Merge branch 'main' into doc-162

2025-11-15 09:12:02 +10:00 · 2023-03-21 14:16:47 +01:00
parent 266ecf0f8d 9e536e95b6
commit 0e9aa4ab62
17 changed files with 178 additions and 64 deletions
--- a/apps/web/pages/api/documents/[id].ts
+++ b/apps/web/pages/api/documents/[id].ts
@ -18,10 +18,10 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
  }

  let user = null;
-
+  let recipient = null;
  if (recipientToken) {
    // Request from signing page without login
-    const recipient = await prisma.recipient.findFirst({
+    recipient = await prisma.recipient.findFirst({
      where: {
        token: recipientToken?.toString(),
      },
@ -37,7 +37,14 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {

  if (!user) return res.status(401).end();

-  const document: PrismaDocument = await getDocument(+documentId, req, res);
+  let document: PrismaDocument | null = null;
+  if (recipientToken) {
+    document = await prisma.document.findFirst({
+      where: { id: recipient?.Document?.id },
+    });
+  } else {
+    document = await getDocument(+documentId, req, res);
+  }

  if (!document)
    res.status(404).end(`No document with id ${documentId} found.`);
@ -45,16 +52,18 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
  const signaturesCount = await prisma.signature.count({
    where: {
      Field: {
-        documentId: document.id,
+        documentId: document?.id,
      },
    },
  });

-  let signedDocumentAsBase64 = document.document;
+  let signedDocumentAsBase64 = document?.document || "";

  // No need to add a signature, if no one signed yet.
  if (signaturesCount > 0) {
-    signedDocumentAsBase64 = await addDigitalSignature(document.document);
+    signedDocumentAsBase64 = await addDigitalSignature(
+      document?.document || ""
+    );
  }

  const buffer: Buffer = Buffer.from(signedDocumentAsBase64, "base64");
@ -62,7 +71,7 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
  res.setHeader("Content-Length", buffer.length);
  res.setHeader(
    "Content-Disposition",
-    `attachment; filename=${document.title}`
+    `attachment; filename=${document?.title}`
  );

  return res.status(200).send(buffer);
--- a/apps/web/pages/api/documents/[id]/fields/index.ts
+++ b/apps/web/pages/api/documents/[id]/fields/index.ts
@ -36,8 +36,10 @@ async function getHandler(req: NextApiRequest, res: NextApiResponse) {
 }

 async function postHandler(req: NextApiRequest, res: NextApiResponse) {
-  const user = await getUserFromToken(req, res);
-  const { id: documentId } = req.query;
+  const { token: recipientToken } = req.query;
+  let user = null;
+  if (!recipientToken) user = await getUserFromToken(req, res);
+  if (!user && !recipientToken) return res.status(401).end();
  const body: {
    id: number;
    type: FieldType;
@ -48,18 +50,30 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
    customText: string;
  } = req.body;

-  if (!user) return;
-
+  const { id: documentId } = req.query;
  if (!documentId) {
-    res.status(400).send("Missing parameter documentId.");
-    return;
+    return res.status(400).send("Missing parameter documentId.");
  }

-  const document: PrismaDocument = await getDocument(+documentId, req, res);
+  if (recipientToken) {
+    const recipient = await prisma.recipient.findFirst({
+      where: { token: recipientToken?.toString() },
+    });

-  // todo entity ownerships checks
-  if (document.userId !== user.id) {
-    return res.status(401).send("User does not have access to this document.");
+    if (!recipient || recipient?.documentId !== +documentId)
+      return res
+        .status(401)
+        .send("Recipient does not have access to this document.");
+  }
+
+  if (user) {
+    const document: PrismaDocument = await getDocument(+documentId, req, res);
+    // todo entity ownerships checks
+    if (document.userId !== user.id) {
+      return res
+        .status(401)
+        .send("User does not have access to this document.");
+    }
  }

  const field = await prisma.field.upsert({
--- a/apps/web/pages/api/documents/[id]/sign.ts
+++ b/apps/web/pages/api/documents/[id]/sign.ts
@ -1,8 +1,4 @@
-import {
-  defaultHandler,
-  defaultResponder,
-  getUserFromToken,
-} from "@documenso/lib/server";
+import { defaultHandler, defaultResponder } from "@documenso/lib/server";
 import prisma from "@documenso/prisma";
 import { NextApiRequest, NextApiResponse } from "next";
 import { SigningStatus, DocumentStatus } from "@prisma/client";
@ -12,7 +8,6 @@ import { insertImageInPDF, insertTextInPDF } from "@documenso/pdf";
 import { sendSigningDoneMail } from "@documenso/lib/mail";

 async function postHandler(req: NextApiRequest, res: NextApiResponse) {
-  const existingUser = await getUserFromToken(req, res);
  const { token: recipientToken } = req.query;
  const { signatures: signaturesFromBody }: { signatures: any[] } = req.body;

@ -29,11 +24,19 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
    return res.status(401).send("Recipient not found.");
  }

-  const document: PrismaDocument = await getDocument(
-    recipient.documentId,
-    req,
-    res
-  );
+  const document: PrismaDocument = await prisma.document.findFirstOrThrow({
+    where: {
+      id: recipient.documentId,
+    },
+    include: {
+      Recipient: {
+        orderBy: {
+          id: "asc",
+        },
+      },
+      Field: { include: { Recipient: true, Signature: true } },
+    },
+  });

  if (!document) res.status(404).end(`No document found.`);

@ -70,6 +73,8 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
    },
  });

+  // Don't check for inserted, because currently no "sign again" scenarios exist and
+  // this is probably the expected behaviour in unclean states.
  const nonSignatureFields = await prisma.field.findMany({
    where: {
      documentId: document.id,