From 3a13ea5212fb307f108482a22990f6dc3cae8f33 Mon Sep 17 00:00:00 2001 From: nevins321 Date: Tue, 2 Jun 2026 21:37:20 +0530 Subject: [PATCH 1/2] enforce admin auth before GET dispatch --- server/api/form/index.ts | 72 +++++++++++----------------------------- 1 file changed, 20 insertions(+), 52 deletions(-) diff --git a/server/api/form/index.ts b/server/api/form/index.ts index f78e1e0..674cd43 100644 --- a/server/api/form/index.ts +++ b/server/api/form/index.ts @@ -1,7 +1,7 @@ import { Prisma } from '~~/prisma/generated/client' -import { auth } from '~~/server/utils/auth' import { prisma } from '~~/server/utils/prisma' -import { getQuery, setResponseStatus, type H3Event } from 'h3' +import { requireAdmin } from '~~/server/utils/require-session' +import { createError, getQuery, setResponseStatus, type H3Event } from 'h3' type ActionName = | 'listFormGroups' @@ -22,6 +22,8 @@ type ActionName = const WEEKDAY_NAMES = ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'] + + const hasOwnField = (value: Record | null, key: string) => Object.prototype.hasOwnProperty.call(value ?? {}, key) @@ -196,49 +198,6 @@ const getAction = (event: H3Event, body: Record | null) => { return (query.action ?? body?.action) as ActionName | undefined } -const isFormApiDevBypassEnabled = () => - process.env.NODE_ENV !== 'production' || process.env.FORM_API_DEV_BYPASS === 'true' - -const requireAdminSession = async (event: H3Event) => { - const session = await auth.api.getSession({ - headers: event.headers, - }) - - if (!session) { - if (isFormApiDevBypassEnabled()) { - return { session: null, userId: null, admin: null, bypassed: true } - } - - throw createError({ - statusCode: 401, - statusMessage: 'Unauthorized: no active session. Log in, or set FORM_API_DEV_BYPASS=true for local testing only.', - }) - } - - const userId = normalizeScalar(session.user.id) - - if (!userId || typeof userId !== 'string') { - throw createError({ statusCode: 400, statusMessage: 'Invalid session user id' }) - } - - const admin = await prisma.admin.findUnique({ - where: { userId }, - }) - - if (!admin) { - if (isFormApiDevBypassEnabled()) { - return { session, userId, admin: null, bypassed: true } - } - - throw createError({ - statusCode: 403, - statusMessage: 'Forbidden: current user is not an admin.', - }) - } - - return { session, userId, admin, bypassed: false } -} - const mapComponent = (component: { id: number form: number @@ -265,9 +224,9 @@ const mapForm = ( startDate: Date endDate: Date | null published: boolean - author: string + author: string | null formGroup: number - title: string + title: string | null Components?: Array<{ id: number form: number @@ -326,6 +285,19 @@ export default defineEventHandler(async (event) => { const body = method === 'GET' ? null : ((await readBody(event).catch(() => null)) as Record | null) const action = getAction(event, body) + const session = await requireAdmin(event) + + const admin = await prisma.admin.findUnique({ + where: { userId: session.user.id }, + }) + + if (!admin) { + throw createError({ + statusCode: 403, + statusMessage: 'Forbidden', + }) + } + if (method !== 'GET' && !action) { throw createError({ statusCode: 400, statusMessage: 'Missing action' }) } if (method === 'GET') { @@ -479,10 +451,6 @@ export default defineEventHandler(async (event) => { throw createError({ statusCode: 400, statusMessage: 'Unknown action' }) } - - - const { admin } = await requireAdminSession(event) - if (method === 'POST') { if (action === 'createFormGroup') { const startDate = toDate(body?.startDate, 'startDate') @@ -763,7 +731,7 @@ export default defineEventHandler(async (event) => { data.Form = { connect: { id: form as number }, -} + } } if (hasOwnField(body, 'order')) { From 5e82e683ff0eeadecd19c096e7b7debf9608cb20 Mon Sep 17 00:00:00 2001 From: nevins321 Date: Tue, 2 Jun 2026 21:40:01 +0530 Subject: [PATCH 2/2] spacing --- server/api/form/index.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/server/api/form/index.ts b/server/api/form/index.ts index 674cd43..6a0200d 100644 --- a/server/api/form/index.ts +++ b/server/api/form/index.ts @@ -22,8 +22,6 @@ type ActionName = const WEEKDAY_NAMES = ['Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'] - - const hasOwnField = (value: Record | null, key: string) => Object.prototype.hasOwnProperty.call(value ?? {}, key) @@ -447,7 +445,6 @@ export default defineEventHandler(async (event) => { }) } - throw createError({ statusCode: 400, statusMessage: 'Unknown action' }) }