riccardo/nextjs-auth0
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: protect delete customer form

Browse Source
This commit is contained in:
Riccardo
2024-07-08 00:00:06 +02:00
parent 71daa9aa7d
commit 90830f91a0
2 changed files with 31 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
app/api/protected/customer-form/[id]/route.ts
View File

@@ -2,18 +2,21 @@ import { getSession, withApiAuthRequired } from '@auth0/nextjs-auth0';
import { CustomerFormType } from '@prisma/client'; import { CustomerFormType } from '@prisma/client';
import prisma from '@prisma/prisma'; import prisma from '@prisma/prisma';
import { createErrorResponse } from '@utils/createErrorResponse'; import { createErrorResponse } from '@utils/createErrorResponse';
import { ContextSchema, CustomerForm } from '@utils/types'; import { CustomerForm } from '@utils/types';
import { validateContext } from '@utils/validateContext';
import { NextRequest, NextResponse } from 'next/server'; import { NextRequest, NextResponse } from 'next/server';
export const GET = withApiAuthRequired(async (request, context) => { export const GET = withApiAuthRequired(async (request, context) => {
const session = await getSession(); const session = await getSession();
const validatedContext = ContextSchema.safeParse(context); let id;
if (!validatedContext.success) {
return createErrorResponse('Invalid context format', 400); try {
id = validateContext(context);
} catch (error) {
return createErrorResponse('Internal server error', 500);
} }
const { id } = validatedContext.data.params;
const userEmail = session?.user?.email; const userEmail = session?.user?.email;
if (!userEmail) { if (!userEmail) {
@@ -68,15 +71,20 @@ export async function PUT(
return NextResponse.json({ success: true, data: result }); return NextResponse.json({ success: true, data: result });
} }
export async function DELETE( export const DELETE = withApiAuthRequired(async (request, context) => {
request: NextRequest,
{ params }: { params: { id: string } }
) {
const session = await getSession(); const session = await getSession();
let id;
try {
id = validateContext(context);
} catch (error) {
return createErrorResponse('Internal server error', 500);
}
const result = await prisma.customerForm.delete({ const result = await prisma.customerForm.delete({
where: { where: {
id: params.id, id: id,
createdBy: { createdBy: {
email: session?.user.email email: session?.user.email
} }
@@ -91,4 +99,4 @@ export async function DELETE(
} }
return NextResponse.json({ success: true }); return NextResponse.json({ success: true });
} });

12
utils/validateContext.ts Normal file
View File

@@ -0,0 +1,12 @@
import { ContextSchema } from '@utils/types';
export function validateContext(context: any) {
const validatedContext = ContextSchema.safeParse(context);
if (!validatedContext.success) {
throw new Error('Invalid context');
}
const { id } = validatedContext.data.params;
return id;
}