diff --git a/server/api/form/index.ts b/server/api/form/index.ts index f78e1e0..6a0200d 100644 --- a/server/api/form/index.ts +++ b/server/api/form/index.ts @@ -1,7 +1,7 @@ import { Prisma } from '~~/prisma/generated/client' -import { auth } from '~~/server/utils/auth' import { prisma } from '~~/server/utils/prisma' -import { getQuery, setResponseStatus, type H3Event } from 'h3' +import { requireAdmin } from '~~/server/utils/require-session' +import { createError, getQuery, setResponseStatus, type H3Event } from 'h3' type ActionName = | 'listFormGroups' @@ -196,49 +196,6 @@ const getAction = (event: H3Event, body: Record | null) => { return (query.action ?? body?.action) as ActionName | undefined } -const isFormApiDevBypassEnabled = () => - process.env.NODE_ENV !== 'production' || process.env.FORM_API_DEV_BYPASS === 'true' - -const requireAdminSession = async (event: H3Event) => { - const session = await auth.api.getSession({ - headers: event.headers, - }) - - if (!session) { - if (isFormApiDevBypassEnabled()) { - return { session: null, userId: null, admin: null, bypassed: true } - } - - throw createError({ - statusCode: 401, - statusMessage: 'Unauthorized: no active session. Log in, or set FORM_API_DEV_BYPASS=true for local testing only.', - }) - } - - const userId = normalizeScalar(session.user.id) - - if (!userId || typeof userId !== 'string') { - throw createError({ statusCode: 400, statusMessage: 'Invalid session user id' }) - } - - const admin = await prisma.admin.findUnique({ - where: { userId }, - }) - - if (!admin) { - if (isFormApiDevBypassEnabled()) { - return { session, userId, admin: null, bypassed: true } - } - - throw createError({ - statusCode: 403, - statusMessage: 'Forbidden: current user is not an admin.', - }) - } - - return { session, userId, admin, bypassed: false } -} - const mapComponent = (component: { id: number form: number @@ -265,9 +222,9 @@ const mapForm = ( startDate: Date endDate: Date | null published: boolean - author: string + author: string | null formGroup: number - title: string + title: string | null Components?: Array<{ id: number form: number @@ -326,6 +283,19 @@ export default defineEventHandler(async (event) => { const body = method === 'GET' ? null : ((await readBody(event).catch(() => null)) as Record | null) const action = getAction(event, body) + const session = await requireAdmin(event) + + const admin = await prisma.admin.findUnique({ + where: { userId: session.user.id }, + }) + + if (!admin) { + throw createError({ + statusCode: 403, + statusMessage: 'Forbidden', + }) + } + if (method !== 'GET' && !action) { throw createError({ statusCode: 400, statusMessage: 'Missing action' }) } if (method === 'GET') { @@ -475,14 +445,9 @@ export default defineEventHandler(async (event) => { }) } - throw createError({ statusCode: 400, statusMessage: 'Unknown action' }) } - - - const { admin } = await requireAdminSession(event) - if (method === 'POST') { if (action === 'createFormGroup') { const startDate = toDate(body?.startDate, 'startDate') @@ -763,7 +728,7 @@ export default defineEventHandler(async (event) => { data.Form = { connect: { id: form as number }, -} + } } if (hasOwnField(body, 'order')) {