Skip to content
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 18 additions & 53 deletions server/api/form/index.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import { Prisma } from '~~/prisma/generated/client'
import { auth } from '~~/server/utils/auth'
import { prisma } from '~~/server/utils/prisma'
import { getQuery, setResponseStatus, type H3Event } from 'h3'
import { requireAdmin } from '~~/server/utils/require-session'
import { createError, getQuery, setResponseStatus, type H3Event } from 'h3'

type ActionName =
| 'listFormGroups'
Expand Down Expand Up @@ -196,49 +196,6 @@ const getAction = (event: H3Event, body: Record<string, unknown> | null) => {
return (query.action ?? body?.action) as ActionName | undefined
}

const isFormApiDevBypassEnabled = () =>
process.env.NODE_ENV !== 'production' || process.env.FORM_API_DEV_BYPASS === 'true'

const requireAdminSession = async (event: H3Event) => {
const session = await auth.api.getSession({
headers: event.headers,
})

if (!session) {
if (isFormApiDevBypassEnabled()) {
return { session: null, userId: null, admin: null, bypassed: true }
}

throw createError({
statusCode: 401,
statusMessage: 'Unauthorized: no active session. Log in, or set FORM_API_DEV_BYPASS=true for local testing only.',
})
}

const userId = normalizeScalar(session.user.id)

if (!userId || typeof userId !== 'string') {
throw createError({ statusCode: 400, statusMessage: 'Invalid session user id' })
}

const admin = await prisma.admin.findUnique({
where: { userId },
})

if (!admin) {
if (isFormApiDevBypassEnabled()) {
return { session, userId, admin: null, bypassed: true }
}

throw createError({
statusCode: 403,
statusMessage: 'Forbidden: current user is not an admin.',
})
}

return { session, userId, admin, bypassed: false }
}

const mapComponent = (component: {
id: number
form: number
Expand All @@ -265,9 +222,9 @@ const mapForm = (
startDate: Date
endDate: Date | null
published: boolean
author: string
author: string | null
formGroup: number
title: string
title: string | null
Components?: Array<{
id: number
form: number
Expand Down Expand Up @@ -326,6 +283,19 @@ export default defineEventHandler(async (event) => {
const body = method === 'GET' ? null : ((await readBody(event).catch(() => null)) as Record<string, unknown> | null)
const action = getAction(event, body)

const session = await requireAdmin(event)

const admin = await prisma.admin.findUnique({
where: { userId: session.user.id },
})

if (!admin) {
throw createError({
statusCode: 403,
statusMessage: 'Forbidden',
})
}

if (method !== 'GET' && !action) { throw createError({ statusCode: 400, statusMessage: 'Missing action' }) }

if (method === 'GET') {
Expand Down Expand Up @@ -475,14 +445,9 @@ export default defineEventHandler(async (event) => {
})
}


throw createError({ statusCode: 400, statusMessage: 'Unknown action' })
}



const { admin } = await requireAdminSession(event)

if (method === 'POST') {
if (action === 'createFormGroup') {
const startDate = toDate(body?.startDate, 'startDate')
Expand Down Expand Up @@ -763,7 +728,7 @@ export default defineEventHandler(async (event) => {

data.Form = {
connect: { id: form as number },
}
}
}

if (hasOwnField(body, 'order')) {
Expand Down