages/api/users/index.js +++ b/src/pages/api/users/index.js 
@@ -2,9 +2,14 @@ import { getAllUsers, createUser } from '@/db/models/userModels'; import { getServerSession } from "next-auth/next" import { authOptions } from "@/pages/api/auth/[...nextauth].js" -// todo add recaptcha for additional security export default async function handler(req, res) { - // const session = await getServerSession(req, res, authOptions); + const session = await getServerSession(req, res, authOptions); + + if (!session) { + res.status(401).json({ error: "Unauthorized" }); + return; + } + if (req.method === 'POST') { try { const user = await createUser(req.body); diff --git a/src/pages/auth/signin.js b/src/pages/auth/signin.js index a2c4f6f..e589b31 100644 --- a/src/pages/auth/signin.js +++ b/src/pages/auth/signin.js @@ -4,6 +4,7 @@ import { useNDKContext } from "@/context/NDKContext"; import GenericButton from "@/components/buttons/GenericButton"; import { InputText } from 'primereact/inputtext'; +// todo add recaptcha for additional security export default function SignIn() { const [email, setEmail] = useState("") const [showEmailInput, setShowEmailInput] = useState(false)
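Review bot: The POST path that calls `createUser(req.body)` now rejects any caller without a session, so a first-time account creation can no longer reach this route unless users are created elsewhere (for instance inside `authOptions`); confirm no unauthenticated client path depends on it. If the route is meant as an admin-only tool, gating it on `session.user?.role?.admin` as resources/index.js does in this commit would state that intent more clearly than a session-only check. The remainder of handler is outside the hunk.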