added auth

2 days ago · 8d236e9ed7
parent 043ac80784
commit 8d236e9ed7
3 changed files with 27 additions and 3 deletions
--- a/src/pages/api/room/[id]/action.ts
+++ b/src/pages/api/room/[id]/action.ts
@ -1,8 +1,9 @@
 import { getRoom, updateRoom } from '@/db'
+import { getSession } from '@/db/sessions'
 import type { Action } from '@/ggwp'
 import type { APIRoute } from 'astro'

-export const POST: APIRoute = async ({ params, request }) => {
+export const POST: APIRoute = async ({ params, request, cookies }) => {
    const { id: roomId } = params
    if (!roomId) {
        return new Response('Invalid room id', { status: 400 })
@ -13,6 +14,17 @@ export const POST: APIRoute = async ({ params, request }) => {
        return new Response('Room not found', { status: 404 })
    }

+    // check auth
+    const sid = cookies.get('sid')
+    if (!sid) {
+        return new Response('Unauthorized', { status: 401 })
+    }
+
+    const sessionRoom = getSession(sid.value)
+    if (sessionRoom !== roomId) {
+        return new Response('Unauthorized', { status: 401 })
+    }
+
    const action = (await request.json()) as Action
    room.actions.push(action)

--- a/src/pages/api/room/[id]/index.ts
+++ b/src/pages/api/room/[id]/index.ts
@ -1,6 +1,7 @@
 import { getRoom, updateRoom } from '@/db'
 import { addRoomUpdateListener, removeRoomUpdateListener } from '@/db/events'
 import type { RoomData } from '@/db/model'
+import { getSession } from '@/db/sessions'
 import type { APIRoute } from 'astro'

 function sseHandler(roomId: string) {
@ -54,7 +55,7 @@ export const GET: APIRoute = async ({ params, url }) => {
    })
 }

-export const POST: APIRoute = async ({ params, request }) => {
+export const POST: APIRoute = async ({ params, request, cookies }) => {
    const { id: roomId } = params
    if (!roomId) {
        return new Response('Invalid room id', { status: 400 })
@ -65,6 +66,17 @@ export const POST: APIRoute = async ({ params, request }) => {
        return new Response('Room not found', { status: 404 })
    }

+    // check auth
+    const sid = cookies.get('sid')
+    if (!sid) {
+        return new Response('Unauthorized', { status: 401 })
+    }
+
+    const sessionRoom = getSession(sid.value)
+    if (sessionRoom !== roomId) {
+        return new Response('Unauthorized', { status: 401 })
+    }
+
    const newRoom = (await request.json()) as RoomData

    // @ts-ignore
--- a/src/pages/api/rooms.ts
+++ b/src/pages/api/rooms.ts
@ -2,7 +2,7 @@ import { createRoom, getRoom, getRooms } from '@/db'
 import { createSession } from '@/db/sessions'
 import type { APIRoute } from 'astro'

-export const POST: APIRoute = async ({ params, request, cookies }) => {
+export const POST: APIRoute = async ({ request, cookies }) => {
    const body = await request.json()

    console.log(body)